[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

monitor traffic

Syntax

monitor traffic
<brief | detail | extensive>
<absolute-sequence>
<count count>
<interface interface-name>
<layer2-headers>
<matching matching>
<no-domain-names>
<no-promiscuous>
<no-resolve>
<no-timestamp>
<print-ascii>
<print-hex>
<resolve-timeout>
<size size>

Release Information

Command introduced before JUNOS Release 7.4.

Description

Display packet headers or packets received and sent from the Routing Engine.

Note: Using the monitor traffic command can degrade router performance

Delays from DNS resolution can be eliminated by using the no-resolve option.

Options

none — (Optional) Display packet headers transmitted through fxp0. On a TX Matrix Plus router, display packet headers transmitted through em0.

brief | detail | extensive — (Optional) Display the specified level of output.

absolute-sequence — (Optional) Display absolute TCP sequence numbers.

count count(Optional) Specify the number of packet headers to display (0 through 1,000,000). The monitor traffic command quits automatically after displaying the number of packets specified.

interface interface-name(Optional) Specify the interface on which the monitor traffic command displays packet data. If no interface is specified, the monitor traffic command displays packet data arriving on the lowest-numbered interface.

layer2-headers — (Optional) Display the link-level header on each line.

matching matching(Optional) Display packet headers that match a regular expression. Use matching expressions to define the level of detail with which the monitor traffic command filters and displays packet data.

no-domain-names — (Optional) Suppress the display of the domain portion of hostnames. With the no-domain-names option enabled, the monitor traffic command displays only team for the hostname team.company.net.

no-promiscuous — (Optional) Do not put the interface into promiscuous mode.

no-resolve — (Optional) Suppress reverse lookup of the IP addresses..

no-timestamp — (Optional) Suppress timestamps on displayed packets.

print-ascii — (Optional) Display each packet in ASCII format.

print-hex — (Optional) Display each packet, except the link-level header, in hexadecimal format.

resolve-timeout timeout(Optional) Amount of time the router waits for each reverse lookup before timing out. The timeout can be set between 1 to 4,294,967,295 seconds. The default is 4 seconds. To display each packet, use the print-ascii, print-hex, or extensive option.

size size(Optional) Read, but not display up to the specified number of bytes for each packet. When set to brief output, the default packet size is 96 bytes and is adequate for capturing IP, ICMP, UDP, and TCP packet data. When set to detail and extensive output, the default packet size is 1514. The monitor traffic command truncates displayed packets if the matched data exceeds the configured size.

Additional Information

In the monitor traffic command, you can specify an expression to match by using the matching option and including the expression in quotation marks:

monitor traffic matching "expression"

Replace expression with one or more of the match conditions listed in Table 24.

Table 24: Match Conditions for the monitor traffic Command

Match Type

Condition

Description
Entity

host {address | hostname]

Matches packets that contain the specified address or hostname.

The host match condition can be prepended with the protocol match conditions arp, ip, or rarp, or any of the directional match conditions.

net address

Matches packets with source or destination addresses containing the specified network address.

net addressmask mask

Matches packets containing the specified network address and subnet mask.

port [port-number  | port-name]

Matches packets containing the specified source or destination TCP or UDP port number or port name.

In place of the numeric port address, you can specify a text synonym, such as bgp  (179), dhcp  (67), or domain  (53) (the port numbers are also listed).

Directional

dst

Matches packets going to the specified destination. This match condition can be prepended to any of the entity type match conditions.

src

Matches packets from a specified source. This match condition can be prepended to any of the entity type match conditions.

src and dst

Matches packets that contain the specified source and destination addresses. This match condition can be prepended to any of the entity type match conditions.

src or dst

Matches packets containing either of the specified addresses. This match condition can be prepended to any of the entity type match conditions.

Packet Length

less value

Matches packets shorter than or equal to the specified value, in bytes.

greater value

Matches packets longer than or equal to the specified value, in bytes.

Protocol

arp

Matches all ARP packets.

ether

Matches all Ethernet packets.

ether [broadcast | multicast]

Matches broadcast or multicast Ethernet frames. This match condition can be prepended withsrc and dst.

ether protocol [address | (arp | ip | rarp)]

Matches packets with the specified Ethernet address or Ethernet packets of the specified protocol type. The ether protocol arguments arp, ip, and rarp are also independent match conditions, so they must be preceded by a backslash (\) when used in the ether protocol match condition.

icmp

Matches all ICMP packets.

ip

Matches all IP packets.

ip [broadcast | multicast]

Matches broadcast or multicast IP packets.

ip protocol [address | (icmp | igrp | tcp | udp)]

Matches packets with the specified address or protocol type. The ip protocol arguments icmp, tcp, and udp are also independent match conditions, so they must be preceded by a backslash (\) when used in the ip protocol match condition.

isis

Matches all IS-IS routing messages.

rarp

Matches all RARP packets.

tcp

Matches all TCP datagrams.

udp

Matches all UDP datagrams.

To combine expressions, use the logical operators listed in Table 25.

Table 25: Logical Operators for the monitor traffic Command

Logical Operator (Highest to Lowest Precedence)

Description

!

Logical NOT. If the first condition does not match, the next condition is evaluated.

&&

Logical AND. If the first condition matches, the next condition is evaluated. If the first condition does not match, the next condition is skipped.

||

Logical OR. If the first condition matches, the next condition is skipped. If the first condition does not match, the next condition is evaluated.

( )

Group operators to override default precedence order. Parentheses are special characters, each of which must be preceded by a backslash (\).

You can use relational operators to compare arithmetic expressions composed of integer constants, binary operators, a length operator, and special packet data accessors. The arithmetic expression matching condition uses the following syntax:

monitor traffic matching "ether[0] & 1 != 0""arithmetic_expression relational_operator arithmetic_expression"

The packet data accessor uses the following syntax:

protocol [byte-offset <size>]

The optional size field represents the number of bytes examined in the packet header. The available values are 1, 2, or 4 bytes.The following sample command captures all multicast traffic:

user@host> monitor traffic matching "ether[0] & 1 != 0"

To specify match conditions that have a numeric value, use the arithmetic and relational operators listed in Table 26.

Note: Because the Packet Forwarding Engine removes Layer 2 header information before sending packets to the Routing Engine:

  • The monitor traffic command cannot apply match conditions to inbound traffic.
  • The monitor traffic interface command also cannot apply match conditions for Layer 3 and Layer 4 packet data, resulting in the match pipe option (| match) for this command for Layer 3 and Layer 4 packets not working either. Therefore, ensure that you specify match conditions as described in this command summary. For more information about match conditions, see Table 24.
  • The 802.1Q VLAN tag information included in the Layer 2 header is removed from all inbound traffic packets. As the monitor traffic interface ae[x] command for aggregated Ethernet interfaces (such as ae0) only shows inbound traffic data, the command does not show VLAN tag information in the output.

Table 26: Arithmetic and Relational Operators for the monitor traffic Command

Arithmetic or Relational Operator

Description
Arithmetic Operator

+

Addition operator.

-

Subtraction operator.

/

Division operator.

&

Bitwise AND.

*

Bitwise exclusive OR.

|

Bitwise inclusive OR.
Relational Operator (Highest to Lowest Precedence)

<=

If the first expression is less than or equal to the second, the packet matches.

>=

If the first expression is greater than or equal to the second, the packet matches.

<

If the first expression is less than the second, the packet matches.

>

If the first expression is greater than the second, the packet matches.

=

If the compared expressions are equal, the packet matches.

!=

If the compared expressions are unequal, the packet matches.

Required Privilege Level

trace and maintenance

List of Sample Output

monitor traffic count
monitor traffic detail count
monitor traffic extensive (Absolute Sequence)
monitor traffic extensive (Relative Sequence)
monitor traffic extensive count
monitor traffic interface
monitor traffic matching
monitor traffic (TX Matrix Plus Router)

Output Fields

When you enter this command, you are provided feedback on the status of your request.

Sample Output

monitor traffic count

user@host> monitor traffic count 2
listening on fxp0
04:35:49.814125  In my-server.home.net.1295 > my-server.work.net.telnet: . ack
4122529478 win 16798 (DF)
04:35:49.814185 Out my-server.work.net.telnet > my-server.home.net.1295: P
1:38(37) ack 0 win 17680 (DF) [tos 0x10]

monitor traffic detail count

user@host> monitor traffic detail count 2 
listening on fxp0
04:38:16.265864  In my-server.home.net.1295 > my-server.work.net.telnet: . ack 4122529971 win 17678 (DF) (ttl 121, id 6812)
04:38:16.265926 Out my-server.work.net.telnet.telnet > my-server.home.net.1295: P 1:38(37) ack 0 win 17680 (DF) [tos 0x10]  (ttl 6)

monitor traffic extensive (Absolute Sequence)

user@host> monitor traffic extensive no-domain-names no-resolve no-timestamp count 20 matching "tcp" absolute-sequence 
listening on fxp0
 In 207.17.136.193.179 > 192.168.4.227.1024: . 4042780859:4042780859(0) ack 1845421797 win 16384 <nop,nop,timestamp 4935628 965951> [tos 0xc0]  (ttl )
 In 207.17.136.193.179 > 192.168.4.227.1024: P 4042780859:4042780912(53) ack 1845421797 win 16384 <nop,nop,timestamp 4935628 965951>: BGP [|BGP UPDAT)
 In 192.168.4.227.1024 > 207.17.136.193.179: P 1845421797:1845421852(55) ack 4042780912 win 16384 <nop,nop,timestamp 965951 4935628>: BGP [|BGP UPDAT)
...

monitor traffic extensive (Relative Sequence)

user@host> monitor traffic extensive no-domain-names no-resolve no-timestamp count 20 matching "tcp" 
listening on fxp0
 In 172.24.248.221.1680 > 192.168.4.210.23: . 396159737:396159737(0) ack 1664980689 win 17574 (DF) (ttl 121, id 50003)
Out 192.168.4.210.23 > 172.24.248.221.1680: P 1:40(39) ack 0 win 17680 (DF) [tos 0x10]  (ttl 64, id 5394)
 In 207.17.136.193.179 > 192.168.4.227.1024: P 4042775817:4042775874(57) ack 1845416593 win 16384 <nop,nop,timestamp 4935379 965690>: BGP [|BGP UPDAT)
...

monitor traffic extensive count

user@host> monitor traffic extensive count 5 no-domain-names no-resolve 
listening on fxp013:18:17.406933  In 192.168.4.206.2723610880 > 172.17.28.8.2049: 40 null (ttl 64, id 38367)13:18:17.407577  In 172.17.28.8.2049 > 192.168.4.206.2723610880: reply ok 28 null (ttl 61, id 35495)13:18:17.541140  In 0:e0:1e:42:9c:e0 0:e0:1e:42:9c:e0 9000 60:                          0000 0100 0000 0000 0000 0000 0000 0000                         0000 0000 0000 0000 0000 0000 0000 0000                         0000 0000 0000 0000 0000 0000 000013:18:17.591513  In 172.24.248.156.4139 > 192.168.4.210.23: . 3556964918:3556964918(0) ack 295526518 win 17601 (DF) (ttl 121, id 14)13:18:17.591568 Out 192.168.4.210.23 > 172.24.248.156.4139: P 1:40(39) ack 0 win 17680 (DF) [tos 0x10]  (ttl 64, id 52376)

monitor traffic interface

user@host> monitor traffic interface fxp0 
listening on fxp0.0
18:17:28.800650  In server.home.net.723 > host1-0.lab.home.net.log 
18:17:28.800733 Out host2-0.lab.home.net.login > server.home.net.7 
18:17:28.817813  In host30.lab.home.net.syslog > host40.home0
18:17:28.817846  In host30.lab.home.net.syslog > host40.home0
...

monitor traffic matching

user@host> monitor traffic matching "net 192.168.1.0/24"
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on fxp0, capture size 96 bytes

Reverse lookup for 192.168.1.255 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use no-resolve to avoid reverse lookups on IP addresses.

21:55:54.003511  In IP truncated-ip - 18 bytes missing! 192.168.1.17.netbios-ns > 192.168.1.255.netbios-ns: UDP, length 50
21:55:54.003585 Out IP truncated-ip - 18 bytes missing! 192.168.1.17.netbios-ns > 192.168.1.255.netbios-ns: UDP, length 50
21:55:54.003864  In arp who-has 192.168.1.17 tell 192.168.1.9
...

monitor traffic (TX Matrix Plus Router)

user@host> monitor traffic
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on em0, capture size 96 bytes

04:11:59.862121 Out IP truncated-ip - 25 bytes missing! summit-em0.englab.juniper.net.syslog > sv-log-01.englab.juniper.net.syslog: SYSLOG kernel.info, length: 57
04:11:59.862303 Out IP truncated-ip - 25 bytes missing! summit-em0.englab.juniper.net.syslog > sv-log-02.englab.juniper.net.syslog: SYSLOG kernel.info, length: 57
04:11:59.923948  In IP aj-em0.englab.juniper.net.65235 > summit-em0.englab.juniper.net.telnet: . ack 1087492766 win 33304 <nop,nop,timestamp 42366734 993490>
04:11:59.923983 Out IP truncated-ip - 232 bytes missing! summit-em0.englab.juniper.net.telnet > aj-em0.englab.juniper.net.65235: P 1:241(240) ack 0 win 33304 <nop,nop,timestamp 993590 42366734>
04:12:00.022900  In IP aj-em0.englab.juniper.net.65235 > summit-em0.englab.juniper.net.telnet: . ack 241 win 33304 <nop,nop,timestamp 42366834 993590>
04:12:00.141204  In IP truncated-ip - 40 bytes missing! ipg-lnx-shell1.juniper.net.46182 > summit-em0.englab.juniper.net.telnet: P 2950530356:2950530404(48) ack 485494987 win 63712 <nop,nop,timestamp 1308555294 987086>
04:12:00.141345 Out IP summit-em0.englab.juniper.net.telnet > ipg-lnx-shell1.juniper.net.46182: P 1:6(5) ack 48 win 33304 <nop,nop,timestamp 993809 1308555294>
04:12:00.141572  In IP ipg-lnx-shell1.juniper.net.46182 > summit-em0.englab.juniper.net.telnet: . ack 6 win 63712 <nop,nop,timestamp 1308555294 993809>
04:12:00.141597 Out IP summit-em0.englab.juniper.net.telnet > ipg-lnx-shell1.juniper.net.46182: P 6:10(4) ack 48 win 33304 <nop,nop,timestamp 993810 1308555294>
04:12:00.141821  In IP ipg-lnx-shell1.juniper.net.46182 > summit-em0.englab.juniper.net.telnet: . ack 10 win 63712 <nop,nop,timestamp 1308555294 993810>
04:12:00.141837 Out IP truncated-ip - 2 bytes missing! summit-em0.englab.juniper.net.telnet > ipg-lnx-shell1.juniper.net.46182: P 10:20(10) ack 48 win 33304 <nop,nop,timestamp 993810 1308555294>
04:12:00.142072  In IP ipg-lnx-shell1.juniper.net.46182 > summit-em0.englab.juniper.net.telnet: . ack 20 win 63712 <nop,nop,timestamp 1308555294 993810>
04:12:00.142089 Out IP summit-em0.englab.juniper.net.telnet > ipg-lnx-shell1.juniper.net.46182: P 20:28(8) ack 48 win 33304 <nop,nop,timestamp 993810 1308555294>
04:12:00.142321  In IP ipg-lnx-shell1.juniper.net.46182 > summit-em0.englab.juniper.net.telnet: . ack 28 win 63712 <nop,nop,timestamp 1308555294 993810>
04:12:00.142337 Out IP truncated-ip - 1 bytes missing! summit-em0.englab.juniper.net.telnet > ipg-lnx-shell1.juniper.net.46182: P 28:37(9) ack 48 win 33304 <nop,nop,timestamp 993810 1308555294>
...
[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

[an error occurred while processing this directive]