欢迎关注:1,欢迎关注本博客,你可点击右手边的【QQ邮件订阅】订阅本博客!2,本博客推出江湖救急计划,主要为工作中遇到疑难杂症的兄弟提供远程技术支持和分析,如有需要,请在江湖救急计划页面给我留言!

Juniper防火墙下抓包方法

作者:易隐者 发布于:2012-3-16 17:44 Friday 分类:参考资料

debug flow basic

       相对于其他防火墙而言,Juniper防火墙提供许多有效的查错工具,其中之一就是debug flow basic, 应用方式举例如下:
1. 先设置过滤列表,使得防火墙只对需要的数据包进行分析. 即set ffilter命令:
ns208-> set ffilter ?  
dst-ip      flow filter dst ip
dst-port    flow filter dst port
ip-proto    flow filter ip proto
src-ip       flow filter src ip
src-port    flow filter src port
=DBtZ|~4f@ 
ns208-> set ffilter src-ip 192.168.1.10
filter added 
ns208-> get ff
Flow filter based on:
id:0 src ip 192.168.1.10
ns208-> set ffilter src-ip 192.168.1.11
filter added
ns208-> get ff
Flow filter based on:
id:0 src ip 192.168.1.10
id:1 src ip 192.168.1.11
看出来了吗? 设置两次ffilter的结果是两个过滤列表之间是OR的关系. 如果直接设  

set ffilter src-ip 192.168.1.11 dst-ip 194.73.82.242 就是AND的关系了.
2. 开启debug
ns208-> debug flow basic
3. 发送测试数据包或让小部分流量穿越防火墙
4. 停止debug
ns208-> undebug all
5. 检查防火墙对所转发的符合过滤条件的数据包的分析结果: }
ns208-> get db stream
****** 12553.0: packet received [60]****** Packet arrived on the eth1 interface  tF(UJO xk 
ipid = 29503(733f), @d7806910 IP id
packet passed sanity check. I rbyB6. ¬ 
ethernet1:192.168.1.10/1280->194.73.82.242/512,1(8/0) Src IP, Port, Dst IP, port incl Protocol 1
chose interface ethernet1 as incoming nat if. Int eth1 is placed in NAT mode  s<`Nxz@0 
search route to (192.168.1.10->194.73.82.242) in vr trust-vr for vsd-0/flag-0/ifp-null Route lookup in trust-vr 
route 194.73.82.242->1.1.1.2, to ethernet3 route found to gateway 1.1.1.2 exiting interface int eth3 
routed (194.73.82.242, 0.0.0.0) from ethernet1 (ethernet1 in 0) to ethernet3 packet routed
policy search from zone 2-> zone 1 Policy lookup performed from Trust (2) to Untrust (1) 
Permitted by policy 3 matched policy ID 3
choose interface ethernet3 as outgoing phy if choose physical interface eth3
no loop on ifp ethernet3. r4Ok(8f6¬D 
session application type 0, name None, timeout 60sec session time created as 60 seconds for ICMP
service lookup identified service 0. service lookup performed 
existing vector list 1-559ef00.
Session (id:76) created for first pak 1 Create session with ID 76 
route to 1.1.1.2 Routed packet to 1.1.1.2 
arp entry found for 1.1.1.2 Already had ARP entry for 1.1.1.2 
nsp2 wing prepared, ready
cache mac in the session Cached MAC address in the session
flow got session.
flow session id 76 
post addr xlation: 1.1.1.1->194.73.82.242. Translate src address to egress interface IP
packet send out to 0010db103041 through ethernet3 Packet sent out on the wire
6. 清除防火墙缓存的debug结果: 
ns208-> clear db
7. 清除防火墙的过滤设置 
ns208->unset ffilter 0
ns208->get ffilter

Snoop

        Snoop 是Juniper防火墙另外一个有效的查错工具,它和debug flow basic的区别是: snoop类似于在防火墙的接口上抓包,可以根据具体接口, 数据包的方向, 协议等等要素进行过滤抓包; debug flow basic则对数据包如何穿越防火墙进行分析,将防火墙的对数据包的处理过程显示出来. Snoop的使用举例如下: 1. 先设置过滤列表,使得防火墙只对需要的数据包进行分析. 即snoop filter命令: 
ns208-> snoop filterdelete          delete snoop filter >
ethernet        snoop specified ethernet
id            snoop filter id |
ip            snoop ip packet ?YcG
off            turn off snoop filter dwjYU\on            turn on snoop filter
tcp            snoop tcp packet udp            snoop udp packet 7 

