It’s notoriously difficult to obtain packet captures in large networks. I was shown this trick by Juniper’s JTAC for the cases where monitor traffic
just does not cut it.
I found this especially helpful when troubleshooting multicast (more specifically, an incorrect TTL set on the source).
mirror_view
root@redacted> start shell
[vrf:none] root@redacted:/var/home/redacted# su
sh-5.0# mirror_view -port et-0/0/20 -num_packets 200 -max_run_time 50
Selected port : et-0/0/20
Init b' Create MTP SUCESS instName : CliPfe-cpuQ221 Ifd Index : 221\n
Create Input is SUCESS for Input Ifd : 1047\n
Mirror Input Interface et-0/0/20 index : 1047 output index 221\n'
Teardown b' Mirror Deactivate\n Delete MTP SUCESS instName : CliPfe-cpuQ221 Ifd Index : 221\n'
Teardown b' Mirror Deactivate\n Delete MTP SUCESS instName : CliPfe-cpuQ221 Ifd Index : 221\n'
Total packets = 200
Completed decoding of packets.
***********************************************************************************
Completed decoding of packets!
mirrored pcap file = /var/tmp/somedate-da-port-et-0-0-20-mirrored.pcap
decoded pcap file = /var/tmp/somedate-da-port-et-0-0-20-decoded.pcap
decoded sys-hdr file = /var/tmp/somedate-da-port-et-0-0-20-sysheader.sys
***********************************************************************************
Monitor Traffic
Monitor traffic still has its uses, though it’s not without nuance. I noticed that
monitor traffic et-x no-resolve
by itself does not always show all packets that it could (or arguably, should). For a more specific capture, it appears that filtering must be applied. Juniper has provided a Day One document (linked below) outlining some of the more common filters. I will also document them on this page.
As an example, to capture DHCP packets on an IRB interface:
monitor traffic interface irb.100 no-resolve extensive matching "(udp port 67 or udp port 68)"
General list of filters (each expression is passed as the argument to matching; where a line shows several expressions separated by |, they are alternative spellings of the same filter, so use one of them):
# IS-IS Filters
LAN L1 Hello "((ether[21]=15) and iso)"
LAN L2 Hello "((ether[21]=16) and iso)"
P2P Hello "((ether[21]=17) and iso)"
L1 LSP "((ether[21]=18) and iso)"
L2 LSP "((ether[21]=20) and iso)"
L1 CSNP "((ether[21]=24) and iso)"
L2 CSNP "((ether[21]=25) and iso)"
L1 PSNP "((ether[21]=26) and iso)"
L2 PSNP "((ether[21]=27) and iso)"
# LLDP
"(ether[12:2]=0x88cc)"
# DHCPv6
"(udp port 546 or udp port 547)"
# IPv6
IPv6 "(ether proto \ip6 | ether proto 0x86dd | ether[12:2]=0x86dd | ip6)"
ICMPv6 "([ip6] proto 58 | icmp6 | ip6[6]=58)"
ICMPv6 echo "(ip6[40:2]=0x8000)"
ICMPv6 reply "(ip6[40:2]=0x8100)"
IPv6 Router Advertisement "(ip6[40:2]=0x8600)"
# IPv4
IPv4 "(ether proto \ip | ether proto 0x0800 | ether[12:2]=0x0800 | ip)"
ICMP "([ip] proto 1 | icmp | ip[9]=1)"
ICMP echo "(icmp[icmptype]=8 | icmp[0]=8 )"
ICMP reply "(icmp[icmptype]=0 | icmp[0]=0 )"
ICMP unreachable, fragmentation needed & DF set "(icmp[0]=3 and icmp[1]=4)"
# Protocols
EIGRP "([ip] proto 88 | ip[9]=88)"
OSPF "([ip] proto 89 | ip[9]=89)"
VRRP "([ip] proto 112 | ip[9]=112)"
GRE "([ip] proto 47 | ip[9]=47)"
RSVP "([ip] proto 46 | ip[9]=46 )"
PIM "([ip] proto 103 | ip[9]=103)"
# Network Access Layer
802.1Q "(ether[12:2]=0x8100)"
LLDP "(ether[12:2]=0x88cc)"
RARP "(ether proto \rarp | ether proto 0x8035 | ether[12:2]=0x8035)"
ARP "(ether proto \arp | ether proto 0x0806 | ether[12:2]=0x0806)"
MPLS "(ether proto 0x8847 | ether[12:2]=0x8847 | mpls)"
ICMP encapsulated in MPLS "(mpls and icmp)"
- Inbound packets display the full Ethernet (Layer 2) header.
- Outbound IP and MPLS traffic has its Layer 2 header stripped, so filtering by Ethernet fields only works inbound.
Source: https://www.juniper.net/assets/us/en/local/pdf/books/day-one-poster-monitor-command.pdf
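To see what the byte-offset filters above actually select (ether[21] for the IS-IS PDU type, ip6[40:2] for the ICMPv6 type/code, ip[9] and icmp[0] for IPv4), here is an added Python example that evaluates the same offsets against constructed frames. It is not from the page or from Juniper; the frames, MAC addresses and the helper names are made up for illustration.

```python
# Added example: re-implements the page's offset-based filters in Python so the
# meaning of each offset can be checked on constructed frames (not Junos code).
import struct

# IS-IS PDU type values used by the "ether[21]=N" filters on this page.
ISIS_PDU_NAMES = {15: "LAN L1 Hello", 16: "LAN L2 Hello", 17: "P2P Hello",
                  18: "L1 LSP", 20: "L2 LSP", 24: "L1 CSNP", 25: "L2 CSNP",
                  26: "L1 PSNP", 27: "L2 PSNP"}

def ether_type(frame):
    return struct.unpack("!H", frame[12:14])[0]          # ether[12:2]

def isis_pdu_type(frame):
    # 14-byte Ethernet + 3-byte LLC (FE FE 03) = 17, then the IS-IS common
    # header: NLPID(17) len(18) ver(19) idlen(20) PDU type(21) -> ether[21].
    if len(frame) < 22 or frame[14:17] != b"\xfe\xfe\x03" or frame[17] != 0x83:
        return None
    return frame[21] & 0x1F                               # low 5 bits = PDU type

def icmpv6_type_code(frame):
    # ip6[40:2]: the fixed IPv6 header is 40 bytes, so this only holds when the
    # next-header byte (ip6[6]) is 58 directly; extension headers shift it.
    if ether_type(frame) != 0x86DD or frame[14 + 6] != 58:
        return None
    return struct.unpack("!H", frame[14 + 40:14 + 42])[0]

def icmpv4_type_code(frame):
    # ip[9] is the protocol; ICMP starts after the IHL-sized IPv4 header, so
    # icmp[0] is the type and icmp[1] the code (echo reply is type 0, code 0).
    if ether_type(frame) != 0x0800 or frame[14 + 9] != 1:
        return None
    ihl = (frame[14] & 0x0F) * 4
    return frame[14 + ihl], frame[14 + ihl + 1]

def describe(frame):
    """Label a frame the way the page's filter list would (or 'other')."""
    pdu = isis_pdu_type(frame)
    if pdu is not None:
        return "IS-IS " + ISIS_PDU_NAMES.get(pdu, "PDU type %d" % pdu)
    if icmpv6_type_code(frame) == 0x8000:
        return "ICMPv6 echo"
    if icmpv4_type_code(frame) == (0, 0):
        return "ICMP reply"
    return "other"

# Constructed sample frames (placeholder MACs, zeroed addresses/checksums).
MACS = b"\x01\x80\xc2\x00\x00\x14" + b"\x02\x00\x00\x00\x00\x01"
ISIS_L1_HELLO = MACS + b"\x00\x20" + b"\xfe\xfe\x03" + bytes([0x83, 27, 1, 0, 15]) + b"\x00" * 27
IPV6_HDR = b"\x60\x00\x00\x00\x00\x08\x3a\x40" + b"\x00" * 32   # next header 58
ICMPV6_ECHO = MACS + b"\x86\xdd" + IPV6_HDR + b"\x80\x00" + b"\x00" * 6
IPV4_HDR = b"\x45\x00\x00\x1c\x00\x00\x00\x00\x40\x01" + b"\x00" * 10  # proto 1
ICMP_REPLY = MACS + b"\x08\x00" + IPV4_HDR + b"\x00\x00" + b"\x00" * 6
```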