[j-nsp] "monitor traffic" broken?
harry at juniper.net
Mon Nov 1 15:06:05 EST 2004
Daniel, it looks like this is PR 13559, which is still open. An internal
documentation related PR is also on file. I am not sure in which version
the correction/clarification is expected, however.
As far as only catching 1/2 of the DNS exchange, what interface are you
monitoring for the egress DNS? Monitoring traffic on lo0 should catch
all RE traffic. Is it possible that the outgoing query leaves on one
interface while the reply arrives on the interface being monitored? I
have no ability to test at present.
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> Daniel Roesen
> Sent: Monday, November 01, 2004 10:46 AM
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] "monitor traffic" broken?
> On Mon, Nov 01, 2004 at 10:32:58AM -0800, Harry Reynolds wrote:
> > AFAIK protocol based matches at the CLI have been broken for some time.
> > This is because the L2 encap is stripped at ingress. You can work
> > around by capturing to a file and then reading back the contents of
> > the file; when writing to a file pseudo L2 headers are added back (as
> > I understand). This can be done at a root shell using standard
> > TCPDUMP, or via hidden write-file and read-file CLI switches. Note
> > these are hidden due to concern about someone writing a huge file to
> > /var causing a lack of disk space.
> Thanks. Using write/read-file I'm now able to match on host IP etc.
> Unfortunately I'm still seeing only incoming packets, not
> egress DNS queries done by the RE.
> BTW, is there a PR open to get either "monitor traffic" fixed
> or the documentation for the matching stuff removed? :-)
> Best regards,
> CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP:
> 0xA85C8AA0