Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation
Table of Contents
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    show services stateful-firewall statistics

    Syntax

    show services stateful-firewall statistics <application-protocol protocol> <brief | detail | extensive | summary> <interface interface-name> <service-set service-set>

    Release Information

    Command introduced in Junos OS Release 10.4.

    Description

    Display stateful firewall statistics.

    Options

    none

    Display standard information about all stateful firewall statistics.

    brief | detail | extensive | summary

    (Optional) Display the specified level of output.

    interface interface-name

    (Optional) Display information about a particular interface. On M Series and T Series routers, the interface-name can be ms-fpc/pic/port or rspnumber. On J Series routers, the interface-name is ms-pim/0/port.

    service-set service-set

    (Optional) Display information about a particular service set.

    Required Privilege Level

    view

     

    Related Documentation

     

    List of Sample Output

    show services stateful-firewall statistics extensive

    Output Fields

    Table 1 lists the output fields for the show services stateful-firewall statistics command. Output fields are listed in the approximate order in which they appear.

    Table 1: show services stateful-firewall statistics Output Fields

    Field Name

    Field Description

    Interface

    Name of an adaptive services interface.

    Service set

    Name of a service set.

    New flows

    Rule match counters for new flows:

    • Accept—New flows accepted.
    • Discard—New flows discarded.
    • Reject—New flows rejected.

    Existing flows

    Rule match counters for existing flows:

    • Accept—Match existing forward or watch flow.
    • Discard—Match existing discard flow.
    • Reject—Match existing reject flow.

    Drops

    Drop counters:

    • TCP SYN defense—Packets dropped by SYN defender.
    • NAT ports exhausted—Hide mode. The router has no available Network Address Translation (NAT) ports for a given address or pool.

    Errors

    Total errors, categorized by protocol:

    • IP—Total IP version 4 errors.
    • TCP—Total Transmission Control Protocol (TCP) errors.
    • UDP—Total User Datagram Protocol (UDP) errors.
    • ICMP—Total Internet Control Message Protocol (ICMP) errors.
    • Non-IP—Total non-IPv4 errors.

    IP Errors

    IPv4 errors:

    • IP packet length inconsistencies—IP packet length does not match the Layer 2 reported length.
    • Minimum IP header length check failures—Minimum IP header length is 20 bytes. The received packet contains less than 20 bytes.
    • Reassembled packet exceeds maximum IP length—After fragment reassembly, the reassembled IP packet length exceeds 65,535.
    • Illegal source address 0—Source address is not a valid address. Invalid addresses are, loopback, broadcast, multicast, and reserved addresses. Source address 0, however, is allowed to support BOOTP and the destination address 0xffffffff.
    • Illegal destination address 0—Destination address is not a valid address.  The address is reserved.
    • TTL zero errors—Received packet had a time-to-live (TTL) value of 0.
    • IP protocol number 0 or 255—IP protocol is 0 or 255.
    • Land attack—IP source address is the same as the destination address.
    • Smurf attack—Echo request is sent to a directed broadcast address.
    • Non-IP packets—Packet did not conform to the IP standard.
    • IP option—Packet dropped because of a nonallowed IP option.
    • Non-IPv4 packets—Packet was not IPv4. (Only IPv4 is supported.)
    • Bad checksum—Packet had an invalid IP checksum.
    • Illegal IP fragment length—Illegal fragment length. All fragments (other than the last fragment) must have a length that is a multiple of 8 bytes.
    • IP fragment overlap—Fragments have overlapping fragment offsets.
    • IP fragment reassembly timeout—Some of the fragments for an IP packet were not received in time, and the reassembly handler dropped partial fragments.

