There are two classes of Juniper/Netscreen firewalls: appliances and systems. Appliances process traffic only in the CPU. Systems are high-end devices that process traffic in ASICs as well as in the CPU. The packet-capture tools, snoop and the debug commands, only see traffic handled by the CPU. When a system receives the initial packet of a new session it inspects it in the CPU; if the packet is permitted by policy, the session is installed in the ASIC and the remaining packets of that session are forwarded there. This gives better performance, but traffic cannot be captured once it is in the ASIC. Starting in ScreenOS 6.1, Juniper added an option that prevents traffic matching a given policy from being sent to the ASIC. That traffic stays in the CPU, so it can be captured with snoop or debug. The option is set on a per-policy basis.
Instructions for preventing traffic from being delivered to the ASIC (enter the context of the policy that matches the interesting traffic, set the option, and exit; replace <policy-id> with that policy's ID):
set policy id <policy-id>
set no-hw-sess
exit
Note: It is best practice to configure a policy that matches only the interesting traffic, and to place it ahead of any more general policy so that it is evaluated first; otherwise the traffic matches the general policy and is still handed to the ASIC. Once you are done capturing, remove the option first, then the policy.
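The whole procedure the instructions above describe, as an added worked example that is not from the original page: a narrow permit policy for the interesting traffic, moved ahead of the general policy, kept in the CPU with no-hw-sess while a flow debug runs, and then removed in the reverse order. The zone names, addresses, policy IDs and the ffilter/debug commands used here are assumptions of this example (an ISG or NS-5000 class system on ScreenOS 6.1 or later is assumed); lines beginning with ## are annotations, not CLI input.

```screenos
## Assumed: host 192.168.1.10 in zone Trust talking HTTP to 10.0.0.5 in zone
## Untrust, capture policy id 100, existing general policy id 1.

## 1. Address objects and a policy that matches only the interesting traffic.
set address Trust "cap-src" 192.168.1.10/32
set address Untrust "cap-dst" 10.0.0.5/32
set policy id 100 name "cpu-capture" from Trust to Untrust "cap-src" "cap-dst" HTTP permit

## 2. Place it above the general policy; ScreenOS uses the first match.
set policy move 100 before 1

## 3. Keep sessions created by policy 100 in the CPU instead of the ASIC.
set policy id 100
set no-hw-sess
exit

## 4. Clear any session that was already installed in the ASIC so the next
##    packets are re-evaluated against policy 100, then capture.
clear session src-ip 192.168.1.10 dst-ip 10.0.0.5
set ffilter src-ip 192.168.1.10 dst-ip 10.0.0.5
clear db
debug flow basic
## ... reproduce the traffic, then stop the debug and read the buffer ...
undebug all
get db stream

## 5. Clean up: remove the option first, then the policy and its addresses.
set policy id 100
unset no-hw-sess
exit
unset policy id 100
unset address Trust "cap-src"
unset address Untrust "cap-dst"
```

With the option in place the debug buffer shows every packet of the HTTP session rather than only the first one; without it, step 4 on a system would typically show just the initial SYN.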
Notes on Captures on Netscreens
Please note that a capture on a Netscreen system will usually contain just the first packet of each session (the SYN, for TCP), whereas a capture on a Netscreen appliance will contain all packets. The reason is that systems have ASICs: the initial packet goes to the CPU, the rest of the session goes to the ASIC, and debug and snoop only work in the CPU. The following is a breakdown of which Netscreens are systems and which are appliances.
Systems: Netscreen NS-500 and higher (e.g. NS-500, NS-5200) and the ISG series (e.g. ISG-1000, ISG-2000)
Appliances: Netscreens below the NS-500 (e.g. NS-5, NS-204) and the SSG series (e.g. SSG-5, SSG-520)