monitor security packet-drop
语法
monitor security packet-drop <source-prefix> <destination-prefix> <source-port> <destination-port> <ingress-interface-name> <protocol> <logical-system-name> <count-number>
描述
在不提交配置的情况下显示丢包信息,以便跟踪和监控流量。此命令输出将显示在屏幕上,直到您按 Ctrl+c 或直到安全设备收集请求的丢包次数。该命令包括各种筛选器,用于根据您的要求生成输出字段。
您可以使用命令 monitor security packet-drop | append /var/log/filename.log 将数据包口袋记录保存到文件中。
选项
| source-prefix | 显示给定源 IP 或源前缀地址的丢包信息。 |
| destination-prefix | 显示给定目标 IP 或源前缀地址的丢包信息。 |
| source-port | 显示给定源端口的丢包信息。 |
| destination-port | 显示给定目标端口的丢包信息。 |
| ingress-interface-name | 显示给定入口接口地址的丢包信息。 |
| protocol | 显示给定协议号的丢包信息。 |
| logical-system-name | 显示逻辑系统名称的丢包信息。 |
| count-number | 显示给定计数的丢包信息。 范围:1 到 8000 默认值:50 |
所需权限级别
视图
示例输出
监控安全丢包
当配置设置为默认 IDP 安全策略时,使用命令 set security idp idp-policy IDP_Default rulebase-ips rule 1 then action drop-packet,将为命令显示 monitor security packet-drop 以下类型的输出。
user@host> monitor security packet-drop
Starting packet drop: 14:46:45.511471:LSYS-ID-00 4.0.0.1/19895-->5.0.0.1/1;icmp,ipid-0,ge-0/0/0.0,Dropped by IDP:IDP drop SLL packet
当配置设置为丢弃连接操作时,将为命令显示 monitor security packet-drop 以下类型的输出。
user@host> monitor security packet-drop
Starting packet drop: 14:46:45.511471:LSYS-ID-00 4.0.0.1/19895-->5.0.0.1/1;icmp,ipid-0,ge-0/0/0.0,Dropped by IDP:Malformed IPV6 header in IPv4 tunnel 14:46:45.511471:LSYS-ID-00 4.0.0.1/19895-->5.0.0.1/1;icmp,ipid-0,ge-0/0/0.0,Dropped by IDP:Bad TCP headers
独立于 IPS 策略的丢包输出。
user@host> monitor security packet-drop
Starting packet drop: 14:46:45.511471:LSYS-ID-00 4.0.0.1/19895-->5.0.0.1/1;icmp,ipid-0,ge-0/0/0.0,Dropped by IDP:IDP drop SLL packet 14:46:45.511471:LSYS-ID-00 4.0.0.1/19895-->5.0.0.1/1;icmp,ipid-0,ge-0/0/0.0,Dropped by IDP:Malformed IPV6 header in IPv4 tunnel 14:46:45.511471:LSYS-ID-00 4.0.0.1/19895-->5.0.0.1/1;icmp,ipid-0,ge-0/0/0.0,Dropped by IDP:Bad TCP headers 14:46:45.511471:LSYS-ID-00 4.0.0.1/19895-->5.0.0.1/1;icmp,ipid-0,ge-0/0/0.0,Dropped by IDP:Overflow drops 14:46:45.511471:LSYS-ID-00 4.0.0.1/19895-->5.0.0.1/1;icmp,ipid-0,ge-0/0/0.0,Dropped by IDP:Sequence number wrap around errors 14:46:45.511471:LSYS-ID-00 4.0.0.1/19895-->5.0.0.1/1;icmp,ipid-0,ge-0/0/0.0,Dropped by IDP:IDP Policy Initn failed 14:46:45.511471:LSYS-ID-00 4.0.0.1/19895-->5.0.0.1/1;icmp,ipid-0,ge-0/0/0.0,Dropped by IDP:Flow Rejected
user@host> monitor security packet-drop
