Junos

JUNOS 9.0 and Monitoring Traffic

08-11-2008 10:40 AM

Hey all, I'm new to the JUNOS world and I'm hoping someone could explain why the following happens.

I have 2 J2330 routers running 9.0 and an XP system set up in my test network, assembled as such:

192.168.1.100 (XP) ------- 192.168.1.1 (Router 1 ge-0/0/0.0) (Router 1 ge-0/0/1.0) 192.168.2.1-----------192.168.2.2 (Router 2 ge-0/0/1.0)

RIP has been set up on both routers.

If I do a continuous ping from 192.168.1.100 -> 192.168.2.2, all responses are received; however, if I go to Router 1 and do a tcpdump or a monitor command, I never see any ICMP traffic, only ARP information and RIP updates. Shouldn't I be able to see my pings going across the wire?

12 REPLIES
Re: JUNOS 9.0 and Monitoring Traffic

08-12-2008 11:14 AM

'monitor interface traffic', and tcpdump will only capture traffic that is originated by, or destined for, the router itself.  In order to capture transit traffic, you will need to use sampling, or firewall rules.

 

Regards,

Ben

Re: JUNOS 9.0 and Monitoring Traffic

10-01-2008 11:46 PM

Hi,

I'm trying to tcpdump, or monitor if you prefer, one interface on my J2320 version 9.1, but I do not see any traffic.

I'm currently configuring SNMP on my J2320 but it doesn't work :(

So I began to sniff ....

I do not see any traffic.

I wondered if I had correctly configured my traffic monitor, so I tried to sniff a ping. No result either....

I do not understand why, because I was sniffing traffic going to the J2320.

Does anyone have an answer ... an idea?

Regards,

Saruhand

Re: JUNOS 9.0 and Monitoring Traffic

10-02-2008 08:08 AM

Hi,

Do you see any difference between sniffing on the whole interface and just the specific unit?

I mean, assuming you want to sniff the 10th unit of the ge-0/0/0 interface, do both commands have the same effect?

>   monitor traffic interface ge-0/0/0 no-resolve

>   monitor traffic interface ge-0/0/0.10 no-resolve

I added the 'no-resolve' option to eliminate any DNS issues.

Thanks,

Have a nice day,

G.

Re: JUNOS 9.0 and Monitoring Traffic

10-02-2008 09:08 AM

No, I do both but I do not see any traffic coming to the J-Series.

 

regards

Re: JUNOS 9.0 and Monitoring Traffic

11-11-2008 03:47 AM

I have the same issue.

I have an E1 interface (frame-relay encapsulation) facing the Internet.

When I try to ping its address with the standard ping command (from a FreeBSD box), I see no ICMP traffic in the monitor traffic interface output. But when I trace its address with mtr or the ping -R command, I see incoming ICMP packets.

It seems that the "monitor traffic interface" command does not match ICMP echo requests without the record route flag set.

Re: JUNOS 9.0 and Monitoring Traffic

11-12-2008 09:35 PM

Monitor traffic would only show traffic to and from the RE side of the router. That means you would see ARP, routing protocols, etc. But ICMP echos and echo replies actually stay within the PFE side of the router. So you would not see that in monitor traffic. If you want to see transit traffic then you should instead use packet-capture. This is documented in the JUNOS for J-Series Administration Guide.

 

-Richard

Re: JUNOS 9.0 and Monitoring Traffic

06-03-2009 01:35 PM

Thanks, packet capturing works for me on E1-interfaces. But what about VLAN-subinterfaces? I've tried to configure packet capture as follows:

minotaur@cr1-igo.ki# show forwarding-options
packet-capture {
    file filename pcap files 10 size 2k world-readable;
}

[edit]
minotaur@cr1-igo.ki# show interfaces ge-0/0/0 unit 150
vlan-id 150;
family inet {
    sampling {
        input;
        output;
    }
    address 10.2.0.1/24;
}

It does not work. How can I see traffic on VLAN-subinterfaces? Thanks.

Re: JUNOS 9.0 and Monitoring Traffic

06-04-2009 08:41 AM

The packet capture feature on J-series is not currently supported on Gigabit Ethernet interfaces.

 

Regards,

Ben

Re: JUNOS 9.0 and Monitoring Traffic

06-04-2009 11:23 PM

Packet capture is supported on GE interfaces on J-Series. Rather than using sampling input output configuration on family inet, try instead to use firewall filters with action of sample and apply that to the interface instead. That is also discussed in the documentation for packet captures.

 

-Richard

Re: JUNOS 9.0 and Monitoring Traffic

06-05-2009 09:56 AM

Thanks Richard, packet capture with filters works on GE-interfaces and on VLAN-subinterfaces.

But they don't work for GRE-interfaces. Now I have the following configuration:

minotaur@cr1-kur.ki> show configuration interfaces gr-0/0/0 unit 0
description "Tunnel: Sarny";
tunnel {
    source 91.200.195.6;
    destination 91.211.132.102;
}
family inet {
    filter {
        input PCAP;
    }
    address 10.250.0.1/30;
}

minotaur@cr1-kur.ki> show configuration firewall filter PCAP
term capture {
    from {
        protocol icmp;
    }
    then {
        sample;
        accept;
    }
}
term DEFAULT {
    then accept;
}

minotaur@cr1-kur.ki> show configuration forwarding-options packet-capture
file filename pcap files 3 size 2m world-readable;

But pcap-files for the gr-interface do not appear in the /var/tmp directory. Traffic sampling commands on the gr-interface also don't work.

How can I debug traffic on gr-interfaces? Thanks.

-- Alexander

Re: JUNOS 9.0 and Monitoring Traffic

06-05-2009 11:12 PM

No, packet captures do not work on GRE interfaces themselves. Packet-captures only work on physical type interfaces. To capture GRE traffic you would perform packet-capture on whatever physical interface terminates the GRE tunnel. Since GRE traffic is not normally encrypted you would be able to see the encapsulated packet within the GRE packet.

 

-Richard
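
The reply above says a capture taken on the physical interface that terminates the tunnel still exposes the packet carried inside GRE. The following is an added example, not part of the thread or of Juniper's tooling, that reads such a capture and reports the inner IPv4 header. It assumes a little-endian libpcap file with Ethernet II framing; the function names, the peer address 10.250.0.2 and the GRE key are constructed for the sample.

```python
import socket
import struct

def pcap_records(data):
    """Yield raw frames from a little-endian libpcap file (assumed capture format)."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    off = 24                                      # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def gre_inner(frame):
    """Return (outer_src, outer_dst, inner_src, inner_dst, inner_proto) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # Ethernet II + IPv4 only
        return None
    ip = frame[14:]
    gre = ip[(ip[0] & 0x0F) * 4:]                 # skip outer IP header (IHL words)
    if ip[9] != 47 or len(gre) < 4:               # IP protocol 47 = GRE
        return None
    flags, ptype = struct.unpack_from("!HH", gre, 0)
    hlen = 4
    for bit in (0x8000, 0x2000, 0x1000):          # checksum, key, sequence: 4 bytes each
        if flags & bit:
            hlen += 4
    inner = gre[hlen:]
    if ptype != 0x0800 or len(inner) < 20:        # decode IPv4 payloads only
        return None
    n = socket.inet_ntoa
    return n(ip[12:16]), n(ip[16:20]), n(inner[12:16]), n(inner[16:20]), inner[9]

def _ipv4(src, dst, proto, payload):
    """Constructed IPv4 packet; header checksum left at zero (not checked above)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def sample_pcap():
    """Constructed one-packet capture: ICMP echo request inside keyed GRE."""
    icmp = bytes([8, 0, 0xF7, 0xFF, 0, 0, 0, 0])
    inner = _ipv4("10.250.0.1", "10.250.0.2", 1, icmp)   # 10.250.0.2 is assumed
    gre = struct.pack("!HHI", 0x2000, 0x0800, 7) + inner  # K bit set, key 7
    frame = bytes(12) + b"\x08\x00" + _ipv4("91.200.195.6", "91.211.132.102", 47, gre)
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return ghdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    for rec in pcap_records(sample_pcap()):
        print(gre_inner(rec))
```

The inner protocol value 1 in the result is ICMP, which is what the PCAP filter on the gr- interface was trying to match.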

Re: JUNOS 9.0 and Monitoring Traffic

06-06-2009 04:55 AM

Thanks, all the issues with traffic monitoring and capturing have become much clearer to me.

I wish to add a short note about tunnel interfaces for those who just want to monitor traffic, not capture it. The filter can be modified to log a matched packet to syslog and then accept it:

minotaur@cr1-kur.ki> show configuration firewall filter Monitor-ICMP
term Monitor {
    from {
        protocol icmp;
    }
    then {
        syslog;
        accept;
    }
}
term DEFAULT {
    then accept;
}