Using Packet Capture to Analyze Network Traffic
Packet Capture Overview
Packet capture is a tool that helps you to analyze network traffic and troubleshoot network problems. The packet capture tool captures real-time data packets traveling over the network for monitoring and logging.
Packet capture is supported on physical interfaces, reth interfaces, and tunnel interfaces, such as gr, ip, st0, and lsq-/ls.
Packets are captured as binary data, without modification. You can read the packet information offline with a packet analyzer such as Wireshark or tcpdump. If you need to quickly capture packets destined for or originating from the Routing Engine and analyze them online, you can use the J-Web packet capture diagnostic tool.
The packet capture tool does not support IPv6 packet capture.
You can use either the J-Web configuration editor or CLI configuration editor to configure packet capture.
Network administrators and security engineers use packet capture to perform the following tasks:
Monitor network traffic and analyze traffic patterns.
Identify and troubleshoot network problems.
Detect security breaches in the network, such as unauthorized intrusions, spyware activity, or ping scans.
Packet capture operates like traffic sampling on the device, except that it captures entire packets including the Layer 2 header and saves the contents to a file in libpcap format. Packet capture also captures IP fragments.
You cannot enable packet capture and traffic sampling on the device at the same time. Unlike traffic sampling, there are no tracing operations for packet capture.
You can enable packet capture and port mirroring simultaneously on a device.
This section contains the following topics:
- Packet Capture on Device Interfaces
- Firewall Filters for Packet Capture
- Packet Capture Files
- Analysis of Packet Capture Files
Packet Capture on Device Interfaces
Packet capture is supported on the T1, T3, E1, E3, serial, Gigabit Ethernet, ADSL, G.SHDSL, PPPoE, and ISDN interfaces.
To capture packets on an ISDN interface, configure packet capture on the dialer interface. To capture packets on a PPPoE interface, configure packet capture on the PPPoE logical interface.
Packet capture supports PPP, Cisco HDLC, Frame Relay, and other ATM encapsulations. Packet capture also supports Multilink PPP (MLPPP), Multilink Frame Relay end-to-end (MLFR), and Multilink Frame Relay UNI/NNI (MFR) encapsulations.
You can capture all IPv4 packets flowing on an interface in the inbound or outbound direction. However, on traffic that bypasses the flow software module (protocol packets such as ARP, OSPF, and PIM), packets generated by the Routing Engine are not captured unless you have configured and applied a firewall filter on the interface in the outbound direction.
Tunnel interfaces support packet capture in the outbound direction only.
Use the J-Web configuration editor or CLI configuration editor to specify the maximum packet size, the filename to be used for storing the captured packets, the maximum file size, the maximum number of packet capture files, and the file permissions.
For packets captured on T1, T3, E1, E3, serial, and ISDN interfaces in the outbound (egress) direction, the size of the packet captured might be 1 byte less than the maximum packet size configured because of the packet loss priority (PLP) bit.
To modify encapsulation on an interface with packet capture configured, you must disable packet capture.
Firewall Filters for Packet Capture
When you enable packet capture on a device, all packets flowing in the direction specified in packet capture configuration (inbound, outbound, or both) are captured and stored. Configuring an interface to capture all packets might degrade the performance of the device. You can control the number of packets captured on an interface with firewall filters and specify various criteria to capture packets for specific traffic flows.
You must also configure and apply appropriate firewall filters on the interface if you need to capture packets generated by the host device, because interface sampling does not capture packets originating from the host device.
Packet Capture Files
When packet capture is enabled on an interface, the entire packet including the Layer 2 header is captured and stored in a file. You can specify the maximum size of the packet to be captured, up to 1500 bytes. Packet capture creates one file for each physical interface.
File creation and storage take place in the following way. Suppose you name the packet capture file pcap-file. Packet capture creates multiple files (one per physical interface), suffixing each file with the name of the physical interface; for example, pcap-file.fe-0.0.1 for the Gigabit Ethernet interface fe-0.0.1. When the file named pcap-file.fe-0.0.1 reaches the maximum size, the file is renamed pcap-file.fe-0.0.1.0. When the file named pcap-file.fe-0.0.1 reaches the maximum size again, the file named pcap-file.fe-0.0.1.0 is renamed pcap-file.fe-0.0.1.1 and pcap-file.fe-0.0.1 is renamed pcap-file.fe-0.0.1.0. This process continues until the maximum number of files is exceeded and the oldest file is overwritten. The pcap-file.fe-0.0.1 file is always the latest file.
Packet capture files are not removed even after you disable packet capture on an interface.
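The rotation scheme just described is easy to misread, so here is a small Python model of it written for this page (it is an added illustration, not Juniper's code, and the file contents are constructed labels standing in for captured packets). The page does not say whether the configured file count includes the live file; the model assumes it does, so with `files 3` the names kept are pcap-file.fe-0.0.1, pcap-file.fe-0.0.1.0 and pcap-file.fe-0.0.1.1, with the highest suffix holding the oldest data. The `rotated_name`, `rotate` and `simulate` helpers are hypothetical names chosen here.

```python
def rotated_name(base, index):
    """Name of the index-th rotated copy, e.g. pcap-file.fe-0.0.1.0 (hypothetical helper)."""
    return "%s.%d" % (base, index)


def rotate(files, base, max_files):
    """One rollover of the live capture file `base` inside the name -> contents map `files`.

    Assumption (not stated on the page): max_files counts the live file plus its rotated
    copies, so suffixes 0 .. max_files-2 are kept and the highest suffix is the oldest.
    """
    if max_files < 2:
        raise ValueError("files must be at least 2")
    if base not in files:
        raise KeyError("live capture file %s does not exist" % base)
    highest = max_files - 2
    # Walk from the highest suffix down so each copy is moved before it is overwritten.
    for i in range(highest, -1, -1):
        name = rotated_name(base, i)
        if name not in files:
            continue
        if i == highest:
            del files[name]                                # oldest file is overwritten
        else:
            files[rotated_name(base, i + 1)] = files.pop(name)
    files[rotated_name(base, 0)] = files.pop(base)         # live file becomes .0
    files[base] = b""                                      # capture continues in a new live file
    return files


def simulate(base, max_files, rollovers):
    """Fill the live file, roll over, repeat; returns the final name -> contents map.
    Contents are constructed labels (gen-1, gen-2, ...) standing in for captured packets."""
    files = {base: b"gen-1"}
    for g in range(2, rollovers + 2):
        rotate(files, base, max_files)
        files[base] = b"gen-%d" % g
    return files


if __name__ == "__main__":
    for name, content in sorted(simulate("pcap-file.fe-0.0.1", 3, 3).items()):
        print(name, content.decode())
```

The practical consequence for an investigation is that the live file always holds the newest packets and the copy with the highest suffix the oldest, so a file pulled off the device for analysis should be matched to the time window of interest by suffix rather than by name alone.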
Analysis of Packet Capture Files
Packet capture files are stored in libpcap format in the /var/tmp directory. You can specify user or administrator privileges for the files.
Packet capture files can be opened and analyzed offline with tcpdump or any packet analyzer that recognizes the libpcap format. You can also use FTP or the Session Control Protocol (SCP) to transfer the packet capture files to an external device.
Disable packet capture before opening the file for analysis or transferring the file to an external device with FTP or SCP. Disabling packet capture ensures that the internal file buffer is flushed and all the captured packets are written to the file.
Example: Enable Packet Capture on a Device
This example shows how to enable packet capture on a device, to analyze network traffic and to troubleshoot network problems.
Requirements
Before you begin:
Establish basic connectivity.
Configure network interfaces. See Interfaces User Guide for Security Devices.
Overview
In this example, you set the maximum packet capture size in each file as 500 bytes. The range is from 68 through 1500, and the default is 68 bytes. You specify the target filename for the packet capture file as pcap-file. You then specify the maximum number of files to capture as 100. The range is from 2 through 10,000, and the default is 10 files. You set the maximum size of each file to 1024 bytes. The range is from 1,024 through 104,857,600, and the default is 512,000 bytes. Finally, you specify that all users have permission to read the packet capture files.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set forwarding-options packet-capture maximum-capture-size 500
set forwarding-options packet-capture file filename pcap-file files 100 size 1024 world-readable
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To enable packet capture on a device:
Set the maximum packet capture size.
[edit]
user@host# edit forwarding-options
user@host# set packet-capture maximum-capture-size 500
Specify the target filename.
[edit forwarding-options]
user@host# set packet-capture file filename pcap-file
Specify the maximum number of files to capture.
[edit forwarding-options]
user@host# set packet-capture file files 100
Specify the maximum size of each file.
[edit forwarding-options]
user@host# set packet-capture file size 1024
Specify that all users have permission to read the file.
[edit forwarding-options]
user@host# set packet-capture file world-readable
Results
From configuration mode, confirm your configuration by entering the run show forwarding-options command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# run show forwarding-options
packet-capture {
    file filename pcap-file files 100 size 1k world-readable;
    maximum-capture-size 500;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying the Packet Capture Configuration
Purpose
Verify that the packet capture is configured on the device.
Action
From configuration mode, enter the run show forwarding-options command. Verify that the output shows the intended file configuration for capturing packets.
Verifying Captured Packets
Purpose
Verify that the packet capture file is stored under the /var/tmp directory and the packets can be analyzed offline.
Action
Disable packet capture.
Using FTP, transfer a packet capture file (for example, 126b.fe-0.0.1) to a server where you have installed packet analyzer tools (for example, tools-server).
From configuration mode, connect to tools-server using FTP.
[edit]
user@host# run ftp tools-server
Connected to tools-server.mydomain.net
220 tools-server.mydomain.net FTP server (Version 6.00LS) ready
Name (tools-server:user): remoteuser
331 Password required for remoteuser.
Password:
230 User remoteuser logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Navigate to the directory where packet capture files are stored on the device.
ftp> lcd /var/tmp
Local directory now /cf/var/tmp
Copy the packet capture file that you want to analyze to the server, for example 126b.fe-0.0.1.
ftp> put 126b.fe-0.0.1
local: 126b.fe-0.0.1 remote: 126b.fe-0.0.1
200 PORT command successful.
150 Opening BINARY mode data connection for '126b.fe-0.0.1'.
100% 1476 00:00 ETA
226 Transfer complete.
1476 bytes sent in 0.01 seconds (142.42 KB/s)
Return to configuration mode.
ftp> bye
221 Goodbye.
[edit]
user@host#
Open the packet capture file on the server with tcpdump or any packet analyzer that supports libpcap format and review the output.
root@server% tcpdump -r 126b.fe-0.0.1 -xevvvv
01:12:36.279769 Out 0:5:85:c4:e3:d1 > 0:5:85:c8:f6:d1, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 33133, offset 0, flags [none], proto: ICMP (1), length: 84) 14.1.1.1 > 15.1.1.1: ICMP echo request seq 0, length 64
        0005 85c8 f6d1 0005 85c4 e3d1 0800 4500
        0054 816d 0000 4001 da38 0e01 0101 0f01
        0101 0800 3c5a 981e 0000 8b5d 4543 51e6
        0100 aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        aaaa aaaa 0000 0000 0000 0000 0000 0000
        0000 0000 0000 0000 0000 0000 0000 0000
        0000
01:12:36.279793 Out 0:5:85:c8:f6:d1 > 0:5:85:c4:e3:d1, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 41227, offset 0, flags [none], proto: ICMP (1), length: 84) 15.1.1.1 > 14.1.1.1: ICMP echo reply seq 0, length 64
        0005 85c4 e3d1 0005 85c8 f6d1 0800 4500
        0054 a10b 0000 3f01 bb9a 0f01 0101 0e01
        0101 0000 445a 981e 0000 8b5d 4543 51e6
        0100 aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        aaaa aaaa 0000 0000 0000 0000 0000 0000
        0000 0000 0000 0000 0000 0000 0000 0000
        0000
root@server%
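To show what a packet capture file actually contains behind the tcpdump summary above, here is a minimal libpcap reader written for this page (an added example, not Juniper's code and not part of the original documentation). It builds a libpcap file in memory from the two ICMP frames in the hex dump above (the record timestamps are constructed, the frame bytes are the page's own), reads the global header, walks the records, and decodes the Ethernet, IPv4 and ICMP headers the way tcpdump's summary line does. It also verifies the IPv4 header checksum and flags records that maximum-capture-size cut short, which is the first thing to check when a capture taken with the 68-byte default looks like it has lost its payloads. The function names (`build_pcap`, `parse_pcap`, `decode_frame`, `summarize`) are hypothetical.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # libpcap magic as written by a little-endian host
LINKTYPE_ETHERNET = 1            # packet capture stores the Layer 2 header, so DLT_EN10MB
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1

# Constructed sample input: the echo request and reply from the tcpdump hex dump above,
# paired with constructed timestamps as (ts_sec, ts_usec, frame) tuples.
ECHO_REQUEST = bytes.fromhex(
    "0005 85c8 f6d1 0005 85c4 e3d1 0800 4500 0054 816d 0000 4001 da38 0e01 0101 0f01 0101"
    " 0800 3c5a 981e 0000 8b5d 4543 51e6 0100" + " aaaa" * 9 + " 0000" * 15
)
ECHO_REPLY = bytes.fromhex(
    "0005 85c4 e3d1 0005 85c8 f6d1 0800 4500 0054 a10b 0000 3f01 bb9a 0f01 0101 0e01 0101"
    " 0000 445a 981e 0000 8b5d 4543 51e6 0100" + " aaaa" * 9 + " 0000" * 15
)
SAMPLE_PACKETS = [(1380000756, 279769, ECHO_REQUEST), (1380000756, 279793, ECHO_REPLY)]


def build_pcap(packets, snaplen=500):
    """Serialize (ts_sec, ts_usec, frame) tuples as a little-endian libpcap file,
    truncating each frame to snaplen the way maximum-capture-size does."""
    data = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in packets:
        captured = frame[:snaplen]
        data += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)) + captured
    return data


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over the header; 0 means the stored checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame):
    """Decode Ethernet II -> IPv4 -> ICMP as far as the captured bytes allow."""
    rec = {"decoded": "short-frame"}
    if len(frame) < 14:
        return rec
    rec["decoded"] = "ethernet"
    rec["dst_mac"] = ":".join("%02x" % b for b in frame[0:6])
    rec["src_mac"] = ":".join("%02x" % b for b in frame[6:12])
    rec["ethertype"] = struct.unpack("!H", frame[12:14])[0]
    if rec["ethertype"] != ETHERTYPE_IPV4 or len(frame) < 15:
        return rec
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if ihl < 20 or len(ip_hdr) < ihl:
        return rec                                   # header itself was cut off
    rec["decoded"] = "ipv4"
    rec["ip_len"], rec["ip_id"] = struct.unpack("!HH", ip_hdr[2:6])
    rec["ttl"], rec["proto"] = ip_hdr[8], ip_hdr[9]
    rec["src_ip"] = ".".join(str(b) for b in ip_hdr[12:16])
    rec["dst_ip"] = ".".join(str(b) for b in ip_hdr[16:20])
    rec["ip_checksum_ok"] = ipv4_checksum(ip_hdr) == 0
    payload = frame[14 + ihl:]
    if rec["proto"] == IPPROTO_ICMP and len(payload) >= 8:
        rec["decoded"] = "icmp"
        (rec["icmp_type"], rec["icmp_code"], _cksum,
         rec["icmp_id"], rec["icmp_seq"]) = struct.unpack("!BBHHH", payload[:8])
    return rec


def parse_pcap(data):
    """Parse a libpcap byte string; both byte orders are handled via the magic number."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                        # magic read back-to-front: big-endian file
        endian = ">"
    else:
        raise ValueError("not a libpcap file, magic %#x" % magic)
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("corrupt record header at offset %d" % (off - 16))
        rec = decode_frame(data[off:off + incl_len])
        rec.update(ts="%d.%06d" % (ts_sec, ts_usec), captured=incl_len,
                   wire_len=orig_len, truncated=incl_len < orig_len)
        records.append(rec)
        off += incl_len
    return records


def summarize(rec):
    """One tcpdump-style line per record, marking frames shortened by the capture size."""
    if rec["decoded"] == "icmp":
        kind = {8: "echo request", 0: "echo reply"}.get(rec["icmp_type"], "type %d" % rec["icmp_type"])
        line = "%s > %s: ICMP %s seq %d" % (rec["src_ip"], rec["dst_ip"], kind, rec["icmp_seq"])
    elif rec["decoded"] == "ipv4":
        line = "%s > %s: proto %d" % (rec["src_ip"], rec["dst_ip"], rec["proto"])
    else:
        line = "%s > %s ethertype %#06x" % (rec.get("src_mac"), rec.get("dst_mac"), rec.get("ethertype", 0))
    if rec["truncated"]:
        line += " [truncated: %d of %d bytes captured]" % (rec["captured"], rec["wire_len"])
    return line


if __name__ == "__main__":
    for snaplen in (500, 68):        # 500 as configured in the example, 68 = the default capture size
        for rec in parse_pcap(build_pcap(SAMPLE_PACKETS, snaplen)):
            print(snaplen, rec["ts"], summarize(rec))
```

Run against a real file copied from /var/tmp, the same `parse_pcap` call works on `open(path, "rb").read()`; the snaplen in the global header is the maximum-capture-size that was in force, and a high proportion of records with `truncated` set is the usual explanation for "missing" application data in a capture.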
Example: Configure Packet Capture on an Interface
This example shows how to configure packet capture on an interface to analyze traffic.
Requirements
Before you begin:
Establish basic connectivity.
Configure network interfaces. See Interfaces User Guide for Security Devices.
Overview
In this example, you create an interface called fe-0/0/1 and then configure the direction of the traffic for which you are enabling packet capture on the logical interface as inbound and outbound.
On traffic that bypasses the flow software module (protocol packets such as ARP, OSPF, and PIM), packets generated by the Routing Engine are not captured unless you have configured and applied a firewall filter on the interface in the output direction.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
edit interfaces fe-0/0/1
set unit 0 family inet sampling input output
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure packet capture on an interface:
Create an interface.
[edit] user@host# edit interfaces fe-0/0/1
Configure the direction of the traffic.
[edit interfaces fe-0/0/1] user@host# set unit 0 family inet sampling input output
If you are done configuring the device, commit the configuration.
[edit] user@host# commit
Example: Configure a Firewall Filter for Packet Capture
This example shows how to configure a firewall filter for packet capture and apply it to a logical interface.
Requirements
Before you begin:
Establish basic connectivity.
Configure network interfaces. See Interfaces User Guide for Security Devices.
Overview
In this example, you set a firewall filter called dest-all and a term name called dest-term to capture packets from a specific destination address, which is 192.168.1.1/32. You define the match condition to accept the sampled packets. Finally, you apply the dest-all filter to all of the outgoing packets on interface fe-0/0/1.
If you apply a firewall filter on the loopback interface, it affects all traffic to and from the Routing Engine. If the firewall filter has a sample action, packets to and from the Routing Engine are sampled. If packet capture is enabled, then packets to and from the Routing Engine are captured in the files created for the input and output interfaces.
Topology
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set firewall filter dest-all term dest-term from destination-address 192.168.1.1/32
set firewall filter dest-all term dest-term then sample accept
set interfaces fe-0/0/1 unit 0 family inet filter output dest-all
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure a firewall filter for packet capture and apply it to a logical interface:
Specify the firewall filter and its destination address.
[edit]
user@host# edit firewall
user@host# set filter dest-all term dest-term from destination-address 192.168.1.1/32
Define the match condition and its action.
[edit firewall] user@host# set filter dest-all term dest-term then sample accept
Apply the filter to all the outgoing packets.
[edit]
user@host# set interfaces fe-0/0/1 unit 0 family inet filter output dest-all
Results
From configuration mode, confirm your configuration by entering the run show firewall filter dest-all command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# run show firewall filter dest-all
term dest-term {
    from {
        destination-address 192.168.1.1/32;
    }
    then {
        sample;
        accept;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying the Firewall Filter for Packet Capture Configuration
Purpose
Confirm that the configuration is working properly.
Verify that the firewall filter for packet capture is configured.
Action
From configuration mode, enter the run show firewall filter dest-all command. Verify that the output shows the intended configuration of the firewall filter for capturing packets sent to the destination address.
Example: Configure Packet Capture for Datapath Debugging
This example shows how to configure packet capture to monitor traffic that passes through the device. Packet capture then dumps the packets into a PCAP file format that can be later examined by the tcpdump utility.
Requirements
Before you begin, see Debugging the Data Path (CLI Procedure).
Overview
A filter is defined to select traffic; then an action profile is applied to the filtered traffic. The action profile specifies a variety of actions on the processing unit. One of the supported actions is packet dump, which sends the packet to the Routing Engine and stores it in proprietary form to be read using the show security datapath-debug capture command.
Data path debugging is supported on SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security datapath-debug capture-file my-capture
set security datapath-debug capture-file format pcap
set security datapath-debug capture-file size 1m
set security datapath-debug capture-file files 5
set security datapath-debug maximum-capture-size 400
set security datapath-debug action-profile do-capture event np-ingress packet-dump
set security datapath-debug packet-filter my-filter action-profile do-capture
set security datapath-debug packet-filter my-filter source-prefix 1.2.3.4/32
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure packet capture:
Edit the security datapath-debug option for the multiple processing units along the packet-processing path:
[edit] user@host# edit security datapath-debug
Enable the capture file, the file format, the file size, and the number of files. The size option limits the size of the capture file. After the size limit is reached, if a file count is specified, the capture file is rotated to filename x, where x is incremented automatically until it reaches the specified count and then returns to zero. If no file count is specified, packets are discarded after the size limit is reached. The default size is 512 kilobytes.
[edit security datapath-debug]
user@host# set capture-file my-capture format pcap size 1m files 5
[edit security datapath-debug]
user@host# set maximum-capture-size 400
Enable action profile and set the event. Set the action profile as do-capture and the event type as np-ingress:
[edit security datapath-debug]
user@host# edit action-profile do-capture
[edit security datapath-debug action-profile do-capture]
user@host# edit event np-ingress
Enable packet dump for the action profile:
[edit security datapath-debug action-profile do-capture event np-ingress]
user@host# set packet-dump
Enable packet filter, action, and filter options. The packet filter is set to my-filter, the action profile is set to do-capture, and filter option is set to source-prefix 1.2.3.4/32.
[edit security datapath-debug]
user@host# set packet-filter my-filter action-profile do-capture
[edit security datapath-debug]
user@host# set packet-filter my-filter source-prefix 1.2.3.4/32
Results
From configuration mode, confirm your configuration by entering the show security datapath-debug command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
security {
    datapath-debug {
        capture-file {
            my-capture format pcap size 1m files 5;
        }
        maximum-capture-size 400;
        action-profile do-capture {
            event np-ingress {
                packet-dump;
            }
        }
        packet-filter my-filter {
            source-prefix 1.2.3.4/32;
            action-profile do-capture;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Verifying Packet Capture
- Verifying Data Path Debugging Capture
- Verifying Data Path Debugging Counter
Verifying Packet Capture
Purpose
Verify if the packet capture is working.
Action
From operational mode, enter the request security datapath-debug capture start command to start packet capture and enter the request security datapath-debug capture stop command to stop packet capture.
To view the results, from CLI operational mode, access the local UNIX shell and navigate to the directory /var/log/my-capture. The result can be read by using the tcpdump utility.
Verifying Data Path Debugging Capture
Purpose
Verify the details of data path debugging capture file.
Action
From operational mode, enter the show security datapath-debug capture command.
user@host>show security datapath-debug capture
When you are done troubleshooting, make sure to remove or deactivate all the traceoptions configurations (not limited to flow traceoptions) and the complete security datapath-debug configuration stanza. If any debugging configurations remain active, they will continue to use the device's CPU and memory resources.
Verifying Data Path Debugging Counter
Purpose
Verify the details of the data path debugging counter.
Action
From operational mode, enter the show security datapath-debug counter command.
Disable Packet Capture
You must disable packet capture before opening the packet capture file for analysis or transferring the file to an external device. Disabling packet capture ensures that the internal file buffer is flushed and all the captured packets are written to the file.
To disable packet capture, enter from configuration mode:
[edit forwarding-options]
user@host# set packet-capture disable
If you are done configuring the device, enter commit from configuration mode.
Modify Encapsulation on Interfaces with Packet Capture Configured
Before modifying the encapsulation on a device interface that is configured for packet capture, you must disable packet capture and rename the latest packet capture file. Otherwise, packet capture saves the packets with different encapsulations in the same packet capture file. Packet files containing packets with different encapsulations are not useful, because packet analyzer tools like tcpdump cannot analyze such files.
After modifying the encapsulation, you can safely reenable packet capture on the device.
To change the encapsulation on interfaces with packet capture configured:
- Disable packet capture (see Disabling Packet Capture).
- Enter commit from configuration mode.
- Rename the latest packet capture file on which you are changing the encapsulation with the .chdsl extension.
- Change the encapsulation on the interface using the J-Web user interface or CLI configuration editor.
- If you are done configuring the device, enter commit from configuration mode.
- Reenable packet capture (see Example: Enabling Packet Capture on a Device).
- If you are done configuring the device, enter commit from configuration mode.
Delete Packet Capture Files
Deleting packet capture files from the /var/tmp directory only temporarily removes the packet capture files. Packet capture files for the interface are automatically created again the next time a packet capture configuration change is committed or as part of a packet capture file rotation.
To delete a packet capture file:
- Disable packet capture (see Disabling Packet Capture).
- Delete the packet capture file for the interface.
- Reenable packet capture (see Example: Enabling Packet Capture on a Device).
- If you are done configuring the device, enter commit from configuration mode.
Display Packet Headers
Enter the monitor traffic command to display packet headers transmitted through network interfaces with the following syntax:
user@host> monitor traffic <absolute-sequence> <count number> <interface interface-name> <layer2-headers> <matching "expression"> <no-domain-names> <no-promiscuous> <no-resolve> <no-timestamp> <print-ascii> <print-hex> <size bytes> <brief | detail | extensive>
Using the monitor traffic command can degrade system performance. We recommend that you use filtering options, such as count and matching, to minimize the impact to packet throughput on the system.
Table 1 describes the monitor traffic command options.
Table 1: monitor traffic Command Options
Option | Description |
---|---|
absolute-sequence | (Optional) Displays the absolute TCP sequence numbers. |
count number | (Optional) Displays the specified number of packet headers. Specify a value from |
interface interface-name | (Optional) Displays packet headers for traffic on the specified interface. If an interface is not specified, the lowest numbered interface is monitored. |
layer2-headers | (Optional) Displays the link-layer packet header on each line. |
matching "expression" | (Optional) Displays packet headers that match an expression enclosed in quotation marks (" "). Table 2 through Table 4 list match conditions, logical operators, and arithmetic, binary, and relational operators you can use in the expression. |
no-domain-names | (Optional) Suppresses the display of the domain name portion of the hostname. |
no-promiscuous | (Optional) Specifies not to place the monitored interface in promiscuous mode. In promiscuous mode, the interface reads every packet that reaches it. In nonpromiscuous mode, the interface reads only the packets addressed to it. |
no-resolve | (Optional) Suppresses the display of hostnames. |
no-timestamp | (Optional) Suppresses the display of packet header timestamps. |
print-ascii | (Optional) Displays each packet header in ASCII format. |
print-hex | (Optional) Displays each packet header, except link-layer headers, in hexadecimal format. |
size bytes | (Optional) Displays the number of bytes for each packet that you specify. If a packet header exceeds this size, the displayed packet header is truncated. The default value is 96 bytes. |
brief | (Optional) Displays minimum packet header information. This is the default. |
detail | (Optional) Displays packet header information in moderate detail. For some protocols, you must also use the |
extensive | (Optional) Displays the most extensive level of packet header information. For some protocols, you must also use the |
To quit the monitor traffic command and return to the command prompt, press Ctrl-C.
To limit the packet header information displayed by the monitor traffic command, include the matching "expression" option. An expression consists of one or more match conditions listed in Table 2, enclosed in quotation marks (" "). You can combine match conditions by using the logical operators listed in Table 3 (shown in order of highest to lowest precedence).
For example, to display TCP or UDP packet headers, enter:
user@host> monitor traffic matching "tcp || udp"
To compare the following types of expressions, use the relational operators listed in Table 4 (listed from highest to lowest precedence):
- Arithmetic: expressions that use the arithmetic operators listed in Table 4.
- Binary: expressions that use the binary operators listed in Table 4.
- Packet data accessor: expressions that use the following syntax:
protocol [byte-offset <size>]
Replace protocol with any protocol in Table 2. Replace byte-offset with the byte offset, from the beginning of the packet header, to use for the comparison. The optional size parameter represents the number of bytes examined in the packet header: 1, 2, or 4 bytes. For example, the following command displays all multicast traffic:
user@host> monitor traffic matching "ether[0] & 1 != 0"
Table 2: Match Conditions for the monitor traffic Command
Match Condition | Description |
---|---|
Entity Type | |
host address-or-hostname | Matches packet headers that contain the specified address or hostname. You can prepend a protocol match condition, followed by a space, to host. |
net address | Matches packet headers with source or destination addresses containing the specified network address. |
net address mask mask | Matches packet headers containing the specified network address and subnet mask. |
port port-number-or-name | Matches packet headers containing the specified source or destination TCP or UDP port number or port name. |
Directional | |
dst | Matches packet headers containing the specified destination. Directional match conditions can be prepended to any Entity Type match conditions, followed by a space. |
src | Matches packet headers containing the specified source. |
src and dst | Matches packet headers containing the specified source and destination. |
src or dst | Matches packet headers containing the specified source or destination. |
Packet Length | |
less value | Matches packets with lengths less than or equal to the specified value, in bytes. |
greater value | Matches packets with lengths greater than or equal to the specified value, in bytes. |
Protocol | |
arp | Matches all ARP packets. |
ether | Matches all Ethernet frames. |
ether broadcast, ether multicast | Matches broadcast or multicast Ethernet frames. This match condition can be prepended with |
ether protocol address-or-type | Matches Ethernet frames with the specified address or protocol type. The arguments |
icmp | Matches all ICMP packets. |
ip | Matches all IP packets. |
ip broadcast, ip multicast | Matches broadcast or multicast IP packets. |
ip protocol address-or-type | Matches IP packets with the specified address or protocol type. The arguments |
isis | Matches all IS-IS routing messages. |
rarp | Matches all RARP packets. |
tcp | Matches all TCP packets. |
udp | Matches all UDP packets. |
Table 3: Logical Operators for the monitor traffic Command
Logical Operator | Description |
---|---|
! | Logical NOT. If the first condition does not match, the next condition is evaluated. |
&& | Logical AND. If the first condition matches, the next condition is evaluated. If the first condition does not match, the next condition is skipped. |
\|\| | Logical OR. If the first condition matches, the next condition is skipped. If the first condition does not match, the next condition is evaluated. |
( ) | Group operators to override default precedence order. Parentheses are special characters, each of which must be preceded by a backslash (\). |
Table 4: Arithmetic, Binary, and Relational Operators for the monitor traffic Command
Operator | Description |
---|---|
Arithmetic Operator | |
+ | Addition operator. |
- | Subtraction operator. |
/ | Division operator. |
Binary Operator | |
& | Bitwise AND. |
^ | Bitwise exclusive OR. |
\| | Bitwise inclusive OR. |
Relational Operator | |
<= | A match occurs if the first expression is less than or equal to the second. |
>= | A match occurs if the first expression is greater than or equal to the second. |
< | A match occurs if the first expression is less than the second. |
> | A match occurs if the first expression is greater than the second. |
= | A match occurs if the first expression is equal to the second. |
!= | A match occurs if the first expression is not equal to the second. |
The following is sample output from the monitor traffic command:
user@host> monitor traffic count 4 matching "arp" detail
Listening on fe-0/0/0, capture size 96 bytes
15:04:16.276780 In arp who-has 193.1.1.1 tell host1.site2.net
15:04:16.376848 In arp who-has host2.site2.net tell host1.site2.net
15:04:16.376887 In arp who-has 193.1.1.2 tell host1.site2.net
15:04:16.601923 In arp who-has 193.1.1.3 tell host1.site2.net