show interfaces flow-statistics

Syntax

show interfaces flow-statistics <interface-name>

Release Information

Command introduced in Release 8.5 of Junos OS.

Description

Display interfaces flow statistics.

Options

Interface-name —(Optional) Display flow statistics about the specified interface. Following is a list of typical interface names. Replace pim with the PIM slot and port with the port number. For a complete list, see the Junos OS Interfaces Configuration Guide for Security Devices.

at-pim/0/port—ATM-over-ADSL or ATM-over-SHDSL interface.
br-pim/0/port—Basic Rate Interface for establishing ISDN connections.
ce1-pim/0/port—Channelized E1 interface.
ct1-pim/0/port—Channelized T1 interface.
dl0—Dialer Interface for initiating ISDN and USB modem connections.
e1-pim/0/port—E1 interface.
e3-pim/0/port—E3 interface.
fe-pim/0/ port—Fast Ethernet interface.
ge-pim/0/port—Gigabit Ethernet interface.
se-pim/0/port—Serial interface.
t1-pim/0/port—T1 (also called DS1) interface.
t3-pim/0/ port—T3 (also called DS3) interface.
wx-slot/0/0—WAN acceleration interface, for the WXC Integrated Services Module (ISM 200).

Required Privilege Level

view

List of Sample Output

show interfaces flow-statistics (Gigabit Ethernet)

Output Fields

Table 27 lists the output fields for the show interfaces flow-statistics command. Output fields are listed in the approximate order in which they appear.

Table 27: show interfaces flow-statistics Output Fields

Field Name	Field Description
Traffic statistics	Number of packets and bytes transmitted and received on the physical interface.
Local statistics	Number of packets and bytes transmitted and received on the physical interface.
Transit statistics	Number of packets and bytes transiting the physical interface.
Flow input statistics	Statistics on packets received by flow module.
Flow output statistics	Statistics on packets sent by flow module.
Flow error statistics	Packet drop statistics for the flow module. For further detail, see Table 28

Table 28: Flow Error Statistics (packet drop statistics for the flow module)

Error	Error Description
Screen:
Address spoofing	The packet was dropped when the screen module detected address spoofing.
Syn-attack protection	The packet was dropped because of SYN attack protection or SYN cookie protection.
VPN:
Authentication failed	The packet was dropped because the IPsec Encapsulating Security Payload (ESP) or Authentication Header (AH) authentication failed.
No SA for incoming SPI	The packet was dropped because the incoming IPsec packet's security parameter index (SPI) does not match any known SPI.
Security association not active	The packet was dropped because an IPsec packet was received for an inactive SA.
NAT:
Incoming NAT errors	The source NAT rule search failed, an invalid source NAT binding was found, or the NAT allocation failed.
Multiple incoming NAT	Sometimes packets are looped through the system more than once; if source NATing is specified more than once, the packet will be dropped.
Auth:
Multiple user authentications	Sometimes packets are looped through the system more than once. Each time a packet passes through the system, that packet must be permitted by a policy. If the packet matches more than one policy that specifies user authentication, then it will be dropped.
User authentication errors	Packet was dropped because policy requires authentication; however: Only Telnet, FTP, and HTTP traffic can be authenticated. The corresponding authentication entry could not be found, if web-auth is specified. The maximum number of authenticated sessions per user was exceeded.
Flow:
No one interested in self packets	This counter is incremented for one of the following reasons: The outbound interface is a self interface, but the packet is not marked as a to-self packet and the destination address is in a source NAT pool. No service is interested in the to-self packet When a zone has ident-reset service enabled, the TCP RST to IDENT request for port 113 is sent back and this counter is incremented.
No minor session	The packet was dropped because no minor sessions are available and a minor session was requested. Minor sessions are allocated for storing additional TCP state information.
No more sessions	The packet was dropped because there were no more free sessions available.
No route present	The packet was dropped because a valid route was not available to forward the packet. For new sessions, the counter is incremented for one of the following reasons: No valid route was found to forward the packet. A discard or reject route was found. The route could not be added due to lack of memory. The reverse path forwarding check failed for an incoming multicast packet. For existing sessions, the prior route was changed or deleted, or a more specific route was added. The session is rerouted, and this reroute could fail because: A new route could not be found; either the previous route was removed, or the route was changed to discard or reject. Multiple packets may concurrently force rerouting to occur, and only one packet can successfully complete the rerouting process. Other packets will be dropped. The route table was locked for updates by the routing engine. Packets that match a new session are retried, whereas packets that match an existing session are not.
No tunnel found	The packet was dropped because a valid tunnel could not be found
No session for a gate	This counter is incremented when a packet is destined for an ALG, and the ALG decides to drop this packet.
No zone or NULL zone binding	The packet was dropped because its incoming interface was not bound to any zone.
Policy denied	The error counter is incremented for one of the following reasons: Source and/or destination NAT has occurred and policy says to drop the packet. Policy specifies user authentication, which failed. Policy was configured to deny this packet.
TCP sequence number out of window	A TCP packet with a sequence number failed the TCP sequence number check that was received.
Counters Not Currently in Use
No parent for a gate	-
Invalid zone received packet	-
No NAT gate	-

Sample Output

show interfaces flow-statistics (Gigabit Ethernet)

user@host> show
interfaces flow-statistics ge-0/0/1.0

  Logical interface ge-0/0/1.0 (Index 70) (SNMP ifIndex 49)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 5161
    Output packets: 83
    Security: Zone: zone2
    Allowed host-inbound traffic : bootp bfd bgp  dns dvmrp igmp ldp msdp nhrp ospf pgm
    pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike
    netconf ping rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl
    lsping
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     0
      VPN packets :                      2564
      Bytes permitted by policy :        3478
      Connections established :          1
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        16994
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1500
      Flags: None
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 2.2.2/24, Local: 2.2.2.2, Broadcast: 2.2.2.255