show security idp counters tcp-reassembler

Syntax

Description

Displays the status of all TCP reassembler counter values.

Note:

On SRX Series Firewalls with IDP enabled, if IDP attacks are configured for a single direction (server or client), a flow in the opposite direction does not need IDP processing. For TCP traffic, the TCP optimization feature ensures minimal processing for these flows without running into reassembly errors.

Options

none

Displays the status of all TCP reassembler counter values.

logical-system logical-system-name

(Optional) Displays the status of all TCP reassembler counter values for a specific logical system.

logical-system all

(Optional) Displays the status of all TCP reassembler counter values for all logical systems.

tenant tenant-name

(Optional) Displays the status of all TCP reassembler counter values for a specific tenant system.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security idp counters tcp-reassembler command. Output fields are listed in the approximate order in which they appear.

Table 1: show security idp counters tcp-reassembler Output Fields

Field Name

Field Description

Bad TCP checksums

(Unsupported)

Number of packets that have incorrect TCP checksums.

Bad TCP headers

Number of bad TCP headers detected.

Slow path segments

Number of segments that are sent through the slow path if the TCP segment does not pass fast-path segment validation.

Fast path segments

Number of segments that are sent through the fast path after passing a predefined TCP validation sequence.

Tcp Optimized s2c segments

Number of TCP segments that are sent through the optimized reassembly process from server to client.

Tcp Optimized c2s segments

Number of TCP segments that are sent through the optimized reassembly process from client to server.

Sequence number wrap around errors

Number of packets in which the sequence number wraps around.

Session reuses

Number of sessions that reused an already established TCP session.

SYN retransmissions

Number of SYN packets that are retransmitted.

Bad three way handshake acknowledgements

Number of packets that have incorrect three-way handshake acknowledgements (ACK packet).

Sequence number out of sync flows

Number of packets that have out-of-sync sequence numbers.

Fast path pattern matches in queued up streams

Number of queued packets that have a fast path pattern match.

New segments with no overlaps with old segment

Number of new segments that do not overlap with the old segment.

New segment overlaps with beginning of old segment

Number of new segments that overlap with the beginning of the old segment.

New segment overlaps completely with old segment

Number of new segments that overlap completely with the old segment.

New segment is contained in old segment

Number of new segments that are contained in the old segment.

New segment overlaps with end of old segment

Number of new segments that overlap with the end of the old segment.

New segment begins after end of old segment

Number of new segments that begin after the end of the old segment.

Memory consumed by new segment

Memory that is consumed by the new segment.

Peak memory consumed by new segments

Peak memory that is consumed by the new segment.

Segments in memory

Number of segments that are stored in memory for processing.

Per-flow memory overflows

Number of segments dropped after reaching the per-flow memory limit.

Global memory overflows

Number of segments dropped after reaching the reassembler global memory limit.

Overflow drops

Number of packets that are dropped due to memory overflow.

Copied packets

(Unsupported)

Number of packets copied in the reassembler.

Closed Acks

Number of ACK packets seen without a SYN having been seen on the same session.

Ack Validation failures

Number of invalid ACKs received from the server during the three-way handshake.

Simultanious syn

Number of simultaneous SYN packets seen.

C2S synack

Number of C2S SYN/ACK packets seen.

Segment to left of receiver window

Number of segments falling to the left of the receive window.

Segment to right of receiver window

Number of segments falling to the right of the receive window.

SYN seen in the window

Number of SYN packets seen after connection establishment.

ACK bit is off

Number of packets seen without ACK after connection establishment.

Unexpected FIN

Number of unexpected FIN packets seen.

Duplicate Syn/Ack with different SEQ

Number of SYN/ACK packets with different SEQ numbers.
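
The six "New segment ..." counters in Table 1 depend on where a new segment falls relative to a segment that is already buffered. The following added example (not Juniper code) classifies segments into those categories with wrap-safe 32-bit sequence arithmetic; the boundary rules and the names seq_diff, classify and tally are assumptions of this example, not the SRX reassembler's logic.

```python
from collections import Counter

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

# Labels copied from the counter names in Table 1.
NO_OVERLAP = "New segments with no overlaps with old segment"
BEGINNING = "New segment overlaps with beginning of old segment"
COMPLETE = "New segment overlaps completely with old segment"
CONTAINED = "New segment is contained in old segment"
END = "New segment overlaps with end of old segment"
AFTER = "New segment begins after end of old segment"

def seq_diff(a, b):
    """Signed distance a - b in 32-bit sequence space (serial arithmetic)."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d

def classify(old_seq, old_len, new_seq, new_len):
    """Return the counter name for a new segment relative to a buffered one.

    Assumption of this example: "no overlaps" means the new segment ends at
    or before the old one starts; an exact duplicate counts as "completely".
    """
    # Offsets relative to old_seq stay correct across the 2**32 wrap.
    start = seq_diff(new_seq, old_seq)
    end = start + new_len  # exclusive end offset of the new segment
    if end <= 0:
        return NO_OVERLAP
    if start >= old_len:
        return AFTER
    if start <= 0 and end >= old_len:
        return COMPLETE
    if start >= 0:
        return CONTAINED if end <= old_len else END
    return BEGINNING

def tally(old, new_segments):
    """Count categories for (seq, length) tuples against one buffered segment."""
    return Counter(classify(*old, seq, length) for seq, length in new_segments)

# Constructed sample: the buffered segment straddles the sequence wrap.
OLD = (0xFFFFFFF0, 32)  # covers 0xFFFFFFF0 .. 0x0000000F
SAMPLE = [(0xFFFFFFE0, 16), (0xFFFFFFE8, 16), (0xFFFFFFF0, 32),
          (0xFFFFFFF8, 8), (0x00000008, 16), (0x00000010, 8)]

if __name__ == "__main__":
    for name, count in tally(OLD, SAMPLE).items():
        print(f"{count:3d}  {name}")
```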

Sample Output

show security idp counters tcp-reassembler

show security idp counters tcp-reassembler logical-system LSYS1

Release Information

Command introduced in Junos OS Release 9.2.

logical-system option introduced in Junos OS Release 18.3R1.

tenant option introduced in Junos OS Release 19.2R1.