[MX] Using "monitor traffic interface" with a byte field parameter for specific packets

  [KB34714]


Summary:

This article describes how to capture specific packets with the monitor traffic interface command by matching on a byte field at a given offset.


Solution:

For troubleshooting, you can capture packets from the Command Line Interface with the monitor traffic interface command. KB33629 - [MX] Sample "monitor traffic interface" CLI commands to filter and capture traffic shows examples that use the common protocol keywords.

To build a more advanced filter that selects a very specific packet, match on a byte field inside a protocol header. The syntax is:

protocol[offset in bytes from the start of that protocol's header : number of bytes to compare (1, 2 or 4)]

For example:

  • ether[0:1] means the first byte of the Ethernet frame (offset 0, length 1).

  • ip[12:4] means the 4-byte source address field of the IP header (offset 12).

The operators available for this advanced filter are >, <, >=, <=, ==, !=, & (bitwise AND) and | (bitwise OR).

Some examples are as follows:

  1. <-------- Frames carrying a VLAN tag (EtherType 0x8100 at offset 12)
    
    lab@R2> monitor traffic interface ae0.0 layer2-headers matching "ether[12:2] == 0x8100" extensive print-hex
    
    21:56:06.197822 bpf_flags 0x80, Out
        Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
          Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
          Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
          Device Interface Index Extension TLV #1, length 2, value: 164
          Logical Interface Index Extension TLV #4, length 4, value: 332
        -----original packet-----
        2c:6b:f5:c9:48:c0 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 64, p 0, ethertype ARP, arp who-has 192.0.2.1 tell 192.0.2.2
                 ffff ffff ffff 2c6b f5c9 48c0 8100 0040
                 0806 0001 0800 0604 0001 2c6b f5c9 48c0
                 c000 0202 0000 0000 0000 c000 0201
    
    
    
  2. <-------- VLAN tag ID is 64 (0x40, the low byte of the tag at offset 15)
    
    lab@R2> monitor traffic interface ae0.0 no-resolve layer2-headers matching "ether[15:1] == 0x40" extensive print-hex
    
    22:07:41.948960 bpf_flags 0x80, Out
        Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
          Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
          Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
          Device Interface Index Extension TLV #1, length 2, value: 164
          Logical Interface Index Extension TLV #4, length 4, value: 332
        -----original packet-----
        2c:6b:f5:c9:48:c0 > 2c:6b:f5:d9:67:c0, ethertype 802.1Q (0x8100), length 102: vlan 64, p 0, ethertype IPv4, (tos 0x0, ttl  64, id 55415, offset 0, flags [none], proto: ICMP (1), length: 84) 192.0.2.2 > 192.0.2.1: ICMP echo request, id 42291, seq 0, length 64
                 2c6b f5d9 67c0 2c6b f5c9 48c0 8100 0040
                 0800 4500 0054 d877 0000 4001 1e2e c000
                 0202 c000 0201 0800 cce2 a533 0000 5d09
                 c31d 000e 7ab1 0809 0a0b 0c0d 0e0f 1011
                 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021
                 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031
                 3233 3435 3637
    
    
    
  3. <-------- Multicast frame (group bit set in the first byte of the destination MAC)
    
    lab@R2> monitor traffic matching "ether[0] & 1 != 0" extensive layer2-headers print-hex
    
    11:23:01.883592 bpf_flags 0x81,  In
        Juniper PCAP Flags [Ext, In], PCAP Extension(s) total length 16
          Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
          Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
          Device Interface Index Extension TLV #1, length 2, value: 8
          Logical Interface Index Extension TLV #4, length 4, value: 4
        -----original packet-----
        56:68:a3:1e:2f:ba > 01:00:5e:00:00:0d, ethertype IPv4 (0x0800), length 68: (tos 0xc0, ttl   1, id 29644, offset 0, flags [none], proto: PIM (103), length: 54) tt-mkmurthy-10755156-vm-em0.englab.juniper.net > pim-routers.mcast.net: tt-mkmurthy-10755156-vm-em0.englab.juniper.net > pim-routers.mcast.net:PIMv2, length 34
        Hello, cksum 0xf738 (correct)
          Hold Time Option (1), length 2, Value: 1m45s
            0x0000: 0069
          LAN Prune Delay Option (2), length 4, Value:
            T-bit=1, LAN delay 500ms, Override interval 2000ms
            0x0000: 81f4 07d0
          DR Priority Option (19), length 4, Value: 1
            0x0000: 0000 0001
          Generation ID Option (20), length 4, Value: 0x0acd5393
            0x0000: 0acd 5393
                 0100 5e00 000d 5668 a31e 2fba 0800 45c0
                 0036 73cc 0000 0167 74a7 0a31 e5ef e000
                 000d 2000 f738 0001 0002 0069 0002 0004
                 81f4 07d0 0013 0004 0000 0001 0014 0004
                 0acd 5393
    
    
    
  4. <-------- Source MAC address begins with "56:68" (offset 6 is the start of the source MAC)
    
    lab@R1> monitor traffic interface ge-0/0/1 matching "ether[6:2] == 0x5668" extensive layer2-headers print-hex
    
    11:32:18.326084 bpf_flags 0x80, Out
        Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
          Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
          Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
          Device Interface Index Extension TLV #1, length 2, value: 141
          Logical Interface Index Extension TLV #4, length 4, value: 333
        -----original packet-----
        56:68:a3:1e:5e:07 > 56:68:a3:1e:5d:f7, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl  64, id 7394, offset 0, flags [none], proto: ICMP (1), length: 84) 192.168.1.1 > 192.168.1.2: ICMP echo request, id 58128, seq 1, length 64
                 5668 a31e 5df7 5668 a31e 5e07 0800 4500
                 0054 1ce2 0000 4001 da73 c0a8 0101 c0a8
                 0102 0800 0d8a e310 0001 5d0f c5b2 0004
                 f99a 0809 0a0b 0c0d 0e0f 1011 1213 1415
                 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
                 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
                 3637
    
    
    
  5. <-------- IP packet whose ToS byte is not zero
    
    lab@R2> monitor traffic interface ge-0/0/1 matching "ip[1] & 0xff != 0" extensive print-hex
    
    11:02:36.323371  In
        Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 16
          Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
          Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
          Device Interface Index Extension TLV #1, length 2, value: 141
          Logical Interface Index Extension TLV #4, length 4, value: 333
        -----original packet-----
        PFE proto 2 (ipv4): (tos 0x80, ttl  64, id 16101, offset 0, flags [none], proto: ICMP (1), length: 84) 192.168.1.2 > 192.168.1.1: ICMP echo reply, id 52232, seq 1, length 64
                 0200 0000 4580 0054 3ee5 0000 4001 b7f0
                 c0a8 0102 c0a8 0101 0000 5af5 cc08 0001
                 5d0f bebc 0004 d22d 0809 0a0b 0c0d 0e0f
                 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f
                 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f
                 3031 3233 3435 3637
    
    
    
  6. <-------- IP source address is 192.168.*.2 (the third octet is a wildcard; the other octets must match exactly)
    
    lab@R2> monitor traffic interface ge-0/0/1 layer2-headers matching "ip[12:4] & 0xffff00ff == 0xc0a80002" extensive print-hex
    
    11:17:54.358837 bpf_flags 0x87,  In
        Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 16
          Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
          Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
          Device Interface Index Extension TLV #1, length 2, value: 141
          Logical Interface Index Extension TLV #4, length 4, value: 333
        -----original packet-----
        PFE proto 2 (ipv4): (tos 0x0, ttl  64, id 45110, offset 0, flags [none], proto: ICMP (1), length: 84) 192.168.1.2 > 192.168.1.1: ICMP echo reply, id 8973, seq 1, length 64
                 0200 0000 4500 0054 b036 0000 4001 471f
                 c0a8 0102 c0a8 0101 0000 6166 230d 0001
                 5d0f c252 0005 7121 0809 0a0b 0c0d 0e0f
                 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f
                 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f
                 3031 3233 3435 3637
    
    
    
  7. <-------- IP packet whose total length is 1000 bytes or more (ip[2:2] is the IP total length field)
    
    lab@R1> monitor traffic interface ge-0/0/1 matching "ip[2:2] >= 1000" extensive layer2-headers print-hex  
    
    11:36:53.413475 bpf_flags 0x80, Out
        Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
          Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
          Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
          Device Interface Index Extension TLV #1, length 2, value: 141
          Logical Interface Index Extension TLV #4, length 4, value: 333
        -----original packet-----
    Reverse lookup for 192.168.1.1 failed (check DNS reachability).
    Other reverse lookup failures will not be reported.
    Use <no-resolve> to avoid reverse lookups on IP addresses.
    
        56:68:a3:1e:5e:07 > 56:68:a3:1e:5d:f7, ethertype IPv4 (0x0800), length 1042: (tos 0x0, ttl  64, id 16304, offset 0, flags [none], proto: ICMP (1), length: 1028) 192.168.1.1 > 192.168.1.2: ICMP echo request, id 3346, seq 0, length 1008
                 5668 a31e 5df7 5668 a31e 5e07 0800 4500
                 0404 3fb0 0000 4001 b3f5 c0a8 0101 c0a8
                 0102 0800 f297 0d12 0000 5d0f c6c5 0006
                 <..snip..>
    
    
    
  8. <-------- VRRP (IP protocol 112 = 0x70, read from offset 9 of the IP header)
    
    regress@R2> monitor traffic interface ge-0/0/1 layer2-headers matching "ip[9:1] == 0x70" extensive print-hex
    
    11:10:04.782889 bpf_flags 0x80, Out
        Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
          Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
          Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
          Device Interface Index Extension TLV #1, length 2, value: 141
          Logical Interface Index Extension TLV #4, length 4, value: 333
        -----original packet-----
        00:00:5e:00:01:63 > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 60: (tos 0xc0, ttl 255, id 2, offset 0, flags [none], proto: VRRP (112), length: 40) 192.168.1.1 > vrrp.mcast.net: VRRPv2-advertisement 20: vrid=99 prio=100 authtype=none intvl=1 addrs: 192.168.1.250
                 0100 5e00 0012 0000 5e00 0163 0800 45c0
                 0028 0002 0000 ff70 18e8 c0a8 0101 e000
                 0012 2163 6401 0001 b7f7 c0a8 01fa 0000
                 0000 0000 0000 0000 0000 0000
    
    
    
  9. <-------- VRRP group ID is 99 (0x63)
    
    lab@R2> monitor traffic interface ge-0/0/1 layer2-headers matching "vrrp[1:1] == 0x63" extensive print-hex
    
    11:21:15.645410 bpf_flags 0x80, Out
        Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
          Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
          Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
          Device Interface Index Extension TLV #1, length 2, value: 141
          Logical Interface Index Extension TLV #4, length 4, value: 333
        -----original packet-----
        00:00:5e:00:01:63 > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 60: (tos 0xc0, ttl 255, id 2, offset 0, flags [none], proto: VRRP (112), length: 40) 192.168.1.1 > vrrp.mcast.net: VRRPv2-advertisement 20: vrid=99 prio=100 authtype=none intvl=1 addrs: 192.168.1.250
                 0100 5e00 0012 0000 5e00 0163 0800 45c0
                 0028 0002 0000 ff70 18e8 c0a8 0101 e000
                 0012 2163 6401 0001 b7f7 c0a8 01fa 0000
    
    

    Note: Some field and length combinations are not accepted by the filter. Even so, this method is helpful when you need to find one specific packet within a lot of background traffic.
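As an added example (not code from the KB article or from Junos), the following Python evaluator applies the proto[offset:len] & mask op value form described above to raw frames, so you can confirm what a byte-field filter will select before running it on a busy interface. It uses the frames transcribed from the print-hex output of examples 1 and 8 above; the header bases for ether, ip and vrrp are assumptions of this example (IPv4 only, optional single 802.1Q tag).

```python
import operator
import re

# Single-term filter: proto[offset] or proto[offset:len], optional "& mask",
# then one comparison operator and a decimal or hex value.
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">": operator.gt, "<": operator.lt}
EXPR = re.compile(
    r"^(ether|ip|vrrp)\[(\d+)(?::([124]))?\]"      # proto[offset(:len)]
    r"(?:\s*&\s*(0x[0-9a-f]+|\d+))?"               # optional "& mask"
    r"\s*(>=|<=|==|!=|>|<)\s*(0x[0-9a-f]+|\d+)$", re.I)

def header_offset(frame, proto):
    """Frame offset where the named header starts, or None if it is absent."""
    if proto == "ether":
        return 0
    type_off, ethertype = 12, int.from_bytes(frame[12:14], "big")
    if ethertype == 0x8100:                      # 802.1Q tag adds 4 bytes
        type_off, ethertype = 16, int.from_bytes(frame[16:18], "big")
    if ethertype != 0x0800:                      # only IPv4 is handled here
        return None
    ip = type_off + 2
    if proto == "ip":
        return ip
    if frame[ip + 9] != 112:                     # vrrp base needs IP proto 112
        return None
    return ip + (frame[ip] & 0x0F) * 4           # skip IHL*4 IP header bytes

def matches(frame, expr):
    """True if the frame satisfies one byte-field filter expression."""
    m = EXPR.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    proto, offset, length, mask, op, rhs = m.groups()
    base = header_offset(frame, proto.lower())
    start, n = (base or 0) + int(offset), int(length or 1)
    if base is None or start + n > len(frame):   # header absent or frame too short
        return False
    value = int.from_bytes(frame[start:start + n], "big")
    if mask:
        value &= int(mask, 0)
    return OPS[op](value, int(rhs, 0))

# Frames transcribed from the article's print-hex output (examples 1 and 8).
VLAN_ARP = bytes.fromhex("ffffffffffff2c6bf5c948c081000040080600010800060400012c6bf5c948c0c0000202000000000000c0000201")
VRRP_ADV = bytes.fromhex("01005e00001200005e000163080045c0002800020000ff7018e8c0a80101e0000012216364010001b7f7c0a801fa0000000000000000000000000000")
```

Note that ip[...] on the tagged ARP frame evaluates to False rather than reading ARP bytes as if they were an IP header, which mirrors why a filter on a protocol keyword matches only frames that actually carry that protocol.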