Junos OS

Hi,all,

I use the monitor traffic command and I found something wrong,as:

juniper@R1> monitor traffic interface ge-0/0/0

18:01:22.896037  In IP 12.1.1.2 > 12.1.1.1: ICMP echo reply, id 6762, seq 4, length 64

18:01:22.974066  In IP 12.1.1.2.55937 > 12.1.1.1.telnet: . ack 469 win 33304 <nop,nop,timestamp 3095373763 1644564341>

18:01:22.974190 Out IP truncated-ip - 215 bytes missing! 12.1.1.1.telnet > 12.1.1.2.55937: P 469:692(223) ack 69 win 33304 <nop,nop,timestamp 1644564446 3095373763>

18:01:23.080077  In IP 12.1.1.2.55937 > 12.1.1.1.telnet: . ack 692 win 33304 <nop,nop,timestamp 3095373870 1644564446>

^C

191 packets received by filter0 packets dropped by kernel
juniper@R1> 

What the meaning for "215 bytes missing"?Anything wrong with my router?

Thank you.

Hi

That means you are probably capturing only small part of each packet. Try monitor traffic interface ge-0/0/0 size 1500. I also recommend you using no-resolve, because without this command, it try to resolve ip addresses into dns name and it sometimes takes long. monitor traffic interface captures traffic only from and to routing engine, but I am not sure if it is true on all platforms.

Hi,jozef.klacko

 Thank you for your response,I exec the command " monitor traffic interface ge-0/0/0 size 1500",however,the JUNOS display as:

01:23:48.681373 Out IP truncated-ip - 36 bytes missing! 12.1.1.1 > 12.1.1.2: ICMP echo reply, id 39055, seq 0, length 1480

01:23:48.681387 Out IP 12.1.1.1 > 12.1.1.2: icmp

You can see the files which I upload for detail,thank you.

Attachment(s)

R1.txt   4 KB 1 version

R2.txt   1 KB 1 version

try it with size 1600

Hi,rasmus,

Thank you for your response,I try to size 1600,and the result as:

05:54:36.375779  In IP 12.1.1.2 > 12.1.1.1: ICMP echo request, id 404, seq 0, length 1480

05:54:36.375820  In IP 12.1.1.2 > 12.1.1.1: icmp

05:54:36.375858 Out IP truncated-ip - 1440 bytes missing! 12.1.1.1 > 12.1.1.2: ICMP echo reply, id 404, seq 0, length 1480

05:54:36.375869 Out IP truncated-ip - 88 bytes missing! 12.1.1.1 > 12.1.1.2: icmp

The more detail information,you can see the log which I uploaded,thank you.

Attachment(s)

R2.txt   269 B 1 version

r1.txt   2 KB 1 version

Hi,

The truncated bytes messages are seen when the entire packet doesn't fit into the capture buffer. To resolve this you need to increase the capture buffer by adding the 'size' keyword and specify a value that is large enough to contain  the packet size you are sending plus overheads (this number may vary due to fpc architecture differences).

lab@R1> monitor traffic interface ge-5/1/2 size ?
Possible completions:
  <size>               Amount of each packet to receive (bytes)

In your original post you were sending 64byte pings, to ensure you captured the entire packet plus overheads you would need to specify a size of at least 120bytes. Here's an example:

<<<< default capture size of 96bytes

lab@M320> monitor traffic interface ge-5/1/2 matching icmp no-resolve 
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on ge-5/1/2, capture size 96 bytes

22:49:00.454818  In IP 100.100.100.2 > 100.100.100.1: ICMP echo request, id 26902, seq 212, length 64
22:49:00.454842 Out IP truncated-ip - 24 bytes missing! 100.100.100.1 > 100.100.100.2: ICMP echo reply, id 26902, seq 212, length 64
22:49:01.458197  In IP 100.100.100.2 > 100.100.100.1: ICMP echo request, id 26902, seq 213, length 64
22:49:01.458220 Out IP truncated-ip - 24 bytes missing! 100.100.100.1 > 100.100.100.2: ICMP echo reply, id 26902, seq 213, length 64
^C
12 packets received by filter
0 packets dropped by kernel

<<< increase capture size to 118bytes, issue still seeen

lab@M320> monitor traffic interface ge-5/1/2 matching icmp no-resolve size 118
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on ge-5/1/2, capture size 118 bytes

22:49:07.474277  In IP 100.100.100.2 > 100.100.100.1: ICMP echo request, id 26902, seq 219, length 64
22:49:07.474304 Out IP truncated-ip - 2 bytes missing! 100.100.100.1 > 100.100.100.2: ICMP echo reply, id 26902, seq 219, length 64
22:49:08.477005  In IP 100.100.100.2 > 100.100.100.1: ICMP echo request, id 26902, seq 220, length 64
22:49:08.477026 Out IP truncated-ip - 2 bytes missing! 100.100.100.1 > 100.100.100.2: ICMP echo reply, id 26902, seq 220, length 64
^C
13 packets received by filter
0 packets dropped by kernel

<<< increase capture size to 120 bytes, now packet is completely contained in the buffer:

lab@M320> monitor traffic interface ge-5/1/2 matching icmp no-resolve size 120   
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on ge-5/1/2, capture size 120 bytes

22:49:14.493764  In IP 100.100.100.2 > 100.100.100.1: ICMP echo request, id 26902, seq 226, length 64
22:49:14.493792 Out IP 100.100.100.1 > 100.100.100.2: ICMP echo reply, id 26902, seq 226, length 64
22:49:15.496438  In IP 100.100.100.2 > 100.100.100.1: ICMP echo request, id 26902, seq 227, length 64
22:49:15.496466 Out IP 100.100.100.1 > 100.100.100.2: ICMP echo reply, id 26902, seq 227, length 64