Skip to content

Instantly share code, notes, and snippets.

@tonusoo

tonusoo/Juniper_MX_host-outbound_traffic.png

Last active February 2, 2026 08:03
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save tonusoo/69d2bcf0182f544ef57e593d6794b437 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save tonusoo/69d2bcf0182f544ef57e593d6794b437 to your computer and use it in GitHub Desktop.
Download ZIP
Host-outbound TCP SYN captured on internal bridge connecting the control- and forwarding-plane on MX-series router || discussion on Packet Pushers Slack group
@tonusoo
Copy link
Author

tonusoo commented Feb 1, 2026

Executed in RE:
ssh routing-instance vr1 192.168.123.1

Received on virbr0:
02:06:0a:99:ff:f5 > 52:54:00:cc:17:2b, ethertype IPv4 (0x0800), length 78: 192.168.123.111.60331 > 192.168.123.1.22: Flags [S], seq 1619526410, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 3551381480 ecr 0,sackOK,eol], length 0

Hex dump of the corresponding packet captured on vfp-int-r1-bud interface:

0000   52 54 00 b8 23 7f 52 54 00 65 99 ef 08 00 45 00   RT..#.RT.e....E.
0010   00 7c a8 79 00 00 40 54 d1 a3 80 00 00 01 80 00   .|.y..@T........
0020   00 10 02 00 00 00 00 00 00 9a 00 54 1a 00 00 00   ...........T....
0030   00 00 00 00 10 09 00 00 01 53 80 00 52 54 00 cc   .........S..RT..
0040   17 2b 02 06 0a 99 ff f5 08 00 45 00 00 40 a8 77   .+........E..@.w
0050   40 00 40 06 1a 7f c0 a8 7b 6f c0 a8 7b 01 eb ab   @.@.....{o..{...
0060   00 16 60 88 03 0a 00 00 00 00 b0 02 ff ff d4 54   ..`............T
0070   00 00 02 04 05 b4 01 03 03 01 01 01 08 0a d3 ad   ................
0080   c7 e8 00 00 00 00 04 02 00 00

Ethernet header:
525400b8237f5254006599ef0800

0x525400b8237f is MAC addr of vFP internal
bridge facing int, 0x5254006599ef is MAC
addr of vCP internal bridge facing int,
0x0800 is Ethertype(IPv4)

IPv4 header:
4500007ca87900004054d1a38000000180000010

0x54 is protocol(TTP), 0x80000001 is src
address 128.0.0.1(v4 addr of vCP internal
bridge facing int) and 0x80000010 is dst
address 128.0.0.16(v4 addr of vFP internal
bridge facing int)

TTP header:
020000000000009a00541a000000000000001009000001538000

First octet(0x02) is type: L2-tx. Fourth octet is
part of TLV containing the queue number(0x00; "show ttp
statistics" on PFE shell), 0x9a(154) is the ifd_output
(ge-0/0/5), 0x00001009 is decoded by 'monitor traffic
interface em1 matching "ip src 128.0.0.1" layer2-headers
extensive' on Junos CLI as "hint(s) [no key lookup]".
0x153(339) seems to be the interface index of
ge-0/0/5.0(IFL)

Ethernet header:
525400cc172b02060a99fff50800

0x525400cc172b is MAC addr of virbr0,
0x02060a99fff5 is MAC addr of vFP ge-0/0/5
and 0x0800 is Ethertype(IPv4)

IPv4 header:
45000040a877400040061a7fc0a87b6fc0a87b01

0x06 is protocol(TCP), 0xc0a87b6f is src
address 192.168.123.111(v4 addr of ge-0/0/5.0)
and 0xc0a87b01 is dst addr 192.168.123.1(v4 addr
of virbr0)

TCP header:
ebab00166088030a00000000b002ffffd4540000020405b4010303010101080ad3adc7e80000000004020000

0xebab is src port 60331, 0x0016 is dst port 22, 0x02 preceding 0xffff(window field) are
TCP flags with only SYN set

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment