Wednesday, August 24, 2011

Packet Capture to and from the RE of the SRX


Use the 'monitor traffic interface' command to capture packets destined to and from the RE (Routing Engine) of the Junos device. This feature is useful for troubleshooting why one can't telnet to the SRX device, or for troubleshooting if a SNMP request is being received and transmitted from the SRX device, or for troubleshooting OSPF, BGP, and PPP connectivity issues

Notes: This feature is not promiscuous mode. This feature only captures traffic to/from the RE of the SRX or J Series device itself. It does not capture transit traffic (forwarding plane) for transit traffic packet capture kindly read the previous post [Packet Capture for transit traffic through the SRX]

ICMP traffic to the SRX is excluded. As ICMP stays within the forwarding plane, and 'monitor traffic' is tracking the RE (control plane))

RE[Routing Engine] traffic can be captured at shell prompt using "tcpdump" or at operational mode using "monitor traffic" command. The examples are shown below respectively to capture the bi-directional traffic for the host 10.10.10.10. To stop the capture press [Ctrl + c]


root@vit-se-got-srx210% tcpdump -i ge-0/0/0.0 host 10.10.10.10
verbose output suppressed, use or for full protocol decode
Address resolution is ON. Use to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/0.0, capture size 96 bytes

Reverse lookup for 10.221.227.5 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use to avoid reverse lookups on IP addresses.

11:00:09.719293 Out IP truncated-ip - 268 bytes missing! 10.221.227.5.ssh > 10.10.10.10.4325: P 555395906:555396194(288) ack 2586990612 win 65535
11:00:10.152051 In IP 10.10.10.10.4325 > 10.221.227.5.ssh: . ack 288 win 65535
11:00:10.158260 In IP 10.10.10.10.4325 > 10.221.227.5.ssh: P 1:81(80) ack 288 win 65535
11:00:10.260264 Out IP 10.221.227.5.ssh > 10.10.10.10.4325: . ack 81 win 65535
11:00:10.750728 Out IP truncated-ip - 204 bytes missing! 10.221.227.5.ssh > 10.10.10.10.4325: P 288:512(224) ack 81 win 65535
11:00:10.758631 Out IP truncated-ip - 428 bytes missing! 10.221.227.5.ssh > 10.10.10.10.4325: P 512:960(448) ack 81 win 65535
11:00:11.071996 In IP 10.10.10.10.4325 > 10.221.227.5.ssh: . ack 960 win 64863
11:00:11.780993 Out IP truncated-ip - 364 bytes missing! 10.221.227.5.ssh > 10.10.10.10.4325: P 960:1344(384) ack 81 win 65535
11:00:12.140755 In IP 10.10.10.10.4325 > 10.221.227.5.ssh: . ack 1344 win 64479
^C
14 packets received by filter
0 packets dropped by kernel




root@srx210> monitor traffic interface ge-0/0/0.0 matching "host 10.10.10.10"
verbose output suppressed, use or for full protocol decode
Address resolution is ON. Use to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/0.0, capture size 96 bytes

Reverse lookup for 10.221.227.5 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use to avoid reverse lookups on IP addresses.

10:52:30.785014 Out IP truncated-ip - 268 bytes missing! 10.221.227.5.ssh > 10.10.10.10.4325: P 555386658:555386946(288) ack 2586987092 win 65535
10:52:30.954026 In IP 10.10.10.10.4325 > 10.221.227.5.ssh: . ack 0 win 64799
10:52:31.216362 In IP 10.10.10.10.4325 > 10.221.227.5.ssh: . ack 288 win 64511
10:52:31.815841 Out IP truncated-ip - 204 bytes missing! 10.221.227.5.ssh > 10.10.10.10.4325: P 288:512(224) ack 1 win 65535
10:52:31.821488 Out IP truncated-ip - 332 bytes missing! 10.221.227.5.ssh > 10.10.10.10.4325: P 512:864(352) ack 1 win 65535
10:52:32.017942 In IP 10.10.10.10.4325 > 10.221.227.5.ssh: . ack 864 win 65535
10:52:32.842956 Out IP truncated-ip - 364 bytes missing! 10.221.227.5.ssh > 10.10.10.10.4325: P 864:1248(384) ack 1 win 65535
10:52:33.166213 In IP 10.10.10.10.4325 > 10.221.227.5.ssh: . ack 1248 win 65151
10:52:33.864493 Out IP truncated-ip - 236 bytes missing! 10.221.227.5.ssh > 10.10.10.10.4325: P 1248:1504(256) ack 1 win 65535
10:52:34.070565 In IP 10.10.10.10.4325 > 10.221.227.5.ssh: P 1:81(80) ack 1504 win 64895
10:52:34.172786 Out IP 10.221.227.5.ssh > 10.10.10.10.4325: . ack 81 win 65535
^C
15 packets received by filter
0 packets dropped by kernel




Leave your comment below

No comments:

Post a Comment