Junos

Expressions don't work in tcpdump on Junos packet captures

06-13-2019 03:05 AM

Hi,

If I capture transit packets (with "forwarding-options packet-capture" and on the interface "sampling"), I can view the resulting file in tcpdump on the Junos shell and on a generic Linux machine.  However, I can't get an expression to match IP variables.

forwarding-options {
  packet-capture {
    /* Files are created in /var/tmp/ with the interface as a suffix on the filename */
    file filename Packet-Capture files 100 size 1m;
    maximum-capture-size 1520;
  }
}
interfaces {
# Be careful which interface you enable this on, or rather how long you leave it on!
  ge-0/0/1 {
    unit 0 {
      family inet {
        sampling {
          input;
          output;
        }
      }
    }
  }
}

So I can see the packets in the capture:

user@device> start shell
% tcpdump -r /var/tmp/Packet-Capture.ge-0.0.1
Reverse lookup for 192.168.250.2 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

09:36:53.925094 In IP 192.168.250.2 > 192.168.122.2: ESP(spi=3553665536,seq=0x2a9ef)
[snip]
09:38:19.386735 In IP 192.168.250.2 > 192.168.122.2: ESP(spi=3553665536,seq=0x2aab0)
%

But I can't see them if I use an expression:

% tcpdump -r /var/tmp/Packet-Capture.ge-0.0.1 host 192.168.122.2
%

If I open the packet capture in Wireshark I can filter with an expression there.  And if I copy a capture file from tcpdump on a Linux machine to the Juniper device, I can use expressions in tcpdump on the Juniper device and they work.  So I suspect that there's something about the way that Junos creates the packet capture file that means that the versions of tcpdump I'm using can't identify the variables to filter on with an expression.  Perhaps it's that the link type is "link-type JUNIPER_ETHER (Juniper Ethernet)"?

[Generic-Linux]$ tcpdump -nvvr Packet-Capture.ge-0.0.1
reading from file Packet-Capture.ge-0.0.1, link-type JUNIPER_ETHER (Juniper Ethernet)
09:36:53.925094 
        Juniper PCAP Flags [Ext, In], PCAP Extension(s) total length 6
          Logical Interface Index Extension TLV #4, length 4, value 87
        -----original packet-----
        IP (tos 0xc0, ttl 59, id 33241, offset 0, flags [none], proto ESP (50), length 120)
    192.168.250.2 > 192.168.122.2: ESP(spi=0xd3d0a200,seq=0x2a9ef), length 100
[snip]

In no way is this a major problem, just that sometimes it would be nice to be able to use proper expressions in the Junos shell tcpdump, rather than copying the file to a computer with Wireshark or doing something ugly with grep.

Cheers.
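
An added example (not from this thread, and not Juniper's or tcpdump's code) that shows why a "host" expression can come back empty on a JUNIPER_ETHER file and how to filter such a file anyway. The Junos packet-capture file wraps each frame in a small Juniper header (the "Juniper PCAP Flags ... Extension TLV" block in the -v decode above) before the Ethernet header, so a filter that expects the Ethernet header at offset 0 of the packet, as it is in an EN10MB capture from a Linux box, never finds an IPv4 ethertype and matches nothing. The script reads a pcap file with only the Python standard library, dispatches on the link-type in the file header (1 = EN10MB, 169 = JUNIPER_ETHER), skips the Juniper header when present, and applies a "host" match itself. The Juniper header layout (3-byte magic 0x4d4743 "MGC", one flags byte with 0x80 = extensions present and 0x01 = inbound, a 2-byte extension length followed by the TLVs, then the Ethernet frame) is an assumption taken from tcpdump's print-juniper.c decoder and from the decode shown in the thread; the two sample captures are constructed inside the script and the ESP payloads are placeholders.

```python
"""Link-type aware 'host' filter for pcap files, including Junos
packet-capture files written with link-type JUNIPER_ETHER (DLT 169).

Added example, not code from the forum thread. The Juniper header layout
(magic 'MGC', flags byte, optional extension TLVs, then an Ethernet frame)
is an assumption taken from tcpdump's print-juniper.c decoder.
"""
import struct
import ipaddress

DLT_EN10MB = 1
DLT_JUNIPER_ETHER = 169
JUNIPER_MAGIC = b"\x4d\x47\x43"     # "MGC" (assumed from tcpdump's decoder)
JUNIPER_BPF_PKT_IN = 0x01           # direction bit: set = inbound ("In")
JUNIPER_BPF_NO_L2 = 0x02            # L2 header stripped (not handled here)
JUNIPER_BPF_EXT = 0x80              # extension TLVs present
ETHERTYPE_IPV4 = 0x0800


def juniper_l2_offset(pkt):
    """Return (offset of the Ethernet frame, inbound flag) for a DLT 169 packet."""
    if pkt[:3] != JUNIPER_MAGIC:
        raise ValueError("no Juniper magic number")
    flags = pkt[3]
    off = 4
    if flags & JUNIPER_BPF_EXT:
        (ext_len,) = struct.unpack_from("!H", pkt, off)
        off += 2 + ext_len                  # skip the TLVs entirely
    if flags & JUNIPER_BPF_NO_L2:
        raise ValueError("L2 header stripped; not handled in this example")
    return off, bool(flags & JUNIPER_BPF_PKT_IN)


def ipv4_addrs(frame):
    """Parse an untagged Ethernet frame; return (src, dst) or None if not IPv4."""
    if len(frame) < 34:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    src, dst = struct.unpack_from("!4s4s", frame, 14 + 12)
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


def read_pcap(data):
    """Yield (timestamp, link_type, packet_bytes) from a little-endian pcap."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian, microsecond pcap handled here")
    (link_type,) = struct.unpack_from("<I", data, 20)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, link_type, data[off:off + incl_len]
        off += incl_len


def host_filter(data, host, link_aware=True):
    """Emulate 'tcpdump -r FILE host HOST'. Returns a list of (dir, src, dst)."""
    matches = []
    for _ts, link_type, pkt in read_pcap(data):
        direction = ""
        if link_type == DLT_JUNIPER_ETHER and link_aware:
            l2_off, inbound = juniper_l2_offset(pkt)
            direction = "In" if inbound else "Out"
        else:
            l2_off = 0   # Ethernet-at-offset-0 assumption: right for EN10MB, wrong for DLT 169
        addrs = ipv4_addrs(pkt[l2_off:])
        if addrs and host in addrs:
            matches.append((direction, addrs[0], addrs[1]))
    return matches


# --- constructed sample data (not real captures) ---------------------------
def build_frame(src, dst):
    """Ethernet + IPv4 header with proto 50 (ESP); tos/ttl/id mirror the thread's decode."""
    payload = b"\x00" * 8                    # placeholder for ESP SPI and sequence
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(payload), 33241, 0,
                     59, 50, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed) + payload
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def build_juniper_packet(frame, inbound):
    """Prefix a frame with the assumed Juniper header: IFL index TLV #4 = 87 as in the thread."""
    tlv = bytes([4, 4]) + struct.pack("!I", 87)
    flags = JUNIPER_BPF_EXT | (JUNIPER_BPF_PKT_IN if inbound else 0)
    return JUNIPER_MAGIC + bytes([flags]) + struct.pack("!H", len(tlv)) + tlv + frame


def build_pcap(link_type, packets):
    """Little-endian pcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1520, link_type)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1560418613 + i, 925094, len(pkt), len(pkt)) + pkt
    return out


SAMPLE_FRAMES = [
    (build_frame("192.168.250.2", "192.168.122.2"), True),    # In
    (build_frame("192.168.122.2", "192.168.250.2"), False),   # Out
    (build_frame("10.0.0.1", "10.0.0.2"), True),              # unrelated transit flow
]
JUNOS_CAPTURE = build_pcap(DLT_JUNIPER_ETHER,
                           [build_juniper_packet(f, d) for f, d in SAMPLE_FRAMES])
LINUX_CAPTURE = build_pcap(DLT_EN10MB, [f for f, _ in SAMPLE_FRAMES])

if __name__ == "__main__":
    print("EN10MB, host 192.168.122.2:", host_filter(LINUX_CAPTURE, "192.168.122.2"))
    print("JUNIPER_ETHER, header ignored:", host_filter(JUNOS_CAPTURE, "192.168.122.2", link_aware=False))
    print("JUNIPER_ETHER, header skipped:", host_filter(JUNOS_CAPTURE, "192.168.122.2"))
```

Running it prints two matches for the EN10MB file, nothing for the JUNIPER_ETHER file when the Juniper header is ignored (the empty result seen above), and the In and Out matches once the header is skipped. It only handles little-endian microsecond pcap files and captures that keep the Ethernet header (No-L2 flag unset), which is what the -v decode above shows; a real capture from /var/tmp can be fed in with open(path, "rb").read().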

 


Re: Expressions don't work in tcpdump on Junos packet captures

‎06-13-2019 03:26 AM

It is working for me. Which model and Junos version are you using?

root@:/var/tmp # tcpdump -r tcpdump.pcap host 192.168.1.1
Reverse lookup for 192.168.1.1 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

10:27:09.153537 In IP 192.168.1.1 > 224.0.0.18: VRRPv2-advertisement 20: vrid=12 prio=128 authtype=none intvl=1
10:27:10.117394 In IP 192.168.1.1 > 224.0.0.18: VRRPv2-advertisement 20: vrid=12 prio=128 authtype=none intvl=1
10:27:10.965244 In IP 192.168.1.1 > 224.0.0.18: VRRPv2-advertisement 20: vrid=12 prio=128 authtype=none intvl=1
10:27:11.755102 In IP 192.168.1.1 > 224.0.0.18: VRRPv2-advertisement 20: vrid=12 prio=128 authtype=none intvl=1
10:27:12.513973 In IP 192.168.1.1 > 224.0.0.18: VRRPv2-advertisement 20: vrid=12 prio=128 authtype=none intvl=1
10:27:13.378905 In IP 192.168.1.1 > 224.0.0.18: VRRPv2-advertisement 20: vrid=12 prio=128 authtype=none intvl=1

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)

Re: Expressions don't work in tcpdump on Junos packet captures

06-13-2019 03:36 AM

SRX300, Junos 15.1X49-D140.2.  Was your capture file from the interface sampling method (so including transit traffic), or tcpdump from the shell (just traffic to/from the RE)?

Re: Expressions don't work in tcpdump on Junos packet captures

‎06-13-2019 05:26 PM

Out of curiosity, does it work if you match the other host, 192.168.250.2?

Cheers

Pooja

Re: Expressions don't work in tcpdump on Junos packet captures

‎06-17-2019 06:19 AM

Hi Pooja.  No:

% tcpdump -r /var/tmp/Packet-Capture.ge-0.0.1 
Reverse lookup for 192.168.250.2 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

09:36:53.925094  In IP 192.168.250.2 > 192.168.122.2: ESP(spi=3553665536,seq=0x2a9ef)
09:36:53.925294 Out IP 192.168.122.2 > 192.168.250.2: ESP(spi=3910821161,seq=0x1762d)
[snip]
09:38:19.386708 Out IP 192.168.122.2 > 192.168.250.2: ESP(spi=3910821161,seq=0x17721)
09:38:19.386735  In IP 192.168.250.2 > 192.168.122.2: ESP(spi=3553665536,seq=0x2aab0)
% tcpdump -r /var/tmp/Packet-Capture.ge-0.0.1 host 192.168.250.2
% tcpdump -r /var/tmp/Packet-Capture.ge-0.0.1 host 192.168.122.2
% 

Re: Expressions don't work in tcpdump on Junos packet captures

‎06-17-2019 11:08 AM

Thank you, I'll check if I see something similar on 15.1X49-D140 and respond back shortly.

Cheers

Pooja

Re: Expressions don't work in tcpdump on Junos packet captures

‎06-22-2019 11:28 PM

Hi there,

It does seem to match expressions just fine on the D140 code at my end.

Any chance we can get you to create a JTAC service request so this can be further investigated?

root@priomct02% tcpdump -i fxp0 host 10.85.146.134
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on fxp0, capture size 96 bytes

Reverse lookup for 1.1.1.3 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

02:22:48.693467 Out IP truncated-ip - 316 bytes missing! 10.85.146.134.ssh > pmallya-t460.jnpr.net.58816: P 1688620192:1688620528(336) ack 3165760738 win 33320
02:22:48.982316 In IP truncated-ip - 76 bytes missing! pmallya-t460.jnpr.net.58816 > 10.85.146.134.ssh: P 4294967201:1(96) ack 4294967200 win 256
02:22:48.982365 Out IP 10.85.146.134.ssh > pmallya-t460.jnpr.net.58816: . ack 1 win 33320
02:22:48.985857 In IP pmallya-t460.jnpr.net.58816 > 10.85.146.134.ssh: . ack 336 win 260
02:22:49.694198 Out IP truncated-ip - 12 bytes missing! 10.85.146.134.50031 > 10.85.128.1.domain: 35081+[|domain]
02:22:49.696563 In IP truncated-ip - 475 bytes missing! 10.85.128.1.domain > 10.85.146.134.50031: 35081[|domain]
02:22:49.697681 Out IP truncated-ip - 12 bytes missing! 10.85.146.134.53386 > 10.85.128.1.domain: 35082+[|domain]
02:22:49.698186 In IP truncated-ip - 77 bytes missing! 10.85.128.1.domain > 10.85.146.134.53386: 35082 NXDomain[|domain]
02:22:49.698542 Out IP truncated-ip - 748 bytes missing! 10.85.146.134.ssh > pmallya-t460.jnpr.net.58816: P 336:1104(768) ack 1 win 33320
02:22:50.276828 In IP pmallya-t460.jnpr.net.58816 > 10.85.146.134.ssh: . ack 1104 win 257
^C
20 packets received by filter
0 packets dropped by kernel
root@priomct02%

Cheers

Pooja