[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Configuring Traffic Sampling

Traffic sampling enables you to copy traffic to a Physical Interface Card (PIC) that performs flow accounting while the router forwards the packet to its original destination. You can configure the router to perform sampling in either of two locations:

The following sections provide configuration instructions for traffic sampling:

Minimum Configuration for Traffic Sampling

To configure traffic sampling on a logical interface, you must perform at least the following tasks:

For more information about firewall filter actions and action modifiers, see the JUNOS Policy Framework Configuration Guide.

Configuring Traffic Sampling

To configure traffic sampling on any logical interface, include the input statement at the [edit forwarding-options sampling] hierarchy level:

input {
family inet {
max-packets-per-second number;
rate number;
run-length number;
}
}

When you use Routing Engine-based sampling, specify the threshold traffic value by including the max-packets-per-second statement. The value is the maximum number of packets to be sampled, beyond which the sampling mechanism begins dropping packets. The range is from 0 through 65,535. A value of 0 instructs the Packet Forwarding Engine not to sample any packets. The default value is 1000.

Note: When you configure active monitoring and specify a Monitoring Services, Adaptive Services, or MultiServices PIC in the output statement, the max-packets-per-second value is ignored.

Specify the sampling rate by setting the values for rate and run-length (see Figure 9).

Figure 9: Configure Sampling Rate

Image h1746.gif

The rate statement specifies the ratio of packets to be sampled. For example, if you configure a rate of 10, x number of packets out of every 10 is sampled, where x=run-length+1. By default, the rate is 0, which means that no traffic is sampled.

The run-length statement specifies the number of matching packets to sample following the initial one-packet trigger event. By default, the run-length is 0, which means that no more traffic is sampled after the trigger event. The range is from 0 through 20. Configuring a run length greater than 0 allows you to sample packets following those already being sampled.

If you do not include the input statement, sampling is disabled.

To collect the sampled packets in a file, include the file statement at the [edit forwarding-options sampling output] hierarchy level. For more information about the output file formats, see Configuring Traffic Sampling Output.

Disabling Traffic Sampling

To explicitly disable traffic sampling on the router, include the disable statement at the [edit forwarding-options sampling] hierarchy level:

disable;

Configuring Traffic Sampling Output

To configure traffic sampling output, include the following statements at the [edit forwarding-options sampling output] hierarchy level:

aggregate-export-interval seconds;
cflowd hostname {
aggregation {
autonomous-system;
destination-prefix;
protocol-port;
source-destination-prefix {
caida-compliant;
}
source-prefix;
}
autonomous-system-type (origin | peer);
label-position {
template template-name;
}
(local-dump | no-local-dump);
port port-number;
source-address address;
version format;
}
file {
disable;
filename filename;
files number;
size bytes;
(stamp | no-stamp);
(world-readable | no-world-readable);
}
flow-active-timeout seconds;
flow-inactive-timeout seconds;
interface interface-name {
engine-id number;
engine-type number;
source-address address;
}

To direct sampled traffic to a flow-monitoring interface, include the interface statement. The engine-id and engine-type statements specify the identity and type numbers of the interface; they are dynamically generated based on the Flexible PIC Concentrator (FPC), PIC, and slot numbers and the chassis type. The source-address statement specifies the traffic source.

To configure flow sampling version 9 output, you need to include the template statement at the [edit forwarding-options sampling output version9] hierarchy level. For information on cflowd, see Enabling Flow Aggregation.

The aggregate-export-interval statement is described in Configuring Discard Accounting, and the flow-active-timeout and flow-inactive-timeout statements are described in Configuring Flow Monitoring.

Traffic sampling results are automatically saved to a file in the /var/tmp directory. To collect the sampled packets in a file, include the file statement at the [edit forwarding-options sampling output] hierarchy level:

file {
disable;
filename filename;
files number;
size bytes;
(stamp | no-stamp);
(world-readable | no-world-readable);
}

Traffic Sampling Output Format

Traffic sampling output is saved to an ASCII text file. The following is an example of the traffic sampling output that is saved to a file in the /var/tmp directory. Each line in the output file contains information for one sampled packet. You can optionally display a timestamp for each line.

The column headers are repeated after each group of 1000 packets. 