ns208-> snoop filter ip
direction        snoop direction
dst-ip          snoop filter dst ip dst-port        snoop filter dst port
interface        interface name
ip-proto        snoop filter ip proto a port          src or dst port Pv
src-ip          snoop filter src ip 1)TEIsrc-port        snoop filter src port
    IPv4 Address 
offset          ip offset UqDqF
ns208-> snoop info
Snoop: OFF
Filters Defined: 2, Active Filters 2
Detail: OFF, Detail Display length: 96 EE
Snoop filter based on: id 1(on): IP dir(I) qc
id 2(on): IP dst-ip 172.27.68.1 dir(B) :WdL
RHtx3{S/ 
2. 开启snoop 进行抓包 YC
ns208-> snoopStart Snoop, type ESC or 'snoop off' to stop, continue? [y]/n y
3. 发送测试数据包或让小部分流量穿越防火墙
 4. 停止snoop ns208-> snoop off
5. 检查防火墙对所转发的符合过滤条件的数据包的分析结果(非采用上面的filter,而是采用另外的filter): 
ns208-> get db stream 5Y =M <ZEC&NBSP; q#I>m¬u=JJ 
          1.    The packet comes into the Netscreen from the Trusted side client.            55864.0: 0(i):005004bb815f->0010db00ab30/0800    D *MoEd 
            10.0.0.36->10.10.10.14/1, tlen=60    vhl=45, id=31489, frag=0000, ttl=32
          2.    The packet then leaves the Netscreen, on it’s way to the destination host.      55864.0: 1(o):0010db00ab31->00104bf3d073/0800            10.10.10.10->10.10.10.14/1, tlen=60 uS
            vhl=45, id=31489, frag=0000, ttl=31 r
          3.    The packet then returns to the Netscreen from the host. &W          55864.0: 1(i):00104bf3d073->0010db00ab31/0800 |_+% 'XtU 
              10.10.10.14->10.10.10.10/1, tlen=60 |yxLm              vhl=45, id=12289, frag=0000, ttl=128 
          4.    Finally, the packet is returned to the client on the trusted side. -
          55864.0: 0(o):0010db00ab30->005004bb815f/0800 4 /W|~=y            10.10.10.14->10.0.0.36/1, tlen=60 
            vhl=45, id=12289, frag=0000, ttl=127 6,19usXw:M 
6. 清除防火墙缓存的debug结果:ns208-> clear db W7. 清除防火墙的snoop过滤设置 
ns208-> snoop filter delete   
All filters removed

阅读全文>>

标签: debug 防火墙 抓包 Juniper snoop

评论(0) 引用(0) 浏览(10458)

Hillstone防火墙抓包方法

作者:易隐者 发布于:2012-3-10 17:51 Saturday 分类:参考资料

debug

通过Debug定位NBC策略匹配问题相关说明如下:

使用注意:
         Debug功能开启后,有可能会产生CPU使用率高或设备打印输出大量信息,引起设备无法管理。
         请仔细理解Debug功能后,再使用相关调试功能。
         使用过程中,可以双击ESC关闭Debug功能;当设备开启Debug后无法管理设备,您也可以选择重启设备,设备重启后会自动关闭Debug功能
相关命令介绍:
         Debug dp filter src-ip X.X.X.X         //配置debug需要定位分析的源IP地址
         Show dp-filter                     //确认上一条配置的debug 数据转发过滤条件是否正确,如果配置错误可以使用“undebug dp filter id ”删除后重新配置
         debug dp policy lookup              //开启设备策略查找调试功能
         show debug                                                    //确认已经开启的设备调试功能
         clear logging debug                //清除历史调试打印信息
show logging debug                //查看debug打印日志
使用举例:
         设备配置了很多的NBC策略,目前发现172.20.10.68这个源IP没有达到客户城的NBC策略功能,现要求查看172.20.10.68访问某URL时匹配的NBC策略名称。
相应的调试过程如下(红色为输入的命令):
SG6000-1(M)# debug dp filter src-ip 172.20.10.68
assigned id: 1
SG6000-1(M)# show dp-filter
---------------------------------------------------------------
vrouter name:trust-vr
---------------------------------------------------------------
id: 1
src-ip: 172.20.10.68 vrouter: trust-vr
---------------------------------------------------------------
SG6000-1(M)# debug dp policy lookup
SG6000-1(M)# show debug
dp:
  policy:
    lookup, enabled
SG6000-1(M)# clear logging debug
SG6000-1(M)# show logging debug
2011-05-24 10:00:32, DEBUG@FLOW: core 1 (sys up 0x169795ff ms): Pak src zone tru
st, dst zone untrust, prot 6, dst-port 80.
Auth-user id 0
Policy 37 matches, ===PERMIT=== (此处显示匹配了防火墙第37条策略,行为允许)
nbc match rule = 139\163mail   (此处显示匹配了NBC的“139\163mail”这条策略)


2011-05-24 10:00:32, DEBUG@FLOW: core 2 (sys up 0x1697962d ms): Pak src zone tru
st, dst zone untrust, prot 6, dst-port 80.
Auth-user id 0
Policy 37 matches, ===PERMIT===
nbc match rule = 139\163mail

SG6000-1(M)# undebug all               (此处非常重要,一定要在Debug使用完成后,关闭所有Debug功能)
SG6000-1(M)# undebug dp filter id 1
SG6000-1(M)# show debug
SG6000-1(M)# show dp-filter
---------------------------------------------------------------
vrouter name:trust-vr
---------------------------------------------------------------
[ FAQ88 ] 如何通过Debug定位NBC策略匹配问题? - FAQ Information   Updated today (24 May 2011)

snoop

Snoop的语法应该跟juniper的差不多,暂无详细的相关资料。

阅读全文>>

标签: debug 防火墙 抓包 snoop Hillstone

评论(0) 引用(0) 浏览(24272)

Solaris系统下的抓包工具——Snoop

作者:易隐者 发布于:2012-2-16 17:29 Thursday 分类:参考资料

        Snoop 的使用需要root权限。Snoop 是Solaris 系统中自带的工具,是一个用于显示网络通讯的程序,它可捕获IP 包并将其显示或保存到指定文件(限超级用户使用snoop)。

       Snoop 可将捕获的包以一行的形式加以总结或用多行加以详细的描述(有调用不同的参数–v -V来实现). 在总结方式下(-V ) , 将仅显示最高层的相关协议, 例如一个NFS 包将仅显示NFS 信息, 其低层的RPC, UDP, IP, Ethernet 帧信息将不会显示, 但是当加上相应的参数(-v ), 这些信息都能被显示出来。

        参数简介:
[ -a ] # Listen to packets on audio
[ -d device ] # settable to le?, ie?, bf?, tr?
[ -s snaplen ] # Truncate packets
[ -c count ] # Quit after count packets
[ -P ] # Turn OFF promiscuous mode
[ -D ] # Report dropped packets
[ -S ] # Report packet size
[ -i file ] # Read previously captured packets
[ -o file ] # Capture packets in file
[ -n file ] # Load addr-to-name table from file
[ -N ] # Create addr-to-name table
[ -t r|a|d ] # Time: Relative, Absolute or Delta
[ -v ] # Verbose packet display
[ -V ] # Show all summary lines
[ -p first[,last] ] # Select packet(s) to display
[ -x offset[,length] ] # Hex dump from offset for length
[ -C ] # Print packet filter code

