[ScreenOS] Viewing the Flow Interface Counters (get counter flow)


Article ID: KB4261 KB Last Updated: 16 Sep 2020 Version: 11.0
Summary:

This article explains how to view flow interface counters.

 

Solution:

To view flow counters, perform the following steps via the WebUI or CLI:

WebUI

Step one: Open the WebUI. For more information on accessing the WebUI, go to KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.

  From the ScreenOS options menu, click Reports, select Counters, and then click Flow.

Note: This is an example of the Flow Counter for Interface ethernet 0/0 table:

The flow counters provide the following information. 

These explanations can also be viewed by clicking the Help '?' icon in the upper right corner of the WebUI.

address spoof: Number of suspected address spoofing attack packets received
auth deny: Number of times user authentication was denied
auth fail: Number of times user authentication failed
big bkstr: Number of packets that are too big to buffer in the ARP back store while waiting for MAC-to-IP address resolution
connections: Number of sessions established since the last boot
encrypt fail: Number of failed Point-to-Point Tunneling Protocol (PPTP) packets
*icmp broadcast: Number of ICMP broadcasts received
icmp flood: Number of ICMP packets that are counted toward the ICMP flood threshold
illegal pak: Number of packets dropped because they do not conform to the protocol standards
in arp req: Number of incoming ARP request packets
in arp resp: Number of outgoing ARP request packets
in bytes: Number of bytes received
in icmp: Number of Internet Control Message Protocol (ICMP) packets received
in other: Number of incoming packets that are of a different Ethernet type
in packets: Number of packets received
in self: Number of packets addressed to the Management IP address
*in un auth: Number of unauthorized incoming TCP, UDP, and ICMP packets
*in unk prot: Number of incoming packets using an unknown Ethernet protocol
in vlan: Number of incoming VLAN packets
in vpn: Number of IPsec packets received
invalid zone: Number of packets destined for an invalid security zone
ip sweep: Number of packets received and discarded beyond the specified IP sweep threshold
land attack: Number of suspected land attack packets received
loopback drop: Number of packets dropped because they cannot be looped back through the security device. An example of a loopback session is when a host in the Trust zone sends traffic to a MIP or VIP address that is mapped to a server that is also in the Trust zone. The security device creates a loopback session that directs such traffic from the host to the MIP or VIP server.
mac relearn: Number of times that the MAC address learning table had to relearn the interface associated with a MAC address because the location of the MAC address changed
mac tbl full: Number of times that the MAC address learning table completely filled up
mal url: Number of blocked packets destined for a URL determined to be malicious
*misc prot: Number of packets using a protocol other than TCP, UDP, or ICMP
mp fail: Number of times a problem occurred when sending a PCI message between the primary processor module and the processor module
no conn: Number of packets dropped because of unavailable Network Address Translation (NAT) connections
no dip: Number of packets dropped because of unavailable Dynamic IP (DIP) addresses
no frag netpak: Number of times that the available space in the netpak buffer fell below 70%
*no frag sess: Number of times that fragmented sessions were greater than half of the maximum number of NAT sessions
no g-parent: Number of packets dropped because the parent connection could not be found
no gate: Number of packets dropped because no gate was available
no gate sess: Number of terminated sessions because there were no gates in the firewall for them
no map: Number of packets dropped because there was no map to the trusted side
no nat vector: Number of packets dropped because the Network Address Translation (NAT) connection was unavailable for the gate
*no nsp tunnel: Number of dropped packets sent to a tunnel interface to which no VPN tunnel is bound
no route: Number of unroutable packets received
no sa: Number of packets dropped because no Security Association (SA) was defined
no sa policy: Number of packets dropped because no policy was associated with an SA
*no xmit vpnf: Number of dropped VPN packets due to fragmentation
null zone: Number of dropped packets erroneously sent to an interface bound to the Null zone
nvec err: Number of packets dropped because of NAT vector error
out bytes: Number of bytes sent
out defer: Number of deferred outgoing packets
out packets: Number of packets sent
out vlan: Number of outgoing VLAN packets
ping of death: Number of suspected Ping of Death attack packets received
policy deny: Number of packets denied by a defined policy
port scan: Number of packets that are counted as a port scan attempt
proc sess: Number of times that the total number of sessions on a processor module exceeded the maximum threshold
sa inactive: Number of packets dropped because of an inactive SA
sa policy deny: Number of packets denied by an SA policy
sessn thresh: The threshold for the maximum number of sessions
*slow mac: Number of frames whose MAC addresses were slow to resolve
src route: Number of packets dropped because of the filter source route option
syn frag: Number of SYN packets dropped because of fragmentation
tcp out of seq: Number of TCP segments received whose sequence number is outside the acceptable range
tcp proxy: Number of packets dropped from using a TCP proxy such as the SYN flood protection option or user authentication
teardrop: Number of packets blocked as part of a suspected Teardrop attack
tiny frag: Number of tiny fragmented packets received
trmn drop: Number of packets dropped by traffic management
trmng queue: Number of packets waiting in the queue
udp hdlen err: Number of packets whose IP Total Length is less than the IP header plus the UDP header. If the IP Total Length is less than 28 bytes (8 bytes UDP header + 20 bytes IP header), this counter is incremented. This type of traffic is not valid.
udp flood: Number of UDP packets that are counted toward the UDP flood threshold
unknown pak: Any packets with an Ethernet type that the firewall does not recognize. Examples would be Spanning Tree or proprietary Cisco protocols that the firewall does not pass or is not capable of reading. When the firewall sees a packet with an Ethernet type it does not recognize, it drops the packet and increments the 'unknown pak' counter.
url block: Number of HTTP requests that were blocked
winnuke: Number of WinNuke attack packets received
wrong intf: Number of session creation messages sent from a processor module to the primary processor module
wrong slot: Number of packets erroneously sent to the wrong processor module
 

CLI

Step one: From the CLI, enter the command 'get counter flow' to display the interface statistics for ALL the interfaces.

Enter the command 'get counter flow interface <interface_name>' to display the flow counters for a specific interface.
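
The counters are cumulative, so a single reading says little; comparing two captures of 'get counter flow' shows which attack and drop counters are moving. The Python below is an added example, not Juniper code: the sample text is constructed, and its pipe-separated "name value" layout and header line are assumptions to adjust to what your release prints.

```python
import re

# Counters from the table above that point at suspected attacks or drops.
WATCH = {"address spoof", "land attack", "ping of death", "teardrop",
         "winnuke", "icmp flood", "udp flood", "ip sweep", "port scan",
         "syn frag", "tiny frag", "src route", "policy deny", "illegal pak"}
HEADER = re.compile(r"\s*Flow counters for interface (\S+?):?\s*$")  # assumed
CELL = re.compile(r"\*?([a-z][a-z \-]*?)\s+(\d+)$")  # assumed "<name> <value>"

def parse_flow_counters(text):
    """Return {interface: {counter: value}} from captured CLI text."""
    result, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = result.setdefault(header.group(1), {})
        elif current is not None:
            for cell in line.split("|"):
                m = CELL.match(cell.strip())
                if m:
                    current[m.group(1)] = int(m.group(2))
    return result

def rising(before, after, watch=WATCH):
    """Return sorted (interface, counter, delta) for watched counters that grew."""
    out = []
    for intf, counters in after.items():
        old = before.get(intf, {})
        for name, value in counters.items():
            if name not in watch:
                continue
            delta = value - old.get(name, 0)
            if delta < 0:  # counter went backwards: cleared or device rebooted
                delta = value
            if delta > 0:
                out.append((intf, name, delta))
    return sorted(out)

# Constructed sample captures (not real device output), taken at two times.
SAMPLE_T0 = """Flow counters for interface ethernet0/0:
in bytes      1048576 | out bytes      524288 | tcp proxy        0 | teardrop       0
policy deny        40 | port scan           3 | udp flood        0 | land attack    0
"""
SAMPLE_T1 = """Flow counters for interface ethernet0/0:
in bytes      2097152 | out bytes      786432 | tcp proxy        0 | teardrop       0
policy deny        95 | port scan          17 | udp flood        0 | land attack    0
"""

if __name__ == "__main__":
    for row in rising(parse_flow_counters(SAMPLE_T0), parse_flow_counters(SAMPLE_T1)):
        print("%s: '%s' rose by %d" % row)
```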


Note: The hardware counters provide information on the general firewall behavior, and the flow counters provide information on the number of packets inspected at the flow level. For more information on the hardware counters, see KB4247 - Viewing Hardware Interface counters.

Note: For additional descriptions of the interface counters, refer to the Tables of Screen, Hardware, and Flow Counters in the Concepts & Examples ScreenOS Reference Guide - Volume 3 - Administration:

  1. Go to the ScreenOS Documentation link.
  2. Click your Release version.
  3. Click the Concepts & Examples Reference Guide: Volume 3, Administration.
  4. The tables can be found in the 'Viewing Screen Counters' section of the 'Monitoring Security Devices' chapter.

 

Modification History:

2020-09-16: Article reviewed for accuracy; minor non-technical changes done; article valid and relevant

 
