NetScreen ScreenOS troubleshooting: Snoop
snoop: captures packets on the firewall's interfaces. The capture can be filtered by interface, by the packet's src-ip, src-port, dst-ip, dst-port, protocol, direction and so on. Its main use is to check, at the driver level, whether a given IP or Ethernet packet has actually reached the NetScreen at all.
I. Redirecting output
1. Send debug output to the debug buffer
Redirect debug output from the console to the dbuf:
set console dbuf
get dbuf info
count: 385, last index: 385, cur index: 0, size: 131072
start: 0, pause: 0
Set the dbuf size (the buffer is a fixed size, so on a busy box use a tight snoop filter or the oldest records are overwritten):
set dbuf size ?
<number> size in kilobytes of debug buffer[from 32 to 4096]
Why send output to the debug buffer?
Sending debug output to a debug buffer is much less CPU intensive than writing it to the console, and the buffered contents can afterwards be sent to a text file on a TFTP server (item 2 below).
Redirect debug output from the dbuf back to the console when you are done (while "set console dbuf" is in effect, nothing is printed on the console):
unset console dbuf
get console
2. View and clear the contents of the dbuf
get dbuf stream
get dbuf stream > tftp
clear dbuf
II. ScreenOS snoop
1. First define the capture filter with the snoop filter command:
ns25-> snoop filter ?
delete delete snoop filter
ethernet snoop specified ethernet
id snoop filter id
ip snoop ip packet
off turn off snoop filter
on turn on snoop filter
tcp snoop tcp packet
udp snoop udp packet
ns25-> snoop filter ip ?
<return>
direction snoop direction
dst-ip snoop filter dst ip
dst-port snoop filter dst port
interface interface name
ip-proto snoop filter ip proto
port src or dst port
src-ip snoop filter src ip
src-port snoop filter src port
<IPv4 Address> IPv4 Address
offset ip offset
For the capture below, only packets whose destination is 209.131.36.158 are kept:
snoop filter ip dst-ip 209.131.36.158
2. Start snoop
ns25-> snoop
Start Snoop, type ESC or 'snoop off' to stop, continue? [y]/n
3. Stop snoop
ns25-> snoop off
Snoop off
4. Check the capture results. Each record begins with a header line giving the interface number and direction (0(i) = received on interface 0, 6(o) = sent out of interface 6), the frame length, the source and destination MAC addresses and the ethertype; then come the decoded IP and ICMP headers and a hex dump of the whole frame:
ns25-> get dbuf stream
## 2008-04-21 15:53:06 : SCS: <<< ssh_shutdown_conn()
## 2008-04-21 16:48:46 : SCS: <<< ssh_shutdown_conn()
8496711.0: 0(i) len=74:000fe24a01d9->0010db41e220/0800
10.180.22.209 -> 209.131.36.158/1
vhl=45, tos=00, id=39302, frag=0000, ttl=127 tlen=60
icmp:type=8, code=0
00 10 db 41 e2 20 00 0f e2 4a 01 d9 08 00 45 00 ...A.....J....E.
00 3c 99 86 00 00 7f 01 8a 94 0a b4 16 d1 d1 83 .<..............
24 9e 08 00 cd 5b 04 00 7c 00 61 62 63 64 65 66 $....[..|.abcdef
67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 ghijklmnopqrstuv
77 61 62 63 64 65 66 67 68 69 wabcdefghi
8496711.0: 6(o) len=74:0010db41e226->00d00312fc00/0800
59.42.52.50 -> 209.131.36.158/1
vhl=45, tos=00, id=39302, frag=0000, ttl=126 tlen=60
icmp:type=8, code=0
00 d0 03 12 fc 00 00 10 db 41 e2 26 08 00 45 00 .........A.&..E.
00 3c 99 86 00 00 7e 01 3d bd 3b 2a 34 32 d1 83 .<....~.=.;*42..
24 9e 08 00 32 68 04 00 16 f4 61 62 63 64 65 66 $...2h....abcdef
67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 ghijklmnopqrstuv
77 61 62 63 64 65 66 67 68 69 wabcdefghi
5. Clear the debug output buffered on the firewall:
ns25-> clear dbuf
6. Remove the firewall's snoop filters:
ns25-> snoop filter delete
All filters removed
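Reading the two records above: both carry IP ID 39302 and the same ICMP echo request payload, so they are the same datagram seen twice, first as received on interface 0 from 10.180.22.209, then as sent out of interface 6 with the source address translated to 59.42.52.50 and the TTL decremented from 127 to 126. The Python script below is an added example, not ScreenOS code and not part of the original page: it parses the text that get dbuf stream prints (the two records above, copied verbatim, are its embedded sample input), rebuilds the frames from the hex dump, decodes the IPv4 and ICMP headers, verifies both checksums, and pairs the ingress record with the egress record to report what the firewall changed in transit. It assumes the record header format shown above, with the number in front of (i)/(o) being the interface number; the function and field names are the example's own.

```python
"""Offline decoder for ScreenOS `get dbuf stream` snoop output (added example, not ScreenOS code)."""
import re
import struct
from dataclasses import dataclass
from typing import Any, Dict, List
# Sample input: the two records printed by `get dbuf stream` earlier on this page, copied verbatim.
SNOOP_DUMP = """\
8496711.0: 0(i) len=74:000fe24a01d9->0010db41e220/0800
10.180.22.209 -> 209.131.36.158/1
vhl=45, tos=00, id=39302, frag=0000, ttl=127 tlen=60
icmp:type=8, code=0
00 10 db 41 e2 20 00 0f e2 4a 01 d9 08 00 45 00 ...A.....J....E.
00 3c 99 86 00 00 7f 01 8a 94 0a b4 16 d1 d1 83 .<..............
24 9e 08 00 cd 5b 04 00 7c 00 61 62 63 64 65 66 $....[..|.abcdef
67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 ghijklmnopqrstuv
77 61 62 63 64 65 66 67 68 69 wabcdefghi
8496711.0: 6(o) len=74:0010db41e226->00d00312fc00/0800
59.42.52.50 -> 209.131.36.158/1
vhl=45, tos=00, id=39302, frag=0000, ttl=126 tlen=60
icmp:type=8, code=0
00 d0 03 12 fc 00 00 10 db 41 e2 26 08 00 45 00 .........A.&..E.
00 3c 99 86 00 00 7e 01 3d bd 3b 2a 34 32 d1 83 .<....~.=.;*42..
24 9e 08 00 32 68 04 00 16 f4 61 62 63 64 65 66 $...2h....abcdef
67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 ghijklmnopqrstuv
77 61 62 63 64 65 66 67 68 69 wabcdefghi
"""
_HDR = re.compile(r"^(\d+\.\d+): (\d+)\(([io])\) len=(\d+):([0-9a-f]{12})->([0-9a-f]{12})/([0-9a-f]{4})", re.I)
_HEXBYTE = re.compile(r"^[0-9a-f]{2}$", re.I)

@dataclass
class SnoopRecord:
    timestamp: str
    interface: int
    direction: str  # "i" = received on the interface, "o" = sent out of it (assumed meaning of (i)/(o))
    src_mac: str
    dst_mac: str
    ethertype: int
    frame: bytes = b""  # raw frame rebuilt from the hex dump

def parse_snoop(text: str) -> List[SnoopRecord]:
    """Rebuild frames from records headed "<time>: <if>(i|o) len=<n>:<src mac>-><dst mac>/<ethertype>";
    every other dbuf line (## debug messages, the decoded summary lines) is skipped."""
    records: List[SnoopRecord] = []
    want = 0  # bytes still expected for the record currently being rebuilt
    for line in text.splitlines():
        m = _HDR.match(line)
        if m:
            ts, ifnum, d, length, smac, dmac, etype = m.groups()
            records.append(SnoopRecord(ts, int(ifnum), d, smac, dmac, int(etype, 16)))
            want = int(length)
        elif want:
            buf = bytearray(records[-1].frame)
            for tok in line.split():
                # stop at the ASCII column or at the declared length (a short last line's ASCII column could look like hex)
                if not want or not _HEXBYTE.match(tok):
                    break
                buf.append(int(tok, 16))
                want -= 1
            records[-1].frame = bytes(buf)
    return records

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; evaluates to 0 over a header that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_ipv4_icmp(rec: SnoopRecord) -> Dict[str, Any]:
    """Decode the IPv4 header (plus the ICMP header when proto is 1) and validate both checksums."""
    if rec.ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % rec.ethertype)
    ip = rec.frame[14:]  # skip the 14-byte Ethernet header
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", ip[2:6])
    out = {"src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
           "ttl": ip[8], "proto": ip[9], "ip_id": ip_id, "ip_cksum_ok": inet_checksum(ip[:ihl]) == 0}
    if ip[9] == 1:  # ICMP header: type, code, checksum, identifier, sequence
        icmp = ip[ihl:total_len]  # use the IP total length so Ethernet padding never enters the checksum
        out["icmp_type"], out["icmp_code"], _, out["icmp_id"], out["icmp_seq"] = struct.unpack("!BBHHH", icmp[:8])
        out["icmp_cksum_ok"] = inet_checksum(icmp) == 0
    return out

def trace_through_firewall(records: List[SnoopRecord]) -> Dict[int, Dict[str, Any]]:
    """Pair each received (i) record with the sent (o) record of the same datagram and report what changed."""
    decoded = [(r, decode_ipv4_icmp(r)) for r in records if r.ethertype == 0x0800]
    report: Dict[int, Dict[str, Any]] = {}
    for rin, a in decoded:
        for rout, b in decoded:
            if rin.direction != "i" or rout.direction != "o" or (a["ip_id"], a["dst_ip"]) != (b["ip_id"], b["dst_ip"]):
                continue
            report[a["ip_id"]] = {
                "snat": (a["src_ip"], b["src_ip"]) if a["src_ip"] != b["src_ip"] else None,
                "ttl_decrement": a["ttl"] - b["ttl"],
                "icmp_seq_rewritten": a.get("icmp_seq") != b.get("icmp_seq"),
                "checksums_ok": all(v for d in (a, b) for k, v in d.items() if k.endswith("_cksum_ok")),
            }
    return report
```

To use it on a real capture, save the output of get dbuf stream (or the file written to the TFTP server) and pass its contents to parse_snoop. Checking the checksums is the quickest way to tell a genuine rewrite from a truncated or misread dump: for the two records above both the IP and the ICMP checksums verify, and the ICMP sequence field differs between the ingress and egress copies while the IP ID does not, which the script reports as icmp_seq_rewritten alongside the source NAT and the TTL decrement.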
III. snoop workflow
1. Set the NetScreen to send snoop output to the debug buffer
set console dbuf
2. Create and verify the desired snoop filters
snoop filter <options>
snoop info
3. Clear the debug buffer
clear dbuf
4. Enable snoop
snoop
Start Snoop, type ESC or 'snoop off' to stop, continue? [y]/n y
5. After testing, disable snoop
snoop off
6. View the contents of the debug buffer
get dbuf stream