[EX/M/MX/T] How to narrow down interesting traffic with monitor interface (i.e. match conditions for Junos)

Article ID: KB16385 | KB Last Updated: 11 Oct 2021 | Version: 6.0
Summary:

When monitoring traffic on an interface, the following match condition commands will be useful to narrow down interesting traffic during troubleshooting. 

Symptoms:

Narrow down specific traffic in the monitor interface output.

Solution:

From the CLI, use the following commands with a match condition (host, protocol, port, etc.) to display only the traffic of interest:

Host:

root# run monitor traffic interface ge-0/0/x matching "host 10.130.38.94" no-resolve

Protocol:

root# run monitor traffic interface ge-0/0/x matching arp

Port:

root# run monitor traffic interface ge-0/0/x matching "port 22"

IP address:

root# run monitor traffic interface ge-0/0/x matching "host 10.130.38.94" no-resolve detail

A network:

root# run monitor traffic interface ge-0/0/x matching "net 225.1.1.0/24" no-resolve detail

MAC address (source or destination):

root# run monitor traffic interface ge-0/0/x no-resolve detail matching "ether src 00:01:02:03:04:05"

or

root# run monitor traffic interface ge-0/0/x no-resolve detail matching "ether dst 00:01:02:03:04:05"

TCP port 179:

root# run monitor traffic interface ge-0/0/x matching "tcp port 179"

UDP port 646:

root# run monitor traffic interface ge-0/0/x matching "udp port 646"

Increase the size of capture:

root# run monitor traffic interface ge-0/0/x matching arp size 1500

Save the capture to a file:

root# run monitor traffic interface ge-0/0/x matching arp write-file capture.pcap

Note: write-file is a hidden command, so type it out in full.

Matching "not tcp port 3128" and "tcp port 23":

root# run monitor traffic interface ge-0/0/x matching "not tcp port 3128 and tcp port 23"

Matching STP BPDUs:

root# run monitor traffic interface ge-0/0/1 no-resolve size 1500 layer2-headers matching "ether dst 01:80:c2:00:00:00"

Matching ICMP/ICMPv6 or IGMP:

root# run monitor traffic interface ge-0/0/1 no-resolve matching icmp
root# run monitor traffic interface ge-0/0/1 no-resolve matching icmp6
root# run monitor traffic interface ge-0/0/1 no-resolve matching igmp

Matching any IP protocol (example: OSPF):

root# run monitor traffic interface ge-0/0/1 no-resolve matching "proto <ip protocol#>"

Example:
root# run monitor traffic interface ge-0/0/1 no-resolve matching "proto ospf"
or
root# run monitor traffic interface ge-0/0/1 no-resolve matching "proto 89"

A more complicated combination but might be useful in some cases:

root# run monitor traffic interface ge-0/0/x matching "arp or (icmp and host 10.10.3.2)"
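When these commands are generated by a script (for example from a ticket or an address list) instead of being typed, each value should be validated before it is placed inside the quoted match expression. The following is an added example, not part of the Juniper article: the function names are hypothetical, it handles only the primitives shown above, and it always parenthesizes combinations so grouping is explicit.

```python
import ipaddress
import re

MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}", re.I)
IFACE_RE = re.compile(r"[a-z]+[0-9/:.-]+")     # ge-0/0/1, ae0.100, irb.10
KEYWORDS = {"arp", "icmp", "icmp6", "igmp"}    # bare protocols used above

def term(kind, value=None):
    """Return one validated match primitive, or raise ValueError."""
    if kind in KEYWORDS and value is None:
        return kind
    if kind == "host":
        return f"host {ipaddress.ip_address(value)}"
    if kind == "net":                           # rejects host bits, e.g. 225.1.1.5/24
        return f"net {ipaddress.ip_network(value, strict=True)}"
    if kind in ("port", "tcp port", "udp port"):
        port = int(value)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {value!r}")
        return f"{kind} {port}"
    if kind in ("ether src", "ether dst"):
        if not MAC_RE.fullmatch(value):
            raise ValueError(f"bad MAC address: {value!r}")
        return f"{kind} {value.lower()}"
    raise ValueError(f"unsupported match term: {kind!r}")

def all_of(*terms):
    return "(" + " and ".join(terms) + ")"

def any_of(*terms):
    return "(" + " or ".join(terms) + ")"

def negate(t):
    return f"not {t}"

def monitor_command(interface, expression, detail=False, size=None):
    """Operational-mode command line; prefix with 'run' in configuration mode."""
    if not IFACE_RE.fullmatch(interface):
        raise ValueError(f"bad interface name: {interface!r}")
    if '"' in expression or "\n" in expression:
        raise ValueError("expression must not contain quotes or newlines")
    cmd = f"monitor traffic interface {interface} no-resolve"
    if detail:
        cmd += " detail"
    if size is not None:
        cmd += f" size {int(size)}"
    return f'{cmd} matching "{expression}"'

if __name__ == "__main__":
    expr = any_of(term("arp"), all_of(term("icmp"), term("host", "10.10.3.2")))
    print(monitor_command("ge-0/0/1", expr, detail=True))
```
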

Modification History:
2021-09-23: Added ICMP/IGMP and OSPF 
2020-09-23: Corrected typo (BDPUs for BPDUs), added matching for MAC Address
2019-02-22: Updated 'monitor traffic' link and added CLI syntax for 'Matching BDPUs'

 
