[MX] Missing bytes in the output of "monitor traffic interface"

Article ID: KB31448, KB Last Updated: 12 Jun 2020, Version: 3.0

Summary:

The command "monitor traffic interface" is a powerful tool in Junos to help network engineers understand traffic to and from the routing engine. This article uses an example to explain the "missing bytes" when running the "monitor traffic interface" command.

Symptoms:

When using “monitor traffic interface” to monitor traffic, missing bytes are often encountered, as shown below:

user@mx960> monitor traffic interface et-2/0/0 matching icmp
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on et-2/0/0, capture size 96 bytes

Reverse lookup for 68.86.91.14 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses
.

15:31:41.176630 In IP 68.86.91.13 > 68.86.91.14: ICMP echo request, id 29844, seq 560, length 64
15:31:41.176642 Out IP truncated-ip - 24 bytes missing! 68.86.91.14 > 68.86.91.13: ICMP echo reply, id 29844, seq 560, length 64
15:31:42.177407 In IP 68.86.91.13 > 68.86.91.14: ICMP echo request, id 29844, seq 561, length 64
15:31:42.177417 Out IP truncated-ip - 24 bytes missing! 68.86.91.14 > 68.86.91.13: ICMP echo reply, id 29844, seq 561, length 64
15:31:43.178233 In IP 68.86.91.13 > 68.86.91.14: ICMP echo request, id 29844, seq 562, length 64
15:31:43.178242 Out IP truncated-ip - 24 bytes missing! 68.86.91.14 > 68.86.91.13: ICMP echo reply, id 29844, seq 562, length 64
15:31:44.179900 In IP 68.86.91.13 > 68.86.91.14: ICMP echo request, id 29844, seq 563, length 64
15:31:44.179909 Out IP truncated-ip - 24 bytes missing! 68.86.91.14 > 68.86.91.13: ICMP echo reply, id 29844, seq 563, length 64
^C

In the outbound traffic, the IP packet is truncated and 24 bytes are missing. Where do the 24 bytes go? No missing bytes are reported on the inbound traffic. Does this mean that nothing is missing inbound?

Cause:

For outbound traffic:

The default Junos ping size is 56 bytes, so on Junos:
“ping 10.1.1.1” is equivalent to “ping 10.1.1.1 size 56”

This 56 bytes is the ICMP data; it does not include the 8-byte ICMP header.
Therefore, if no bytes are missing, the whole length of an outbound ping packet on the wire should be 120 bytes:

Including: Juniper Ethernet header(22) + Ethernet frame (98)

Ethernet frame 98 bytes:
Including:
Ethernet header(14) + Ethernet Data(84)

Ethernet data 84 bytes:
Including:
IP header(20) + IP Data(64)

IP data 64 bytes:
Including:
ICMP header(8) + ICMP Data(56)

Wireshark shows:

ICMP data 56 bytes:
Including:
Time stamp from ICMP data(8)+ ICMP-DATA(48)

When “monitor traffic” is used to capture the traffic, the default capture size is 96 bytes. This capture size covers the Ethernet frame plus the Juniper Ethernet header, which is 22 bytes. So only 96 - 22 = 74 bytes of the Ethernet frame are captured.

Captured ICMP-DATA = 74 - Ethernet header(14) - IP header(20) - ICMP header(8) - Time stamp from ICMP data(8) = 24 bytes.

So 48 - 24 = 24 bytes are missing.

For inbound traffic:

For inbound traffic such as IPv4, IPv6 and MPLS, the PFE strips off the Ethernet header and adds a special 4-byte header before sending the packet to the RE:

IPv4: identified by PFE protocol 2, [0200 0000] will be added.
MPLS: identified by PFE protocol 4, [0400 0000] will be added.
IPv6: identified by PFE protocol 6, [0600 0000] will be added.

If no bytes are missing, the whole packet length on the wire should be 110 bytes:

Including: Juniper Ethernet header (22) + [0200 0000] (4) + IP packet (84)

IP packet 84 bytes:
Including:
IP header(20) + IP Data(64)

IP data 64 bytes:
Including:
ICMP header(8) + ICMP Data(56)

Wireshark shows:

ICMP data 56 bytes:
Including:
Time stamp from ICMP data(8)+ ICMP-DATA(48)

Because the default capture size is 96, only (96 - 22 - 4) = 70 bytes of the IP packet are captured.
The captured ICMP-DATA drops from 48 bytes to (70 - 20 [IP header] - 8 [ICMP header] - 8 [ICMP data timestamp]) = 34 bytes.

So the inbound traffic is missing 14 bytes, but here the 14 missing bytes are not reported.

Solution:

To capture all the bytes, increase the capture size with the "size" option:

>monitor traffic interface ge-3/1/1 size ?
Possible completions:
  <size>             Amount of each packet to receive (bytes)
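The byte accounting above can be turned into a small calculator for the `size` value. This is an added example, not Juniper code: the function names are hypothetical, the header sizes are the ones given in this article, and the sample transcript is a shortened copy of the output shown under Symptoms. It generalizes the article's case to any ping size and capture size.

```python
import re

# Header sizes as stated in the article
JUNIPER_HDR = 22  # Juniper Ethernet header, counted inside the capture size
ETH_HDR = 14      # Ethernet header, present on outbound captures
PFE_HDR = 4       # e.g. [0200 0000] for IPv4; replaces the Ethernet header inbound
IP_HDR = 20
ICMP_HDR = 8

def full_length(direction, ping_size=56):
    """Capture size needed to hold a whole ICMP echo packet ("In" or "Out")."""
    l2 = ETH_HDR if direction == "Out" else PFE_HDR
    return JUNIPER_HDR + l2 + IP_HDR + ICMP_HDR + ping_size

def missing_bytes(direction, capture_size=96, ping_size=56):
    """Bytes cut off by the capture size, whether or not the CLI reports them."""
    return max(0, full_length(direction, ping_size) - capture_size)

CAPTURE_RE = re.compile(r"capture size (\d+) bytes")
TRUNC_RE = re.compile(r"^\S+ (In|Out)\s+IP truncated-ip - (\d+) bytes missing!")

def size_from_output(text):
    """Smallest size that clears every truncation reported in a transcript."""
    m = CAPTURE_RE.search(text)
    if not m:
        raise ValueError("no 'capture size' line found")
    reported = [int(t.group(2)) for line in text.splitlines()
                if (t := TRUNC_RE.match(line.strip()))]
    return int(m.group(1)) + max(reported, default=0)

# Shortened copy of the transcript shown under Symptoms
SAMPLE = """\
Listening on et-2/0/0, capture size 96 bytes
15:31:41.176630 In IP 68.86.91.13 > 68.86.91.14: ICMP echo request, id 29844, seq 560, length 64
15:31:41.176642 Out IP truncated-ip - 24 bytes missing! 68.86.91.14 > 68.86.91.13: ICMP echo reply, id 29844, seq 560, length 64
"""

if __name__ == "__main__":
    for d in ("Out", "In"):
        print(d, "needs", full_length(d), "bytes; missing at 96:", missing_bytes(d))
    print("size from transcript:", size_from_output(SAMPLE))
```

Because inbound truncation is not reported in the output, `size_from_output` only sees the outbound figure; `missing_bytes("In")` gives the inbound loss from the header model instead.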

Modification History:
2020-06-12: Article reviewed for accuracy; no changes required