Randy, Works fine for me with "port 179 AND host ::ffff:222.77.14.229". I would recommend using the "-e" option to display the src and dst mac addresses.
Since the tcpdump on juniper platform usually catches only packets routed to the RE, tcpdump shouldn't catch many packets and you should be good with the "port 179" only. Gustavo. On Sat, May 5, 2012 at 6:46 PM, Randy Bush <ra...@psg.com> wrote: > i am getting a lot of these on my seattle internet exchange interface > > May 4 00:18:39 rpd[1485]: rv_listen_accept: Connection attempt from > unconfigured session: ::Ffff:222.77.14.229+40604 > May 4 00:23:36 rpd[1485]: rv_listen_accept: Connection attempt from > unconfigured session: ::ffff:222.77.14.229+20885 > May 4 00:23:38 rpd[1485]: rv_listen_accept: Connection attempt from > unconfigured session: ::ffff:222.77.14.229+38407 > May 4 00:28:35 rpd[1485]: rv_listen_accept: Connection attempt from > unconfigured session: ::ffff:222.77.14.229+47648 > May 4 00:28:37 rpd[1485]: rv_listen_accept: Connection attempt from > unconfigured session: ::ffff:222.77.14.229+43036 > May 4 00:33:35 rpd[1485]: rv_listen_accept: Connection attempt from > unconfigured session: ::ffff:222.77.14.229+11306 > May 4 00:33:37 rpd[1485]: rv_listen_accept: Connection attempt from > unconfigured session: ::ffff:222.77.14.229+21558 > > that looks like a mapped ipv4 address, except that 222.77.14.229 is > chinanet fujian address and chinanet is not at the six as far as i can > tell > > i wanna do a tcpdump to find the MAC of the other party. but i can not > make sense of ::ffff:222.77.14.229 so i can put it in a tcpdump > expression > > tcpdump -n -i fe-0/3/2.0 -XX port 179 host ????? > > any clues? _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp