This wiki has been migrated to https://gitlab.com/wireshark/wireshark/-/wikis/home and is now deprecated. Please use that site instead.
Differences between revisions 4 and 5
Revision 4 as of 2010-04-01 16:09:22 (editor: WayneBrassem)
Revision 5 as of 2010-04-01 16:17:04 (editor: WayneBrassem)

Juniper mirror encapsulation (jmirror)

Juniper E Series routers have the ability to perform packet mirroring. Packet mirroring enables you to automatically send a copy of a packet to an external host for analysis. Packet mirroring has many uses including lawful intercept, traffic debugging and troubleshooting user networking problems.

The E Series JUNOSe software provides two methods that you can use to configure and manage your packet-mirroring environment — CLI-based and RADIUS-based.

  • CLI-based packet mirroring — An authorized operator uses the router’s CLI commands to configure and manage packet mirroring. You can mirror traffic related to a specific IP, IPv6, or L2TP interface or traffic related to a particular user. You also use CLI commands to create secure policies that identify the traffic to be mirrored and specify how the mirrored traffic is treated.
  • RADIUS-based packet mirroring — A RADIUS administrator uses RADIUS attributes to configure packet mirroring of a particular user’s traffic. The router creates dynamic secure policies for the mirroring operation.

When a packet is mirrored, an exact duplicate of the packet is created. To prevent this duplicate from reaching the original destination, it is often necessary to wrap the mirrored packet in a new, routable IP packet header. This new header allows you to redirect the mirrored packet to the intended packet mirror destination. For lawful intercept applications this is commonly the mediation device IP and UDP port. The E Series router directs mirrored packets to a special logical interface called an analyzer port. This interface allows only outgoing packets; all incoming traffic is silently ignored.

During a packet mirroring session, the router prepends a special UDP/IP header to each mirrored packet that is sent to the analyzer interface. This prepended header is created by the policy-mirroring action, and is used for demultiplexing at the analyzer to sort through the multiple mirrored streams that arrive from different sources.

All mirrored L2TP session packets are prepended with a UDP/IP header. However, for IP traffic mirroring, the prepend header is optional; the header is added if the mirroring-related Juniper Networks VSAs (VSAs 26-59 and 26-61) are both included in the RADIUS message. For CLI-based mirroring, the analyzer-udp-port keyword of the mirror analyzer-ip-address command creates the same information contained in the two VSAs. If you do not include the VSAs or the analyzer-udp-port keyword, an IP mirroring action is indicated, and the prepend header is not used.
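
The demultiplexing step described above, sketched as an added Python example (not Wireshark or JUNOSe code). It assumes the prepended header, as seen in the UDP payload, is a 4-byte mirror identifier followed by a 4-byte session identifier, both big-endian; this page does not give the layout, so check it against the jmirror header reference. The function names and sample datagrams are constructed for illustration.

```python
import struct
from collections import defaultdict

# ASSUMED layout (not given on this page): 4-byte mirror ID, 4-byte session ID,
# both big-endian, immediately followed by the mirrored packet.
JMIRROR_HDR = struct.Struct("!II")

def classify_inner(pkt: bytes) -> str:
    """Sanity-check the mirrored packet by its IP version nibble."""
    if len(pkt) >= 20 and pkt[0] >> 4 == 4 and (pkt[0] & 0x0F) >= 5:
        return "ipv4"
    if len(pkt) >= 40 and pkt[0] >> 4 == 6:
        return "ipv6"
    return "unknown"  # e.g. mirrored L2TP session data, not handled here

def split_jmirror(udp_payload: bytes):
    """Return (mirror_id, session_id, inner_packet); raise ValueError if too short."""
    if len(udp_payload) <= JMIRROR_HDR.size:
        raise ValueError("datagram too short for a prepended mirror header")
    mirror_id, session_id = JMIRROR_HDR.unpack_from(udp_payload)
    return mirror_id, session_id, udp_payload[JMIRROR_HDR.size:]

def demultiplex(datagrams):
    """Group mirrored IP packets per (mirror_id, session_id); keep rejects aside."""
    streams, rejected = defaultdict(list), []
    for dgram in datagrams:
        try:
            mid, sid, inner = split_jmirror(dgram)
        except ValueError:
            rejected.append(dgram)
            continue
        if classify_inner(inner) == "unknown":
            rejected.append(dgram)  # wrong UDP port, or not a mirrored IP packet
            continue
        streams[(mid, sid)].append(inner)
    return dict(streams), rejected

def _ipv4(src, dst):
    """Constructed 20-byte IPv4 header with no payload (checksum left at zero)."""
    return bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 17, 0, 0]) + bytes(src) + bytes(dst)

# Constructed sample UDP payloads as an analyzer would receive them.
SAMPLE = [
    JMIRROR_HDR.pack(0x11, 1) + _ipv4([192, 0, 2, 1], [198, 51, 100, 7]),
    JMIRROR_HDR.pack(0x22, 1) + _ipv4([192, 0, 2, 9], [203, 0, 113, 5]),
    JMIRROR_HDR.pack(0x11, 1) + _ipv4([198, 51, 100, 7], [192, 0, 2, 1]),
    b"\x00\x01",                               # truncated datagram
    JMIRROR_HDR.pack(0x33, 9) + b"\x00" * 20,  # header followed by non-IP bytes
]
```

Datagrams that fail the length or inner-packet check are returned separately rather than dropped, so an analyst can tell a misconfigured port preference from a quiet mirror session.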

History

XXX - add a brief description of PROTO history

Protocol dependencies

  • UDP: jmirror is transported over UDP. No specific port number is used nor assigned.

Example traffic

XXX - Add example decoded traffic for this protocol here (as plain text or Wireshark screenshot).

Wireshark

The PROTO dissector is (fully functional, partially functional, not existing, ... whatever the current state is). Also add info of additional Wireshark features where appropriate, like special statistics of this protocol.

Preference Settings

The jmirror dissector has a UDP port number preference that tells it on which UDP port to listen for jmirror packets.

Example capture file

XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

Display Filter

A complete list of jmirror display filter fields can be found in the display filter reference.

  • Show only the jmirror-based traffic:

     jmirror 

Capture Filter

You cannot directly filter on the jmirror protocol while capturing. However, if you know the UDP port used (see above), you can filter on that one.

  • Capture only the mirror traffic on UDP port 30030:

     udp port 30030 

  • add link to PROTO specification and where to find additional info on the web about it, e.g.:
  • jmirror header - format of jmirror packets

Discussion

jmirror (last edited 2013-02-25 01:51:21 by WayneBrassem)