[EX/M/MX/T] How to narrow down interesting traffic with monitor interface (i.e. match conditions for Junos)

Article ID: KB16385 KB Last Updated: 25 Feb 2019 Version: 4.0
Summary:

When monitoring traffic on an interface, the following match condition commands will be useful to narrow down interesting traffic during troubleshooting. 

Symptoms:

Narrow down specific traffic in the monitor interface output.

Solution:

From the CLI, use the following command with a matching condition (host, protocol, port, etc.) to display only the traffic of interest:

Host:
root# run monitor traffic interface ge-0/0/x matching "host 10.130.38.94" no-resolve

Protocol:
root# run monitor traffic interface ge-0/0/x matching arp

Port:
root# run monitor traffic interface ge-0/0/x matching "port 22"

IP address:
root# run monitor traffic interface ge-0/0/x matching "host 10.130.38.94" no-resolve detail

A network:
root# run monitor traffic interface ge-0/0/x matching "net 225.1.1.0/24" no-resolve detail

TCP port 179:
root# run monitor traffic interface ge-0/0/x matching "tcp port 179"

UDP port 646:
root# run monitor traffic interface ge-0/0/x matching "udp port 646"

Increase the size of capture:
root# run monitor traffic interface ge-0/0/x matching arp size 1500

Save the capture to a file (write-file is a hidden command, so type it out):
root# run monitor traffic interface ge-0/0/x matching arp write-file capture.pcap

Matching "not tcp port 3128" and matching "tcp port 23":
root# run monitor traffic interface ge-0/0/x matching "not tcp port 3128 and tcp port 23"

Matching BPDUs:
monitor traffic interface ge-0/0/1 no-resolve size 1500 layer2-headers matching "ether dst 01:80:c2:00:00:00" 

A more complicated combination that might be useful in some cases:
root# run monitor traffic interface ge-0/0/x matching "arp or (icmp and host 3.3.3.2)"
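
To see why the parentheses in the last expression matter, the following added example (not part of the Juniper article) evaluates a subset of the matching syntax against constructed packets. It assumes the expressions follow tcpdump/pcap-filter semantics, where "not" binds tightest and "and"/"or" have equal precedence and associate left to right; the function names and sample packets are illustrative.

```python
import ipaddress
import re

def parse(tokens):
    # "and"/"or" have equal precedence and associate left to right
    node = parse_term(tokens)
    while tokens and tokens[0] in ("and", "or"):
        op = tokens.pop(0)
        node = (op, node, parse_term(tokens))
    return node

def parse_term(tokens):
    tok = tokens.pop(0)
    if tok == "not":                      # negation binds tightest
        return ("not", parse_term(tokens))
    if tok == "(":
        node = parse(tokens)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("unbalanced parentheses")
        return node
    if tok in ("tcp", "udp") and tokens[:1] == ["port"]:
        tokens.pop(0)
        return ("port", tok, int(tokens.pop(0)))
    if tok == "port":
        return ("port", None, int(tokens.pop(0)))
    if tok in ("host", "net"):            # a host is treated as a /32 network
        return ("net", ipaddress.ip_network(tokens.pop(0)))
    return ("proto", tok)                 # arp, icmp, tcp, udp

def evaluate(node, pkt):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "proto":
        return pkt["proto"] == node[1]
    if kind == "net":                     # matches source or destination
        return any(ipaddress.ip_address(pkt[k]) in node[1] for k in ("src", "dst"))
    _, proto, port = node                 # port primitive, optional tcp/udp qualifier
    return proto in (None, pkt["proto"]) and port in (pkt.get("sport"), pkt.get("dport"))

def match(expr, pkt):
    return evaluate(parse(re.findall(r"[()]|[^\s()]+", expr)), pkt)

# Constructed sample packets (not captured traffic)
ARP = {"proto": "arp", "src": "3.3.3.9", "dst": "3.3.3.1"}
PING = {"proto": "icmp", "src": "3.3.3.2", "dst": "3.3.3.1"}
TELNET = {"proto": "tcp", "src": "10.130.38.94", "dst": "10.0.0.1", "sport": 40000, "dport": 23}
```

Without the parentheses, "arp or icmp and host 3.3.3.2" groups as "(arp or icmp) and host 3.3.3.2", so ARP packets that do not involve 3.3.3.2 drop out of the capture.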

Modification History:
2019/02/22: Updated 'monitor traffic' link and added CLI syntax for 'Matching BPDUs'
