In this example, we're wanting to see any traffic in either direction between ports 68 and 67 (which is dhcp traffic).  We create one filter statement "PCAP-DHCP" and then have two terms ("1" & "2"), one for traffic going one direction, and then the second going the other.  Anything that matches the source/destination mapping in those terms is "accept"ed, and we also add the "sample" statement that tells the firewall to capture the traffic from that match.  The final line is the third term ("accept-other-traffic") which allows all other traffic that is going through the firewall.  With out that last line, the firewall would default-deny, and any traffic other then dhcp would be blocked.  

 

When the firewall filter starts capturing data, it needs to know what to call the file it stores the data in, and the characteristics of that file (size, etc.). We can define this within the "forwarding-options packet-capture" section.  In this example, we are defining the file name to "DHCP-Capture" and the max file size "1500".  

 

We have defined the filters, but we need to apply it to an interface before it will work.  In this case, we can apply it to irb.66 (vlan 66).   

 

The files will be stored in /var/tmp/{filename}.{interface_name}   where the {filename} in this example is "DHCP-Capture".  

 

Grab them from your laptop with the following scp command: 

Please take in mind that capturing and sampling packets is CPU intensive so make sure you don’t leave this running on the firewall. You can try with a “commit confirmed” which will give you 10 minutes to test before all the configuration rollbacks.

• How to create a PCAP packet capture on a J-Series or SRX branch device: Juniper KB11709, Feb 2018 

Reference - Interface

As a side reference, defining interfaces via "irb.x" is a bit more unusual then your standard reference to a direct interface.  This would be the configs for an interface like that.