Switching

Hi all,

Why is the following real-time command not capturing the tcp traffic as it is ONLY capturing broadcast and multicast traffic (STP, LLDP, ARP and DHCPv6)? Any ideas....?

what I want to see that whole traffic tcp and udp unicast traffic? Is it possible to do this with this command  -monitor int interface?

>monitor traffic interface ge-0/1/1 matching tcp write-file ge011.pcap size 2000 no-resolve detail

monitor traffic command shows traffic directed to and from the device. It will not show traffic going through the device (transit traffic). If you want to capture transit traffic, you may use port mirroring feature. 

https://www.juniper.net/documentation/en_US/junos/topics/example/port-mirroring-local-ex-series-l2.html

Hello,

Monitor traffic interface command captures the traffic destined to/from the cpu only. This includes all the control traffic, broadcast and multicast.

All the transit traffic never goes to the cpu and hence the above mentioned command doesnt captures the traffic.

If you simply want to check a perticular type of transit traffic you can use the firewall filters to count those packets.

If you want to capture all the transit traffic then go for the port mirroring feature. However for port mirroring you would need to connect a device to capture the packet. 

Hope this helps.

Hi Arix,

The monitor traffic interface command captures traffic to and from the routing engine only which is usually the protocol traffic. For transit traffic sampling, port-mirror or firewall filter can be used.

Reagrds,

Rahul Gautam

If this solves your problem, please mark this post as "Accepted Solution."

For overall traffic on the port you can see stats but not with the detailed filters using

monitor interface traffic

You can also setup a firewall filter with only a count action to apply to the itnerface to get counts of specific types of traffic of interest.

hi all,

It is really strange....

If the command of >monitor interface traffic is not capturing transit traffic on the specified port on the Ex swith, what is the purpose of this command that Juniper made?

How about traceoptions feature? Can we capture whole traffic including transit traffic on specified port?

Port mirror option is not convenience because the ex switch is located remote site... Secondly end-user can not perform any wireshark stuff...

Steve Puluka: |For overall traffic on the port you can see stats but not with the detailed filters using

monitor interface traffic| 

I didn't understand quite this. Can you give an example command that I'd like to perform to see what you mean.

Thanks

Arx

The >monitor traffic interface command is basically useful while troubleshooting the protocols and host bound traffic.

As the transit traffic is switched/routed in the hardware only and it is not sent to the cpu the feature is not pragmatic to implement.

I am afraid but i dont think we have traceoptions to capture the complete interface traffic.

Usually to troubleshoot the transit traffc issues we use the firewall filters, interface stats.

Agree with @raviky and @spuluka.

Hi Arix,

What is the exact goal we are trying to achieve while looking at transit traffic? Do you really need to look at every packet's contents? Capturing packets that are transit for the switch means intercepting the data path of traffic that is switched via the forwarding engine hardware which is meant to happen quickly. It isn't going to be simple on any vendor switches to get that kind of a capture as far as I know, let alone Juniper. Hence you'll find most people offer port mirroring.  I0f that's not feasible, there will be more complicated ways to dig further into packets at the hardware level but that will need caution.  Couple of examples:

1) Configure a firewall filter with action as "log" and then use "show firewall log" to see the packet header data.  Please note this punts the packet to CPU and will take CPU cycles, so should be used with proper match criteria and with caution on a production device.

set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input pkt-capture
set firewall family ethernet-switching filter pkt-capture term pkt-log from source-mac-address aa:bb:cc:dd:ee:ff/48
set firewall family ethernet-switching filter pkt-capture term pkt-log then log

{master:0}
root@jtac-qfx5100> show firewall log detail
Time of Log: 2019-03-04 09:44:41 UTC, Filter: pfe, Filter action: accept, Name of interface: ge-0/0/0.0
Name of protocol: ICMP, Packet Length: 84, Source address: 10.10.10.10, Destination address: 10.10.10.1
ICMP type: 8, ICMP code: 0
Time of Log: 2019-03-04 09:44:40 UTC, Filter: pfe, Filter action: accept, Name of interface: ge-0/0/0.0
Name of protocol: ICMP, Packet Length: 84, Source address: 10.10.10.10, Destination address: 10.10.10.1
ICMP type: 8, ICMP code: 0

2) On an EX4200/4500, following command gives a real time sample of a few packets forwarded at that time:
start shell
cprod -A fpc0 -c "show shim packet-descriptor device 1 summary"

If you don't need to look at every packet and it's contents, there may be simpler ways to achieve your goal like some posts have mentioned here i.e. look at interface traffic stats or use firewall filter to count packets that match your criteria.

The command shared by @spuluka i.e. "monitor interface traffic" shows the real-time statistics of input/output packet counts/rates on interface(s) in an easy to read format. This information is otherwise available from "show interfaces extensive" that gives this information per interface along with a ton of other things. More options for the command are explained here:
https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/monitor-interface.html 

Hope this helps.

Regards,
-r.
--------------------------------------------------
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated :).

Arx,

monitor interface traffice ge-0/0/0

This wil show a live display of packets on the selected interface including the transit ones, not just the RE bound packets.  But this lacks the fine grain filters for specific packets.

You can create a firewall filter with only a count action that will match specific packets of interest then apply this to the interface input or output.  then monitor the counters to confirm traffic passing the interface.  These have a wide variety of options.

https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-ex-series-match-understanding.html

be sure to include a final term with just accept as the default action is to deny and drop traffic when creating these.