Re: [j-nsp] Capturing/displaying contents of incoming packets
On 04/15/2012 09:01 AM, Daniel Roesen wrote:
> On Fri, Apr 13, 2012 at 04:17:51PM +0100, Phil Mayers wrote:
>> On 13/04/12 16:11, Jose Madrid wrote:
>>> Why not just use monitor interface? I have used it in the past and it's a tcp-dump like output.
>>
>> That just shows control-plane packets.
>
> And only those control-plane packets which go from/to the routing engine. Packets handled by distributed PPM on the linecards won't show up. E.g. BFD, LACP, ...

Interesting. I didn't know that (but then we don't have any distributed Juniper kit at the mo).

Useful to know, but not useful for it to be that way ;o)

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Capturing/displaying contents of incoming packets
On 4/16/2012 4:35 AM, Phil Mayers wrote:
> On 04/15/2012 09:01 AM, Daniel Roesen wrote:
>> On Fri, Apr 13, 2012 at 04:17:51PM +0100, Phil Mayers wrote:
>>> On 13/04/12 16:11, Jose Madrid wrote:
>>>> Why not just use monitor interface? I have used it in the past and it's a tcp-dump like output.
>>>
>>> That just shows control-plane packets.
>>
>> And only those control-plane packets which go from/to the routing engine. Packets handled by distributed PPM on the linecards won't show up. E.g. BFD, LACP, ...
>
> Interesting. I didn't know that (but then we don't have any distributed Juniper kit at the mo).
>
> Useful to know, but not useful for it to be that way ;o)

On at least some combinations of hardware/software you can disable PFE PPM processing, which at least leaves you with some decent visibility for intermediate-system to intermediate-system basic connectivity troubleshooting.
Re: [j-nsp] Capturing/displaying contents of incoming packets
On Fri, Apr 13, 2012 at 04:17:51PM +0100, Phil Mayers wrote:
> On 13/04/12 16:11, Jose Madrid wrote:
>> Why not just use monitor interface? I have used it in the past and it's a tcp-dump like output.
>
> That just shows control-plane packets.

And only those control-plane packets which go from/to the routing engine. Packets handled by distributed PPM on the linecards won't show up. E.g. BFD, LACP, ...

Best regards,
Daniel

PS: ah, and JUNOS also forgets to count those packets, and forgets to obey the host-outbound-traffic CoS config so distributed LACP/BFD/whateverdistributedPPMhandles goes into wrong egress queue. Workaround: configure ppm centralized, but also lose the scaling...

--
CLUE-RIPE -- Jabber: d...@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0
Re: [j-nsp] Capturing/displaying contents of incoming packets
Here is a full link to what Saku is referring to:
http://juniper.cluepon.net/Remote_port-mirror

---
Ben Boyd
b...@sinatranetwork.com
http://about.me/benboyd

On Apr 12, 2012, at 7:02 PM, Saku Ytti wrote:
> Setup GRE tunnel towards your *nix box (no need to config tunnel in *nix) and mirror packets to the tunnel.
Re: [j-nsp] Capturing/displaying contents of incoming packets
Tom,

Why not just use monitor interface? I have used it in the past and it's a tcp-dump like output.

http://www.juniper.net/techpubs/en_US/junos10.2/topics/reference/command-summary/monitor-interface.html

On Fri, Apr 13, 2012 at 10:56 AM, Ben Boyd b...@sinatranetwork.com wrote:
> Here is a full link to what Saku is referring to:
> http://juniper.cluepon.net/Remote_port-mirror
>
> ---
> Ben Boyd
> b...@sinatranetwork.com
> http://about.me/benboyd
>
> On Apr 12, 2012, at 7:02 PM, Saku Ytti wrote:
>> Setup GRE tunnel towards your *nix box (no need to config tunnel in *nix) and mirror packets to the tunnel.

--
It has to start somewhere, it has to start sometime. What better place than here? What better time than now?
Re: [j-nsp] Capturing/displaying contents of incoming packets
On 13/04/12 16:11, Jose Madrid wrote:
> Tom,
>
> Why not just use monitor interface? I have used it in the past and it's a tcp-dump like output.

That just shows control-plane packets. Remote mirroring shows data-plane packets too.

Which is appropriate will, of course, depend on your needs.
[j-nsp] Capturing/displaying contents of incoming packets
Hi all,

I am trying to debug some stubborn circuits that just don't seem to want to work. I can see incoming packets being recorded on both interfaces (10GE, both on the same router), but I cannot ping across either link. I've verified with the owner of the router at the other end and we are using the correct subnets, and the same interface configuration, but neither of us can ping the other.

I am interested to try and work out what is in the packets that are coming in to work out if they belong to the routers they are supposed to at the opposite end of each link, or where they are from.

I'm wondering if there is some way to output the details like a TCP dump, or capture to a pcap file which can be read by Wireshark et al? The latter seems possible on certain models, but not the gear in question here, an MX960 with DPCEs.

The rate of packets is extremely low, as in 1 or 2 packets a minute, but would potentially reveal a lot to me at this stage.

Unfortunately there's a bit of an air (and sea) gap between me and the router in question, so any form of local troubleshooting is out of the question at the moment.

Thanks,
Tom
Re: [j-nsp] Capturing/displaying contents of incoming packets
On (2012-04-12 23:23 +0100), Tom Storey wrote:
> I'm wondering if there is some way to output the details like a TCP dump, or capture to a pcap file which can be read by Wireshark et al? The latter seems possible on certain models, but not the gear in question here, an MX960 with DPCEs.

Setup GRE tunnel towards your *nix box (no need to config tunnel in *nix) and mirror packets to the tunnel.

Something to this effect

    interfaces {
        gr-1/0/0 {
            unit 1 {
                tunnel {
                    source your_loopback;        # placeholder: router loopback address
                    destination your_nix_pc;     # placeholder: capture host address
                }
                family inet {
                    address 127.0.0.42/31;
                }
                family inet6 {
                    address fe80::42/127;
                }
            }
        }
    }
    forwarding-options {
        port-mirroring {
            input {
                rate 1;
            }
            family inet {
                output {
                    interface gr-1/0/0.1;
                }
            }
            family inet6 {
                output {
                    interface gr-1/0/0.1;
                }
            }
        }
    }

Then in firewall config 'then port-mirror;' for what ever you want to mirror.

I suggest using tshark in your NIX box, rather than tcpdump, as you can see actual useful packet, not just the top GRE. And you can use display filters matches to capture only interesting packets

--
  ++ytti
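
An added example, not part of the original thread or of any poster's code: what "seeing past the top GRE" means for the mirrored traffic above, as a decapsulator that strips the outer IPv4 and GRE headers and reports the inner packet's addresses. The function names and the documentation-range addresses in the sample are assumptions made for illustration.

```python
import ipaddress
import struct

ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6"}

def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet for the constructed sample (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

def decap_gre(outer):
    """Strip outer IPv4 + GRE and summarise the mirrored (inner) packet."""
    if len(outer) < 20 or outer[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != 47 or len(outer) < ihl + 4:
        raise ValueError("not GRE (IP protocol 47) or truncated")
    gre = outer[ihl:]
    flags, ethertype = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    # Optional checksum (C), key (K) and sequence (S) fields are 4 bytes each.
    offset = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    inner = gre[offset:]
    family = ETHERTYPES.get(ethertype)
    if family == "IPv4" and len(inner) >= 20:
        src, dst, hops, nxt = inner[12:16], inner[16:20], inner[8], inner[9]
    elif family == "IPv6" and len(inner) >= 40:
        src, dst, hops, nxt = inner[8:24], inner[24:40], inner[7], inner[6]
    else:
        raise ValueError(f"unhandled or truncated payload, type 0x{ethertype:04x}")
    return {
        "tunnel_src": str(ipaddress.ip_address(outer[12:16])),
        "tunnel_dst": str(ipaddress.ip_address(outer[16:20])),
        "family": family,
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "next_proto": nxt,   # IP protocol / next-header number of the inner packet
        "hops": hops,        # inner TTL or hop limit
    }

# Constructed sample: an ICMP echo request mirrored into a GRE tunnel.
# All addresses are documentation ranges, not values from the thread.
INNER = build_ipv4("198.51.100.2", "198.51.100.1", 1, b"\x08\x00" + bytes(6))
SAMPLE = build_ipv4("192.0.2.1", "192.0.2.10", 47, struct.pack("!HH", 0, 0x0800) + INNER)

if __name__ == "__main__":
    print(decap_gre(SAMPLE))
```

On Linux, a raw IPv4 socket opened for IP protocol 47 returns each datagram with its outer IP header, which is the input `decap_gre` expects.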