Expressions don't work in tcpdump on Junos packet captures

Thursday

Hi,

If I capture transit packets (with "forwarding-options packet-capture" and on the interface "sampling"), I can view the resulting file in tcpdump on the Junos shell and on a generic Linux machine.  However I can't get an expression to match IP variables.

forwarding-options {
  packet-capture {
    /* Files are created in /var/tmp/ with the interface as a suffix on the filename */
    file filename Packet-Capture files 100 size 1m;
    maximum-capture-size 1520;
  }
}
interfaces {
# Be careful which interface you enable this on, or rather how long you leave it on!
  ge-0/0/1 {
    unit 0 {
      family inet {
        sampling {
          input;
          output;
        }
      }
    }
  }
}

So I can see the packets in the capture:

user@device> start shell
% tcpdump -r /var/tmp/Packet-Capture.ge-0.0.1
Reverse lookup for 192.168.250.2 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
09:36:53.925094 In IP 192.168.250.2 > 192.168.122.2: ESP(spi=3553665536,seq=0x2a9ef)
[snip]
09:38:19.386735 In IP 192.168.250.2 > 192.168.122.2: ESP(spi=3553665536,seq=0x2aab0)
%

But I can't see them if I use an expression:

% tcpdump -r /var/tmp/Packet-Capture.ge-0.0.1 host 192.168.122.2 
% 

If I open the packet capture in Wireshark I can filter with an expression there. And if I copy a capture file from tcpdump on a Linux machine to the Juniper device, I can use expressions in tcpdump on the Juniper device and they work. So I suspect that there's something about the way that Junos creates the packet capture file that means the versions of tcpdump I'm using can't identify the variables to filter on them with an expression. Perhaps it's that the link type is "link-type JUNIPER_ETHER (Juniper Ethernet)"?

[Generic-Linux]$ tcpdump -nvvr Packet-Capture.ge-0.0.1
reading from file Packet-Capture.ge-0.0.1, link-type JUNIPER_ETHER (Juniper Ethernet)
09:36:53.925094 
        Juniper PCAP Flags [Ext, In], PCAP Extension(s) total length 6
          Logical Interface Index Extension TLV #4, length 4, value 87
        -----original packet-----
        IP (tos 0xc0, ttl 59, id 33241, offset 0, flags [none], proto ESP (50), length 120)
    192.168.250.2 > 192.168.122.2: ESP(spi=0xd3d0a200,seq=0x2a9ef), length 100
[snip]

In no way is this a major problem, just that sometimes it would be nice to be able to use proper expressions in the Junos shell tcpdump, rather than copying the file to a computer with Wireshark or doing something ugly with grep.

Cheers.
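One way to test the link-type suspicion raised above, as an added example that is not from this thread or from Juniper: a small Python script that strips the Juniper pseudo-header from a JUNIPER_ETHER capture and re-saves it as a plain Ethernet (DLT 1) pcap, so the same `host` filter can be re-run on the rewritten file. The pseudo-header layout (magic "MGC", flags byte, big-endian extension length, TLVs) is assumed from tcpdump's print-juniper.c, and the sample capture is constructed inline to mirror the packet shown in the post.

```python
import struct
# DLT_JUNIPER_ETHER (178) pseudo-header as tcpdump's print-juniper.c decodes it (assumption): "MGC", flags, then if flags & 0x80 a big-endian u16 extension length followed by TLVs
JUNIPER_MAGIC = b"MGC"
JUNIPER_FLAG_PKT_IN = 0x01   # direction: inbound (the "In" in the tcpdump output)
JUNIPER_FLAG_NO_L2 = 0x02    # layer-2 header stripped; no Ethernet frame to recover
JUNIPER_FLAG_EXT = 0x80      # extension TLVs present
DLT_JUNIPER_ETHER = 178
DLT_EN10MB = 1

def strip_juniper_header(rec):
    """Return the Ethernet frame behind the Juniper pseudo-header, or None if it can't be recovered."""
    if len(rec) < 4 or rec[:3] != JUNIPER_MAGIC or rec[3] & JUNIPER_FLAG_NO_L2:
        return None
    off = 4
    if rec[3] & JUNIPER_FLAG_EXT:
        off += 2 + struct.unpack_from(">H", rec, 4)[0]   # skip all extension TLVs as one block
    return rec[off:]

def convert_pcap(data):
    """Rewrite a classic pcap with link type JUNIPER_ETHER as link type EN10MB; returns (bytes, kept, dropped)."""
    e = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}.get(data[:4])
    if e is None:
        raise ValueError("not a classic (non-pcapng) pcap file")
    dlt = struct.unpack_from(e + "I", data, 20)[0]
    if dlt != DLT_JUNIPER_ETHER:
        raise ValueError(f"link type {dlt}, expected JUNIPER_ETHER ({DLT_JUNIPER_ETHER})")
    out = bytearray(data[:20] + struct.pack(e + "I", DLT_EN10MB))   # same global header, new link type
    off, kept, dropped = 24, 0, 0
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack_from(e + "IIII", data, off)
        rec = data[off + 16: off + 16 + incl]
        off += 16 + incl
        frame = strip_juniper_header(rec)
        if frame is None:
            dropped += 1
            continue
        out += struct.pack(e + "IIII", ts_sec, ts_usec, len(frame), orig - (incl - len(frame))) + frame
        kept += 1
    return bytes(out), kept, dropped

def build_sample():
    """Constructed one-record capture shaped like the post's output: flags [Ext, In], IFL index TLV #4 = 87."""
    ext = bytes([4, 4]) + struct.pack("<I", 87)                      # TLV types below 128 carry little-endian values
    pseudo = JUNIPER_MAGIC + bytes([JUNIPER_FLAG_EXT | JUNIPER_FLAG_PKT_IN]) + struct.pack(">H", len(ext)) + ext
    eth = bytes(12) + b"\x08\x00"                                    # zeroed MACs, EtherType IPv4
    ip = bytes.fromhex("45c0001481d90000" "3b320000") + bytes([192, 168, 250, 2, 192, 168, 122, 2])  # ttl 59, ESP
    rec = pseudo + eth + ip
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1520, DLT_JUNIPER_ETHER)
    return global_hdr + struct.pack("<IIII", 1, 0, len(rec), len(rec)) + rec
```

If `tcpdump -r converted.pcap host 192.168.122.2` matches on the rewritten file but not on the original, the pseudo-header is what the filter is failing to skip; records flagged NO_L2 are dropped rather than guessed at, and pcapng files are not handled.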


Re: Expressions don't work in tcpdump on Junos packet captures

Thursday

It is working for me. Which model and Junos version are you using?

root@:/var/tmp # tcpdump -r tcpdump.pcap host 192.168.1.1
Reverse lookup for 192.168.1.1 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

10:27:09.153537 In IP 192.168.1.1 > 224.0.0.18: VRRPv2-advertisement 20: vrid=12 prio=128 authtype=none intvl=1
10:27:10.117394 In IP 192.168.1.1 > 224.0.0.18: VRRPv2-advertisement 20: vrid=12 prio=128 authtype=none intvl=1
10:27:10.965244 In IP 192.168.1.1 > 224.0.0.18: VRRPv2-advertisement 20: vrid=12 prio=128 authtype=none intvl=1
10:27:11.755102 In IP 192.168.1.1 > 224.0.0.18: VRRPv2-advertisement 20: vrid=12 prio=128 authtype=none intvl=1
10:27:12.513973 In IP 192.168.1.1 > 224.0.0.18: VRRPv2-advertisement 20: vrid=12 prio=128 authtype=none intvl=1
10:27:13.378905 In IP 192.168.1.1 > 224.0.0.18: VRRPv2-advertisement 20: vrid=12 prio=128 authtype=none intvl=1

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Re: Expressions don't work in tcpdump on Junos packet captures

Thursday

SRX300, Junos 15.1X49-D140.2. Was your capture file from the interface sampling method (so including transit traffic), or tcpdump from the shell (just traffic to/from the RE)?

Re: Expressions don't work in tcpdump on Junos packet captures

Thursday

Out of curiosity, does it work if you match the other host, 192.168.250.2 ?

Cheers

Pooja