

Packet Flow Monitoring Overview

The policy log rule provides a way to monitor a packet flow by capturing a sample of the packets that satisfy the classification of the rule in the system log. See the JUNOSe System Event Logging Reference Guide for information about logging.

To capture the interface, protocol, source address, destination address, source port, and destination port, set the policyMgrPacketLog event category to log at severity info and at low verbosity. To capture the version, ToS, length, ID, flags, time to live (TTL), protocol, and checksum in addition to the information captured at low verbosity, set the verbosity to medium or high.

When the policy is configured, all packets are examined and the matching packets are placed in the log. No more than 512 packets are logged every 3 seconds. The router maintains a count of the total number of matching packets. This count is incremented even if the packet cannot be stored in the log (for example, because the count exceeds the 512-packet threshold), so the counter, not the number of logged packets, reflects the size of the flow.

This example shows how you might use classification to specify the ingress packets that are logged on an interface.

host1(config)#ip policy-list testPolicy
host1(config-policy-list)#classifier-group logA
host1(config-policy-list-classifier-group)#log
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#exit
host1(config)#interface atm 0/0.0
host1(config-subif)#ip policy input testPolicy statistics enabled
host1(config-subif)#exit
host1(config)#log destination console severity info
host1(config)#log severity info policyMgrPacketLog
host1(config)#log verbosity low policyMgrPacketLog
host1(config)#log here

This example provides a more detailed procedure that an ISP might use to log information during a ping attack on the network. The procedure includes the creation of the classifier and policy lists to specify the desired packet flow to monitor, the logging of the output of the classification operation, and the output of the show command.

In this example, a customer has reported to their ISP that an attack is occurring on their internal servers. The attack is a simple ping flood.

  1. The ISP creates a classifier list to define an ICMP echo request packet flow.

     host1:vr2(config)#ip classifier-list icmpEchoReq icmp any any 8 0
     host1:vr2(config)#ip policy-list pingAttack
     host1:vr2(config-policy-list)#classifier-group icmpEchoReq
     host1:vr2(config-policy-list-classifier-group)#log
     host1:vr2(config-policy-list-classifier-group)#exit
     host1:vr2(config-policy-list)#exit

     host1:vr2(config)#interface gigabitEthernet 2/0
     host1:vr2(config-if)#ip address 10.10.10.2 255.255.255.0
     host1:vr2(config-if)#exit

     host1:vr2(config)#virtual-router vr1
     host1:vr1(config)#interface gigabitEthernet 0/0
     host1:vr1(config-if)#ip address 10.10.10.1 255.255.255.0
     host1:vr1(config-if)#ip policy input pingAttack statistics enabled
     host1:vr1(config-if)#exit
     host1:vr1(config)#exit

  2. The ISP configures standard logging on the E-series router.

     host1(config)#log destination console severity info
     host1(config)#log severity info policyMgrPacketLog
     host1(config)#log here

     INFO 12/16/2003 12:59:47 policyMgrPacketLog ():
     icmpEchoReq icmp GigabitEthernet0/0 10.10.10.2 10.10.10.1 forwarded
     INFO 12/16/2003 12:59:47 policyMgrPacketLog ():
     icmpEchoReq GigabitEthernet0/0 number of hits = 21551
     INFO 12/16/2003 12:59:50 policyMgrPacketLog ():
     icmpEchoReq icmp GigabitEthernet0/0 10.10.10.2 10.10.10.1 forwarded
     INFO 12/16/2003 12:59:50 policyMgrPacketLog ():
     icmpEchoReq GigabitEthernet0/0 number of hits = 21851
     INFO 12/16/2003 12:59:53 policyMgrPacketLog ():
     icmpEchoReq icmp GigabitEthernet0/0 10.10.10.2 10.10.10.1 forwarded
     INFO 12/16/2003 12:59:53 policyMgrPacketLog ():
     icmpEchoReq GigabitEthernet0/0 number of hits = 22151

  3. The ISP displays statistics for the interface.

     host1:vr1#show ip interface gigabitEthernet 0/0
     GigabitEthernet0/0 line protocol Ethernet is up, ip is up
       Network Protocols: IP
       Internet address is 10.10.10.1/255.255.255.0
       Broadcast address is 255.255.255.255
       Operational MTU = 1500  Administrative MTU = 0
       Operational speed = 1000000000  Administrative speed = 0
       Discontinuity Time = 1092358
       Router advertisement = disabled
       Proxy Arp = enabled
       Network Address Translation is disabled
       Administrative debounce-time = disabled
       Operational debounce-time    = disabled
       Access routing = disabled
       Multipath mode = hashed
       Auto Configure = disabled
       Auto Detect = disabled
       Inactivity Timer = disabled

       In Received Packets 488421, Bytes 62517888
         Unicast Packets 488421, Bytes 62517888
         Multicast Packets 0, Bytes 0
       In Policed Packets 0, Bytes 0
       In Error Packets 0
       In Invalid Source Address Packets 0
       In Discarded Packets 0
       Out Forwarded Packets 486152, Bytes 62232048
         Unicast Packets 486152, Bytes 62232048
         Multicast Routed Packets 0, Bytes 0
       Out Scheduler Dropped Packets 0, Bytes 0
       Out Policed Packets 0, Bytes 0
       Out Discarded Packets 2269

       IP policy input pingAttack
         classifier-group icmpEchoReq entry 1
           488421 packets, 69355782 bytes
           log

       queue 0: traffic class best-effort, bound to ip GigabitEthernet0/0
         Queue length 0 bytes
         Forwarded packets 485988, bytes 70954248
         Dropped committed packets 0, bytes 0
         Dropped conformed packets 0, bytes 0
         Dropped exceeded packets 0, bytes 0

