Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Articles for JNCIS, JNCIP, JNCIE SP and ENT tracks covering:
- Multicast
- MPLS, L3VPN, VPLS, L2VPN
- ISIS, OSPFv2, OSPFv3
- IPv6
- Class of Service

mandrei99
Post subject: Junos & Tcpdump: How to capture traffic on physical interface  |  Posted: Mon Mar 02, 2015 5:56 pm

Joined: Tue Aug 04, 2009 9:16 am
Posts: 250


Junos & Tcpdump: How to capture traffic on physical interface

Junos has a nifty feature that captures ONLY traffic from and towards the Routing Engine (RE): monitor traffic interface. It is tcpdump under the hood and it supports many of tcpdump's powerful filters: protocol, source and destination host and port, as well as the power to debug protocols like IS-IS, OSPF, BGP and IPv6 ICMPv6, and all traffic that concerns the Routing Engine.

Transit traffic flowing through the Packet Forwarding Engine (PFE) / data plane cannot be captured with tcpdump on any Junos platform, but it can be captured using other configuration, which depends on the platform in use. I will not chase this subject in this post.

Here are the options to capture traffic from/to the Routing Engine in Junos:


Code:
admin@vMX-TEST> monitor traffic interface ge-0/0/1.10 ?
Possible completions:
  <[Enter]>            Execute this command
  absolute-sequence    Display absolute TCP sequence numbers
  brief                Display brief output
  count                Number of packets to receive (0..1000000 packets)
  detail               Display detailed output
  extensive            Display extensive output
  layer2-headers       Display link-level header on each dump line
  matching             Expression for headers of receive packets to match
  no-domain-names      Don't display domain portion of hostnames
  no-promiscuous       Don't put interface into promiscuous mode
  no-resolve           Don't attempt to print addresses symbolically
  no-timestamp         Don't print timestamp on each dump line
  print-ascii          Display packets in ASCII when displaying in hexadecimal format
  print-hex            Display packets in hexadecimal format
  resolve-timeout      Period of time to wait for each name resolution (1..4294967295 seconds)
  size                 Amount of each packet to receive (bytes)
  |                    Pipe through a command


How to debug BGP TCP packets in Junos


Code:
admin@vMX-TEST> monitor traffic interface ge-0/0/1.10 no-resolve extensive matching "port 179"
Address resolution is OFF.
Listening on ge-0/0/1.10, capture size 1514 bytes
... after the TCP 3-way handshake ...

22:09:45.346906  In
   Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 22
     Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
     Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
     Device Interface Index Extension TLV #1, length 2, value: 138
     Logical Interface Index Extension TLV #4, length 4, value: 358
     Logical Unit Number Extension TLV #5, length 4, value: 10
   -----original packet-----
   PFE proto 2 (ipv4): (tos 0xc0, ttl   1, id 33643, offset 0, flags [none], proto: TCP (6), length: 111) 10.0.10.7.179 > 10.0.10.1.63117: P 1:60(59) ack 60 win 16384 <nop,nop,timestamp 250748879 250748875>: BGP, length: 59
   Open Message (1), length: 59
     Version 4, my AS 77, Holdtime 90s, ID 7.7.7.7
     Optional parameters, length: 30
       Option Capabilities Advertisement (2), length: 6
         Multiprotocol Extensions (1), length: 4
      AFI IPv4 (1), SAFI Unicast (1)
      0x0000: 0001 0001
       Option Capabilities Advertisement (2), length: 2
         Route Refresh (Cisco) (128), length: 0
       Option Capabilities Advertisement (2), length: 2
         Route Refresh (2), length: 0
       Option Capabilities Advertisement (2), length: 4
         Graceful Restart (64), length: 2
      Restart Flags: [none], Restart Time 120s
      0x0000: 0078
       Option Capabilities Advertisement (2), length: 6
         32-Bit AS Number (65), length: 4
       4 Byte AS 77
      0x0000: 0000 004d
...