Starting packet drop: 14:46:45.511471:LSYS-ID-00 4.0.0.1/19895-->5.0.0.1/1;icmp,ipid-0,ge-0/0/0.0,Dropped by IDP:IDP Rule Action Drop Packet ICMP:INFO:ECHO-REQUEST 14:46:45.511471:LSYS-ID-00 4.0.0.1/19895-->5.0.0.1/1;icmp,ipid-0,ge-0/0/0.0,Dropped by IDP:IDP Rule Action Close-Client-And-Server ICMP:INFO:ECHO-REQUEST 14:46:45.511471:LSYS-ID-00 4.0.0.1/19895-->5.0.0.1/1;icmp,ipid-0,ge-0/0/0.0,Dropped by IDP:IDP Rule Action Close-Server ICMP:INFO:ECHO-REQUEST 14:46:45.511471:LSYS-ID-00 4.0.0.1/19895-->5.0.0.1/1;icmp,ipid-0,ge-0/0/0.0,Dropped by IDP:IDP Rule Action Close-Client ICMP:INFO:ECHO-REQUEST
使用过滤器监控安全丢包
user@host> monitor security packet-drop source-prefix 192.0.2.1 destination-prefix 192.151.100.1 proto icmp
14:46:45.511471:LSYS-ID-00 192.0.2.1/19895-->192.151.100.1/1;icmp,ipid-0,ge-0/0/0.0,Dropped by IDP:IDP Rule Action Close-Server ICMP:INFO:ECHO-REQUEST 14:46:45.511471:LSYS-ID-00 192.0.2.1/19895-->192.151.100.1/1;icmp,ipid-0,ge-0/0/0.0,Dropped by IDP:IDP Rule Action Close-Client ICMP:INFO:ECHO-REQUEST
监控安全丢包计数 2
user@host> monitor security packet-drop count 2
14:46:45.511471:LSYS-ID-00 192.0.2.1/19895-->192.151.100.1/1;icmp,ipid-0,ge-0/0/0.0,Dropped by IDP:IDP Rule Action Close-Server ICMP:INFO:ECHO-REQUEST 14:46:45.511471:LSYS-ID-00 192.0.2.1/19895-->192.151.100.1/1;icmp,ipid-0,ge-0/0/0.0,Dropped by IDP:IDP Rule Action Close-Server ICMP:INFO:ECHO-REQUEST
监控安全丢包 |append /var/log/abcd.log
user@host> monitor security packet-drop | append /var/log/abcd.log
^C[abort] Wrote 7 lines of output to '/var/log/abcd.log'
显示日志abcd.log
user@host> show log abcd.log
Starting packet drop: 07:35:36.742809:LSYS-ID-00 192.0.2.1/2198-->192.151.100.1/1;icmp,ipid-16088,ge-0/0/2.0,Dropped by POLICY:Denied by Policy: default-policy-logical-system-00 07:35:37.640858:LSYS-ID-00 192.0.2.1/2198-->192.151.100.1/2;icmp,ipid-52440,ge-0/0/2.0,Dropped by POLICY:Denied by Policy: default-policy-logical-system-00 07:35:38.665155:LSYS-ID-00 192.0.2.1/2198-->192.151.100.1/3;icmp,ipid-28633,ge-0/0/2.0,Dropped by POLICY:Denied by Policy: default-policy-logical-system-00 07:35:39.689185:LSYS-ID-00 192.0.2.1/2198-->192.151.100.1/4;icmp,ipid-47577,ge-0/0/2.0,Dropped by POLICY:Denied by Policy: default-policy-logical-system-00 07:35:40.712870:LSYS-ID-00 192.0.2.1/2198-->192.151.100.1/5;icmp,ipid-44762,ge-0/0/2.0,Dropped by POLICY:Denied by Policy: default-policy-logical-system-00 07:35:41.797742:LSYS-ID-00 192.0.2.1/2198-->192.151.100.1/6;icmp,ipid-16859,ge-0/0/2.0,Dropped by POLICY:Denied by Policy: default-policy-logical-system-00
发布信息
在 Junos OS 21.1R1 版中引入的命令。
在 Junos OS 21.2R2 版中将签名添加到丢包原因中。