Friday, September 6, 2013

Juniper Packet Capture like TCPdump (monitor traffic)

Now for a demo of packet capture in Juniper Junos that works like tcpdump. It is possible to gather packets in tcpdump format. With the 'monitor traffic' command you can capture packets in real time in your remote session (console, SSH, Telnet), just as with tcpdump. To write the capture to a file, use the hidden command 'monitor traffic write-file'. The file is saved in the /var partition and can be displayed in tcpdump ASCII format using 'monitor traffic read-file'. These commands are hidden because writing large files to the /var partition can exhaust disk space and degrade performance.

#### Show real-time network traffic information

```
user@JunOS> monitor traffic interface ge-0/0/0
verbose output suppressed, use or for full protocol decode
Address resolution is ON. Use to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/0, capture size 96 bytes

Reverse lookup for 192.168.2.1 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use to avoid reverse lookups on IP addresses.

05:24:12.925727  In arp who-has 192.168.2.1 tell 192.168.2.2
05:24:12.925845 Out arp reply 192.168.2.1 is-at b0:c6:9a:88:bc:0
05:24:12.926047  In arp who-has 192.168.2.1 tell 192.168.2.2
05:24:12.926130 Out arp reply 192.168.2.1 is-at b0:c6:9a:88:bc:0
05:24:13.466718 Out IP truncated-ip - 10 bytes missing! 192.168.2.1.61206 > resolver1.opendns.com.domain:  2417]
05:24:13.548233  In IP resolver1.opendns.com.domain > 192.168.2.1.61206:  2417* 0/1/0 (101)
05:24:13.553227 Out IP truncated-ip - 10 bytes missing! 192.168.2.1.65054 > resolver1.opendns.com.domain:  2418]
05:24:13.631229  In IP resolver1.opendns.com.domain > 192.168.2.1.65054:  2418* 0/1/0 (101)
05:24:14.657429 Out IP truncated-ip - 13 bytes missing! 192.168.2.1.54908 > resolver1.opendns.com.domain:  2419]
05:24:14.741374  In IP resolver1.opendns.com.domain > 192.168.2.1.54908:  2419 1/0/0 (80)
^C
10 packets received by filter
0 packets dropped by kernel
```

#### Capture and save real-time packet traffic

```
user@JunOS> monitor traffic interface ge-0/0/0 write-file GE000
Address resolution is ON. Use to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/0, capture size 96 bytes

^C
123 packets received by filter
0 packets dropped by kernel
```

#### File saved in the /var partition

```
user@JunOS> file list detail

/var/home/user/:
total 40
drwxr-xr-x  2 user  staff        512 Sep 6  05:14 .ssh/
-rw-r--r--  1 user  staff      12946 Sep 6  05:19 GE000
```

#### Download and rename the file to GE000.pcap so it opens easily

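The post says the write-file output is tcpdump (pcap) format and that the default capture size is 96 bytes, which is why the live output is full of "truncated-ip - N bytes missing!" lines. After downloading and renaming the file, it is worth checking that it really is a well-formed pcap and how many packets lost payload to the snaplen before handing it to an analyst. The script below is an added example, not code from the original post or from Juniper: it parses the pcap global header and every record with only the Python standard library, reproduces tcpdump's "bytes missing" arithmetic for Ethernet/IPv4 frames, and tolerates a partial trailing record (a file copied while the capture was still being written). The sample pcap it builds when run without arguments is constructed here (an ARP frame that fits and a 106-byte DNS query cut to 96 bytes, 10 bytes short like the first DNS line in the post); the file name GE000.pcap is the one the post uses.

```python
"""Sanity-check a pcap written by 'monitor traffic ... write-file'.

Added example (not from the original post). Usage:
    python3 check_pcap.py GE000.pcap      # or no argument for the built-in sample
"""
import struct
import sys
from dataclasses import dataclass
from typing import List

GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16
ETH_HDR_LEN = 14
ETHERTYPE_IP = 0x0800
LINKTYPE_ETHERNET = 1

# First four bytes of the file -> (struct byte-order prefix, timestamp unit).
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),
    b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),
    b"\xa1\xb2\x3c\x4d": (">", "ns"),
}


@dataclass
class Record:
    ts: float
    incl_len: int    # bytes stored in the file
    orig_len: int    # bytes on the wire
    ip_missing: int  # IPv4 bytes cut off by the snaplen (0 if none or not IPv4)


@dataclass
class PcapSummary:
    snaplen: int
    linktype: int
    records: List[Record]
    trailing_bytes: int  # leftover bytes that do not form a complete record

    @property
    def truncated(self) -> List[Record]:
        return [r for r in self.records if r.incl_len < r.orig_len]


def _ip_bytes_missing(frame: bytes, linktype: int) -> int:
    """tcpdump's 'truncated-ip - N bytes missing' for an Ethernet/IPv4 frame."""
    if linktype != LINKTYPE_ETHERNET or len(frame) < ETH_HDR_LEN + 20:
        return 0
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:
        return 0
    ip_total_len = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    return max(0, ip_total_len - (len(frame) - ETH_HDR_LEN))


def parse_pcap(data: bytes) -> PcapSummary:
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than a pcap global header")
    if data[:4] not in MAGICS:
        raise ValueError("not a pcap file (magic %s)" % data[:4].hex())
    order, unit = MAGICS[data[:4]]
    _magic, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(
        order + "IHHiIII", data[:GLOBAL_HDR_LEN])
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (vmaj, vmin))
    records: List[Record] = []
    pos = GLOBAL_HDR_LEN
    while pos + RECORD_HDR_LEN <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[pos:pos + RECORD_HDR_LEN])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("corrupt record header at offset %d" % pos)
        frame = data[pos + RECORD_HDR_LEN:pos + RECORD_HDR_LEN + incl_len]
        if len(frame) < incl_len:
            break  # partial record at the end of the file: stop, report below
        ts = ts_sec + ts_frac / (1e6 if unit == "us" else 1e9)
        records.append(Record(ts, incl_len, orig_len,
                              _ip_bytes_missing(frame, linktype)))
        pos += RECORD_HDR_LEN + incl_len
    return PcapSummary(snaplen, linktype, records, len(data) - pos)


def summarize(data: bytes) -> dict:
    s = parse_pcap(data)
    return {"snaplen": s.snaplen, "packets": len(s.records),
            "truncated": len(s.truncated),
            "ip_bytes_missing": sum(r.ip_missing for r in s.records),
            "trailing_bytes": s.trailing_bytes}


def build_sample_pcap(snaplen: int = 96) -> bytes:
    """Constructed sample: one 42-byte ARP frame plus one 106-byte UDP/DNS query."""
    eth = bytes.fromhex("b0c69a88bc00") + bytes.fromhex("001122334455") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + 64, 0x1234, 0, 64, 17, 0,
                     bytes([192, 168, 2, 1]), bytes([208, 67, 222, 222]))
    udp = struct.pack("!HHHH", 61206, 53, 8 + 64, 0)
    dns = eth + ip + udp + bytes(64)       # 14 + 20 + 8 + 64 = 106 bytes on the wire
    arp = bytes(42)                        # ethertype 0: not IPv4, never "truncated-ip"
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, frame in ((1378445052, arp), (1378445053, dns)):
        stored = frame[:snaplen]           # the snaplen cuts the DNS frame to 96 bytes
        out += struct.pack("<IIII", ts, 925727, len(stored), len(frame)) + stored
    return out


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for key, value in summarize(blob).items():
        print(f"{key}: {value}")
```

Run against the built-in sample it reports two packets, one truncated, 10 IP bytes missing and no trailing bytes; on a real GE000.pcap a high "truncated" count means the capture was taken with the default 96-byte size and the payloads are not there to analyse, so the check belongs before any protocol analysis rather than after it.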
#### Display packet traffic from the file in tcpdump ASCII format

```
user@JunOS> monitor traffic read-file GE000
Reverse lookup for 192.168.2.1 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use to avoid reverse lookups on IP addresses.

05:18:39.789704  In arp who-has 192.168.2.1 tell 192.168.2.2
05:18:39.789824 Out arp reply 192.168.2.1 is-at b0:c6:9a:88:bc:0
05:18:39.790066  In arp who-has 192.168.2.1 tell 192.168.2.2
05:18:39.790142 Out arp reply 192.168.2.1 is-at b0:c6:9a:88:bc:0
05:18:48.860994  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: S 2260686473:2260686473(0) win 14600
05:18:48.861399 Out IP truncated-ip - 4 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: S 3351285066:3351285066(0) ack 2260686474 win 65535
05:18:48.863352  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 1 win 229
05:18:49.585193 Out IP truncated-ip - 13 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 1:22(21) ack 1 win 33304
05:18:49.587609  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 22 win 229
05:18:49.587958  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 1:33(32) ack 22 win 229
05:18:49.607246 Out IP truncated-ip - 664 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 22:694(672) ack 33 win 33304
05:18:49.609655  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 33:1305(1272) ack 694 win 274
05:18:49.711867 Out IP 192.168.2.1.ssh > 192.168.2.2.54091: . ack 1305 win 33304
05:18:49.719612  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 1305:1577(272) ack 694 win 274
05:18:49.821451 Out IP 192.168.2.1.ssh > 192.168.2.2.54091: . ack 1577 win 33304
05:18:50.183006 Out IP truncated-ip - 840 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 694:1542(848) ack 1577 win 33304
05:18:50.222911  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 1542 win 319
05:18:50.225260  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 1577:1593(16) ack 1542 win 319
05:18:50.327305 Out IP 192.168.2.1.ssh > 192.168.2.2.54091: . ack 1593 win 33304
05:18:50.329381  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 1593:1641(48) ack 1542 win 319
05:18:50.330990 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 1542:1590(48) ack 1641 win 33304
05:18:50.333051  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 1590 win 319
05:18:50.334057  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 1641:1705(64) ack 1590 win 319
05:18:50.349270 Out IP truncated-ip - 72 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 1590:1670(80) ack 1705 win 33304
05:18:50.351785  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 1705:1801(96) ack 1670 win 319
05:18:50.354383 Out IP truncated-ip - 72 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 1670:1750(80) ack 1801 win 33304
05:18:50.392789  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 1750 win 319
05:18:52.847791  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 1801:1945(144) ack 1750 win 319
05:18:52.858921 Out IP truncated-ip - 24 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 1750:1782(32) ack 1945 win 33304
05:18:52.860991  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 1782 win 319
05:18:52.861950  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 1945:2009(64) ack 1782 win 319
05:18:52.878068 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 1782:1830(48) ack 2009 win 33304
05:18:52.881020  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 2009:2521(512) ack 1830 win 319
05:18:52.893289 Out IP truncated-ip - 104 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 1830:1942(112) ack 2521 win 33304
05:18:52.906101 Out IP truncated-ip - 88 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 1942:2038(96) ack 2521 win 33304
05:18:52.908097  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2038 win 319
05:18:53.628505 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2038:2086(48) ack 2521 win 33304
05:18:53.662747  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2086 win 319
05:18:54.515455  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 2521:2569(48) ack 2086 win 319
05:18:54.519759 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2086:2134(48) ack 2569 win 33304
05:18:54.521963  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2134 win 319
05:18:54.523145 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2134:2182(48) ack 2569 win 33304
05:18:54.524950  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2182 win 319
05:18:54.526354 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2182:2230(48) ack 2569 win 33304
05:18:54.534863  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2230 win 319
05:18:55.161062  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 2569:2617(48) ack 2230 win 319
05:18:55.162720 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2230:2278(48) ack 2617 win 33304
05:18:55.164984  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2278 win 319
05:18:55.271291  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 2617:2665(48) ack 2278 win 319
05:18:55.272852 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2278:2326(48) ack 2665 win 33304
05:18:55.274950  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2326 win 319
05:18:55.439346  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 2665:2713(48) ack 2326 win 319
05:18:55.441130 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2326:2374(48) ack 2713 win 33304
05:18:55.443187  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2374 win 319
05:18:55.615082  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 2713:2761(48) ack 2374 win 319
05:18:55.620381 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2374:2422(48) ack 2761 win 33304
05:18:55.622860  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2422 win 319
05:18:55.945081  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 2761:2809(48) ack 2422 win 319
05:18:55.947109 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2422:2470(48) ack 2809 win 33304
05:18:55.948743  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2470 win 319
05:18:56.087113  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 2809:2857(48) ack 2470 win 319
05:18:56.088908 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2470:2518(48) ack 2857 win 33304
05:18:56.090994  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2518 win 319
05:18:56.228964  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 2857:2905(48) ack 2518 win 319
05:18:56.238439 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2518:2566(48) ack 2905 win 33304
05:18:56.240500  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2566 win 319
05:18:56.617310  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 2905:2953(48) ack 2566 win 319
05:18:56.619017 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2566:2614(48) ack 2953 win 33304
05:18:56.621140  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2614 win 319
05:18:56.724604  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 2953:3001(48) ack 2614 win 319
05:18:56.726683 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2614:2662(48) ack 3001 win 33304
05:18:56.734494  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2662 win 319
05:18:56.790282  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 3001:3049(48) ack 2662 win 319
05:18:56.792131 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2662:2710(48) ack 3049 win 33304
05:18:56.794314  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2710 win 319
05:18:56.871488  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 3049:3097(48) ack 2710 win 319
05:18:56.873043 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2710:2758(48) ack 3097 win 33304
05:18:56.875460  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2758 win 319
05:18:56.999019  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 3097:3145(48) ack 2758 win 319
05:18:57.008729 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2758:2806(48) ack 3145 win 33304
05:18:57.010786  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2806 win 319
05:18:57.014512 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2806:2854(48) ack 3145 win 33304
05:18:57.016499  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2854 win 319
05:18:57.069738 Out IP truncated-ip - 10 bytes missing! 192.168.2.1.50043 > resolver1.opendns.com.domain:  50735+[|domain]
05:18:57.153962  In IP resolver1.opendns.com.domain > 192.168.2.1.50043:  50735* 0/1/0 (101)
05:18:57.167438 Out IP truncated-ip - 88 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2854:2950(96) ack 3145 win 33304
05:18:57.169605  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 2950 win 319
05:18:57.172397 Out IP truncated-ip - 184 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 2950:3142(192) ack 3145 win 33304
05:18:57.174411  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 3142 win 346
05:18:57.323085 Out IP truncated-ip - 120 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 3142:3270(128) ack 3145 win 33304
05:18:57.325114  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 3270 win 372
05:18:57.326457 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 3270:3318(48) ack 3145 win 33304
05:18:57.328881  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 3318 win 372
05:18:57.330019 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 3318:3366(48) ack 3145 win 33304
05:18:57.332024  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 3366 win 372
05:18:58.537156  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 3145:3193(48) ack 3366 win 372
05:18:58.538923 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 3366:3414(48) ack 3193 win 33304
05:18:58.540886  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 3414 win 372
05:18:58.879534  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 3193:3241(48) ack 3414 win 372
05:18:58.881627 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 3414:3462(48) ack 3241 win 33304
05:18:58.883659  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 3462 win 372
05:18:59.029543  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 3241:3289(48) ack 3462 win 372
05:18:59.031534 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 3462:3510(48) ack 3289 win 33304
05:18:59.033547  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 3510 win 372
05:18:59.223213  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 3289:3337(48) ack 3510 win 372
05:18:59.225076 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 3510:3558(48) ack 3337 win 33304
05:18:59.227292  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 3558 win 372
05:18:59.359297  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 3337:3385(48) ack 3558 win 372
05:18:59.366296 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 3558:3606(48) ack 3385 win 33304
05:18:59.371670  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 3606 win 372
05:18:59.380601 Out IP truncated-ip - 40 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 3606:3654(48) ack 3385 win 33304
05:18:59.400950  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 3654 win 372
05:18:59.403784 Out IP truncated-ip - 104 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 3654:3766(112) ack 3385 win 33304
05:18:59.404299 Out IP truncated-ip - 56 bytes missing! 192.168.2.1.ssh > 192.168.2.2.54091: P 3766:3830(64) ack 3385 win 33304
05:18:59.407265  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 3766 win 372
05:18:59.407722  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 3830 win 372
05:18:59.408015  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 3385:3417(32) ack 3830 win 372
05:18:59.409197  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: P 3417:3481(64) ack 3830 win 372
05:18:59.409426 Out IP 192.168.2.1.ssh > 192.168.2.2.54091: . ack 3481 win 33256
05:18:59.413096  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: F 3481:3481(0) ack 3830 win 372
05:18:59.413348 Out IP 192.168.2.1.ssh > 192.168.2.2.54091: . ack 3482 win 33304
05:18:59.415694 Out IP 192.168.2.1.ssh > 192.168.2.2.54091: F 3830:3830(0) ack 3482 win 33304
05:18:59.426199  In IP 192.168.2.2.54091 > 192.168.2.1.ssh: . ack 3831 win 372

user@JunOS>
```

1 comment:

Unknown said...

But this is for control plane data, not data plane.