A previous post covered Cisco packet capture. To complete the reference, let's look at how to set up packet sampling in JunOS. This method gives less detail than packet capture (sniffing), but it is useful for initial troubleshooting because it gathers a packet summary, and it is useful for finding DDoS and flooding.
#### Example config JunOS packet sampling
#### Adjust rate value for sensitivity
rate: Ratio of packets to be sampled (1 out of N) (1..65535)
rate 200: 1 out of every 200 packets is written to the sample file
#### JunOS Router
set forwarding-options sampling input family inet rate 200
set forwarding-options sampling input family inet run-length 0
set forwarding-options sampling input family inet max-packets-per-second 65535
set forwarding-options sampling output file filename PacketSampling
set forwarding-options sampling output file files 2
set forwarding-options sampling output file size 102400
set forwarding-options sampling output file stamp
user@JunOS> show configuration forwarding-options sampling
input {
    family inet {
        rate 200;
        run-length 0;
        max-packets-per-second 65535;
    }
}
output {
    file filename PacketSampling files 2 size 100k stamp;
}
user@JunOS> show configuration firewall
filter Internet-in {
    term akhir {
        from {
            protocol [ icmp udp tcp ];
        }
        then {
            count PacketSamplingCounter;
            sample;
            accept;
        }
    }
}
user@JunOS> show configuration interfaces ge-0/0/0
unit 0 {
    family inet {
        filter {
            input Internet-in;
        }
        address 192.168.2.1/24;
    }
}
#### JunOS Security
set forwarding-options sampling input rate 200
set forwarding-options sampling input run-length 0
set forwarding-options sampling input max-packets-per-second 65535
set forwarding-options sampling family inet output file filename PacketSampling
set forwarding-options sampling family inet output file files 2
set forwarding-options sampling family inet output file size 102400
set forwarding-options sampling family inet output file stamp
user@JunOSRX> show configuration forwarding-options sampling
input {
    rate 200;
    run-length 0;
    max-packets-per-second 65535;
}
family inet {
    output {
        file filename PacketSampling files 2 size 100k stamp;
    }
}
user@JunOSRX> show configuration firewall
filter Internet-in {
    term akhir {
        from {
            protocol [ icmp udp tcp ];
        }
        then {
            count PacketSamplingCounter;
            sample;
            accept;
        }
    }
}
user@JunOSRX> show configuration interfaces ge-0/0/0
unit 0 {
    family inet {
        filter {
            input Internet-in;
        }
        address 192.168.2.1/24;
    }
}
#### Verify and test
user@JunOSRX> show firewall
Filter: __default_bpdu_filter__
Filter: Internet-in
Counters:
Name                     Bytes   Packets
PacketSamplingCounter    37676       391
user@JunOSRX> show log /var/tmp/PacketSampling
# Time             Dest         Src          Dest  Src   Proto  TOS  Pkt  Intf  IP      TCP
#                  addr         addr         port  port              len  num   frag    flags
# Sep 5 06:33:06   192.168.2.1  192.168.2.2  2048  0     1      0x0  84   75    0x4000  0x0
# Sep 5 07:38:45   192.168.2.1  192.168.2.2  2048  0     1      0x0  84   69    0x4000  0x0
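To turn the sample file into a quick DDoS/flooding summary, the following added example (not part of the original post) parses lines in the column layout shown above and, per destination and protocol, counts samples and distinct sources, then multiplies by the sampling rate to estimate real volume. All log lines except the first are constructed, and the function names are this example's own.

```python
import ipaddress
from collections import defaultdict

RATE = 200  # "rate 200" in the config above: 1 in 200 packets is sampled

# Constructed sample lines in the column layout shown above (not real traffic).
SAMPLE_LOG = """\
# Time Dest Src Dest Src Proto TOS Pkt Intf IP TCP
# addr addr port port len num frag flags
# Sep 5 06:33:06 192.168.2.1 192.168.2.2 2048 0 1 0x0 84 75 0x4000 0x0
Sep 5 06:33:07 192.168.2.1 10.0.0.5 53 4444 17 0x0 512 75 0x0 0x0
Sep 5 06:33:07 192.168.2.1 10.0.0.6 53 4445 17 0x0 512 75 0x0 0x0
Sep 5 06:33:08 192.168.2.1 10.0.0.7 53 4446 17 0x0 512 75 0x0 0x0
Sep 5 06:33:09 192.168.2.9 10.0.0.5 80 5000 6 0x0 60 75 0x4000 0x2
"""

def parse_samples(text):
    """Yield (dst, src, dport, sport, proto, length) for each sampled packet."""
    for line in text.splitlines():
        f = line.lstrip("# ").split()
        if len(f) < 13:          # 3 timestamp tokens + 10 columns
            continue             # header or truncated line
        dst, src, dport, sport, proto, _tos, length = f[-10:-3]
        try:
            ipaddress.ip_address(dst)
            ipaddress.ip_address(src)
            rec = (dst, src, int(dport), int(sport), int(proto), int(length))
        except ValueError:
            continue             # not a data line
        yield rec

def summarize(text, rate=RATE):
    """Rows of (dst, proto, samples, sources, est_packets, est_bytes), busiest first."""
    agg = defaultdict(lambda: {"samples": 0, "bytes": 0, "sources": set()})
    for dst, src, _dport, _sport, proto, length in parse_samples(text):
        a = agg[(dst, proto)]
        a["samples"] += 1
        a["bytes"] += length
        a["sources"].add(src)
    rows = [(dst, proto, a["samples"], len(a["sources"]),
             a["samples"] * rate, a["bytes"] * rate)
            for (dst, proto), a in agg.items()]
    return sorted(rows, key=lambda r: r[4], reverse=True)

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print("dst=%s proto=%d samples=%d sources=%d est_pkts=%d est_bytes=%d" % row)
```

Many distinct sources hitting one destination points toward a distributed flood, while a single source with a high estimate points toward a single-host flood; the estimates are statistical and get coarser as the rate value grows.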
Thursday, September 5, 2013