Junos & Tcpdump: How to capture traffic on a physical interface
Junos has a nifty feature, monitor traffic interface, that captures ONLY traffic from and towards the Routing Engine (RE). It is tcpdump under the hood and supports many of tcpdump's powerful filters: protocol, source and destination host and port, as well as the ability to decode protocols like IS-IS, OSPF, BGP and IPv6 ICMPv6, and any other traffic that concerns the routing engine.
Transit traffic flowing through the Packet Forwarding Engine (PFE) / data plane cannot be captured with tcpdump on any Junos platform. It can be captured by other means, but the configuration needed depends on the platform in use; I will not chase this subject in this post.
Here are the options available for capturing traffic from/to the Routing Engine in Junos:
Code:
admin@vMX-TEST> monitor traffic interface ge-0/0/1.10 ?
Possible completions:
<[Enter]> Execute this command
absolute-sequence Display absolute TCP sequence numbers
brief Display brief output
count Number of packets to receive (0..1000000 packets)
detail Display detailed output
extensive Display extensive output
layer2-headers Display link-level header on each dump line
matching Expression for headers of receive packets to match
no-domain-names Don't display domain portion of hostnames
no-promiscuous Don't put interface into promiscuous mode
no-resolve Don't attempt to print addresses symbolically
no-timestamp Don't print timestamp on each dump line
print-ascii Display packets in ASCII when displaying in hexadecimal format
print-hex Display packets in hexadecimal format
resolve-timeout Period of time to wait for each name resolution (1..4294967295 seconds)
size Amount of each packet to receive (bytes)
| Pipe through a command
How to debug BGP TCP packets in Junos
Code:
admin@vMX-TEST> monitor traffic interface ge-0/0/1.10 no-resolve extensive matching "port 179"
Address resolution is OFF.
Listening on ge-0/0/1.10, capture size 1514 bytes
... after TCP 3way handshake...
22:09:45.346906 In
Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 22
Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
Device Interface Index Extension TLV #1, length 2, value: 138
Logical Interface Index Extension TLV #4, length 4, value: 358
Logical Unit Number Extension TLV #5, length 4, value: 10
-----original packet-----
PFE proto 2 (ipv4): (tos 0xc0, ttl 1, id 33643, offset 0, flags [none], proto: TCP (6), length: 111) 10.0.10.7.179 > 10.0.10.1.63117: P 1:60(59) ack 60 win 16384 <nop,nop,timestamp 250748879 250748875>: BGP, length: 59
Open Message (1), length: 59
Version 4, my AS 77, Holdtime 90s, ID 7.7.7.7
Optional parameters, length: 30
Option Capabilities Advertisement (2), length: 6
Multiprotocol Extensions (1), length: 4
AFI IPv4 (1), SAFI Unicast (1)
0x0000: 0001 0001
Option Capabilities Advertisement (2), length: 2
Route Refresh (Cisco) (128), length: 0
Option Capabilities Advertisement (2), length: 2
Route Refresh (2), length: 0
Option Capabilities Advertisement (2), length: 4
Graceful Restart (64), length: 2
Restart Flags: [none], Restart Time 120s
0x0000: 0078
Option Capabilities Advertisement (2), length: 6
32-Bit AS Number (65), length: 4
4 Byte AS 77
0x0000: 0000 004d
...
Debug OSPF packets in Junos
Code:
admin@vMX-TEST> monitor traffic interface ge-0/0/1.10 no-resolve extensive matching "ip proto 89"
Address resolution is OFF.
Listening on ge-0/0/1.10, capture size 1514 bytes
22:14:00.345300 In
Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 22
Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
Device Interface Index Extension TLV #1, length 2, value: 138
Logical Interface Index Extension TLV #4, length 4, value: 358
Logical Unit Number Extension TLV #5, length 4, value: 10
-----original packet-----
PFE proto 2 (ipv4): (tos 0xc0, ttl 1, id 33869, offset 0, flags [none], proto: OSPF (89), length: 80) 10.0.10.2 > 224.0.0.5: OSPFv2, Hello, length 60 [len 48]
Router-ID 2.2.2.2, Backbone Area, Authentication Type: none (0)
Options [External, LLS]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 128
Designated Router 10.0.10.2, Backup Designated Router 10.0.10.1
Neighbor List:
1.1.1.1
LLS: checksum: 0xfff6, length: 3
Extended Options (1), length: 4
Options: 0x00000001 [LSDB resync]
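To show what the extensive BGP and OSPF decodes above correspond to on the wire, here is an added offline decoder (example code, not Junos or tcpdump code) for the two packet types the two captures contain: an OSPFv2 Hello and a BGP OPEN. It works on raw IPv4 packets, so frames taken from a write-file pcap must have their link-layer header stripped first (an assumption); the sample packets are constructed inline to mirror the values in the captures above, and the check for Hellos with Authentication Type none (0) is the defender's finding the OSPF capture hints at.

```python
# Offline decoder for the two packet types the post captures on the RE (OSPFv2 Hello,
# BGP OPEN) plus a check for Hellos sent with Authentication Type none. Added example,
# not Junos/tcpdump code; the sample packets below are constructed to mirror the post.
import struct
from ipaddress import IPv4Address as A

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4                  # IHL in bytes
    return pkt[9], str(A(pkt[12:16])), str(A(pkt[16:20])), pkt[ihl:]

def parse_ospf_hello(p):
    # OSPFv2 header: ver, type, length, router ID, area, checksum, auth type, 8 auth bytes
    ver, typ, length, rid, _area, _csum, autype = struct.unpack("!BBHIIHH", p[:16])
    if ver != 2 or typ != 1:                   # type 1 = Hello
        return None
    mask, hello, _opts, prio, dead, dr, bdr = struct.unpack("!IHBBIII", p[24:44])
    nbrs = [str(A(p[i:i + 4])) for i in range(44, length, 4)]   # LLS block past 'length' is ignored
    return {"router_id": str(A(rid)), "auth_type": autype, "hello": hello, "dead": dead,
            "priority": prio, "dr": str(A(dr)), "bdr": str(A(bdr)), "neighbors": nbrs}

def parse_bgp_open(p):
    # BGP header: 16-byte marker, length, type (1 = OPEN); OPEN body: version, AS, holdtime, ID
    if len(p) < 28 or p[18] != 1:
        return None
    ver, asn, hold, bgp_id = struct.unpack("!BHHI", p[19:28])
    return {"version": ver, "as": asn, "holdtime": hold, "id": str(A(bgp_id))}

def decode(pkt):
    """Return ('ospf-hello' | 'bgp-open', fields) for a raw IPv4 packet, else (None, None)."""
    proto, src, dst, l4 = parse_ipv4(pkt)
    if proto == 89 and (h := parse_ospf_hello(l4)):
        return "ospf-hello", dict(h, src=src, dst=dst)
    if proto == 6 and len(l4) >= 20 and 179 in struct.unpack("!HH", l4[:4]):
        doff = (l4[12] >> 4) * 4               # TCP data offset skips options like nop,nop,timestamp
        if o := parse_bgp_open(l4[doff:]):
            return "bgp-open", dict(o, src=src, dst=dst)
    return None, None

def unauthenticated_ospf(pkts):
    # Router IDs sending Hellos with auth type 0, the 'Authentication Type: none (0)' in the post
    return sorted({f["router_id"] for k, f in map(decode, pkts) if k == "ospf-hello" and f["auth_type"] == 0})

def ipv4(proto, src, dst, payload):           # constructed sample builder; checksums left at zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(payload), 0, 0, 1, proto, 0,
                       A(src).packed, A(dst).packed) + payload

HELLO = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x12, 128, 40, int(A("10.0.10.2")), int(A("10.0.10.1"))) + A("1.1.1.1").packed
OSPF_PKT = ipv4(89, "10.0.10.2", "224.0.0.5",
                struct.pack("!BBHIIHH8s", 2, 1, 24 + len(HELLO), int(A("2.2.2.2")), 0, 0, 0, bytes(8)) + HELLO)
OPEN = b"\xff" * 16 + struct.pack("!HBBHHIB", 29, 1, 4, 77, 90, int(A("7.7.7.7")), 0)  # no optional params
BGP_PKT = ipv4(6, "10.0.10.7", "10.0.10.1", struct.pack("!HHIIBBHHH", 179, 63117, 1, 60, 5 << 4, 0x18, 16384, 0, 0) + OPEN)
```

decode(OSPF_PKT) yields the Router-ID 2.2.2.2, 10s/40s timers, DR/BDR and neighbor 1.1.1.1 seen in the OSPF capture, and unauthenticated_ospf([OSPF_PKT]) flags that router because the Hello carries no authentication.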
Junos: Capture Routing Engine traffic and write to a pcap file on disk
(hidden command)
Code:
admin@vMX-TEST> monitor traffic interface ge-0/0/1.10 no-resolve write-file ospf.pcap matching "ip proto 89" size 1514
Address resolution is OFF.
Listening on ge-0/0/1.10, capture size 1514 bytes
Junos: Read pcap packet capture from disk
(Hidden command)
Code:
admin@vMX-TEST> monitor traffic read-file ospf.pcap
Reverse lookup for 224.0.0.5 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
20:57:56.316083 In IP 10.0.10.2 > 224.0.0.5: OSPFv2, Hello, length 60
20:57:58.234904 Out IP 10.0.10.1 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:05.804872 Out IP 10.0.10.1 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:06.165673 In IP 10.0.10.2 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:15.054779 Out IP 10.0.10.1 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:15.186125 In IP 10.0.10.2 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:22.764749 Out IP 10.0.10.1 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:24.895841 In IP 10.0.10.2 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:31.014626 Out IP 10.0.10.1 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:34.826241 In IP 10.0.10.2 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:38.634545 Out IP 10.0.10.1 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:43.055461 In IP 10.0.10.2 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:48.594497 Out IP 10.0.10.1 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:52.085253 In IP 10.0.10.2 > 224.0.0.5: OSPFv2, Hello, length 60
20:58:56.964437 Out IP 10.0.10.1 > 224.0.0.5: OSPFv2, Hello, length 60
20:59:00.926609 In IP 10.0.10.2 > 224.0.0.5: OSPFv2, Hello, length 60
The same options apply to the monitor traffic command whether traffic is captured live or a packet capture (pcap) is read from disk:
Code:
admin@vMX-TEST> monitor traffic read-file ospf.pcap ?
Possible completions:
<[Enter]> Execute this command
absolute-sequence Display absolute TCP sequence numbers
brief Display brief output
count Number of packets to receive (0..1000000 packets)
detail Display detailed output
extensive Display extensive output
interface Name of interface
layer2-headers Display link-level header on each dump line
matching Expression for headers of receive packets to match
no-domain-names Don't display domain portion of hostnames
no-promiscuous Don't put interface into promiscuous mode
no-resolve Don't attempt to print addresses symbolically
no-timestamp Don't print timestamp on each dump line
print-ascii Display packets in ASCII when displaying in hexadecimal format
print-hex Display packets in hexadecimal format
resolve-timeout Period of time to wait for each name resolution (1..4294967295 seconds)
size Amount of each packet to receive (bytes)