Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

How do I interpret the snoop output?

0

0

Article ID: KB6708 KB Last Updated: 03 Dec 2012Version: 10.0
Summary:

What do the fields vhl, tos, id, frag, etc indicate in the snoop output?

Symptoms:
  • How do I read the snoop trace?
  • What is the meaning of the field frag= in the snoop output?
Cause:

Solution:

To explain the various SNOOP output fields, it is best to use an example. 

Sample SNOOP Output:
Line 1 35455.0:  ethernet1(i) len=74:0010db1c5921->0010db1b44b4/0800
Line 2   10.1.10.5->1.1.70.250/1
Line 3   vhl=45, tos=00, id=49627, frag=0000, ttl=63, tlen=128
Line 4   icmp:type=8, code=0
     
Line 1 35455.0: ethernet2(o) len=74:0010db1b44ba->0010db21be61/0800
Line 2   10.0.10.5->1.1.70.250/1
Line 3   vhl=45, tos=00, id=49627, frag=0000, ttl=62, tlen=128
Line 4   icmp:type=8, code=0

Interpreting Line 1:

35455.0 Timer - this is the number, in seconds, since the last time the firewall was booted.
ethernet1( i )

Interface (direction) - where:
( i ) = incoming
( o ) = outgoing

len=74 ethernet frame length
0010db1c5921 Source MAC address
0010db1b44b4 Destination MAC address
0800 Protocol Type

Interpreting Line 2:

10.1.10.5   Source IP address
1.1.7.250    Destination IP address
1 Protocol (ICMP in this example)

Interpreting Line 3:

vhl version/header length - IP version 4   and   5 32 bit words
tos Type of service - this is not precedence or QOS bits set
id=49627 Datagram ID
frag=0000 IP fragmentation fields in Hex (16-bits)
 1-bit   = reserved (not used)
 1-bit   = DF bit
 1-bit   = more-frags (0 for last fragment, 1 for all others)
 13-bit = fragment offset (multiply by 8 for bytes offset)

For example:
frag=2000  (0010 0000 0000 0000)
 more-frag set + 0 offset: this is the first fragment of packet.

frag=4000  (0100 0000 0000 0000)
 DF set: packet not fragmented.

frag=00b9  (0000 0000 1011 1001)
 more-frag not set: this is the last fragment.
 offset field  (...0 0000 1011 1001) = 185,
  - multiply by 8 = 1480 bytes offset.
ttl=63 time to live value
tlen=128 Total datagram length (bytes)

Interpreting Line 4:

icmp Key protocol header fields.

For traffic incoming to an interface (i.e. ethernet1(i):), the Destination MAC would be the MAC address of the Firewall interface.  For traffic outgoing from an interface, the Source MAC is the MAC address of the Firewall interface that traffic is egressing from. 

 

 

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search