Traffic monitoring

Displaying traffic

To display traffic on a given interface:

router{}show traffic INTERFACE [count N] [verbose V] [proto all|PROTO] [without PROTO] [pcap FILTER] [pager] [record FILENAME] [background]
count N
Specify that N packets should be captured. The capture stops when this number is reached.
verbose V
Specify the verbosity level, between 1 and 3. The higher the level, the more detailed the description of the packet.
proto PROTO
Display only packets for protocol PROTO.
without PROTO
Hide packets for protocol PROTO.

Note

PROTO is to be chosen among all, ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, netbeui, icmp, icmp6, igmp, igrp, pim, ah, esp, vrrp, udp, or tcp.

If neither the proto nor the without keyword is specified, all packets are displayed.

pcap FILTER
Specify a filter in pcap syntax. FILTER must be a quoted string.
pager
Display traffic one screenful at a time.
record FILENAME
Record the traffic into a file in pcap format. Traffic is not displayed on screen.
background
Start capture in background.

You can access the CLI while captured traffic is asynchronously displayed on screen. To stop a background capture, use the show traffic stop command.

This command is mainly useful when capturing traffic to a file.

See Using capture files below for more information.

Capture will stop if one of the following occurs:

  • the number of packets specified with the count keyword is reached,
  • <Ctrl+C> is pressed while the capture is running in foreground,
  • the show traffic stop command is entered while the capture is running in background.

Examples

router{}show traffic eth2_0 count 10
tcpdump6: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2_0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:32:28.073096 00:d0:c9:98:93:53 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 10.23.8.108 tell 10.23.8.208
17:32:28.073112 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype ARP (0x0806), length 42: arp reply 10.23.8.108 is-at 00:d0:c9:98:93:bb
17:32:28.073221 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype IPv4 (0x0800), length 98: IP 10.23.8.208 > 10.23.8.108: icmp 64: echo request seq 0
17:32:28.073275 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype IPv4 (0x0800), length 98: IP 10.23.8.108 > 10.23.8.208: icmp 64: echo reply seq 0
17:32:29.063225 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype IPv4 (0x0800), length 98: IP 10.23.8.208 > 10.23.8.108: icmp 64: echo request seq 256
17:32:29.063237 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype IPv4 (0x0800), length 98: IP 10.23.8.108 > 10.23.8.208: icmp 64: echo reply seq 256
17:32:30.063222 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype IPv4 (0x0800), length 98: IP 10.23.8.208 > 10.23.8.108: icmp 64: echo request seq 512
17:32:30.063230 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype IPv4 (0x0800), length 98: IP 10.23.8.108 > 10.23.8.208: icmp 64: echo reply seq 512
17:32:31.063220 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype IPv4 (0x0800), length 98: IP 10.23.8.208 > 10.23.8.108: icmp 64: echo request seq 768
17:32:31.063228 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype IPv4 (0x0800), length 98: IP 10.23.8.108 > 10.23.8.208: icmp 64: echo reply seq 768
10 packets captured
10 packets received by filter
0 packets dropped by kernel
router{}
router{}show traffic eth2_0 count 10 verbose 2
tcpdump6: listening on eth2_0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:19:18.227510 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype IPv4 (0x0800), length 98: IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 84) 10.23.8.208 > 10.23.8.108: icmp 64: echo request seq 0
17:19:18.227551 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype IPv4 (0x0800), length 98: IP (tos 0x0, ttl 255, id 39824, offset 0, flags [none], length: 84) 10.23.8.108 > 10.23.8.208: icmp 64: echo reply seq 0
17:19:19.224635 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype IPv4 (0x0800), length 98: IP (tos 0x0, ttl  64, id 1, offset 0, flags [DF], length: 84) 10.23.8.208 > 10.23.8.108: icmp 64: echo request seq 256
17:19:19.224644 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype IPv4 (0x0800), length 98: IP (tos 0x0, ttl 255, id 39825, offset 0, flags [none], length: 84) 10.23.8.108 > 10.23.8.208: icmp 64: echo reply seq 256
17:19:20.224632 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype IPv4 (0x0800), length 98: IP (tos 0x0, ttl  64, id 2, offset 0, flags [DF], length: 84) 10.23.8.208 > 10.23.8.108: icmp 64: echo request seq 512
17:19:20.224640 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype IPv4 (0x0800), length 98: IP (tos 0x0, ttl 255, id 39826, offset 0, flags [none], length: 84) 10.23.8.108 > 10.23.8.208: icmp 64: echo reply seq 512
17:19:21.224629 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype IPv4 (0x0800), length 98: IP (tos 0x0, ttl  64, id 3, offset 0, flags [DF], length: 84) 10.23.8.208 > 10.23.8.108: icmp 64: echo request seq 768
17:19:21.224637 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype IPv4 (0x0800), length 98: IP (tos 0x0, ttl 255, id 39827, offset 0, flags [none], length: 84) 10.23.8.108 > 10.23.8.208: icmp 64: echo reply seq 768
<Ctrl+C>
8 packets captured
8 packets received by filter
0 packets dropped by kernel
router{}
router{}show traffic eth2_0 without icmp
tcpdump6: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2_0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:22:22.266644 00:d0:c9:98:93:53 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 10.23.8.109 tell 10.23.8.208
17:22:23.266642 00:d0:c9:98:93:53 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 10.23.8.109 tell 10.23.8.208
17:22:24.266640 00:d0:c9:98:93:53 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 10.23.8.109 tell 10.23.8.208
17:22:33.601770 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype ARP (0x0806), length 42: arp who-has 10.23.8.208 tell 10.23.8.108
17:22:33.601908 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype ARP (0x0806), length 60: arp reply 10.23.8.208 is-at 00:d0:c9:98:93:53
17:22:43.916812 00:d0:c9:98:93:53 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 10.23.8.108 tell 10.23.8.208
17:22:43.916817 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype ARP (0x0806), length 42: arp reply 10.23.8.108 is-at 00:d0:c9:98:93:bb
<Ctrl+C>
7 packets captured
7 packets received by filter
0 packets dropped by kernel
router{}
router{}show traffic eth2_0 pcap "src 10.23.3.203"
tcpdump6: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2_0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:24:28.100948 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype IPv4 (0x0800), length 98: IP 10.23.8.208 > 10.23.8.108: icmp 64: echo request seq 0
17:24:29.097947 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype IPv4 (0x0800), length 98: IP 10.23.8.208 > 10.23.8.108: icmp 64: echo request seq 256
17:24:30.097945 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype IPv4 (0x0800), length 98: IP 10.23.8.208 > 10.23.8.108: icmp 64: echo request seq 512
17:24:31.097943 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype IPv4 (0x0800), length 98: IP 10.23.8.208 > 10.23.8.108: icmp 64: echo request seq 768
<Ctrl+C>
4 packets captured
4 packets received by filter
0 packets dropped by kernel
router{}

Using pcap filtering

The show traffic output displays all packets going in and out of a given interface.

This output may sometimes be confusing, even when using the proto and without keywords.

To select the precise traffic to monitor, use the pcap keyword. This keyword allows defining a filter in the libpcap format. Only packets matching this filter are displayed.

The filter argument is a quoted expression, consisting of one or more primitives, to be chosen among the following:

dst host HOST
True if the IP destination field of the packet is HOST, which may be either an address or DNS resolvable name.
src host HOST
True if the IP source field of the packet is HOST.
host HOST
True if either the IP source or destination of the packet is HOST.
ether dst EHOST
True if the Ethernet destination address is EHOST.
ether src EHOST
True if the Ethernet source address is EHOST.
ether host EHOST

True if either the Ethernet source or destination address is EHOST.

Note

For all the above ether primitives, EHOST must be a valid Ethernet address, that is, six octets separated by colons, e.g. 00:d0:c9:98:93:52.

dst net NET
True if the IP destination address of the packet has a network number of NET.
src net NET
True if the IP source address of the packet has a network number of NET.
net NET
True if either the IP source or destination address of the packet has a network number of NET.
net NET mask MASK
True if the IP address matches NET with the specified netmask. May be qualified with src or dst.
net NET/LEN
True if the IP address matches NET with a netmask LEN bits wide. May be qualified with src or dst.

Note

For all the above net primitives, NET must be a network number, e.g. 192.168.0.

MASK must be an IP address mask, e.g. 255.255.255.0.

dst port PORT

True if the packet is IP / TCP or IP / UDP and has a destination port value of PORT. The port must be a number.

Use of a port number may be ambiguous when a protocol is not specified. For example, dst port 513 will print both TCP/login traffic and UDP/who traffic, and port domain will print both TCP/domain and UDP/domain traffic.

src port PORT
True if the packet has a source port value of PORT.
port PORT

True if either the source or destination port of the packet is PORT.

Note

Any of the above port expressions can be prepended with the keywords tcp or udp, as in: tcp src port PORT, which matches only TCP packets whose source port is PORT.

less LENGTH
True if the packet has a length less than or equal to LENGTH. This is equivalent to: len <= LENGTH.
greater LENGTH
True if the packet has a length greater than or equal to LENGTH. This is equivalent to: len >= LENGTH.
ip proto PROTOCOL

True if the packet is an IP packet of protocol type PROTOCOL.

PROTOCOL can be a number, or one of the names icmp, udp, or tcp.

Note

These identifiers are also keywords and must be escaped via a double backslash, as in ip proto \icmp.

ether broadcast

True if the packet is an ethernet broadcast packet.

The ether keyword is optional.

ip broadcast

True if the packet is an IP broadcast packet.

It checks for both the all-zeroes and all-ones broadcast conventions, and looks up the local subnet mask.

ether multicast

True if the packet is an ethernet multicast packet.

The ether keyword is optional.

ip multicast
True if the packet is an IP multicast packet.
ether proto PROTOCOL

True if the packet is of ether type PROTOCOL.

PROTOCOL can be a number, or a name like ip, arp, or rarp.

Note

These identifiers are also keywords and must be escaped via a double backslash.

ip, ip6, arp, rarp, atalk, aarp, decnet, iso, stp, ipx, netbeui
Abbreviations for: ether proto PROTO.
tcp, udp, icmp
Abbreviations for: ip proto PROTO or ip6 proto PROTO.
vlan [VLANID]

True if the packet is an IEEE 802.1Q VLAN packet.

If VLANID is specified, packets must be tagged with the specified ID.

Note

The first vlan keyword encountered in the expression changes the decoding offsets for the remainder of the expression, on the assumption that the packet is a VLAN packet.

EXPR RELOP EXPR

True if the relation holds, where RELOP is one of >, <, >=, <=, =, !=, and EXPR is an arithmetic expression, composed of integer constants (expressed in standard C syntax), the normal binary operators +, -, *, /, &, |, a length operator, and special packet data accessors (see below).

Note

About special packet data accessors

To access data inside the packet, use the following syntax: PROTO [ EXPR : SIZE ].

PROTO
One of ether, ip, arp, rarp, tcp, udp, or icmp; indicates the protocol layer for the index operation.
EXPR
The byte offset of the field, relative to the indicated protocol layer.
SIZE
Optional. Indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one.

The length operator, indicated by the keyword len, gives the length of the packet.

Examples

ether[0] & 1 != 0 catches all multicast traffic.

ip[0] & 0xf != 5 catches all IP packets with options.

ip[6:2] & 0x1fff = 0 catches only unfragmented datagrams and frag zero of fragmented datagrams. This check is implicitly applied to the TCP and UDP index operations. For instance, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment.
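The three accessor filters above, evaluated over raw frames, as an added example that is not part of this documentation or of the router's own filter engine. It models only the ether and ip layers; the frames are constructed inline and the MAC and IP addresses are arbitrary sample values.

```python
import socket
import struct

def ipv4_header(ihl=5, frag_field=0, proto=1, src="10.23.8.208", dst="10.23.8.108"):
    """Constructed IPv4 header: ihl in 32-bit words, frag_field = flags|offset (16 bits)."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0x1234, frag_field,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + b"\x01" * ((ihl - 5) * 4)   # NOP options pad the header to ihl*4 bytes

def ether_frame(dst_mac, src_mac, ethertype, payload):
    macs = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", ""))
    return macs + struct.pack("!H", ethertype) + payload

def accessor(frame, proto, offset, size=1):
    """PROTO[offset:size] as an unsigned big-endian int, or None when the layer is absent
    or the field runs past the end of the packet (the filter then evaluates to false)."""
    if proto == "ether":
        base = 0
    elif proto == "ip":
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # ethertype must be IPv4
            return None
        base = 14
    else:
        raise ValueError("only ether and ip accessors are modelled in this example")
    field = frame[base + offset: base + offset + size]
    return int.from_bytes(field, "big") if len(field) == size else None

# The three filters from the text, written as predicates over a raw frame.
def is_multicast(frame):              # ether[0] & 1 != 0
    v = accessor(frame, "ether", 0)
    return v is not None and v & 1 != 0

def has_ip_options(frame):            # ip[0] & 0xf != 5  (IHL larger than 5 words)
    v = accessor(frame, "ip", 0)
    return v is not None and v & 0xF != 5

def first_fragment_or_whole(frame):   # ip[6:2] & 0x1fff = 0  (fragment offset is zero)
    v = accessor(frame, "ip", 6, 2)
    return v is not None and v & 0x1FFF == 0

SRC, DST = "00:d0:c9:98:93:53", "00:d0:c9:98:93:bb"
# Constructed sample frames (not the captures shown in this chapter).
ECHO      = ether_frame(DST, SRC, 0x0800, ipv4_header())
ARP_BCAST = ether_frame("ff:ff:ff:ff:ff:ff", SRC, 0x0806,
                        b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20)
WITH_OPTS = ether_frame(DST, SRC, 0x0800, ipv4_header(ihl=6))
FRAG_0    = ether_frame(DST, SRC, 0x0800, ipv4_header(frag_field=0x2000))         # MF set, offset 0
FRAG_N    = ether_frame(DST, SRC, 0x0800, ipv4_header(frag_field=0x2000 | 0x10))  # MF set, offset 16

if __name__ == "__main__":
    samples = [("echo", ECHO), ("arp bcast", ARP_BCAST), ("options", WITH_OPTS),
               ("frag 0", FRAG_0), ("frag N", FRAG_N)]
    for name, f in samples:
        print(f"{name:10} multicast={is_multicast(f)} options={has_ip_options(f)} "
              f"frag0={first_fragment_or_whole(f)}")
```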

Finally, primitives may be combined using:

(, )
A parenthesized group of primitives and operators.
not
Negation
and
Concatenation
or
Alternation

Negation has highest precedence. Alternation and concatenation have equal precedence and associate from left to right.

Note

Explicit and tokens, not juxtaposition, are required for concatenation.

If an identifier is given without a keyword, the most recent keyword is assumed.

Examples

router{}show traffic eth1_0 pcap "host myhost"
router{}show traffic eth1_0 pcap "src aston"
router{}show traffic eth1_0 pcap "dst net 10.0.0"
router{}show traffic eth1_0 pcap "dst port ssh"
router{}show traffic eth1_0 pcap "tcp port 21"
router{}show traffic eth1_0 pcap "src aston and not port ftp and not port ftp-data"

router{}show traffic eth1_0 pcap "not host castor and pollux"

is a shortcut for

router{}show traffic eth1_0 pcap "not host castor and host pollux"

which should not be confused with

router{}show traffic eth1_0 pcap "not (host castor or pollux)"

Using capture files

Capturing and reading traffic using capture files

Traffic may be recorded to a file for later analysis (for example using a graphical tool), using the record keyword.

Traffic files are in libpcap format, which is recognized by most common traffic capture and analysis tools.

To start capturing to a file:

router{}show traffic INTERFACE record FILENAME [count N] [verbose V] [proto all|PROTO] [without PROTO] [pcap FILTER] [pager] background

When capturing to a file, traffic is not displayed on screen, so the common use is to specify the background keyword at the end of the command line, to be able to access the CLI while traffic is being recorded.

Other parameters may be specified as described at the beginning of this chapter.

To stop a capture running in background, use the following command.

router{}show traffic stop

To read a previously recorded capture file:

router{}show traffic file TRAFFICFILE [verbose INT] [proto PROTO] [without PROTO] [pcap FILTER]
file TRAFFICFILE
Specifies a previously recorded file (using the record keyword), from which traffic should be read.

Other parameters may be specified as described at the beginning of this chapter.

Examples

router{}show traffic eth2_0 record mycapture.pcap background
router{}tcpdump6: listening on eth2_0, link-type EN10MB (Ethernet), capture size 65535 bytes

router{}show traffic stop
router{}
12 packets captured
12 packets received by filter
0 packets dropped by kernel

router{}show traffic file mycapture.pcap
reading from file /tmp/capture/mycapture.pcap, link-type EN10MB (Ethernet)
11:32:32.220963 00:d0:c9:98:93:53 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.23.8.108 tell 10.23.8.208
11:32:32.220978 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype ARP (0x0806), length 42: arp reply 10.23.8.108 is-at 00:d0:c9:98:93:bb
11:32:32.221088 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype IPv4 (0x0800), length 98: IP 10.23.8.208 > 10.23.8.108: icmp 64: echo request seq 0
11:32:32.221115 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype IPv4 (0x0800), length 98: IP 10.23.8.108 > 10.23.8.208: icmp 64: echo reply seq 0
11:32:33.210967 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype IPv4 (0x0800), length 98: IP 10.23.8.208 > 10.23.8.108: icmp 64: echo request seq 256
11:32:33.210975 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype IPv4 (0x0800), length 98: IP 10.23.8.108 > 10.23.8.208: icmp 64: echo reply seq 256
11:32:34.210965 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype IPv4 (0x0800), length 98: IP 10.23.8.208 > 10.23.8.108: icmp 64: echo request seq 512
11:32:34.210973 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype IPv4 (0x0800), length 98: IP 10.23.8.108 > 10.23.8.208: icmp 64: echo reply seq 512
11:32:35.210963 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype IPv4 (0x0800), length 98: IP 10.23.8.208 > 10.23.8.108: icmp 64: echo request seq 768
11:32:35.210971 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype IPv4 (0x0800), length 98: IP 10.23.8.108 > 10.23.8.208: icmp 64: echo reply seq 768
11:32:37.212666 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype ARP (0x0806), length 42: arp who-has 10.23.8.208 tell 10.23.8.108
11:32:37.212833 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype ARP (0x0806), length 60: arp reply 10.23.8.208 is-at 00:d0:c9:98:93:53
router{}show traffic file mycapture.pcap pcap "arp"
reading from file /tmp/capture/mycapture.pcap, link-type EN10MB (Ethernet)
11:32:32.220963 00:d0:c9:98:93:53 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.23.8.108 tell 10.23.8.208
11:32:32.220978 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype ARP (0x0806), length 42: arp reply 10.23.8.108 is-at 00:d0:c9:98:93:bb
11:32:37.212666 00:d0:c9:98:93:bb > 00:d0:c9:98:93:53, ethertype ARP (0x0806), length 42: arp who-has 10.23.8.208 tell 10.23.8.108
11:32:37.212833 00:d0:c9:98:93:53 > 00:d0:c9:98:93:bb, ethertype ARP (0x0806), length 60: arp reply 10.23.8.208 is-at 00:d0:c9:98:93:53
router{}
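A minimal reader for the libpcap format written by the record keyword, added here as an example and not part of this documentation or of the router's own tooling. It applies the length checks a capture file brought in with import traffic-file deserves, and counts the frames that the pcap "arp" filter in the last example selects. The two sample frames are constructed inline; the addresses in them are arbitrary.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # microsecond pcap; stored in the writer's native byte order
LINKTYPE_ETHERNET = 1     # shown as "link-type EN10MB" by show traffic
ETHERTYPE_ARP = 0x0806

def write_pcap(records, snaplen=65535):
    """Serialise (sec, usec, frame) triples into a little-endian pcap file image."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (sec, usec, frame) from a pcap image; raise ValueError on anything malformed."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", data[:4])[0]
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)   # swapped magic means a big-endian file
    if end is None:
        raise ValueError("not a pcap file (magic 0x%08x)" % magic)
    _, major, minor, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    if (major, minor) != (2, 4) or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported version %d.%d or link-type %d" % (major, minor, linktype))
    pos = 24
    while pos < len(data):
        if len(data) - pos < 16:
            raise ValueError("truncated record header at offset %d" % pos)
        sec, usec, incl_len, orig_len = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        # Bound every record by snaplen, orig_len and the bytes actually present: an imported
        # file is untrusted input, and a bogus incl_len must never be used as a read length.
        if incl_len > snaplen or incl_len > orig_len or incl_len > len(data) - pos:
            raise ValueError("bad record length %d at offset %d" % (incl_len, pos - 16))
        yield sec, usec, data[pos:pos + incl_len]
        pos += incl_len

def ethertype(frame):
    return struct.unpack("!H", frame[12:14])[0] if len(frame) >= 14 else None

def count_arp(data):
    """What 'show traffic file X pcap "arp"' selects: frames whose ethertype is ARP."""
    return sum(1 for _, _, f in read_pcap(data) if ethertype(f) == ETHERTYPE_ARP)

# Constructed sample frames (not the page's captures): an ARP request and an ICMP echo request.
ARP_FRAME = bytes.fromhex("ffffffffffff00d0c9989353" "0806" "0001080006040001"
                          "00d0c9989353" "0a1708d0" "000000000000" "0a17086c")
ICMP_FRAME = bytes.fromhex("00d0c99893bb00d0c9989353" "0800"
                           "4500001812340000" "4001" "0000" "0a1708d0" "0a17086c" "08000000")
SAMPLE = write_pcap([(1000, 220963, ARP_FRAME), (1000, 221088, ICMP_FRAME), (1005, 212666, ARP_FRAME)])

if __name__ == "__main__":
    for sec, usec, frame in read_pcap(SAMPLE):
        print("%d.%06d ethertype 0x%04x length %d" % (sec, usec, ethertype(frame), len(frame)))
    print("arp frames:", count_arp(SAMPLE))
```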

Managing capture files

To display the list of capture files stored on Turbo IPsec, use the following command from the root context:

router{}display traffic-file

To export a capture file:

router{}export traffic-file TRAFFICFILE URL
TRAFFICFILE
Name of an existing local file.
URL
URL of the remote destination file. TFTP, FTP or SCP protocols can be used to export files. The remote file name must be specified in the URL when using FTP or TFTP. The remote file name is optional with SCP.

To import a capture file:

router{}import traffic-file URL [FILENAME]
URL
URL of the remote file. TFTP, FTP or SCP protocols can be used to import files. The remote file name must be specified in the URL.
FILENAME
Name of the local file. This argument is optional. If it is not specified, the local file name will be the same as the remote one.

To delete a capture file:

router{}delete traffic-file TRAFFICFILE

Examples

router{}display traffic-file
eth1_0.pcap
eth2_0.pcap
router{}export traffic-file eth1_0.pcap ftp://user:passwd@host/path/eth1.pcap
router{}delete traffic-file eth1_0.cap
router{}display traffic-file
eth2_0.pcap
router{}
router{}import traffic-file ftp://user:passwd@host/path/eth1.pcap eth1_0.cap
importing file ftp://user:passwd@host/path/eth1.pcap.cap
router{}display traffic-file
eth1_0.pcap
eth2_0.pcap

router{}