Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

show interfaces flow-statistics

 

Syntax

Release Information

Command introduced in Junos OS Release 9.2.

Description

Display interfaces flow statistics.

Options

Interface-name —(Optional) Display flow statistics about the specified interface. Following is a list of typical interface names. Replace pim with the PIM slot and port with the port number. For a complete list, see the Interface Naming Conventions.

  • at-pim/0/port—ATM-over-ADSL or ATM-over-SHDSL interface.

  • br-pim/0/port—Basic Rate Interface for establishing ISDN connections.

  • ce1-pim/0/port—Channelized E1 interface.

  • ct1-pim/0/port—Channelized T1 interface.

  • dl0—Dialer Interface for initiating ISDN and USB modem connections.

  • e1-pim/0/port—E1 interface.

  • e3-pim/0/port—E3 interface.

  • fe-pim/0/ port—Fast Ethernet interface.

  • ge-pim/0/port—Gigabit Ethernet interface.

  • se-pim/0/port—Serial interface.

  • t1-pim/0/port—T1 (also called DS1) interface.

  • t3-pim/0/ port—T3 (also called DS3) interface.

  • wx-slot/0/0—WAN acceleration interface, for the WXC Integrated Services Module (ISM 200).

Required Privilege Level

view

List of Sample Output

show interfaces flow-statistics (Gigabit Ethernet)

Output Fields

Table 1 lists the output fields for the show interfaces flow-statistics command. Output fields are listed in the approximate order in which they appear.

Table 1: show interfaces flow-statistics Output Fields

Field Name

Field Description

Traffic statistics

Number of packets and bytes transmitted and received on the physical interface.

Local statistics

Number of packets and bytes transmitted and received on the physical interface.

Transit statistics

Number of packets and bytes transiting the physical interface.

Flow input statistics

Statistics on packets received by flow module.

Flow output statistics

Statistics on packets sent by flow module.

Flow error statistics

Packet drop statistics for the flow module.

For further details, see Table 2.

Table 2: Flow Error Statistics (Packet Drop Statistics for the Flow Module)

ErrorError Description
Screen:

Address spoofing

The packet was dropped when the screen module detected address spoofing.

Syn-attack protection

The packet was dropped because of SYN attack protection or SYN cookie protection.

VPN:

Authentication failed

The packet was dropped because the IPsec Encapsulating Security Payload (ESP) or Authentication Header (AH) authentication failed.

No SA for incoming SPI

The packet was dropped because the incoming IPsec packet's security parameter index (SPI) does not match any known SPI.

Security association not active

The packet was dropped because an IPsec packet was received for an inactive SA.

NAT:

Incoming NAT errors

The source NAT rule search failed, an invalid source NAT binding was found, or the NAT allocation failed.

Multiple incoming NAT

Sometimes packets are looped through the system more than once; if source NAT is specified more than once, the packet will be dropped.

Auth:

Multiple user authentications

Sometimes packets are looped through the system more than once. Each time a packet passes through the system, that packet must be permitted by a policy. If the packet matches more than one policy that specifies user authentication, then it will be dropped.

User authentication errors

Packet was dropped because policy requires authentication; however:

  • Only Telnet, FTP, and HTTP traffic can be authenticated.

  • The corresponding authentication entry could not be found, if web-auth is specified.

  • The maximum number of authenticated sessions per user was exceeded.

Flow:

No one interested in self packets

This counter is incremented for one of the following reasons:

  • The outbound interface is a self interface, but the packet is not marked as a to-self packet and the destination address is in a source NAT pool.

  • No service is interested in the to-self packet

  • When a zone has ident-reset service enabled, the TCP RST to IDENT request for port 113 is sent back and this counter is incremented.

No minor session

The packet was dropped because no minor sessions are available and a minor session was requested. Minor sessions are allocated for storing additional TCP state information.

No more sessions

The packet was dropped because there were no more free sessions available.

No route present

The packet was dropped because a valid route was not available to forward the packet.

For new sessions, the counter is incremented for one of the following reasons:

  • No valid route was found to forward the packet.

  • A discard or reject route was found.

  • The route could not be added due to lack of memory.

  • The reverse path forwarding check failed for an incoming multicast packet.

For existing sessions, the prior route was changed or deleted, or a more specific route was added. The session is rerouted, and this reroute could fail because:

  • A new route could not be found; either the previous route was removed, or the route was changed to discard or reject.

  • Multiple packets may concurrently force rerouting to occur, and only one packet can successfully complete the rerouting process. Other packets will be dropped.

  • The route table was locked for updates by the Routing Engine. Packets that match a new session are retried, whereas packets that match an existing session are not.

No tunnel found

The packet was dropped because a valid tunnel could not be found

No session for a gate

This counter is incremented when a packet is destined for an ALG, and the ALG decides to drop this packet.

No zone or NULL zone binding

The packet was dropped because its incoming interface was not bound to any zone.

Policy denied

The error counter is incremented for one of the following reasons:

  • Source and/or destination NAT has occurred and policy says to drop the packet.

  • Policy specifies user authentication, which failed.

  • Policy was configured to deny this packet.

TCP sequence number out of window

A TCP packet with a sequence number failed the TCP sequence number check that was received.

Counters Not Currently in Use

No parent for a gate

-

Invalid zone received packet

-

No NAT gate

-

Sample Output

show interfaces flow-statistics (Gigabit Ethernet)

user@host> show interfaces flow-statistics ge-0/0/1.0