    TCP Errors

    TCP protocol errors:

    • TCP header length inconsistencies—Minimum TCP header length is 20 bytes, and the IP packet received does not contain at least 20 bytes.
    • Source or destination port number is zero—TCP source or destination port is zero.
    • Illegal sequence number, flags combination—Dropped because of TCP errors, such as an illegal sequence number, which causes an illogical combination of flags to be set.
    • SYN attack (multiple SYN messages seen for the same flow)—Multiple SYN packets received for the same flow are treated as a SYN attack. The packets might be retransmitted SYN packets and therefore valid, but a large number is cause for concern.
    • First packet not SYN—First packets for a connection are not SYN packets. These packets might originate from previous connections or from someone performing an ACK/FIN scan.
    • TCP port scan (Handshake, RST seen from server for SYN)—In the case of a SYN defender, if an RST (reset) packet is received instead of a SYN/ACK message, someone is probably trying to scan the server. This behavior can result in false alarms if the RST packet is not combined with an intrusion detection service (IDS).
    • Bad SYN cookie response—SYN cookie generates a SYN/ACK message for all incoming SYN packets. If the ACK received for the SYN/ACK message does not match, this counter is incremented.

    UDP Errors

    UDP protocol errors:

    • IP data length less than minimum UDP header length (8 bytes)—Minimum UDP header length is 8 bytes. The received IP packets contain less than 8 bytes.
    • Source or destination port is zero—UDP source or destination port is 0.
    • UDP port scan (ICMP error seen for UDP flow)—ICMP error is received for a UDP flow. This could be a genuine UDP flow, but it is counted as an error.

    ICMP Errors

    ICMP protocol errors:

    • IP data length less than minimum ICMP header length (8 bytes)—ICMP header length is 8 bytes. This counter is incremented when received IP packets contain less than 8 bytes.
    • ICMP error length inconsistencies—Minimum length of an ICMP error packet is 48 bytes, and the maximum length is 576 bytes. This counter is incremented when the received ICMP error falls outside this range.
    • Ping duplicate sequence number—Received ping packet has a duplicate sequence number.
    • Ping mismatched sequence number—Received ping packet has a mismatched sequence number.

    Sample Output

    show services stateful-firewall statistics extensive

    user@host> show services stateful-firewall statistics extensive 
    Interface: ms-1/3/0
  Service set: interface-svc-set
    New flows:
      Accept: 907, Discard: 0, Reject: 0
    Existing flows:
      Accept: 3535, Discard: 0, Reject: 0
    Drops:
      IP option: 0, TCP SYN defense: 0
      NAT ports exhausted: 0
    Errors:
      IP: 0, TCP: 0
      UDP: 0, ICMP: 0
      Non-IP packets: 0, ALG: 0
    IP errors:
      IP packet length inconsistencies: 0
      Minimum IP header length check failures: 0
      Reassembled packet exceeds maximum IP length: 0
      Illegal source address: 0
      Illegal destination address: 0
      TTL zero errors: 0, IP protocol number 0 or 255: 0
      Land attack: 0, Smurf attack: 0
      Non IP packets: 0, IP option: 0
      Non-IPv4 packets: 0, Bad checksum: 0
      Illegal IP fragment length: 0
      IP fragment overlap: 0
      IP fragment reassembly timeout: 0
TCP errors:
      TCP header length inconsistencies: 0
      Source or destination port number is zero: 0
      Illegal sequence number, flags combination: 0
      SYN attack (multiple SYNs seen for the same flow): 0
      First packet not SYN: 0
      TCP port scan (Handshake, RST seen from server for SYN): 0
      Bad SYN cookie response: 0
    UDP errors:
      IP data length less than minimum UDP header length (8 bytes): 0
      Source or destination port is zero: 0
      UDP port scan (ICMP error seen for UDP flow): 0
    ICMP errors:
      IP data length less than minimum ICMP header length (8 bytes): 0
      ICMP error length inconsistencies: 0
      Ping duplicate sequence number: 0
      Ping mismatched sequence number: 0
    ALG drops:
      BOOTP: 0, DCE-RPC: 0, DCE-RPC portmap: 0
      DNS: 0, Exec: 0, FTP: 0
      ICMP: 0
      Login: 0, Netbios: 0, Netshow: 0
      RPC: 0, RPC portmap: 0
      RTSP: 0, Shell: 0
      SNMP: 0, Sqlnet: 0, TFTP: 0
      Traceroute: 0

    Published: 2012-07-02

    Previous Page Next Page