[j-nsp] Missing bytes on traffic monitoring (Maximum 60 bytes)

Richard A Steenbergen ras at e-gerbil.net
Mon Jun 8 01:53:54 EDT 2009


On Mon, Jun 08, 2009 at 12:51:52AM +0700, Nugroho WH Adisubrata wrote:
> Hi All,
> I am trying to monitor specific interfaces using the command "monitor traffic
> interface <IFD>".
> I saw a lot of missing bytes in IP packets such as SSH, ICMP, OSPF hello
> packets, etc. across these links (more than 1 link).
> I use Junos 9.1R4.4 on M120 and GE Interfaces with MTU 4484.
> 
> The sample log is:
> 
> optimus@prime> ping 2.2.2.2 size 33
> 
> 00:31:25.042381 Out IP truncated-ip - 1 bytes missing! 1.1.1.1 > 2.2.2.2:
> ICMP echo request, id 27828, seq 2, length 41
> 00:31:25.797269 Out IP truncated-ip - 24 bytes missing! 1.1.1.1 > 224.0.0.5:
> OSPFv2, Hello, length 48
> 
> The maximum IP packet without "IP Truncate" is only 32 bytes. If I put 33
> bytes, I saw 1 byte missing as shown in the log above, and so on.
> With a 32-byte ICMP packet, the total packet is 32+28 (20 IP header + 8 ICMP
> header) = 60 bytes max.

Add "extensive" to your monitor traffic, see if you can get a complete
copy of the packet it doesn't like. IIRC this message (the one with "%d
bytes missing" specifically) only happens if the length in the IP header
doesn't agree with the length of the original packet as it was presented
to tcpdump (so regardless of snaplen). Also, does this happen only on
output packets?

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
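
The length comparison described in the reply above, as an added example that is not part of the original thread and is not tcpdump's own code: the total length field in the IPv4 header is compared with the original length of the packet as it was handed to the sniffer, independent of how many bytes snaplen let through. The function names are hypothetical, the packets are constructed, and the 60-byte presented length is taken from the limit reported in the quoted message.

```python
import struct

def build_ipv4_header(total_length, proto, src, dst):
    """Constructed 20-byte IPv4 header (no options, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst))

def missing_bytes(ip_bytes, wire_len):
    """Bytes the IP header claims beyond what was presented to the sniffer.

    ip_bytes: captured bytes starting at the IPv4 header (may be cut by snaplen)
    wire_len: original length of the IP packet as presented (pcap 'len' minus
              the link-layer header), not the captured length
    """
    if len(ip_bytes) < 20:
        raise ValueError("need at least the fixed 20-byte IPv4 header")
    version, ihl = ip_bytes[0] >> 4, (ip_bytes[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not a valid IPv4 header")
    total_length = struct.unpack("!H", ip_bytes[2:4])[0]
    return max(0, total_length - wire_len)

def describe(ip_bytes, wire_len):
    """Render the result the way the quoted capture shows it."""
    n = missing_bytes(ip_bytes, wire_len)
    return f"truncated-ip - {n} bytes missing!" if n else "ok"

ICMP = 1
SRC, DST = (1, 1, 1, 1), (2, 2, 2, 2)

# Constructed case 1: "ping size 33" -> IP total length 20 + 8 + 33 = 61,
# but only 60 bytes of IP packet were presented to the sniffer.
ping33 = build_ipv4_header(61, ICMP, SRC, DST) + bytes(40)

# Constructed case 2: "ping size 32" -> total length 60, 60 bytes presented.
ping32 = build_ipv4_header(60, ICMP, SRC, DST) + bytes(40)

# Constructed case 3: full 61-byte packet on the wire, but snaplen kept only
# the 20-byte header. The header and the original length agree, so no warning.
snapped = build_ipv4_header(61, ICMP, SRC, DST)

if __name__ == "__main__":
    print(describe(ping33, 60))   # header claims more than was presented
    print(describe(ping32, 60))   # lengths agree
    print(describe(snapped, 61))  # short capture alone does not trigger it
```
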

