Junos CLI Reference

monitor traffic

19-Nov-23

Syntax

monitor traffic
<brief | detail | extensive>
<absolute-sequence>
<count count>
<interface interface-name>
<layer2-headers>
<matching matching>
<no-domain-names>
<no-promiscuous>
<no-resolve>
<no-timestamp>
<print-ascii>
<print-hex>
<read-file filename>
<resolve-timeout timeout>
<size size>
<write-file filename>

Description

Display packet headers or packets received and sent from the Routing Engine.

Note:
  • Using the monitor traffic command can degrade router or switch performance.

  • Delays from DNS resolution can be eliminated by using the no-resolve option.

Note:

This command is not supported on the QFabric system.

Options

none

(Optional) Display packet headers transmitted through fxp0. On a TX Matrix Plus router, display packet headers transmitted through em0.

brief | detail | extensive

(Optional) Display the specified level of output.

absolute-sequence

(Optional) Display absolute TCP sequence numbers.

count count

(Optional) Specify the number of packet headers to display (0 through 1,000,000). The monitor traffic command quits automatically after displaying the number of packets specified.

interface interface-name

(Optional) Specify the interface on which the monitor traffic command displays packet data. If no interface is specified, the monitor traffic command displays packet data arriving on the lowest-numbered interface.

In Junos OS Evolved:

  • If you modify an interface that you are monitoring with the monitor traffic interface command, the monitoring session ends with the message: pcap_loop: read: Device not configured. To continue monitoring the interface, rerun the monitor traffic interface command. However, if the monitored interface is removed, the command session continues, but there will be no packets or errors reported.

  • When you use the command monitor traffic interface interface-name on a logical interface, the output displays all packets received or transmitted on that interface, including Layer 2 traffic. When you use this command on a physical interface, the output only displays packets received and transmitted on the physical interface and does not include traffic from the logical interface.

layer2-headers

(Optional) Display the link-level header on each line.

matching matching

(Optional) Display packet headers that match a regular expression. Use matching expressions to define the level of detail with which the monitor traffic command filters and displays packet data.

no-domain-names

(Optional) Suppress the display of the domain portion of hostnames. With the no-domain-names option enabled, the monitor traffic command displays only team for the hostname team.company.net.

no-promiscuous

(Optional) Do not put the interface into promiscuous mode.

no-resolve

(Optional) Suppress reverse lookup of the IP addresses.

no-timestamp

(Optional) Suppress timestamps on displayed packets.

print-ascii

(Optional) Display each packet in ASCII format.

print-hex

(Optional) Display each packet, except the link-level header, in hexadecimal format.

read-file filename

Read packets from the file specified.

resolve-timeout timeout

(Optional) Amount of time the router or switch waits for each reverse lookup before timing out. You can set the timeout for 1 through 4,294,967,295 seconds. The default is 4 seconds. To display each packet, use the print-ascii, print-hex, or extensive option.

size size

(Optional) Read but do not display up to the specified number of bytes for each packet. When set to brief output, the default packet size is 96 bytes and is adequate for capturing IP, ICMP, UDP, and TCP packet data. When set to detail and extensive output, the default packet size is 1514. The monitor traffic command truncates displayed packets if the matched data exceeds the configured size.

write-file filename

Write packets to the file specified.

Note:

Starting in Junos OS Evolved 20.4R1, the write-file option at the monitor traffic interface hierarchy level takes precedence over the extensive option when you configure them simultaneously. If you try to configure these options at the same time, Junos OS Evolved gives you a warning message that the options are not compatible, and it only runs the monitor traffic interface write-file command.

Additional Information

In the monitor traffic command, you can specify an expression to match by using the matching option and including the expression in quotation marks:

monitor traffic matching "expression"

Replace expression with one or more of the match conditions listed in Table 1.

Table 1: Match Conditions for the monitor traffic Command

Match Type

Condition

Description

Entity

host [address | hostname]

Matches packets that contain the specified address or hostname.

The protocol match conditions arp, ip, or rarp, or any of the directional match conditions can be prepended to the host match condition.

net address

Matches packets with source or destination addresses containing the specified network address.

net address mask mask

Matches packets containing the specified network address and subnet mask.

port (port-number | port-name)

Matches packets containing the specified source or destination TCP or UDP port number or port name.

In place of the numeric port address, you can specify a text synonym, such as bgp (179), dhcp (67), or domain (53) (the port numbers are also listed).

Directional

dst

Matches packets going to the specified destination. This match condition can be prepended to any of the entity type match conditions.

src

Matches packets from a specified source. This match condition can be prepended to any of the entity type match conditions.

src and dst

Matches packets that contain the specified source and destination addresses. This match condition can be prepended to any of the entity type match conditions.

src or dst

Matches packets containing either of the specified addresses. This match condition can be prepended to any of the entity type match conditions.

Packet Length

less value

Matches packets shorter than or equal to the specified value, in bytes.

greater value

Matches packets longer than or equal to the specified value, in bytes.

Protocol

amt

Matches all AMT packets. Use the extensive level of output to decode the inner IGMP packets in addition to the AMT outer packet.

arp

Matches all ARP packets.

ether

Matches all Ethernet packets.

ether (broadcast | multicast)

Matches broadcast or multicast Ethernet frames. This match condition can be prepended with src and dst.

ether protocol (address | (arp | ip | rarp))

Matches packets with the specified Ethernet address or Ethernet packets of the specified protocol type. The ether protocol arguments arp, ip, and rarp are also independent match conditions, so they must be preceded by a backslash (\) when used in the ether protocol match condition.

icmp

Matches all ICMP packets.

ip

Matches all IP packets.

ip (broadcast | multicast)

Matches broadcast or multicast IP packets.

ip protocol (address | (icmp | igrp | tcp | udp))

Matches packets with the specified address or protocol type. The ip protocol arguments icmp, tcp, and udp are also independent match conditions, so they must be preceded by a backslash (\) when used in the ip protocol match condition.

isis

Matches all IS-IS routing messages.

proto ip-protocol-number

Matches packets whose headers contain the specified IP protocol number.

rarp

Matches all RARP packets.

tcp

Matches all TCP datagrams.

udp

Matches all UDP datagrams.

To combine expressions, use the logical operators listed in Table 2.

Table 2: Logical Operators for the monitor traffic Command

Logical Operator (Highest to Lowest Precedence)

Description

!

Logical NOT. If the first condition does not match, the next condition is evaluated.

&&

Logical AND. If the first condition matches, the next condition is evaluated. If the first condition does not match, the next condition is skipped.

||

Logical OR. If the first condition matches, the next condition is skipped. If the first condition does not match, the next condition is evaluated.

( )

Group operators to override default precedence order. Parentheses are special characters, each of which must be preceded by a backslash (\).

You can use relational operators to compare arithmetic expressions composed of integer constants, binary operators, a length operator, and special packet data accessors. The arithmetic expression matching condition uses the following syntax:

monitor traffic matching "arithmetic_expression relational_operator arithmetic_expression"

The packet data accessor uses the following syntax:

protocol [byte-offset <size>]

The optional size field represents the number of bytes examined in the packet header. The available values are 1, 2, or 4 bytes. The following sample command captures all multicast traffic:

user@host> monitor traffic matching "ether[0] & 1 != 0"
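
The following Python sketch is an added illustration, not Juniper code, of what the packet data accessor selects and why the sample expression matches multicast and broadcast frames. It assumes the accessor value is read in network byte order; the helper names and frames are constructed for the example, and the 4-byte masked comparison goes beyond the page's sample.

```python
# Added example (not Juniper code): which bytes a packet data accessor
# reads from a frame, and how the result feeds a relational test.

def accessor(frame: bytes, offset: int, size: int = 1) -> int:
    """Value of protocol[byte-offset size]: `size` bytes starting at
    `offset`, read as one unsigned integer in network byte order."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2, or 4 bytes")
    if offset < 0 or offset + size > len(frame):
        raise IndexError("accessor reads past the end of the frame")
    return int.from_bytes(frame[offset:offset + size], "big")


def matches_multicast(frame: bytes) -> bool:
    """The page's sample expression: ether[0] & 1 != 0.

    Bit 0 of the first destination-MAC octet is the group bit, so the
    test is true for multicast and broadcast destinations alike."""
    try:
        return (accessor(frame, 0) & 1) != 0
    except IndexError:
        return False  # choice made in this sketch: unreadable byte, no match


def is_ipv4_multicast_mac(frame: bytes) -> bool:
    """A 4-byte accessor with a mask: destination MAC inside the
    01:00:5e:00:00:00 to 01:00:5e:7f:ff:ff range used for IPv4 multicast."""
    try:
        return (accessor(frame, 0, 4) & 0xFFFFFF80) == 0x01005E00
    except IndexError:
        return False


def ethertype(frame: bytes) -> int:
    """A 2-byte accessor: the EtherType field at offset 12."""
    return accessor(frame, 12, 2)


def build_frame(dst: str, src: str, etype: int) -> bytes:
    """Constructed test frame: dst MAC, src MAC, EtherType, zero padding."""
    def mac(text: str) -> bytes:
        return bytes(int(part, 16) for part in text.split(":"))
    return mac(dst) + mac(src) + etype.to_bytes(2, "big") + bytes(46)


# Constructed sample frames (addresses are illustrative only).
SRC = "02:00:00:00:00:01"
UNICAST = build_frame("02:00:00:00:00:02", SRC, 0x0800)
OSPF_HELLO = build_frame("01:00:5e:00:00:05", SRC, 0x0800)   # 224.0.0.5
BROADCAST_ARP = build_frame("ff:ff:ff:ff:ff:ff", SRC, 0x0806)

if __name__ == "__main__":
    samples = [("unicast", UNICAST), ("ospf hello", OSPF_HELLO),
               ("broadcast arp", BROADCAST_ARP)]
    for name, frame in samples:
        print(f"{name:14} ether[0]=0x{accessor(frame, 0):02x} "
              f"group-bit={matches_multicast(frame)} "
              f"ipv4-mcast-mac={is_ipv4_multicast_mac(frame)} "
              f"ethertype=0x{ethertype(frame):04x}")
```

Because the group bit is also set in ff:ff:ff:ff:ff:ff, a capture filtered this way includes broadcast frames such as ARP requests, not only multicast.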

To specify match conditions that have a numeric value, use the arithmetic and relational operators listed in Table 3.

Note:

Because the Packet Forwarding Engine removes Layer 2 header information before sending packets to the Routing Engine:

  • The monitor traffic command cannot apply match conditions to inbound traffic.

  • The monitor traffic interface command also cannot apply match conditions to Layer 3 and Layer 4 packet data, so the match pipe option (| match) does not work for Layer 3 and Layer 4 packets with this command either. Therefore, ensure that you specify match conditions as described in this command summary. For more information about match conditions, see Table 1.

  • The 802.1Q VLAN tag information included in the Layer 2 header is removed from all inbound traffic packets. Because the monitor traffic interface ae[x] command for aggregated Ethernet interfaces only shows inbound traffic data, the command does not show VLAN tag information in the output.

Table 3: Arithmetic and Relational Operators for the monitor traffic Command

Arithmetic or Relational Operator

Description

Arithmetic Operator

+

Addition operator.

-

Subtraction operator.

/

Division operator.

&

Bitwise AND.

*

Bitwise exclusive OR.

|

Bitwise inclusive OR.

Relational Operator (Highest to Lowest Precedence)

<=

If the first expression is less than or equal to the second, the packet matches.

>=

If the first expression is greater than or equal to the second, the packet matches.

<

If the first expression is less than the second, the packet matches.

>

If the first expression is greater than the second, the packet matches.

=

If the compared expressions are equal, the packet matches.

!=

If the compared expressions are unequal, the packet matches.

Required Privilege Level

trace

maintenance

Output Fields

When you enter this command, you are provided feedback on the status of your request.

Sample Output

monitor traffic count

user@host> monitor traffic count 2
listening on fxp0
04:35:49.814125  In my-server.home.net.1295 > my-server.work.net.telnet: . ack 4122529478 win 16798 (DF)
04:35:49.814185 Out my-server.work.net.telnet > my-server.home.net.1295: P 1:38(37) ack 0 win 17680 (DF) [tos 0x10]

monitor traffic detail count

user@host> monitor traffic detail count 2
listening on fxp0
04:38:16.265864  In my-server.home.net.1295 > my-server.work.net.telnet: . ack 4122529971 win 17678 (DF) (ttl 121, id 6812)
04:38:16.265926 Out my-server.work.net.telnet.telnet > my-server.home.net.1295: P 1:38(37) ack 0 win 17680 (DF) [tos 0x10]  (ttl 6)

monitor traffic extensive (Absolute Sequence)

user@host> monitor traffic extensive no-domain-names no-resolve no-timestamp count 20 matching "tcp" absolute-sequence
listening on fxp0
 In 203.0.113.193.179 > 192.168.4.227.1024: . 4042780859:4042780859(0) ack 1845421797 win 16384 <nop,nop,timestamp 4935628 965951> [tos 0xc0]  (ttl )
 In 203.0.113.193.179 > 192.168.4.227.1024: P 4042780859:4042780912(53) ack 1845421797 win 16384 <nop,nop,timestamp 4935628 965951>: BGP [|BGP UPDAT)
 In 192.168.4.227.1024 > 203.0.113.193.179: P 1845421797:1845421852(55) ack 4042780912 win 16384 <nop,nop,timestamp 965951 4935628>: BGP [|BGP UPDAT)
...

monitor traffic extensive (Relative Sequence)

user@host> monitor traffic extensive no-domain-names no-resolve no-timestamp count 20 matching "tcp"
listening on fxp0
 In 172.24.248.221.1680 > 192.168.4.210.23: . 396159737:396159737(0) ack 1664980689 win 17574 (DF) (ttl 121, id 50003)
Out 192.168.4.210.23 > 172.24.248.221.1680: P 1:40(39) ack 0 win 17680 (DF) [tos 0x10]  (ttl 64, id 5394)
 In 203.0.113.193.179 > 192.168.4.227.1024: P 4042775817:4042775874(57) ack 1845416593 win 16384 <nop,nop,timestamp 4935379 965690>: BGP [|BGP UPDAT)
...

monitor traffic extensive count

user@host> monitor traffic extensive count 5 no-domain-names no-resolve
listening on fxp0
13:18:17.406933  In 192.168.4.206.2723610880 > 172.17.28.8.2049: 40 null (ttl 64, id 38367)
13:18:17.407577  In 172.17.28.8.2049 > 192.168.4.206.2723610880: reply ok 28 null (ttl 61, id 35495)
13:18:17.541140  In 0:e0:1e:42:9c:e0 0:e0:1e:42:9c:e0 9000 60:
                         0000 0100 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000
13:18:17.591513  In 172.24.248.156.4139 > 192.168.4.210.23: 3556964918:3556964918(0) ack 295526518 win 17601 (DF) (ttl 121, id 14)
13:18:17.591568 Out 192.168.4.210.23 > 172.24.248.156.4139: P 1:40(39) ack 0 win 17680 (DF) [tos 0x10]  (ttl 64, id 52376)

monitor traffic interface

user@host> monitor traffic interface fxp0     
listening on fxp0.0
18:17:28.800650  In server.home.net.723 > host1-0.lab.home.net.log 
18:17:28.800733 Out host2-0.lab.home.net.login > server.home.net.7 
18:17:28.817813  In host30.lab.home.net.syslog > host40.home0
18:17:28.817846  In host30.lab.home.net.syslog > host40.home0
...

monitor traffic interface (Junos OS Evolved)

In this example, ae0 is a physical interface and ae0.1 is a logical interface.

user@host> monitor traffic interface ae0    
reading from file -, link-type EN10MB (Ethernet)
17:51:30.691523 LLDP, length 441: host.example.com
17:51:32.296133 LLDP, length 445: host.example.com
17:51:33.029399 LLDP, length 445: host.example.com
17:51:33.523333 LLDP, length 445: host.example.com
...
user@host> monitor traffic interface ae0.1    
reading from file -, link-type EN10MB (Ethernet)
17:51:20.932958 IP 10.1.1.2 > 10.1.1.1: ICMP echo request, id 33378, seq 4, length 64
17:51:20.933273 IP 10.1.1.1 > 10.1.1.2: ICMP echo reply, id 33378, seq 4, length 64
17:51:21.933840 IP 10.1.1.2 > 10.1.1.1: ICMP echo request, id 33378, seq 5, length 64
17:51:21.934147 IP 10.1.1.1 > 10.1.1.2: ICMP echo reply, id 33378, seq 5, length 64
...

monitor traffic matching

user@host> monitor traffic matching "net 192.168.1.0/24"
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on fxp0, capture size 96 bytes

Reverse lookup for 192.168.1.255 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use no-resolve to avoid reverse lookups on IP addresses.

21:55:54.003511  In IP truncated-ip - 18 bytes missing! 192.168.1.17.netbios-ns > 192.168.1.255.netbios-ns: UDP, length 50
21:55:54.003585 Out IP truncated-ip - 18 bytes missing! 192.168.1.17.netbios-ns > 192.168.1.255.netbios-ns: UDP, length 50
21:55:54.003864  In arp who-has 192.168.1.17 tell 192.168.1.9
...

monitor traffic (TX Matrix Plus Router)

user@host> monitor traffic
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on em0, capture size 96 bytes

04:11:59.862121 Out IP truncated-ip - 25 bytes missing! summit-em0.example.net.syslog > sv-log-01.example.net.syslog: SYSLOG kernel.info, length: 57
04:11:59.862303 Out IP truncated-ip - 25 bytes missing! summit-em0.example.net.syslog > sv-log-02.example.net.syslog: SYSLOG kernel.info, length: 57
04:11:59.923948  In IP aj-em0.example.net.65235 > summit-em0.example.net.telnet: . ack 1087492766 win 33304 <nop,nop,timestamp 42366734 993490>
04:11:59.923983 Out IP truncated-ip - 232 bytes missing! summit-em0.example.net.telnet > aj-em0.example.net.65235: P 1:241(240) ack 0 win 33304 <nop,nop,timestamp 993590 42366734>
04:12:00.022900  In IP aj-em0.exmaple.net.65235 > summit-em0.example.net.telnet: . ack 241 win 33304 <nop,nop,timestamp 42366834 993590>
04:12:00.141204  In IP truncated-ip - 40 bytes missing! ipg-lnx-shell1.example.net.46182 > summit-em0.example.net.telnet: P 2950530356:2950530404(48) ack 485494987 win 63712 <nop,nop,timestamp 1308555294 987086>
04:12:00.141345 Out IP summit-em0.example.net.telnet > ipg-lnx-shell1.example.net.46182: P 1:6(5) ack 48 win 33304 <nop,nop,timestamp 993809 1308555294>
04:12:00.141572  In IP ipg-lnx-shell1.example.net.46182 > summit-em0.example.net.telnet: . ack 6 win 63712 <nop,nop,timestamp 1308555294 993809>
04:12:00.141597 Out IP summit-em0.example.net.telnet > ipg-lnx-shell1.example.net.46182: P 6:10(4) ack 48 win 33304 <nop,nop,timestamp 993810 1308555294>
04:12:00.141821  In IP ipg-lnx-shell1.example.net.46182 > summit-em0.exmaple.net.telnet: . ack 10 win 63712 <nop,nop,timestamp 1308555294 993810>
04:12:00.141837 Out IP truncated-ip - 2 bytes missing! summit-em0.example.net.telnet > ipg-lnx-shell1.example.net.46182: P 10:20(10) ack 48 win 33304 <nop,nop,timestamp 993810 1308555294>
04:12:00.142072  In IP ipg-lnx-shell1.example.net.46182 > summit-em0.example.net.telnet: . ack 20 win 63712 <nop,nop,timestamp 1308555294 993810>
04:12:00.142089 Out IP summit-em0.example.net.telnet > ipg-lnx-shell1.example.net.46182: P 20:28(8) ack 48 win 33304 <nop,nop,timestamp 993810 1308555294>
04:12:00.142321  In IP ipg-lnx-shell1.exmample.net.46182 > summit-em0.englab.example.net.telnet: . ack 28 win 63712 <nop,nop,timestamp 1308555294 993810>
04:12:00.142337 Out IP truncated-ip - 1 bytes missing! summit-em0.example.net.telnet > ipg-lnx-shell.example.net.46182: P 28:37(9) ack 48 win 33304 <nop,nop,timestamp 993810 1308555294>
...

monitor traffic (QFX3500 Switch)

user@switch> monitor traffic
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on me4, capture size 96 bytes
Reverse lookup for 172.22.16.246 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
16:35:32.240873 Out IP truncated-ip - 112 bytes missing! labqfx-me0.example.net.ssh > 172.22.16.246.telefinder: P 4200727624:4200727756(132) ack 2889954831 win 65535
16:35:32.240900 Out IP truncated-ip - 176 bytes missing! labqfx-me0.example.net.ssh > 172.22.16.246.telefinder: P 132:328(196) ack 1 win 65535
...

monitor traffic matching icmp

user@host> monitor traffic matching "icmp" no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on me0, capture size 96 bytes

09:23:17.728737  In IP 172.19.10.9 > 10.10.211.93: ICMP echo request, id 1, seq 322, length 40
09:23:17.728780 Out IP 10.10.211.93 > 172.19.10.9: ICMP echo reply, id 1, seq 322, length 40
09:23:18.735848  In IP 172.19.10.9 > 10.10.211.93: ICMP echo request, id 1, seq 323, length 40
09:23:18.735891 Out IP 10.10.211.93 > 172.19.10.9: ICMP echo reply, id 1, seq 323, length 40
09:23:19.749732  In IP 172.19.10.9 > 10.10.211.93: ICMP echo request, id 1, seq 324, length 40
09:23:19.749775 Out IP 10.10.211.93 > 172.19.10.9: ICMP echo reply, id 1, seq 324, length 40
09:23:20.749747  In IP 172.19.10.9 > 10.10.211.93: ICMP echo request, id 1, seq 325, length 40
09:23:20.749791 Out IP 10.10.211.93 > 172.19.10.9: ICMP echo reply, id 1, seq 325, length 40
...

monitor traffic matching IP protocol number

user@host> monitor traffic matching "proto 89" no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on me0, capture size 96 bytes

13:06:14.700311  In IP truncated-ip - 16 bytes missing! 10.94.211.254 > 224.0.0.5: OSPFv2, Hello, length 56
13:06:16.067010  In IP truncated-ip - 20 bytes missing! 10.94.211.102 > 224.0.0.5: OSPFv2, Hello, length 60
13:06:16.287566  In IP truncated-ip - 20 bytes missing! 10.94.211.142 > 224.0.0.5: OSPFv2, Hello, length 60
13:06:20.758500  In IP truncated-ip - 16 bytes missing! 10.200.211.254 > 224.0.0.5: OSPFv2, Hello, length 56
13:06:24.309882  In IP truncated-ip - 20 bytes missing! 10.94.211.102 > 224.0.0.5: OSPFv2, Hello, length 60
13:06:24.396699  In IP truncated-ip - 16 bytes missing! 10.94.211.254 > 224.0.0.5: OSPFv2, Hello, length 56
13:06:25.067386  In IP truncated-ip - 20 bytes missing! 10.94.211.142 > 224.0.0.5: OSPFv2, Hello, length 60
13:06:29.499988  In IP truncated-ip - 16 bytes missing! 10.200.211.254 > 224.0.0.5: OSPFv2, Hello, length 56
13:06:32.858753  In IP truncated-ip - 20 bytes missing! 10.94.211.102 > 224.0.0.5: OSPFv2, Hello, length 60
...

monitor traffic matching arp

user@host> monitor traffic matching "arp" no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on me0, capture size 96 bytes

11:57:54.664501  In arp who-has 10.10.213.109 (00:1f:d5:f3:28:30) tell 10.10.213.31
11:57:56.828387  In arp who-has 10.10.213.233 (00:24:9d:06:77:4f) tell 10.10.213.31
11:58:01.735803  In arp who-has 10.10.213.251 (88:e0:f4:1d:41:40) tell 10.10.213.31
11:58:04.663241  In arp who-has 10.10.213.254 tell 10.94.211.170
11:58:28.488191  In arp who-has 10.10.213.149 (00:e0:91:c2:ff:8d) tell 10.10.213.31
11:58:41.858612  In arp who-has 10.10.213.148 tell 10.94.211.254
11:58:42.621533  In arp who-has 10.10.213.254 (5f:5e:ac:79:49:81) tell 10.10.213.31
11:58:44.533391  In arp who-has 10.10.213.186 tell 10.94.211.254
11:58:45.170405  In arp who-has 10.10.213.186 tell 10.94.211.254
11:58:45.770512  In arp who-has 10.10.213.186 tell 10.94.211.254

monitor traffic matching port

user@host> monitor traffic matching "port 22" no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on me0, capture size 96 bytes

13:14:19.108089  In IP 192.0.2.22.56714 > 10.19.300.05.22: S 2210742342:2210742342(0) win 65535 <mss 1360,nop,wscale 7,nop,nop,sackOK>
13:14:19.108165 Out IP 10.19.300.05.22 > 192.0.2.22.56714: S 23075150:23075150(0) ack 2210742343 win 65535 <mss 1460,nop,wscale 1,sackOK,eol>
13:14:19.136883  In IP 192.0.2.22.56714 > 10.19.300.05.22: . ack 1 win 32768
13:14:19.231364 Out IP truncated-ip - 1 bytes missing! 10.19.300.05.22 > 172.29.102.9.56714: P 1:22(21) ack 1 win 33320
13:14:19.260174  In IP truncated-ip - 10 bytes missing! 192.0.2.22.56714 > 10.94.211.93.22: P 1:31(30) ack 22 win 32767
13:14:19.284865 Out IP truncated-ip - 964 bytes missing! 10.19.300.05.22 > 172.29.102.9.56714: P 22:1006(984) ack 31 win 33320
13:14:19.314549  In IP truncated-ip - 652 bytes missing! 192.0.2.22.56714 > 10.94.211.93.22: P 31:703(672) ack 1006 win 32760
13:14:19.414135 Out IP 10.19.300.05.22 > 192.0.2.22.56714: . ack 703 win 33320
13:14:19.443858  In IP 192.0.2.22.56714 > 10.19.300.05.22: P 703:719(16) ack 1006 win 32760
13:14:19.467379 Out IP truncated-ip - 516 bytes missing! 10.19.300.05.22 > 172.29.102.9.56714: P 1006:1542(536) ack 719 win 33320
13:14:19.734097  In IP 192.0.2.22.56714 > 10.19.300.05.22: . ack 1542 win 32768
13:14:19.843574  In IP truncated-ip - 508 bytes missing! 192.0.2.22.56714 > 10.94.211.93.22: P 719:1247(528) ack 1542 win 32768
...
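
The "truncated-ip - N bytes missing!" markers in the samples above relate to the size option and the "capture size" banner. This added Python sketch, not part of the Juniper documentation, reads saved command output and reports how many packets were cut short and what size value would have held the largest one. It assumes N is the number of bytes by which the packet exceeded the capture size and that each packet occupies one line; the sample text is constructed in the style of the page's output.

```python
# Added example (not Juniper code): summarize truncation in saved
# "monitor traffic" output and suggest a value for the size option.
import re

BANNER = re.compile(r"capture size (\d+) bytes")
PACKET = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+(In|Out)\s")
MISSING = re.compile(r"truncated-ip - (\d+) bytes missing!")

# Constructed sample, modelled on the page's "matching port" output.
SAMPLE = """\
Address resolution is OFF.
Listening on me0, capture size 96 bytes

13:14:19.108089  In IP 192.0.2.22.56714 > 198.51.100.5.22: S 2210742342:2210742342(0) win 65535
13:14:19.231364 Out IP truncated-ip - 1 bytes missing! 198.51.100.5.22 > 192.0.2.22.56714: P 1:22(21) ack 1 win 33320
13:14:19.260174  In IP truncated-ip - 10 bytes missing! 192.0.2.22.56714 > 198.51.100.5.22: P 1:31(30) ack 22 win 32767
13:14:19.284865 Out IP truncated-ip - 964 bytes missing! 198.51.100.5.22 > 192.0.2.22.56714: P 22:1006(984) ack 31 win 33320
13:14:19.414135 Out IP 198.51.100.5.22 > 192.0.2.22.56714: . ack 703 win 33320
"""


def truncation_report(output: str) -> dict:
    """Count packets and truncated packets, and compute the capture size
    that would have covered the most heavily truncated packet seen."""
    capture_size = None
    packets = truncated = max_missing = 0
    for line in output.splitlines():
        banner = BANNER.search(line)
        if banner and capture_size is None:
            capture_size = int(banner.group(1))
            continue
        if not PACKET.match(line):
            continue  # banners, blank lines, "..." and wrapped fragments
        packets += 1
        missing = MISSING.search(line)
        if missing:
            truncated += 1
            max_missing = max(max_missing, int(missing.group(1)))
    if capture_size is None:
        raise ValueError("no 'capture size N bytes' banner found")
    return {
        "capture_size": capture_size,
        "packets": packets,
        "truncated": truncated,
        "max_missing": max_missing,
        # Assumption: growing the capture size by the largest shortfall
        # is enough to hold every packet in this sample.
        "suggested_size": capture_size + max_missing,
    }


if __name__ == "__main__":
    report = truncation_report(SAMPLE)
    for key, value in report.items():
        print(f"{key:15} {value}")
```

A capture saved with write-file at the default size keeps only the leading bytes of each packet, so check the truncation count before relying on the file for payload analysis.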

monitor traffic read-file

user@host> monitor traffic read-file tcpdump_20_7_18.pcap
15:20:42.597413 Out IP 128.0.0.1.6234 > 128.0.0.17.37217: . ack 1416364513 win 65535 <nop,nop,timestamp 2494269906 347794433>
15:20:42.597424 Out IP 128.0.0.1.6234 > 128.0.0.16.49400: . ack 3549610340 win 65535 <nop,nop,timestamp 2494269906 347799892>
15:20:42.598214 Out IP truncated-ip - 32 bytes missing! 128.0.0.1.6234 > 128.0.0.16.49400: P 0:40(40) ack 1 win 65535 <nop,nop,timestamp 2494269907 347799892>
                         0001 0000 0020 0000

monitor traffic write-file

user@host> monitor traffic write-file filename
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on em1, capture size 96 bytes

^C
955 packets received by filter
0 packets dropped by kernel

Release Information

Command introduced before Junos OS Release 7.4.

Options read-file and write-file introduced in Junos OS Release 19.1R1.
