display soc attack-detect statistics car

Function

The display soc attack-detect statistics car command displays statistics about protocol packets sent to the CPU.

Format

display soc attack-detect statistics car slot slot-id protocol protocol-name [ car-name history { 15-minutes | 60-minutes | 72-hours } ]

display soc attack-detect statistics car slot slot-id

Parameters

Parameter	Description	Value
protocol protocol-name	Specifies the protocols that support CAR, such as 802.1ag, arp, bfd, bgp, telnet-client, telnet-server, tftp.	The supported protocols can be queried using a question mark (?).
car-name	Specifies the type of protocol packet (to be sent to the CPU) on which a CAR action is performed. This parameter corresponds to the CarName field in the command output. One protocol-name corresponds to multiple cpcar-name values.	The value is a string of 1 to 49 case-sensitive characters, spaces not supported.
history	History Statistics information.	-
15-minutes	Displays statistics within the last 15 minutes.	-
60-minutes	Displays statistics within the last 1 hour.	-
72-hours	Displays statistics within the last 72 hours.	-
slot slot-id	Specifies the slot ID of a board.	The value is a string of 1 to 31 case-sensitive characters, spaces not supported.

Views

All views

Default Level

1: Monitoring level

Task Name and Operations

Task Name	Operations
soc	read

Usage Guidelines

Usage Scenario

If a device is being attacked, a large number of packets may be sent to the CPU, causing the CPU overload. To prevent this problem, use CPCAR to limit the rate of packets to be sent to the CPU.

Then the device collects statistics about the number of packets received and discarded by CPCAR, the rate of packets sent to the CPU, and the rate of packets discarded. If the rate of protocol packets sent to the CPU exceeds the threshold, CPCAR discards excess packets and records information about the discarded packets. Therefore, checking CPCAR statistics helps identify the rate of specific protocol packets sent to the CPU. If a large number of specific protocol packets are discarded by CPCAR, and the CPCAR drop rate is high, for example, over 10%, this protocol has exceptions. In CPU overload scenarios, you can determine the protocol being attacked by identifying the CPCAR with the highest packet loss rate. This helps locate the attack. To check CPCAR statistics and identify the protocol with the highest packet loss rate, run the display soc attack-detect statistics car command.

Implementation Procedure

1.Run the display soc attack-detect statistics car slot slot-id protocol protocol-name command to check all CPCAR statistics monitored by the SOC. Identify CarName of the CPCAR with the highest packet loss rate or the largest number of lost packets.

2.Run the display soc attack-detect statistics car slot slot-id protocol protocol-name [ cpcar-name history { 15-minute | 60-minutes | 72-hour } ] command to check the packet loss rate of the protocol packets identified by cpcar-name within a specified period.

3.Run the display soc attack-detect cpu-usage slot slot-id history { 15-minutes | 60-minutes | 72-hours } command to check the CPU usage within the same period. If the CPU usage and packet loss rate within the same period have similar tendencies, the CPU overload is caused by the protocol packets identified by cpcar-name.

To query the protocols whose packets were sent to the CPU within the last 1 minute, run the display soc attack-detect statistics car slot slot-id command. To further query historical statistics about packets of these protocols, run the display soc attack-detect statistics car slot slot-id protocol protocol-name [ cpcar-name history { 15-minutes | 60-minutes | 72-hours }] command.

In VS mode, this command is supported only by the admin VS.

Example

The actual command output varies according to the device. The command output here is only an example.

# Display statistics about protocol packets sent to the CPU on the board in slot 1.

<HUAWEI> display soc attack-detect statistics car slot 1
  ----------------------------------------------------------------------------------------                                          
  CarName                          Pass-Pkt      Drop-Pkt       Pass-Bytes      Drop-Bytes                                          
  tsu-4over6-extprotocolun         25204         0              6754672         0                                                   
  lldp                             4925          0              1586447         0                                                   
  ipv4-arp-reply                   43            0              3010            0                                                   
  ipv4-arp-gratultous              4             0              280             0                                                   
  pst-broadcast                    20552         0              17116704        0                                                   
  ----------------------------------------------------------------------------------------

# Display statistics about ARP packets discarded by CAR on the board in slot 1.

<HUAWEI> display soc attack-detect statistics car slot 1 protocol arp
  ----------------------------------------------------------------------------------------
  CarName                          Pass-Pkt      Drop-Pkt       Pass-Bytes      Drop-Bytes
  ipv4-arp-request                 25204         0              6754672         0
  ipv4-arp-reply                   43            0              3010            0
  ipv4-arp-gratultous              4             0              280             0
  ----------------------------------------------------------------------------------------

**Table 1** Description of the **display soc attack-detect statistics car** command output
Item	Description
CarName	Type of protocol packet (to be sent to the CPU) on which a CAR action is performed.
Pass-Pkt	Number of passed packets.
Drop-Pkt	Number of discarded packets.
Pass-Bytes	Number of passed packet bytes.
Drop-Bytes	Number of discarded packet bytes.