Packet Flow Monitoring Overview

The policy log rule provides a way to monitor a packet flow by capturing a sample of the packets that satisfy the classification of the rule in the system log. See JunosE System Event Logging Reference Guidefor information about logging.

To capture the interface, protocol, source address, destination address, source port, and destination port, set the policyMgrPacketLog event category to log at severity info and at low verbosity. To capture the version, ToS, len ID, flags, time to live (TTL), protocol, and checksum in addition to the information captured at low verbosity, set the verbosity to medium or high.

When the policy is configured, all packets are examined and the matching packets are placed in the log. No more than 512 packets are logged every 3 seconds. The router maintains a count of the total number of matching packets. This count is incremental even if the packet cannot be stored in the log (for example, because the count exceeds the 512-packet threshold).

This example shows how you might use classification to specify the ingress packets that are logged in to an interface.

This example provides a more detailed procedure that an ISP might use to log information during a ping attack on the network. The procedure includes the creation of the classifier and policy lists to specify the desired packet flow to monitor, the logging of the output of the classification operation, and the output of the show command.

In this example, a customer has reported to their ISP that an attack is occurring on their internal servers. The attack is a simple ping flood.

1. The ISP creates a classifier list to define an ICMP echo request packet flow.
   host1:vr2(config)#ip classifier-list icmpEchoReq icmp any any 8 0 host1:vr2(config)#ip policy-list pingAttack host1:vr2(config-policy-list)#classifier-group icmpEchoReq host1:vr2(config-policy-list-classifier-group)#log host1:vr2(config-policy-list-classifier-group)#exit host1:vr2(config-policy-list)#exit
   host1:vr2(config)#interface gigabitEthernet 2/0 host1:vr2(config-if)#ip address 10.10.10.2 255.255.255.0 host1:vr2(config-if)#exit
   host1:vr2(config)#virtual-router vr1 host1:vr1(config)#interface gigabitEthernet 0/0 host1:vr1(config-if)#ip address 10.10.10.1 255.255.255.0 host1:vr1(config-if)#ip policy input pingAttack statistics enabled host1:vr1(config-if)#exit host1:vr1(config)#exit
2. The ISP configures standard logging on the E Series router.
   host1(config)#log destination console severity info host1(config)#log severity info policyMgrPacketLog host1(config)#log here
   INFO 12/16/2003 12:59:47 policyMgrPacketLog ():icmpEchoReq icmp GigabitEthernet0/0 10.10.10.2 10.10.10.1 forwardedINFO 12/16/2003 12:59:47 policyMgrPacketLog ():icmpEchoReq GigabitEthernet0/0 number of hits = 21551INFO 12/16/2003 12:59:50 policyMgrPacketLog ():icmpEchoReq icmp GigabitEthernet0/0 10.10.10.2 10.10.10.1 forwardedINFO 12/16/2003 12:59:50 policyMgrPacketLog ():icmpEchoReq GigabitEthernet0/0 number of hits = 21851INFO 12/16/2003 12:59:53 policyMgrPacketLog ():icmpEchoReq icmp GigabitEthernet0/0 10.10.10.2 10.10.10.1 forwardedINFO 12/16/2003 12:59:53 policyMgrPacketLog ():icmpEchoReq GigabitEthernet0/0 number of hits = 22151
3. The ISP displays statistics for the interface.

   host1:vr1#show ip interface gigabitEthernet 0/0
   GigabitEthernet0/0 line protocol Ethernet is up, ip is up
     Network Protocols: IP
     Internet address is 10.10.10.1/255.255.255.0
     Broadcast address is 255.255.255.255
     Operational MTU = 1500  Administrative MTU = 0
     Operational speed = 1000000000  Administrative speed = 0
     Discontinuity Time = 1092358
     Router advertisement = disabled
     Proxy Arp = enabled
     Network Address Translation is disabled
     Administrative debounce-time = disabled
     Operational debounce-time    = disabled
     Access routing = disabled
     Multipath mode = hashed
     Auto Configure = disabled
     Auto Detect = disabled
     Inactivity Timer = disabled

     In Received Packets 488421, Bytes 62517888
       Unicast Packets 488421, Bytes 62517888
       Multicast Packets 0, Bytes 0
     In Policed Packets 0, Bytes 0
     In Error Packets 0
     In Invalid Source Address Packets 0
     In Discarded Packets 0
     Out Forwarded Packets 486152, Bytes 62232048
       Unicast Packets 486152, Bytes 62232048
       Multicast Routed Packets 0, Bytes 0
     Out Scheduler Dropped Packets 0, Bytes 0
     Out Policed Packets 0, Bytes 0
     Out Discarded Packets 2269

     IP policy input pingAttack
       classifier-group icmpEchoReq entry 1
         488421 packets, 69355782 bytes
         log

     queue 0: traffic class best-effort, bound to ip GigabitEthernet0/0
       Queue length 0 bytes
       Forwarded packets 485988, bytes 70954248
       Dropped committed packets 0, bytes 0
       Dropped conformed packets 0, bytes 0
       Dropped exceeded packets 0, bytes 0 

You can also capture traffic that transits through the router by using the policyMgrPacketLog category. When you set the logging severity level to info, you have the following options

• interface—filter on an interface
• interface-type—filter on an interface type
• policy-list—filter on a policy list

The policy list must contain the log keyword in the classifier group you want to monitor. You must also enable logging for policyMgrPacketLog and for the specific interface or policy list.

The packet capture can also be done for any source and destination defined in the classifier list. If the logging verbosity is set to low, you can obtain the following level of detail from the packet capture:

INFO 02/20/2008 10:10:23 policyMgrPacketLog:
test icmp FastEthernet2/2.100 100.1.1.2 100.1.2.2 forwarded
INFO 02/20/2008 10:10:26 ppolicyMfrPacketLog:
test icmp FastEthernet2.2.100.100.1.2.2 100.1.1.2 forwarded

INFO 02/20/2008 10:15:11 policyMgrPacketLog: Classifier: test.1, prot: icmp, 
intf:  FastEthernet2/2.100, sa: 100.1.1.2, da: 100.1.2.2 version: 0x45, tos: 
0x0, len: 0x3e8, id: 0x714, flags: 0x0, ttl: 0x20, proto; 0x1, chksum: 0xc4fb, 
forwarded

INFO 02/20/2008 10:15:14 ppolicyMfrPacketLog: classifier: test.1, prot: icmp, 
intf: FastEthernet2/2.100, sa: 100.1.1.2 da: 100.1.2.2 version: 0x45, tos: 
0x0, len: 0x3e8, id: 0xbe8, flags: 0x0, ttl: 0x7e, proto; 0x1, chksum: 0x6227,
forwarded