Supported Platforms
Displaying Packet Headers
Enter the monitor traffic command to display packet headers transmitted through network interfaces with the following syntax:
 | Note: Using the monitor traffic command can degrade system performance. We recommend that you use filtering options—such as count and matching—to minimize the impact to packet throughput on the system. |
Table 1 describes the monitor traffic command options.
Table 1: CLI monitor traffic Command Options
Option | Description |
|---|---|
absolute-sequence | (Optional) Displays the absolute TCP sequence numbers. |
count number | (Optional) Displays the specified number of packet headers. Specify a value from 0 through 100,000. The command quits and exits to the command prompt after this number is reached. |
interface interface-name | (Optional) Displays packet headers for traffic on the specified interface. If an interface is not specified, the lowest numbered interface is monitored. |
layer2-headers | (Optional) Displays the link-layer packet header on each line. |
matching "expression" | (Optional) Displays packet headers that match an expression enclosed in quotation marks (" "). Table 2 through Table 4 list match conditions, logical operators, and arithmetic, binary, and relational operators you can use in the expression. |
no-domain-names | (Optional) Suppresses the display of the domain name portion of the hostname. |
no-promiscuous | (Optional) Specifies not to place the monitored interface in promiscuous mode. In promiscuous mode, the interface reads every packet that reaches it. In nonpromiscuous mode, the interface reads only the packets addressed to it. |
no-resolve | (Optional) Suppresses the display of hostnames. |
no-timestamp | (Optional) Suppresses the display of packet header timestamps. |
print-ascii | (Optional) Displays each packet header in ASCII format. |
print-hex | (Optional) Displays each packet header, except link-layer headers, in hexadecimal format. |
size bytes | (Optional) Displays the number of bytes for each packet that you specify. If a packet header exceeds this size, the displayed packet header is truncated. The default value is 96. |
brief | (Optional) Displays minimum packet header information. This is the default. |
detail | (Optional) Displays packet header information in moderate detail. For some protocols, you must also use the size option to see detailed information. |
extensive | (Optional) Displays the most extensive level of packet header information. For some protocols, you must also use the size option to see extensive information. |
To quit the monitor traffic command and return to the command prompt, press Ctrl-C.
To limit the packet header information displayed by the monitor traffic command, include the matching "expression" option. An expression consists of one or more match conditions listed in Table 2, enclosed in quotation marks (" "). You can combine match conditions by using the logical operators listed in Table 3 (shown in order of highest to lowest precedence).
For example, to display TCP or UDP packet headers, enter:
To compare the following types of expressions, use the relational operators listed in Table 4 (listed from highest to lowest precedence):
- Arithmetic—Expressions that use the arithmetic operators listed in Table 4.
- Binary—Expressions that use the binary operators listed in Table 4.
- Packet data accessor—Expressions that use the following
syntax:protocol [byte-offset <size>]
Replace protocol with any protocol in Table 2. Replace byte-offset with the byte offset, from the beginning of the packet header, to use for the comparison. The optional size parameter represents the number of bytes examined in the packet header—1, 2, or 4 bytes.
For example, the following command displays all multicast traffic:
user@host> monitor traffic matching “ether[0] & 1 !=0”
Table 2: CLI monitor traffic Match Conditions
Match Condition | Description |
|---|---|
| Entity Type | |
host [address | hostname] | Matches packet headers that contain the specified address or hostname. You can preprend any of the following protocol match conditions, followed by a space, to host: arp, ip, rarp, or any of the Directional match conditions. |
network address | Matches packet headers with source or destination addresses containing the specified network address. |
network address mask mask | Matches packet headers containing the specified network address and subnet mask. |
port [port-number | port-name] | Matches packet headers containing the specified source or destination TCP or UDP port number or port name. |
| Directional | |
destination | Matches packet headers containing the specified destination. Directional match conditions can be prepended to any Entity Type match conditions, followed by a space. |
source | Matches packet headers containing the specified source. |
source and destination | Matches packet headers containing the specified source and destination. |
source or destination | Matches packet headers containing the specified source or destination. |
| Packet Length | |
less bytes | Matches packets with lengths less than or equal to the specified value, in bytes. |
greater bytes | Matches packets with lengths greater than or equal to the specified value, in bytes. |
| Protocol | |
arp | Matches all ARP packets. |
ether | Matches all Ethernet frames. |
ether [broadcast | multicast] | Matches broadcast or multicast Ethernet frames. This match condition can be prepended with source or destination. |
ether protocol [address | (\arp | \ip | \rarp) | Matches Ethernet frames with the specified address or protocol type. The arguments arp, ip, and rarp are also independent match conditions, so they must be preceded with a backslash (\) when used in the ether protocol match condition. |
icmp | Matches all ICMP packets. |
ip | Matches all IP packets. |
ip [broadcast | multicast] | Matches broadcast or multicast IP packets. |
ip protocol [address | (\icmp | igrp | \tcp | \udp)] | Matches IP packets with the specified address or protocol type. The arguments icmp, tcp, and udp are also independent match conditions, so they must be preceded with a backslash (\) when used in the ip protocol match condition. |
isis | Matches all IS-IS routing messages. |
rarp | Matches all RARP packets. |
tcp | Matches all TCP packets. |
udp | Matches all UDP packets. |
Table 3: CLI monitor traffic Logical Operators
Logical Operator | Description |
|---|---|
! | Logical NOT. If the first condition does not match, the next condition is evaluated. |
&& | Logical AND. If the first condition matches, the next condition is evaluated. If the first condition does not match, the next condition is skipped. |
|| | Logical OR. If the first condition matches, the next condition is skipped. If the first condition does not match, the next condition is evaluated. |
() | Group operators to override default precedence order. Parentheses are special characters, each of which must be preceded by a backslash (\). |
Table 4: CLI monitor traffic Arithmetic, Binary, and Relational Operators
Operator | Description |
|---|---|
| Arithmetic Operator | |
+ | Addition operator. |
– | Subtraction operator. |
/ | Division operator. |
| Binary Operator | |
& | Bitwise AND. |
* | Bitwise exclusive OR. |
| | Bitwise inclusive OR. |
| Relational Operator | |
<= | A match occurs if the first expression is less than or equal to the second. |
>= | A match occurs if the first expression is greater than or equal to the second. |
< | A match occurs if the first expression is less than the second. |
> | A match occurs if the first expression is greater than the second. |
= | A match occurs if the first expression is equal to the second. |
!= | A match occurs if the first expression is not equal to the second. |
The following is sample output from the monitor traffic command:
Listening on fe-0/0/0, capture size 96 bytes 15:04:16.276780 In arp who-has 193.1.1.1 tell host1.site2.net 15:04:16.376848 In arp who-has host2.site2.net tell host1.site2.net 15:04:16.376887 In arp who-has 193.1.1.2 tell host1.site2.net 15:04:16.601923 In arp who-has 193.1.1.3 tell host1.site2.net