Debug OSPF packets in Junos


Code:
admin@vMX-TEST> monitor traffic interface ge-0/0/1.10 no-resolve extensive matching "ip proto 89"
Address resolution is OFF.
Listening on ge-0/0/1.10, capture size 1514 bytes


22:14:00.345300  In
   Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 22
     Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
     Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
     Device Interface Index Extension TLV #1, length 2, value: 138
     Logical Interface Index Extension TLV #4, length 4, value: 358
     Logical Unit Number Extension TLV #5, length 4, value: 10
   -----original packet-----
   PFE proto 2 (ipv4): (tos 0xc0, ttl   1, id 33869, offset 0, flags [none], proto: OSPF (89), length: 80) 10.0.10.2 > 224.0.0.5: OSPFv2, Hello, length 60 [len 48]
   Router-ID 2.2.2.2, Backbone Area, Authentication Type: none (0)
   Options [External, LLS]
     Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 128
     Designated Router 10.0.10.2, Backup Designated Router 10.0.10.1
     Neighbor List:
       1.1.1.1
     LLS: checksum: 0xfff6, length: 3
       Extended Options (1), length: 4
         Options: 0x00000001 [LSDB resync]


Junos: Capture Routing Engine traffic and write to a pcap file on disk


(hidden command)
Code:
admin@vMX-TEST> monitor traffic interface ge-0/0/1.10 no-resolve write-file ospf.pcap matching "ip proto 89" size 1514
Address resolution is OFF.
Listening on ge-0/0/1.10, capture size 1514 bytes

Junos: Read pcap packet capture from disk


(hidden command)
Code:
admin@vMX-TEST> monitor traffic read-file ospf.pcap
Reverse lookup for 224.0.0.5 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

20:57:56.316083  In IP 10.0.10.2 > 224.0.0.5: OSPFv2, Hello, length 60
20:57:58.234904 Out IP 10.0.10.1 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:05.804872 Out IP 10.0.10.1 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:06.165673  In IP 10.0.10.2 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:15.054779 Out IP 10.0.10.1 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:15.186125  In IP 10.0.10.2 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:22.764749 Out IP 10.0.10.1 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:24.895841  In IP 10.0.10.2 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:31.014626 Out IP 10.0.10.1 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:34.826241  In IP 10.0.10.2 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:38.634545 Out IP 10.0.10.1 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:43.055461  In IP 10.0.10.2 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:48.594497 Out IP 10.0.10.1 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:52.085253  In IP 10.0.10.2 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:56.964437 Out IP 10.0.10.1 > 224.0.0.5: OSPFv2, Hello, length 60
20:59:00.926609  In IP 10.0.10.2 > 224.0.0.5: OSPFv2, Hello, length 60

The same options apply to the monitor traffic command whether traffic is captured live or a packet capture (pcap) is read from disk:
Code:
admin@vMX-TEST> monitor traffic read-file ospf.pcap ?
Possible completions:
  <[Enter]>            Execute this command
  absolute-sequence    Display absolute TCP sequence numbers
  brief                Display brief output
  count                Number of packets to receive (0..1000000 packets)
  detail               Display detailed output
  extensive            Display extensive output
  interface            Name of interface
  layer2-headers       Display link-level header on each dump line
  matching             Expression for headers of receive packets to match
  no-domain-names      Don't display domain portion of hostnames
  no-promiscuous       Don't put interface into promiscuous mode
  no-resolve           Don't attempt to print addresses symbolically
  no-timestamp         Don't print timestamp on each dump line
  print-ascii          Display packets in ASCII when displaying in hexadecimal format
  print-hex            Display packets in hexadecimal format
  resolve-timeout      Period of time to wait for each name resolution (1..4294967295 seconds)
  size                 Amount of each packet to receive (bytes)





xpiriasoni
Post subject: Re: Junos & Tcpdump: How to capture traffic on physical interface  |  Posted: Mon Mar 30, 2015 6:42 am

Joined: Mon Mar 30, 2015 6:37 am
Posts: 1

OK, I understand what you are saying, but I think there should be more comments about the topic started initially. Thanks

_________________
card games


admin
Post subject: Re: Junos & Tcpdump: How to capture traffic on physical interface  |  Posted: Mon Mar 30, 2015 6:54 am
Site Admin

Joined: Mon Aug 03, 2009 8:43 am
Posts: 104

xpiriasoni wrote:
OK, I understand what you are saying, but I think there should be more comments about the topic started initially. Thanks

Hi, can you elaborate please?

_________________
VPSie - SSD VPS servers in AMS-IX, LINX, DE-CIX
https://vpsie.com

