- monitor traffic
- <brief | detail | extensive>
- <absolute-sequence>
- <count count>
- <interface interface-name>
- <layer2-headers>
- <matching matching>
- <no-domain-names>
- <no-promiscuous>
- <no-resolve>
- <no-timestamp>
- <print-ascii>
- <print-hex>
- <size size>
Display packet headers transmitted through network interfaces sent from or received by the Routing Engine.
Note: Using the monitor traffic command can degrade router performance. Not including options, such as count or a matching expression, can slow packet throughput on your router.
none — (Optional) Display all packet headers transmitted through all network interfaces sent from or received by the Routing Engine.
brief | detail | extensive — (Optional) Display the specified level of output.
absolute-sequence — (Optional) Display absolute TCP sequence numbers.
count count — (Optional) Specify the number of packet headers to display (0 through 1,000,000). The monitor traffic command quits automatically after displaying the number of packets specified.
interface interface-name — (Optional) Specify the interface on which the monitor traffic command displays packet data. If no interface is specified, the monitor traffic command displays packet data arriving on the lowest-numbered interface.
layer2-headers — (Optional) Display the link-level header on each line.
matching matching — (Optional) Display packet headers that match a regular expression. Use matching expressions to define the level of detail with which the monitor traffic command filters and displays packet data.
no-domain-names — (Optional) Suppress the display of the domain portion of hostnames. With the no-domain-names option enabled, the monitor traffic command displays only team for the hostname team.company.net.
no-promiscuous — (Optional) Do not put the interface into promiscuous mode.
no-resolve — (Optional) Suppress symbolic addressing.
no-timestamp — (Optional) Suppress timestamps on displayed packets.
print-ascii — (Optional) Display each packet in ASCII format.
print-hex — (Optional) Display each packet, except the link-level header, in hexadecimal format.
size size — (Optional) Receive the specified number of bytes for each packet. The default size is 68 bytes and is adequate for capturing IP, ICMP, UDP, and TCP packet data. The monitor traffic command truncates displayed packets if the matched data exceeds the configured size.
In the monitor traffic command, you can specify an expression to match by using the matching option and including the expression in quotation marks:
- monitor traffic matching "expression"
Replace expression with one or more of the match conditions listed in the table "Match Conditions for the monitor traffic Command."
Table: Match Conditions for the monitor traffic Command

| Match Type | Condition | Description |
|---|---|---|
| Entity | host [address \| hostname] | Matches packets that contain the specified address or hostname. The host match condition can be prepended with the protocol match conditions arp, ip, or rarp, or any of the directional match conditions. |
| | network address | Matches packets with source or destination addresses containing the specified network number. |
| | network address mask mask | Matches packets containing the specified network address and subnet mask. |
| | port [port-number \| port-name] | Matches packets containing the specified source or destination TCP or UDP port number or port name. In place of the numeric port address, you can specify a text synonym, such as bgp (179), dhcp (67), or domain (53) (the port numbers are also listed). |
| Directional | dst | Matches packets going to the specified destination. This match condition can be prepended to any of the entity type match conditions. |
| | src | Matches packets from a specified source. This match condition can be prepended to any of the entity type match conditions. |
| | src and dst | Matches packets that contain the specified source and destination addresses. This match condition can be prepended to any of the entity type match conditions. |
| | src or dst | Matches packets containing either of the specified addresses. This match condition can be prepended to any of the entity type match conditions. |
| Packet Length | less value | Matches packets shorter than or equal to the specified value, in bytes. |
| | greater value | Matches packets longer than or equal to the specified value, in bytes. |
| Protocol | arp | Matches all ARP packets. |
| | ether | Matches all Ethernet packets. |
| | ether [broadcast \| multicast] | Matches broadcast or multicast Ethernet frames. This match condition can be prepended with src and dst. |
| | ether protocol [address \| (arp \| ip \| rarp)] | Matches packets with the specified Ethernet address or Ethernet packets of the specified protocol type. The ether protocol arguments arp, ip, and rarp are also independent match conditions, so they must be preceded by a backslash (\) when used in the ether protocol match condition. |
| | icmp | Matches all ICMP packets. |
| | ip | Matches all IP packets. |
| | ip [broadcast \| multicast] | Matches broadcast or multicast IP packets. |
| | ip protocol [address \| (icmp \| igrp \| tcp \| udp)] | Matches packets with the specified address or protocol type. The ip protocol arguments icmp, tcp, and udp are also independent match conditions, so they must be preceded by a backslash (\) when used in the ip protocol match condition. |
| | isis | Matches all IS-IS routing messages. |
| | rarp | Matches all RARP packets. |
| | tcp | Matches all TCP datagrams. |
| | udp | Matches all UDP datagrams. |

To combine expressions, use the logical operators listed in the table "Logical Operators for the monitor traffic Command."
Table: Logical Operators for the monitor traffic Command

| Logical Operator (Highest to Lowest Precedence) | Description |
|---|---|
| ! | Logical NOT. If the first condition does not match, the next condition is evaluated. |
| && | Logical AND. If the first condition matches, the next condition is evaluated. If the first condition does not match, the next condition is skipped. |
| \|\| | Logical OR. If the first condition matches, the next condition is skipped. If the first condition does not match, the next condition is evaluated. |
| ( ) | Group operators to override default precedence order. Parentheses are special characters, each of which must be preceded by a backslash (\). |

You can use relational operators to compare arithmetic expressions composed of integer constants, binary operators, a length operator, and special packet data accessors. The arithmetic expression matching condition uses the following syntax:
- monitor traffic matching "arithmetic_expression relational_operator arithmetic_expression"
The packet data accessor uses the following syntax:
- protocol [byte-offset <size>]
The optional size field represents the number of bytes examined in the packet header. The available values are 1, 2, or 4 bytes.
The following sample command captures all multicast traffic:
- user@host> monitor traffic matching "ether[0] & 1 != 0"
To specify match conditions that have a numeric value, use the arithmetic and relational operators listed in the table "Arithmetic and Relational Operators for the monitor traffic Command."
Note: Because the Packet Forwarding Engine removes Layer 2 header information before sending packets to the Routing Engine, the monitor traffic command cannot apply match conditions to inbound traffic.
Table: Arithmetic and Relational Operators for the monitor traffic Command

| Arithmetic or Relational Operator | Description |
|---|---|
| Arithmetic Operator | |
| + | Addition operator. |
| - | Subtraction operator. |
| / | Division operator. |
| & | Bitwise AND. |
| * | Bitwise exclusive OR. |
| \| | Bitwise inclusive OR. |
| Relational Operator (Highest to Lowest Precedence) | |
| <= | If the first expression is less than or equal to the second, the packet matches. |
| >= | If the first expression is greater than or equal to the second, the packet matches. |
| < | If the first expression is less than the second, the packet matches. |
| > | If the first expression is greater than the second, the packet matches. |
| = | If the compared expressions are equal, the packet matches. |
| != | If the compared expressions are unequal, the packet matches. |

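The multicast sample expression above, `ether[0] & 1 != 0`, worked through in Python as an added example (not Junos code and not part of the original documentation). It models the packet data accessor with its 1, 2, or 4 byte size and shows that a broadcast destination also has the tested bit set. The frames are constructed, and reading multi-byte values in network byte order is an assumption of this sketch.

```python
def accessor(data: bytes, offset: int, size: int = 1) -> int:
    """Model of protocol[byte-offset <size>]: read size bytes at byte-offset.

    Assumption: multi-byte values are interpreted in network (big-endian) order.
    """
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2, or 4 bytes")
    if offset < 0 or offset + size > len(data):
        # The captured length (the size option) bounds what can be examined.
        raise IndexError("accessor reads past the captured bytes")
    return int.from_bytes(data[offset:offset + size], "big")


def matches_group_bit(frame: bytes) -> bool:
    """ether[0] & 1 != 0: low-order bit of the first destination octet."""
    return (accessor(frame, 0) & 1) != 0


def build_header(dst: str, src: str, ethertype: int) -> bytes:
    """Build a 14-byte Ethernet header: destination, source, type."""
    def to_bytes(mac: str) -> bytes:
        return bytes(int(part, 16) for part in mac.split(":"))
    return to_bytes(dst) + to_bytes(src) + ethertype.to_bytes(2, "big")


# Constructed headers; the addresses are sample values for this example.
FRAMES = {
    "unicast": build_header("00:e0:1e:42:9c:e0", "00:e0:1e:42:9c:e1", 0x0800),
    "multicast": build_header("01:00:5e:00:00:05", "00:e0:1e:42:9c:e1", 0x0800),
    "broadcast": build_header("ff:ff:ff:ff:ff:ff", "00:e0:1e:42:9c:e1", 0x0806),
}


def classify(frames: dict) -> dict:
    """Apply the sample expression to every header."""
    return {name: matches_group_bit(frame) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, hit in classify(FRAMES).items():
        print(f"{name:10s} matches ether[0] & 1 != 0: {hit}")
```
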
Required privilege level: trace and maintenance
When you enter this command, you are provided feedback on the status of your request.
```
user@host> monitor traffic count 2
listening on fxp0
04:35:49.814125 In my-server.home.net.1295 > my-server.work.net.telnet: . ack 4122529478 win 16798 (DF)
04:35:49.814185 Out my-server.work.net.telnet > my-server.home.net.1295: P 1:38(37) ack 0 win 17680 (DF) [tos 0x10]
```
```
user@host> monitor traffic detail count 2
listening on fxp0
04:38:16.265864 In my-server.home.net.1295 > my-server.work.net.telnet: . ack 4122529971 win 17678 (DF) (ttl 121, id 6812)
04:38:16.265926 Out my-server.work.net.telnet.telnet > my-server.home.net.1295: P 1:38(37) ack 0 win 17680 (DF) [tos 0x10] (ttl 6)
```
```
user@host> monitor traffic extensive no-domain-names no-resolve no-timestamp count 20 matching "tcp" absolute-sequence
listening on fxp0
In 207.17.136.193.179 > 192.168.4.227.1024: . 4042780859:4042780859(0) ack 1845421797 win 16384[tos 0xc0] (ttl )
In 207.17.136.193.179 > 192.168.4.227.1024: P 4042780859:4042780912(53) ack 1845421797 win 16384 : BGP [|BGP UPDAT)
In 192.168.4.227.1024 > 207.17.136.193.179: P 1845421797:1845421852(55) ack 4042780912 win 16384 : BGP [|BGP UPDAT)
...
```
```
user@host> monitor traffic extensive no-domain-names no-resolve no-timestamp count 20 matching "tcp"
listening on fxp0
In 172.24.248.221.1680 > 192.168.4.210.23: . 396159737:396159737(0) ack 1664980689 win 17574 (DF) (ttl 121, id 50003)
Out 192.168.4.210.23 > 172.24.248.221.1680: P 1:40(39) ack 0 win 17680 (DF) [tos 0x10] (ttl 64, id 5394)
In 207.17.136.193.179 > 192.168.4.227.1024: P 4042775817:4042775874(57) ack 1845416593 win 16384: BGP [|BGP UPDAT)
...
```
```
user@host> monitor traffic extensive count 5 no-domain-names no-resolve
listening on fxp0
13:18:17.406933 In 192.168.4.206.2723610880 > 172.17.28.8.2049: 40 null (ttl 64, id 38367)
13:18:17.407577 In 172.17.28.8.2049 > 192.168.4.206.2723610880: reply ok 28 null (ttl 61, id 35495)
13:18:17.541140 In 0:e0:1e:42:9c:e0 0:e0:1e:42:9c:e0 9000 60: 0000 0100 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
13:18:17.591513 In 172.24.248.156.4139 > 192.168.4.210.23: . 3556964918:3556964918(0) ack 295526518 win 17601 (DF) (ttl 121, id 14)
13:18:17.591568 Out 192.168.4.210.23 > 172.24.248.156.4139: P 1:40(39) ack 0 win 17680 (DF) [tos 0x10] (ttl 64, id 52376)
```
```
user@host> monitor traffic interface fxp0
listening on fxp0.0
18:17:28.800650 In server.home.net.723 > host1-0.lab.home.net.log
18:17:28.800733 Out host2-0.lab.home.net.login > server.home.net.7
18:17:28.817813 In host30.lab.home.net.syslog > host40.home0
18:17:28.817846 In host30.lab.home.net.syslog > host40.home0
...
```
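Several of the samples above show sessions to port 23 on the Routing Engine. The following added example (not part of the original documentation) parses no-resolve output lines and lists the remote peers of such sessions. The regular expression, the function names, and the choice of port 23 as the cleartext management port to flag are assumptions of this sketch. The input lines are copied from the samples on this page, with the hex dump shortened.

```python
import re

# Lines copied from this page's no-resolve sample output (hex dump shortened).
SAMPLE = """\
listening on fxp0
In 172.24.248.221.1680 > 192.168.4.210.23: . 396159737:396159737(0) ack 1664980689 win 17574 (DF) (ttl 121, id 50003)
Out 192.168.4.210.23 > 172.24.248.221.1680: P 1:40(39) ack 0 win 17680 (DF) [tos 0x10] (ttl 64, id 5394)
In 207.17.136.193.179 > 192.168.4.227.1024: P 4042775817:4042775874(57) ack 1845416593 win 16384: BGP [|BGP UPDAT)
13:18:17.406933 In 192.168.4.206.2723610880 > 172.17.28.8.2049: 40 null (ttl 64, id 38367)
13:18:17.541140 In 0:e0:1e:42:9c:e0 0:e0:1e:42:9c:e0 9000 60: 0000 0100
13:18:17.591513 In 172.24.248.156.4139 > 192.168.4.210.23: . 3556964918:3556964918(0) ack 295526518 win 17601 (DF) (ttl 121, id 14)
""".splitlines()

# Optional timestamp, direction, then address.port > address.port:
LINE = re.compile(
    r"^(?:(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+)?(?P<dir>In|Out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)
CLEARTEXT_PORTS = {23}  # assumption: ports this check treats as cleartext management


def parse(line):
    """Return the flow fields of an IPv4 address.port line, or None."""
    m = LINE.match(line.strip())
    if not m:
        return None  # banner, link-level line, or resolved hostnames
    sport, dport = int(m["sport"]), int(m["dport"])
    if sport > 65535 or dport > 65535:
        return None  # trailing number is not a TCP/UDP port
    return {"ts": m["ts"], "dir": m["dir"],
            "src": m["src"], "sport": sport, "dst": m["dst"], "dport": dport}


def cleartext_mgmt_peers(lines):
    """Remote addresses seen talking to a cleartext port on the Routing Engine."""
    peers = set()
    for line in lines:
        flow = parse(line)
        if flow is None:
            continue
        if flow["dir"] == "In" and flow["dport"] in CLEARTEXT_PORTS:
            peers.add(flow["src"])
        elif flow["dir"] == "Out" and flow["sport"] in CLEARTEXT_PORTS:
            peers.add(flow["dst"])
    return sorted(peers)


if __name__ == "__main__":
    print(cleartext_mgmt_peers(SAMPLE))
```

The parser expects numeric addresses and ports, so capture with no-resolve before feeding output to it.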