traffic monitoring and pcap of twamp test
- Jean-luc KRIKER
On the client:

```
request services rpm twamp start client Reflector1
```

On the client (or the server):

```
monitor traffic interface ge-0/0/4
```

monitor traffic interface:

```
15:33:30.946434 Out
        Juniper PCAP Flags [Ext, no-L2], PCAP Extension(s) total length 16
          Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
          Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
          Device Interface Index Extension TLV #1, length 2, value: 35840
          Logical Interface Index Extension TLV #4, length 4, value: 85
        -----original packet-----
        PFE proto 2 (ipv4): (tos 0x0, ttl 255, id 42543, offset 0, flags [none], proto: UDP (17), length: 88) 10.17.3.1.28287 > 10.217.4.1.28287: [udp sum ok] UDP, length 60
15:33:30.947864 In
        Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 16
          Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
          Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
          Device Interface Index Extension TLV #1, length 2, value: 35840
          Logical Interface Index Extension TLV #4, length 4, value: 85
        -----original packet-----
        PFE proto 2 (ipv4): (tos 0x0, ttl 64, id 42543, offset 0, flags [none], proto: UDP (17), length: 88) 10.217.4.1.28287 > 10.17.3.1.28287: [no cksum] UDP, length 60
```
monitor traffic interface unit 0:

```
monitor traffic interface ge-0/0/4.0
15:27:11.704586 Out IP 10.17.3.1.28275 > 10.217.4.1.28275: UDP, length 60
15:27:11.705899 In IP 10.217.4.1.28275 > 10.17.3.1.28275: UDP, length 60

monitor traffic interface ge-0/0/4.0 detail
15:30:51.376287 Out IP (tos 0x0, ttl 255, id 40744, offset 0, flags [none], proto: UDP (17), length: 88) 10.17.3.1.28283 > 10.217.4.1.28283: UDP, length 60
15:30:51.377705 In IP (tos 0x0, ttl 64, id 40744, offset 0, flags [none], proto: UDP (17), length: 88) 10.217.4.1.28283 > 10.17.3.1.28283: UDP, length 60

monitor traffic interface ge-0/0/4.0 extensive
14:14:48.148636 Out
        Juniper PCAP Flags [Ext, no-L2], PCAP Extension(s) total length 16
          Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
          Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
          Device Interface Index Extension TLV #1, length 2, value: 35840
          Logical Interface Index Extension TLV #4, length 4, value: 85
        -----original packet-----
        PFE proto 2 (ipv4): (tos 0x0, ttl 255, id 55419, offset 0, flags [none], proto: UDP (17), length: 88) 10.17.3.1.28199 > 10.217.4.1.28199: [udp sum ok] UDP, length 60
14:14:48.149982 In
        Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 16
          Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
          Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
          Device Interface Index Extension TLV #1, length 2, value: 35840
          Logical Interface Index Extension TLV #4, length 4, value: 85
        -----original packet-----
        PFE proto 2 (ipv4): (tos 0x0, ttl 64, id 55419, offset 0, flags [none], proto: UDP (17), length: 88) 10.217.4.1.28199 > 10.17.3.1.28199: [no cksum] UDP, length 60
```
match command:

```
monitor traffic interface ge-0/0/4 matching "proto 17" no-resolve extensive layer2-headers print-ascii
```

extensive with print-ascii:

```
root@SRX340-1-Rack104> monitor traffic interface ge-0/0/4 matching "proto 17" no-resolve extensive layer2-headers print-ascii
Address resolution is OFF.
Listening on ge-0/0/4, capture size 1514 bytes

15:44:39.044967 bpf_flags 0x82, Out
        Juniper PCAP Flags [Ext, no-L2], PCAP Extension(s) total length 16
          Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
          Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
          Device Interface Index Extension TLV #1, length 2, value: 35840
          Logical Interface Index Extension TLV #4, length 4, value: 85
        -----original packet-----
        PFE proto 2 (ipv4): (tos 0x0, ttl 255, id 50138, offset 0, flags [none], proto: UDP (17), length: 88) 10.17.3.1.28305 > 10.217.4.1.28305: [udp sum ok] UDP, length 60
        0x0000   0000 0002 4500 0058 c3da 0000 ff11 dbce        ....E..X........
        0x0010   0a11 0301 0ad9 0401 6e91 6e91 0044 dff8        ........n.n..D..
        0x0020   0000 0000 0000 0000 0000 0000 0001 0000        ................
        0x0030   0000 0000 006c 0880 006c 0884 0000 0000        .....l...l......
        0x0040   0000 0016 0000 0000 0000 0000 0000 0000        ................
        0x0050   006c 1400 0000 0000 0000 0000                  .l..........
15:44:39.046318 bpf_flags 0x87, In
        Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 16
          Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
          Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
          Device Interface Index Extension TLV #1, length 2, value: 35840
          Logical Interface Index Extension TLV #4, length 4, value: 85
        -----original packet-----
        PFE proto 2 (ipv4): (tos 0x0, ttl 64, id 50138, offset 0, flags [none], proto: UDP (17), length: 88) 10.217.4.1.28305 > 10.17.3.1.28305: [no cksum] UDP, length 60
        0x0000   0000 0002 4500 0058 c3da 0000 4011 9acf        ....E..X....@...
        0x0010   0ad9 0401 0a11 0301 6e91 6e91 0044 0000        ........n.n..D..
        0x0020   0000 0000 e0ac dfd6 6595 feda 0001 0000        ........e.......
        0x0030   e0ac dfd6 6595 8969 0000 0000 e0ac dfd7        ....e..i........
        0x0040   209f b613 0001 0000 ff00 9611 e0ac dfd7        ................
        0x0050   20cc ff21 0000 0000 0000 0000                  ...!........
```
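The inbound (reflected) packet in the print-ascii capture above can be decoded field by field to confirm that the UDP flow really is TWAMP-Test traffic. The Python below is an added example, not part of the original page: it assumes unauthenticated mode (the RFC 5357 reflector packet layout) and that the first 4 bytes of the dump are the Juniper header in front of IPv4; `parse_reflected` and `ntp_to_utc` are names chosen here.

```python
import struct
from datetime import datetime, timedelta, timezone

# Inbound (reflected) packet, hex words copied from the print-ascii dump on this page.
REFLECTED_HEX = """
0000 0002 4500 0058 c3da 0000 4011 9acf  0ad9 0401 0a11 0301 6e91 6e91 0044 0000
0000 0000 e0ac dfd6 6595 feda 0001 0000  e0ac dfd6 6595 8969 0000 0000 e0ac dfd7
209f b613 0001 0000 ff00 9611 e0ac dfd7  20cc ff21 0000 0000 0000 0000
"""
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

def ntp_to_utc(sec, frac):
    """64-bit NTP timestamp (seconds, 2**-32 fraction) -> aware UTC datetime."""
    return NTP_EPOCH + timedelta(seconds=sec + frac / 2**32)

def parse_reflected(hex_text, l2_skip=4):
    """Decode IPv4/UDP plus the unauthenticated TWAMP-Test reflector fields."""
    raw = bytes.fromhex("".join(hex_text.split()))
    ip = raw[l2_skip:]  # assumption: 4 bytes of Juniper header precede IPv4 (no-L2 dump)
    if ip[0] >> 4 != 4 or ip[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (ip[0] & 0x0F) * 4
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    payload = ip[ihl + 8:ihl + udp_len]
    if len(payload) < 41:
        raise ValueError("payload shorter than a TWAMP-Test reflector packet")
    # RFC 5357 reflector layout: seq, timestamp, error estimate, MBZ, receive
    # timestamp, sender seq, sender timestamp, sender error estimate, MBZ, sender TTL.
    (seq, tx_s, tx_f, err, _, rx_s, rx_f,
     s_seq, st_s, st_f, s_err, _, s_ttl) = struct.unpack("!IIIHHIIIIIHHB", payload[:41])
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "ip_ttl": ip[8],
        "seq": seq, "sender_seq": s_seq, "sender_ttl": s_ttl,
        "synced": bool(err & 0x8000),          # S bit of the error estimate
        "reflected_at": ntp_to_utc(tx_s, tx_f),
        "sender_stamp": ntp_to_utc(st_s, st_f),
        # time the reflector held the packet: transmit minus receive timestamp
        "reflector_delay_us": (((tx_s - rx_s) << 32) + tx_f - rx_f) / 2**32 * 1e6,
    }

if __name__ == "__main__":
    for key, value in parse_reflected(REFLECTED_HEX).items():
        print(f"{key:20} {value}")
```

The decoded Sender TTL (255) matches the `ttl 255` shown on the outbound packet in the same capture, which is a quick check that the reflector echoed the sender's own packet.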
Create a pcap file:

```
root@SRX340-1-Rack104% tcpdump -i ge-0/0/4.0 -s 150 -w /var/tmp/twamp_1.pcap
```

Read a pcap file on the SRX:

```
monitor traffic read-file tcpdump_20_7_18.pcap
```
https://kb.juniper.net/InfoCenter/index?page=content&id=kb11709
fwd-options packet-captures:

```
#1
set forwarding-options packet-capture file filename testpacketcapture
set forwarding-options packet-capture maximum-capture-size 1500
#2
set firewall filter PCAP term 1 from source-address 10.17.3.1
set firewall filter PCAP term 1 from destination-address 10.217.4.1
set firewall filter PCAP term 1 then sample
set firewall filter PCAP term 1 then accept
set firewall filter PCAP term 2 from source-address 10.204.115.166
set firewall filter PCAP term 2 from destination-address 10.217.4.1
set firewall filter PCAP term 2 then sample
set firewall filter PCAP term 2 then accept
set firewall filter PCAP term allow-all-else then accept
#3
set interfaces ge-0/0/4 unit 0 family inet filter output PCAP
set interfaces ge-0/0/4 unit 0 family inet filter input PCAP
```