show interfaces flow-statistics

Syntax

Description

Display interfaces flow statistics.

Options

Interface-name —(Optional) Display flow statistics about the specified interface. Following is a list of typical interface names. Replace pim with the PIM slot and port with the port number. For a complete list, see the Interface Naming Conventions.

at-pim/0/port—ATM-over-ADSL or ATM-over-SHDSL interface.
br-pim/0/port—Basic Rate Interface for establishing ISDN connections.
ce1-pim/0/port—Channelized E1 interface.
ct1-pim/0/port—Channelized T1 interface.
dl0—Dialer Interface for initiating ISDN and USB modem connections.
e1-pim/0/port—E1 interface.
e3-pim/0/port—E3 interface.
fe-pim/0/ port—Fast Ethernet interface.
ge-pim/0/port—Gigabit Ethernet interface.
se-pim/0/port—Serial interface.
t1-pim/0/port—T1 (also called DS1) interface.
t3-pim/0/ port—T3 (also called DS3) interface.
wx-slot/0/0—WAN acceleration interface, for the WXC Integrated Services Module (ISM 200).

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show interfaces flow-statistics command. Output fields are listed in the approximate order in which they appear.

Table 1: show interfaces flow-statistics Output Fields
Field Name	Field Description
`Traffic statistics`	Number of packets and bytes transmitted and received on the physical interface.
`Local statistics`	Number of packets and bytes transmitted and received on the physical interface.
`Transit statistics`	Number of packets and bytes transiting the physical interface.
`Flow input statistics`	Statistics on packets received by flow module.
`Flow output statistics`	Statistics on packets sent by flow module.
`Flow error statistics`	Packet drop statistics for the flow module. For further details, see Table 2.

Table 2: Flow Error Statistics (Packet Drop Statistics for the Flow Module)
Error	Error Description
Screen:
Address spoofing	The packet was dropped when the screen module detected address spoofing.
Syn-attack protection	The packet was dropped because of SYN attack protection or SYN cookie protection.
VPN:
Authentication failed	The packet was dropped because the IPsec Encapsulating Security Payload (ESP) or Authentication Header (AH) authentication failed.
No SA for incoming SPI	The packet was dropped because the incoming IPsec packet's security parameter index (SPI) does not match any known SPI.
Security association not active	The packet was dropped because an IPsec packet was received for an inactive SA.
NAT:
Incoming NAT errors	The source NAT rule search failed, an invalid source NAT binding was found, or the NAT allocation failed.
Multiple incoming NAT	Sometimes packets are looped through the system more than once; if source NAT is specified more than once, the packet will be dropped.
Auth:
Multiple user authentications	Sometimes packets are looped through the system more than once. Each time a packet passes through the system, that packet must be permitted by a policy. If the packet matches more than one policy that specifies user authentication, then it will be dropped.
User authentication errors	Packet was dropped because policy requires authentication; however: Only Telnet, FTP, and HTTP traffic can be authenticated. The corresponding authentication entry could not be found, if web-auth is specified. The maximum number of authenticated sessions per user was exceeded.
Flow:
No one interested in self packets	This counter is incremented for one of the following reasons: The outbound interface is a self interface, but the packet is not marked as a to-self packet and the destination address is in a source NAT pool. No service is interested in the to-self packet When a zone has ident-reset service enabled, the TCP RST to IDENT request for port 113 is sent back and this counter is incremented.
No minor session	The packet was dropped because no minor sessions are available and a minor session was requested. Minor sessions are allocated for storing additional TCP state information.
No more sessions	The packet was dropped because there were no more free sessions available.
No route present	The packet was dropped because a valid route was not available to forward the packet. For new sessions, the counter is incremented for one of the following reasons: No valid route was found to forward the packet. A discard or reject route was found. The route could not be added due to lack of memory. The reverse path forwarding check failed for an incoming multicast packet. For existing sessions, the prior route was changed or deleted, or a more specific route was added. The session is rerouted, and this reroute could fail because: A new route could not be found; either the previous route was removed, or the route was changed to discard or reject. Multiple packets may concurrently force rerouting to occur, and only one packet can successfully complete the rerouting process. Other packets will be dropped. The route table was locked for updates by the Routing Engine. Packets that match a new session are retried, whereas packets that match an existing session are not.
No tunnel found	The packet was dropped because a valid tunnel could not be found
No session for a gate	This counter is incremented when a packet is destined for an ALG, and the ALG decides to drop this packet.
No zone or NULL zone binding	The packet was dropped because its incoming interface was not bound to any zone.
Policy denied	The error counter is incremented for one of the following reasons: Source and/or destination NAT has occurred and policy says to drop the packet. Policy specifies user authentication, which failed. Policy was configured to deny this packet.
TCP sequence number out of window	A TCP packet with a sequence number failed the TCP sequence number check that was received.
Counters Not Currently in Use
No parent for a gate	-
Invalid zone received packet	-
No NAT gate	-

Sample Output

show interfaces flow-statistics (Gigabit Ethernet)

Release Information

Command introduced in Junos OS Release 9.2.

ON THIS PAGE