monitor traffic

 

Syntax

Release Information

Command introduced before Junos OS Release 7.4.

Command introduced in Junos OS Release 9.0 for EX Series switches.

Command introduced in Junos OS Release 11.1 for the QFX Series.

Command introduced in Junos OS Release 14.1X53-D20 for the OCX Series.

Options read-file and write-file introduced in Junos OS Release 19.1R1.

Description

Display packet headers or packets received and sent from the Routing Engine.

Note
  • Using the monitor traffic command can degrade router or switch performance.

  • Delays from DNS resolution can be eliminated by using the no-resolve option.

Note

This command is not supported on the QFabric system.

Note

In Junos OS Evolved, if you modify an interface that you are monitoring with the monitor traffic interface command, the monitoring session ends with the message: pcap_loop: read: Device not configured. To continue monitoring the interface, rerun the monitor traffic interface command. However, if the monitored interface is removed, the command session continues, but there will be no packets or errors reported.

Options

none
    (Optional) Display packet headers transmitted through fxp0. On a TX Matrix Plus router, display packet headers transmitted through em0.

brief | detail | extensive
    (Optional) Display the specified level of output.

absolute-sequence
    (Optional) Display absolute TCP sequence numbers.

count count
    (Optional) Specify the number of packet headers to display (0 through 1,000,000). The monitor traffic command quits automatically after displaying the number of packets specified.

interface interface-name
    (Optional) Specify the interface on which the monitor traffic command displays packet data. If no interface is specified, the monitor traffic command displays packet data arriving on the lowest-numbered interface.

layer2-headers
    (Optional) Display the link-level header on each line.

matching matching
    (Optional) Display packet headers that match a regular expression. Use matching expressions to define the level of detail with which the monitor traffic command filters and displays packet data.

no-domain-names
    (Optional) Suppress the display of the domain portion of hostnames. With the no-domain-names option enabled, the monitor traffic command displays only team for the hostname team.company.net.

no-promiscuous
    (Optional) Do not put the interface into promiscuous mode.

no-resolve
    (Optional) Suppress reverse lookup of the IP addresses.

no-timestamp
    (Optional) Suppress timestamps on displayed packets.

print-ascii
    (Optional) Display each packet in ASCII format.

print-hex
    (Optional) Display each packet, except the link-level header, in hexadecimal format.

read-file filename
    Read packets from the file specified.

resolve-timeout timeout
    (Optional) Amount of time the router or switch waits for each reverse lookup before timing out. You can set the timeout for 1 through 4,294,967,295 seconds. The default is 4 seconds. To display each packet, use the print-ascii, print-hex, or extensive option.

size size
    (Optional) Read but do not display up to the specified number of bytes for each packet. When set to brief output, the default packet size is 96 bytes and is adequate for capturing IP, ICMP, UDP, and TCP packet data. When set to detail and extensive output, the default packet size is 1514. The monitor traffic command truncates displayed packets if the matched data exceeds the configured size.

write-file filename
    Write packets to the file specified.

Additional Information

In the monitor traffic command, you can specify an expression to match by using the matching option and including the expression in quotation marks:

Replace expression with one or more of the match conditions listed in Table 1.

Table 1: Match Conditions for the monitor traffic Command

Match Type
  Condition
    Description

Entity

  host [address | hostname]
    Matches packets that contain the specified address or hostname.
    The protocol match conditions arp, ip, or rarp, or any of the directional match conditions can be prepended to the host match condition.

  net address
    Matches packets with source or destination addresses containing the specified network address.

  net address mask mask
    Matches packets containing the specified network address and subnet mask.

  port (port-number | port-name)
    Matches packets containing the specified source or destination TCP or UDP port number or port name.
    In place of the numeric port address, you can specify a text synonym, such as bgp (179), dhcp (67), or domain (53) (the port numbers are also listed).

Directional

  dst
    Matches packets going to the specified destination. This match condition can be prepended to any of the entity type match conditions.

  src
    Matches packets from a specified source. This match condition can be prepended to any of the entity type match conditions.

  src and dst
    Matches packets that contain the specified source and destination addresses. This match condition can be prepended to any of the entity type match conditions.

  src or dst
    Matches packets containing either of the specified addresses. This match condition can be prepended to any of the entity type match conditions.

Packet Length

  less value
    Matches packets shorter than or equal to the specified value, in bytes.

  greater value
    Matches packets longer than or equal to the specified value, in bytes.

Protocol

  amt
    Matches all AMT packets. Use the extensive level of output to decode the inner IGMP packets in addition to the AMT outer packet.

  arp
    Matches all ARP packets.

  ether
    Matches all Ethernet packets.

  ether (broadcast | multicast)
    Matches broadcast or multicast Ethernet frames. This match condition can be prepended with src and dst.

  ether protocol (address | (arp | ip | rarp))
    Matches packets with the specified Ethernet address or Ethernet packets of the specified protocol type. The ether protocol arguments arp, ip, and rarp are also independent match conditions, so they must be preceded by a backslash (\) when used in the ether protocol match condition.

  icmp
    Matches all ICMP packets.

  ip
    Matches all IP packets.

  ip (broadcast | multicast)
    Matches broadcast or multicast IP packets.

  ip protocol (address | (icmp | igrp | tcp | udp))
    Matches packets with the specified address or protocol type. The ip protocol arguments icmp, tcp, and udp are also independent match conditions, so they must be preceded by a backslash (\) when used in the ip protocol match condition.

  isis
    Matches all IS-IS routing messages.

  proto ip-protocol-number
    Matches packets whose headers contain the specified IP protocol number.

  rarp
    Matches all RARP packets.

  tcp
    Matches all TCP datagrams.

  udp
    Matches all UDP datagrams.

To combine expressions, use the logical operators listed in Table 2.

Table 2: Logical Operators for the monitor traffic Command

Logical Operator (Highest to Lowest Precedence)
    Description

!
    Logical NOT. If the first condition does not match, the next condition is evaluated.

&&
    Logical AND. If the first condition matches, the next condition is evaluated. If the first condition does not match, the next condition is skipped.

||
    Logical OR. If the first condition matches, the next condition is skipped. If the first condition does not match, the next condition is evaluated.

( )
    Group operators to override default precedence order. Parentheses are special characters, each of which must be preceded by a backslash (\).

You can use relational operators to compare arithmetic expressions composed of integer constants, binary operators, a length operator, and special packet data accessors. The arithmetic expression matching condition uses the following syntax:

The packet data accessor uses the following syntax:

The optional size field represents the number of bytes examined in the packet header. The available values are 1, 2, or 4 bytes. The following sample command captures all multicast traffic:

To specify match conditions that have a numeric value, use the arithmetic and relational operators listed in Table 3.

Note

Because the Packet Forwarding Engine removes Layer 2 header information before sending packets to the Routing Engine:

  • The monitor traffic command cannot apply match conditions to inbound traffic.

  • The monitor traffic interface command also cannot apply match conditions to Layer 3 and Layer 4 packet data, so the match pipe option (| match) does not work for Layer 3 and Layer 4 packets with this command either. Therefore, ensure that you specify match conditions as described in this command summary. For more information about match conditions, see Table 1.

  • The 802.1Q VLAN tag information included in the Layer 2 header is removed from all inbound traffic packets. Because the monitor traffic interface ae[x] command for aggregated Ethernet interfaces (such as ) only shows inbound traffic data, the command does not show VLAN tag information in the output.

Table 3: Arithmetic and Relational Operators for the monitor traffic Command

Arithmetic or Relational Operator
    Description

Arithmetic Operator

  +
    Addition operator.

  -
    Subtraction operator.

  /
    Division operator.

  &
    Bitwise AND.

  *
    Bitwise exclusive OR.

  |
    Bitwise inclusive OR.

Relational Operator (Highest to Lowest Precedence)

  <=
    If the first expression is less than or equal to the second, the packet matches.

  >=
    If the first expression is greater than or equal to the second, the packet matches.

  <
    If the first expression is less than the second, the packet matches.

  >
    If the first expression is greater than the second, the packet matches.

  =
    If the compared expressions are equal, the packet matches.

  !=
    If the compared expressions are unequal, the packet matches.
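
The following Python model is an added example, not part of the Junos documentation. It shows how a packet data accessor with a 1-, 2-, or 4-byte size is evaluated and then tested with the bitwise and relational operators from Table 3. It assumes the pcap-filter form proto[offset:size] with big-endian reads; the frames, function names, and the two modeled expressions are constructed for illustration.

```python
import struct

class NoMatch(Exception):
    """The packet lacks the header or bytes that the accessor refers to."""

def build_frame(dst_mac: str, dst_ip: str, ip_proto: int, l4: bytes) -> bytes:
    """Constructed Ethernet II + IPv4 (IHL 5) frame; checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, ip_proto, 0,
                     bytes([192, 168, 1, 1]), bytes(map(int, dst_ip.split("."))))
    return bytes.fromhex(dst_mac + "020000000001" + "0800") + ip + l4

def header_offset(frame: bytes, proto: str) -> int:
    """Offset in the frame at which the named protocol header begins."""
    if proto == "ether":
        return 0
    if frame[12:14] != b"\x08\x00":
        raise NoMatch("frame does not carry IPv4")
    if proto == "ip":
        return 14
    if frame[14 + 9] != {"icmp": 1, "tcp": 6, "udp": 17}[proto]:
        raise NoMatch("packet does not carry " + proto)
    return 14 + (frame[14] & 0x0F) * 4      # skip IPv4 header, options included

def accessor(frame: bytes, proto: str, offset: int, size: int = 1) -> int:
    """Model of proto[offset:size]: read 1, 2, or 4 bytes as a big-endian integer."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2, or 4 bytes")
    start = header_offset(frame, proto) + offset
    if start + size > len(frame):
        raise NoMatch("accessor reads past the end of the packet")
    return int.from_bytes(frame[start:start + size], "big")

def matches(frame: bytes, test) -> bool:
    """A packet without the header or bytes an accessor needs does not match."""
    try:
        return bool(test(frame))
    except NoMatch:
        return False

# Models of two arithmetic expressions (assumed pcap-style spelling in comments).
def l2_multicast(f):      # ether[0] & 1 != 0       (group bit of destination MAC)
    return (accessor(f, "ether", 0) & 1) != 0

def tcp_syn_only(f):      # tcp[13] & 0x12 = 0x02   (SYN set, ACK clear)
    return (accessor(f, "tcp", 13) & 0x12) == 0x02

# Constructed samples: a TCP SYN to port 179 and an IP protocol 89 multicast packet.
SYN = build_frame("020000000002", "192.168.1.2", 6,
                  struct.pack("!HHIIBBHHH", 49152, 179, 1000, 0, 0x50, 0x02, 65535, 0, 0))
MCAST = build_frame("01005e000005", "224.0.0.5", 89, bytes(24))
```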

Required Privilege Level

trace

maintenance

Output Fields

When you enter this command, you are provided feedback on the status of your request.

Sample Output

monitor traffic count

user@host> monitor traffic count 2

monitor traffic detail count

user@host> monitor traffic detail count 2

monitor traffic extensive (Absolute Sequence)

user@host> monitor traffic extensive no-domain-names no-resolve no-timestamp count 20 matching "tcp" absolute-sequence

monitor traffic extensive (Relative Sequence)

user@host> monitor traffic extensive no-domain-names no-resolve no-timestamp count 20 matching "tcp"

monitor traffic extensive count

user@host> monitor traffic extensive count 5 no-domain-names no-resolve

monitor traffic interface

user@host> monitor traffic interface fxp0

monitor traffic matching

user@host> monitor traffic matching "net 192.168.1.0/24"

monitor traffic (TX Matrix Plus Router)

user@host> monitor traffic

monitor traffic (QFX3500 Switch)

user@switch> monitor traffic

monitor traffic matching icmp

user@host> monitor traffic matching "icmp" no-resolve

monitor traffic matching IP protocol number

user@host> monitor traffic matching "proto 89" no-resolve

monitor traffic matching arp

user@host> monitor traffic matching "arp" no-resolve

monitor traffic matching port

user@host> monitor traffic matching "port 22" no-resolve

monitor traffic read-file

user@host> monitor traffic read-file tcpdump_20_7_18.pcap

monitor traffic write-file

user@host> monitor traffic write-file filename