Method used to view packet loss information if packets cannot be captured on interfaces


If you cannot capture packets on firewall interfaces but you want to view packet loss information, you can use the quintuple packet capture statistics function. The operation is as follows:
1. Create an ACL.
[system] acl 3999
[system-acl-adv-3999] rule 5 permit icmp source 10.2.4.2 0 destination 10.2.2.2 0
2. Enable quintuple packet statistics for the ACL in the diagnose view.
[system] diagnose
[system-diagnose] firewall statistic acl 3999 enable
3. View quintuple packet capture statistics information.
system-view
[sysname] diagnose
[sysname-diagnose] display firewall statistics acl

********************************************************************************
* Summary of ACL-based packet statistics *
********************************************************************************
SLOT 1 CPU 1 RcvnFrag RcvFrag Forward DisnFrag DisFrag
Obverse(pkts) : 100 0 95 0 0
Reverse(pkts) : 100 0 100 0 0

SLOT 1 CPU 3 RcvnFrag RcvFrag Forward DisnFrag DisFrag
Obverse(pkts) : 2 0 2 0 0
Reverse(pkts) : 1 0 1 0 0

SLOT: 2 Fastforward Discard
Obverse(pkts) : 98 0
Reverse(pkts) : 999 0
Detailed information of discarded packets:

********************************************************************************
* Detailed information of ACL-based packet statistics *
********************************************************************************
Protocol(udp) SourceIp(10.2.4.2) DestinationIp(10.2.2.2)
SourcePort(333) DestinationPort(444) VpnIndex(public)
RcvnFrag RcvFrag Forward DisnFrag DisFrag
Obverse(pkts) : 2 0 2 0 0
Reverse(pkts) : 1 0 1 0 0
Discard detail information:

Protocol(udp) SourceIp(10.2.4.2) DestinationIp(10.2.2.2)
SourcePort(555) DestinationPort(666) VpnIndex(public)
RcvnFrag RcvFrag Forward DisnFrag DisFrag
Obverse(pkts) : 100 0 95 5 0
Reverse(pkts) : 100 0 100 0 0
Discard detail information:
Packet filter packets discarded: 5
Please check the security policy and whether the interface added to a security zone.
4. After locating the problem, run the undo firewall statistics acl command to disable the quintuple packet statistics function to prevent adverse impact on device performance.
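
When the ACL matches many quintuples, the comparison in step 3 can be scripted. The following Python code is an added example, not part of the original page or Huawei tooling: it parses the detailed section of the display firewall statistics acl output (sample text constructed from the output above) and lists the flows where packets were discarded or fewer packets were forwarded than received. It assumes RcvnFrag/RcvFrag count received non-fragmented/fragmented packets and DisnFrag/DisFrag the corresponding discards, which the page does not define.

```python
import re

# Constructed sample: the per-flow section of the output shown above.
SAMPLE = """\
Protocol(udp) SourceIp(10.2.4.2) DestinationIp(10.2.2.2)
SourcePort(333) DestinationPort(444) VpnIndex(public)
RcvnFrag RcvFrag Forward DisnFrag DisFrag
Obverse(pkts) : 2 0 2 0 0
Reverse(pkts) : 1 0 1 0 0
Discard detail information:

Protocol(udp) SourceIp(10.2.4.2) DestinationIp(10.2.2.2)
SourcePort(555) DestinationPort(666) VpnIndex(public)
RcvnFrag RcvFrag Forward DisnFrag DisFrag
Obverse(pkts) : 100 0 95 5 0
Reverse(pkts) : 100 0 100 0 0
Discard detail information:
Packet filter packets discarded: 5
"""
COLS = ("RcvnFrag", "RcvFrag", "Forward", "DisnFrag", "DisFrag")
FIELD = re.compile(r"(\w+)\(([^)]*)\)")  # e.g. SourcePort(555)
COUNTS = re.compile(r"(Obverse|Reverse)\(pkts\)\s*:((?:\s+\d+){5})\s*$")
REASON = re.compile(r"(.+ discarded)\s*:\s*(\d+)\s*$")

def parse_flows(text):
    """Return one dict per quintuple: key fields, per-direction counters, discard reasons."""
    flows = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Protocol("):  # first line of a new quintuple
            flows.append({"key": {}, "dirs": {}, "reasons": {}})
        if not flows:
            continue  # still in the summary section
        cur, m, r = flows[-1], COUNTS.match(line), REASON.match(line)
        if m:
            cur["dirs"][m.group(1)] = dict(zip(COLS, map(int, m.group(2).split())))
        elif r:
            cur["reasons"][r.group(1)] = int(r.group(2))
        elif line.startswith(("Protocol(", "SourcePort(")):
            cur["key"].update(FIELD.findall(line))
    return flows

def lossy_flows(flows):
    """Flows that lost packets; assumes Rcv* = received, Dis* = discarded (see lead-in)."""
    out = []
    for f in flows:
        for d, c in f["dirs"].items():
            rcv, dis = c["RcvnFrag"] + c["RcvFrag"], c["DisnFrag"] + c["DisFrag"]
            if dis or c["Forward"] < rcv:
                out.append((f["key"], d, rcv, c["Forward"], dis, f["reasons"]))
    return out
```

For the sample, lossy_flows(parse_flows(SAMPLE)) returns a single entry: the 555 -> 666 flow in the Obverse direction, with 100 received, 95 forwarded and 5 discarded by the packet filter.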

Other related questions:
How to view information such as interface status and packet loss
You can run the display this interface command in the interface view to check the physical status, protocol status, traffic statistics, and the number of lost packets on an interface.

Method used to view a captured IPSec-encrypted packet
On the USG firewall, IPSec packets can be captured, but you cannot view the protected packet inside them.

Capturing packets to view IPSec encrypted data packets
Can IPSec packets be captured on the USG? You can capture and view IPSec packets but not protected data packets on the USG.

S series switch packets capture
S series switches (except S1700 switches) support the packet capturing function. This function can be used if you need to capture packets for analysis. Packets that can be captured include service packets and packets sent to the CPU. Configuration example:
1. Capturing service packets
[HUAWEI] capture-packet interface gigabitethernet 1/0/1 destination file capture.cap terminal
//Information of captured packets is not provided here.
2. Capturing packets sent to the CPU
[HUAWEI] capture-packet cpu destination file cfcard:/abc.cap
//Information of captured packets is not provided here.

How to check ping packet loss on S series switches
For S series switches (except the S1700), you can run the ping command to check ping packet loss directly. For example:
[HUAWEI] ping -c 100 192.168.2.21
PING 192.168.2.21: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.21: bytes=56 Sequence=1 ttl=124 time=1 ms
...
--- 192.168.2.21 ping statistics ---
100 packet(s) transmitted //Total number of sent packets
91 packet(s) received //Total number of received packets
9.00% packet loss //Packet loss ratio
round-trip min/avg/max = 1/1/19 ms
You can also perform the following steps to configure traffic statistics collection to check ping packet loss:
Configure traffic statistics collection for packets received by a switch.
1. Configure an ACL rule.
[HUAWEI] acl number 3000
[HUAWEI-acl-adv-3000] rule permit icmp source 192.168.2.21 0 destination 192.168.2.20 0
[HUAWEI-acl-adv-3000] quit
2. Configure a traffic classifier.
[HUAWEI] traffic classifier 3000
[HUAWEI-classifier-3000] if-match acl 3000
[HUAWEI-classifier-3000] quit
3. Configure a traffic behavior.
[HUAWEI] traffic behavior 3000
[HUAWEI-behavior-3000] statistic enable
[HUAWEI-behavior-3000] quit
4. Configure a traffic policy.
[HUAWEI] traffic policy 3000
[HUAWEI-trafficpolicy-3000] classifier 3000 behavior 3000
[HUAWEI-trafficpolicy-3000] quit
5. Apply the traffic policy to an interface.
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] traffic-policy 3000 inbound
[HUAWEI-GigabitEthernet0/0/2] quit
6. Check traffic statistics of packets received by the switch.
[HUAWEI] display traffic policy statistics interface gigabitethernet 0/0/2 inbound verbose rule-base
//The output is omitted.
For more information about ping packet loss, see "Ping Failure Troubleshooting" or "S Series Switches packet Loss Troubleshooting" in "Maintenance Topics" in the Huawei S Series Campus Switches Maintenance Guide.