# Apr  7 15:48:50  
Time                    Dest           Src Dest Src Proto TOS Pkt Intf  IP   TCP
                        addr          addr port port          len num frag flags
Apr 7 15:48:54 192.168.9.194 192.168.9.195   0    0   1   0x0  84  8   0x0   0x0
Apr 7 15:48:55 192.168.9.194 192.168.9.195   0    0   1   0x0  84  8   0x0   0x0
Apr 7 15:48:56 192.168.9.194 192.168.9.195   0    0   1   0x0  84  8   0x0   0x0
Apr 7 15:48:57 192.168.9.194 192.168.9.195   0    0   1   0x0  84  8   0x0   0x0
Apr 7 15:48:58 192.168.9.194 192.168.9.195   0    0   1   0x0  84  8   0x0   0x0

To set the timestamp option for the file my-sample, enter the following:

[edit forwarding-options sampling output file]
user@host# set filename my-sample files 5 size 2m world-readable stamp;

Whenever you toggle the timestamp option, a new header is included in the file. If you set the stamp option, the Time field is displayed. 

# Apr  7 15:48:50
# Time            Dest        Src  Dest   Src Proto  TOS   Pkt  Intf    IP   TCP
#                 addr       addr  port  port              len   num  frag flags
# Feb  1 20:31:21
#                 Dest        Src  Dest   Src Proto  TOS   Pkt  Intf    IP   TCP
#                 addr       addr  port  port              len   num  frag flags

Tracing Traffic Sampling Operations

Tracing operations track all traffic sampling operations and record them in a log file in the /var/log directory. By default, this file is named /var/log/sampled. The default file size is 128K, and 10 files are created before the first one gets overwritten.

To trace traffic sampling operations, include the traceoptions statement at the [edit forwarding-options sampling] hierarchy level:

traceoptions {
file filename <files number <size bytes> <world-readable | no-world-readable>;

Traffic Sampling Examples

The following sections provide examples of configuring traffic sampling:

Example: Sampling a Single SONET Interface

The following configuration gathers statistical sampling information from a small percentage of all traffic on a single SONET/SDH interface and collects it in a file named sonet-samples.txt.

Create the filter:

[edit firewall family inet]
filter {
input sample-sonet {
then {
sample;
accept;
}
}
}

Apply the filter to the SONET/SDH interface:

[edit interfaces]
so-0/0/1 {
unit 0 {
family inet {
filter {
input sample-sonet;
}
address 10.127.68.254/32 {
destination 172.16.74.7;
}
}
}
}

Finally, configure traffic sampling:

[edit forwarding-options]
sampling {
input {
family inet {
rate 100;
run-length 2;
}
}
output {
file {
filename sonet-samples.txt;
files 40;
size 5m;
}
}
}

Example: Sampling All Traffic from a Single IP Address

The following configuration gathers statistical information about every packet entering the router on a specific Gigabit Ethernet port originating from a single source IP address of 172.16.92.31, and collects it in a file named samples-172-16-92-31.txt.

Create the filter:

[edit firewall family inet]
filter one-ip {
term get-ip {
from {
source-address 172.16.92.31;
}
then {
sample;
accept;
}
}
}

Apply the filter to the Gigabit Ethernet interface:

[edit interfaces]
ge-4/1/1 {
unit 0 {
family inet {
filter {
input one-ip;
}
address 10.45.92.254;
}
}
}

Finally, gather statistics on all the candidate samples; in this case, gather all statistics:

[edit forwarding-options]
sampling {
input {
family inet {
rate 1;
}
}
output {
file {
filename samples-172-16-92-31.txt;
files 100;
size 100k;
}
}
}

Example: Sampling All FTP Traffic

The following configuration gathers statistical information about a moderate percentage of packets using the FTP data transfer protocol in the output path of a specific T3 interface, and collects the information in a file named t3-ftp-traffic.txt.

Create a filter:

[edit firewall family inet]
filter ftp-stats {
term ftp-usage {
from {
destination-port [ftp ftp-data];
}
then {
sample;
accept;
}
}
}

Apply the filter to the T3 interface:

[edit interfaces]
t3-7/0/2 {
unit 0 {
family inet {
filter {
input ftp-stats;
}
address 10.35.78.254/32 {
destination 10.35.78.4;
}
}
}
}

Finally, gather statistics on 10 percent of the candidate samples:

[edit forwarding-options]
sampling {
input {
family inet {
rate 10;
}
}
output {
file {
filename t3-ftp-traffic.txt;
files 50;
size 1m;
}
}
}
[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

[an error occurred while processing this directive]