Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation

show services stateful-firewall conversations

Syntax

show services stateful-firewall conversations<brief | extensive | terse> <application-protocol protocol> <destination-port destination-port> <destination-prefix destination-prefix> <interface interface-name> <limit number><pgcp> <protocol protocol> <service-set service-set><source-port source-port> <source-prefix source-prefix>

Release Information

Command introduced before Junos OS Release 7.4.

pgcp option introduced in Junos OS Release 8.4.

Description

Display information about stateful firewall conversations.

Options

none

Display standard information about all stateful firewall conversations.

brief | extensive | terse

(Optional) Display the specified level of output.

application-protocol protocol

(Optional) Display information about one of the following application protocols:

  • bootp—Bootstrap protocol
  • dce-rpc—Distributed Computing Environment-Remote Procedure Call protocols
  • dce-rpc-portmap—Distributed Computing Environment-Remote Procedure Call protocols portmap service
  • dns—Domain Name System protocol
  • exec—Exec
  • ftp—File Transfer Protocol
  • h323—H.323 standards
  • icmp—Internet Control Message Protocol
  • iiop—Internet Inter-ORB Protocol
  • login—Login
  • netbios—NetBIOS
  • netshow—NetShow
  • realaudio—RealAudio
  • rpc—Remote Procedure Call protocol
  • rpc-portmap—Remote Procedure Call protocol portmap service
  • rtsp—Real-Time Streaming Protocol
  • shell—Shell
  • sip—Session Initiation Protocol
  • snmp—Simple Network Management Protocol
  • sqlnet—SQLNet
  • tftp—Trivial File Transfer Protocol
  • traceroute—Traceroute
  • winframe—WinFrame
destination-port destination-port

(Optional) Display information for a particular destination port. The range of values is 0 to 65535.

destination-prefix destination-prefix

(Optional) Display information for a particular destination prefix.

interface interface-name

(Optional) Display information about a particular interface. On M Series and T Series routers, the interface-name can be sp-fpc/pic/port or rspnumber. On J Series routers, the interface-name is sp-pim/0/port.

limit number

(Optional) Maximum number of entries to display.

pgcp

(Optional) Display information about stateful firewall conversations for Packet Gateway Control Protocol (PGCP) flows.

protocol protocol

(Optional) Display information about one of the following IP types:

  • number—Numeric protocol value from 0 to 255
  • ah—IPsec Authentication Header protocol
  • egp—An exterior gateway protocol
  • esp—IPsec Encapsulating Security Payload protocol
  • gre—A generic routing encapsulation protocol
  • icmp—Internet Control Message Protocol
  • igmp—Internet Group Management Protocol
  • ipip—IP-within-IP Encapsulation Protocol
  • ospf—Open Shortest Path First protocol
  • pim—Protocol Independent Multicast protocol
  • rsvp—Resource Reservation Protocol
  • sctp—Stream Control Protocol
  • tcp—Transmission Control Protocol
  • udp—User Datagram Protocol
service-set service-set

(Optional) Display information for the specific service set.

source-port source-port

(Optional) Display information for a particular source port. The range of values is 0 to 65535.

source-prefix source-prefix

(Optional) Display information for a particular source prefix.

Required Privilege Level

view

List of Sample Output

show services stateful-firewall conversations
show services stateful-firewall conversations destination-port

Output Fields

Table 1 lists the output fields for the show services stateful-firewall conversations command. Output fields are listed in the approximate order in which they appear.

Table 1: show services stateful-firewall conversations Output Fields

Field Name

Field Description

Interface

Name of an adaptive services interface.

Service set

Name of a service set. Individual empty service sets are not displayed, but if no service set has any flows, a flow table header is printed for each service set.

Conversation

Information about a group of related flows.

  • ALG Protocol—Application-level gateway protocol.
  • Number of initiators—Number of flows that initiated a session.
  • Number of responders—Number of flows that responded in a session.

Flow or Flow Prot

Protocol used for this flow.

Source

Source prefix of the flow, in the format source-prefix-port.

Destination

Destination prefix of the flow.

State

Status of the flow:

  • Drop—Drop all packets in the flow without response.
  • Forward—Forward the packet in the flow without looking at it.
  • Reject—Drop all packets in the flow with response.
  • Watch—Inspect packets in the flow.

Dir

Direction of the flow: input (I) or output (O).

Source NAT

Original and translated source IPv4 or IPv6 addresses are displayed if Network Address Translation (NAT) is configured on this particular flow or conversation.

Frm Count

Number of frames in the flow.

Destin NAT

Original and translated destination IPv4 or IPv6 addresses are displayed if NAT is configured on this particular flow or conversation.

Byte count

Number of bytes forwarded in the flow.

TCP established

Whether a TCP connection was established: Yes or No.

TCP window size

Negotiated TCP connection window size, in bytes.

TCP acknowledge

TCP acknowledgment sequence number.

TCP tickle

Whether TCP inquiry mode is on (enabled or disabled) and the time remaining to send the next inquiry, in seconds.

Master flow

Flow that initiated the conversation.

TImeout

Lifetime of the flow, in seconds.

Sample Output

show services stateful-firewall conversations

user@host> show services stateful-firewall conversations 
Interface: sp-1/3/0, Service set: green
Conversation: ALG Protocol: any, Number of initiators: 1,         
Number of responders: 1

Flow                                                
Prot     Source                 Dest               State      Dir   Frm count
TCP      10.58.255.50:33005->   10.58.255.178:23   Forward    I      13
  Source NAT     10.58.255.50:33005->    10.59.16.100:4000
  Destin NAT     10.58.255.178:23  ->         0.0.0.0:4000
Byte count:          918
TCP established, TCP window size: 65535, TCP acknowledge: 2502627025
TCP tickle enabled, 0 seconds,
Master flow, Timeout: 30 seconds
TCP     10.58.255.178:23   ->    10.59.16.100:4000 Forward    O        8

show services stateful-firewall conversations destination-port

user@host> show services stateful-firewall conversations destination-port 21 
Interface: sp-0/3/0, Service set: svc_set_trust

Interface: sp-0/3/0, Service set: svc_set_untrust
Conversation: ALG protocol: ftp
  Number of initiators: 1, Number of responders: 1
Flow                                                State    Dir       Frm count
TCP         10.50.10.2:2143  ->     10.50.20.2:21    Watch    O               0
TCP         10.50.20.2:21    ->     10.50.10.2:2143  Watch    I               0
TCP         10.50.20.2:21    ->     10.50.10.2:2143  Watch    I               0

Published: 2013-03-14

Supported Platforms

Published: 2013-03-14

Previous Page Next Page