09-14-2009 04:31 AM
The packet-capture feature cannot start on an M10i router with JunOS 8.2; it fails with the following messages:
RTR_A >show configuration forwarding-options
##
## Warning: configuration block ignored: unsupported platform (m10i)
##
packet-capture {
    file filename pcap-file files 2 world-readable;
    maximum-capture-size 500;
}
Is there any limitation on packet-capture? Can anybody help me?
Regards
Can
09-14-2009 10:09 AM
Hi,
if you want to capture control traffic then you can just use the "monitor traffic" command.
lab@valletta-re0> monitor traffic interface ge-4/0/0 detail
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-4/0/0, capture size 1514 bytes
18:20:19.805709 Out IS-IS, length 56
L2 Lan IIH, hlen: 27, v: 1, pdu-v: 1, sys-id-len: 6 (0), max-area: 3 (0)
source-id: 0010.0100.1001, holding time: 27s, Flags: [Level 2 only]
lan-id: 0020.0200.2002.03, Priority: 64, PDU length: 56
IS Neighbor(s) TLV #6, length: 6
SNPA: 0024.dca1.e05f
Protocols supported TLV #129, length: 2
NLPID(s): IPv4 (0xcc), IPv6 (0x8e)
Reverse lookup for 192.168.1.1 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
IPv4 Interface address(es) TLV #132, length: 4
IPv4 interface address: 192.168.1.1
Area address(es) TLV #1, length: 4
Area address (length: 3): 49.1111
Restart Signaling TLV #211, length: 3
Flags [none], Remaining holding time 0s
^CReverse lookup was interrupted (check DNS reachability).
Use <no-resolve> to avoid reverse lookups on IP addresses.
2 packets received by filter
0 packets dropped by kernel
You cannot capture transit traffic with the "monitor" command.
If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Kind Regards
Michael Pergament
09-14-2009 01:53 PM
Hi Snet,
Packet-capture is used on J-series only. If you are trying to capture transit traffic on M-series, sampling is probably what you want.
http://www.juniper.net/techpubs/en_US/junos9.6/inf
Regards,
Ben
09-30-2009 07:20 AM
Hi Ben,
Thank you very much for your help. I have applied the traffic-sampling configuration to the router. I have captured the transit traffic according to the filter applied (e.g. SIP traffic, UDP-5060). I have a question; my applied filter is as follows:
show configuration firewall family inet filter sip-trafik
term sip-tafik-1 {
    from {
        protocol udp;
        port 5060;
    }
}
term sip-trafik1 {
    then {
        sample;
        accept;
    }
}
Some of the captured traffic output:
# Sep 30 11:44:16
#          Dest             Src   Dest    Src  Proto  TOS  Pkt  Intf      IP    TCP
#          addr            addr   port   port              len   num    frag  flags
   213.243.18.5  91.188.224.194   5980  21221      6  0x0  330   180     0x0   0x18
  91.188.239.34    64.14.90.231  11411     80      6  0x0  441   104  0x4000   0x18
    92.45.20.19   91.188.194.12   5060   5060     17  0x0  396   107  0x4000    0x0
  85.99.244.219   91.188.216.26      0      0     50  0x0  240   107  0x4000    0x0
Why is there also other traffic in the output besides UDP-5060, which is the only traffic I have filtered?
Regards
Can
09-30-2009 09:44 AM
snet wrote: Why there are also other traffic output except UDP-5060 which I have filtered only. Regards
This is because you put the from (condition) and then (action) in separate terms. Your second term, named "sip-trafik1", is unconditional. So all traffic is sampled and accepted. Try this instead.
term sip-trafik1 {
    from {
        protocol udp;
        port 5060;
    }
    then {
        sample;
        accept;
    }
}
term accept-all {
    then accept;
}
Regards,
Ben
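Added example, not part of the original thread and not Juniper code: a small Python lint for the mistake described in the answer above, which flags any term that samples without a from block and any term that has a from block but no then block. The function names, the finding labels and the two filter strings (re-typed from the posts) are assumptions made for this illustration.

```python
import re

# Constructed inputs: the two filter bodies quoted in the thread, re-typed as strings.
ORIGINAL = """
term sip-tafik-1 { from { protocol udp; port 5060; } }
term sip-trafik1 { then { sample; accept; } }
"""
FIXED = """
term sip-trafik1 { from { protocol udp; port 5060; } then { sample; accept; } }
term accept-all { then accept; }
"""

def parse_terms(text):
    """Return [(term_name, {"from": [...], "then": [...]})] for a filter body."""
    tok = re.findall(r"[{};]|[^\s{};]+", text)
    terms, i = [], 0
    while i < len(tok):
        if tok[i] != "term":
            i += 1
            continue
        name, body = tok[i + 1], {"from": [], "then": []}
        i += 3                                  # skip: term NAME {
        while tok[i] != "}":                    # until the term's closing brace
            section = tok[i]                    # "from" or "then"
            i += 1
            braced = tok[i] == "{"              # "then { ...; }" vs "then accept;"
            i += braced
            stmt = []
            while True:
                t = tok[i]
                i += 1
                if t == ";":
                    body.setdefault(section, []).append(" ".join(stmt))
                    stmt = []
                    if not braced:
                        break
                elif t == "}":
                    break
                else:
                    stmt.append(t)
        i += 1                                  # consume the term's closing brace
        terms.append((name, body))
    return terms

def lint(text):
    """Flag terms whose match conditions and actions have been split apart."""
    findings = []
    for name, body in parse_terms(text):
        if "sample" in body["then"] and not body["from"]:
            findings.append((name, "unconditional-sample"))   # samples all traffic reaching it
        if body["from"] and not body["then"]:
            findings.append((name, "match-without-action"))   # conditions with no then block
    return findings
```

Run against the output of "show configuration firewall family inet filter <name>" saved to a file, an empty result means every sampling term carries its own match conditions.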