       由于snoop 的使用非常灵活, 希望能通过下面一些例子的学习来其常见用法。

1. 监听所有以本机为源和目的的包并将其显示出来.
# snoop
2. 监听所有以主机A为源和目的的包并将其显示出来. ( A为主机名, 下同)
- 2 -
# snoop A
3. 监听所有A和B之间的包并将其保存到文件file.
# snoop -o file A B
4. 显示文件file 中指定的包(99-108)
# snoop - i file -p 99,108
99 0.0027 boutique ->; sunroof NFS C GETATTR FH=8E6C
100 0.0046 sunroof ->; boutique NFS R GETATTR OK
101 0.0080 boutique ->; sunroof NFS C RENAME FH=8E6C MTra00192
to .nfs08
102 0.0102 marmot ->; viper NFS C LOOKUP FH=561E screen.r.13.i386
103 0.0072 viper ->; marmot NFS R LOOKUP No such file or directory
104 0.0085 bugbomb ->; sunroof RLOGIN C PORT=1023 h
105 0.0005 kandinsky ->; sparky RSTAT C Get Statistics
106 0.0004 beeblebrox ->; sunroof NFS C GETATTR FH=0307
107 0.0021 sparky ->; kandinsky RSTAT R
108 0.0073 office ->; jeremiah NFS C READ FH=2584 at 40960 for 8192
5. 详细查看文件file 中第101 个包:
# snoop - i file - v -p101
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 101 arrived at 16:09:53.59
ETHER: Packet size = 210 bytes
ETHER: Destination = 8:0:20:1:3d:94, Sun
ETHER: Sou5rce = 8:0:69:1:5f:e, Silicon Graphics
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: ..0. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 196 bytes
IP: Identification 19846
IP: Flags = 0X
IP: .0.. .... = may fragment
IP: ..0. .... = more fragments
?
- 3 -
?
6. 查看主机A和主机B之间的NFS 包(命令中的and 和or 为相应的逻辑运
算)
# snoop - i file rpc nfs and A and B
1 0.0000 A ->; B NFS C GETATTR FH=8E6C
2 0.0046 B ->; A NFS R GETATTR OK
3 0.0080 A ->; B NFS C RENAME FH=8E6C MTra00192 to .nfs08
7. 将这些符合条件的包保存到另一文件file2 中:
# snoop - i file -o file2 rpc nfs A B
8. 监听主机A和主机B间所有TCP 80 端口或UDP80端口的包
# snoop A and B and (tcp or udp) and port 80
9. 监听所有的广播包
# snoop broadcast
Using device /dev/hme (promiscuous mode)
10.10.10.50 ->; BROADCAST UDP D=177 S=2541 LEN=35
10.10.10.50 ->; BROADCAST UDP D=177 S=2541 LEN=35
10.10.10.50 ->; BROADCAST UDP D=177 S=2541 LEN=35
10. 监听所有的多播包, 并显示详细内容.
#snoop –v multicast
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 1 arrived at 12:33:2.16
ETHER: Packet size = 69 bytes
ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER: Source = 0:4:76:46:8f:50,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
- 4 -
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 55 bytes
IP: Identification = 14658
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 128 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = ed38
IP: Source address = 10.10.10.50, 10.10.10.50
IP: Destination address = 255.255.255.255, BROADCAST
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 2541
UDP: Destination port = 177
UDP: Length = 35
UDP: Checksum = 8E35
UDP:
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 2 arrived at 12:33:12.16
ETHER: Packet size = 69 bytes
ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER: Source = 0:4:76:46:8f:50,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 55 bytes
IP: Identification = 14985
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 128 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = ebf1
IP: Source address = 10.10.10.50, 10.10.10.50
- 5 -
IP: Destination address = 255.255.255.255, BROADCAST
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 2541
UDP: Destination port = 177
UDP: Length = 35
UDP: Checksum = 8E35
UDP:
11.监听所有的NTP 协议包
# snoop |grep – i NTP
Using device /dev/hme (promiscuous mode)
ts1 ->; 224.0.1.1 NTP broadcast (Tue Jul 23 12:48:50 2002)
ts1 ->; 224.0.1.1 NTP broadcast (Tue Jul 23 12:49:54 2002)
ts1 ->; 224.0.1.1 NTP broadcast (Tue Jul 23 12:50:58 2002)
ts1 ->; 224.0.1.1 NTP broadcast (Tue Jul 23 12:52:02 2002)
ts1 ->; 224.0.1.1 NTP broadcast (Tue Jul 23 12:53:06 2002)
ts1 ->; 224.0.1.1 NTP broadcast (Tue Jul 23 12:54:10 2002)
这里我们也可看到NTP server 每隔约一分钟即向多播地址广播一次.

Snoop抓包命令使用

格式1:
snoop -x 54 -ta tcp port <smsICP监听的端口> from (sp的ip)
例子 带端口抓包)
snoop -x 54 -ta tcp port 7890 host 221.130.45.142 |tee a.log
例子 不带端口抓包)
snoop -x 54 -ta host 211.94.131.202|tee 2005020900.log
snoop -x 54 -ta tcp port 7890 |tee a.log

================================================================
Solaris内置的IP抓包工具 SNOOP
学习TCP/IP协议的朋友,可以使用Solaris中的snoop,Linux中的tcpdump,Windows中的 EtherReal进行抓包分析。
这里,介绍Solaris中的snoop命令。
登陆Solaris shell环境,使用 snoop -c5 ,看看返回了什么?
--------------------------------------------------------------------------------
Using device /dev/bge0 (promiscuous mode)
           ? -> *            ETHER Type=BEBE (Unknown), size = 80 bytes
           ? -> (multicast) ETHER Type=4009 (Unknown), size = 80 bytes
           ? -> (multicast) ETHER Type=4009 (Unknown), size = 95 bytes
           ? -> *            ETHER Type=BEBE (Unknown), size = 80 bytes
           ? -> *            ETHER Type=BEBE (Unknown), size = 80 bytes
5 packets captured
--------------------------------------------------------------------------------

返回的时5个IP包的信息。
试试 snoop -c1 -x0,可以返回5个IP包的详细码流。
--------------------------------------------------------------------------------
Using device /dev/bge0 (promiscuous mode)
           ? -> *            ETHER Type=BEBE (Unknown), size = 80 bytes
           0: 0003 baa7 070a 0000 baa7 0707 bebe 0100    ................
          16: 01e3 2020 202c 2047 534d 425f 6464 6d5f    ..   , GSMB_ddm_
          32: 315f ffff ffff ffff 0000 bbeb f2cd 0806    1_..............
          48: 0001 0800 0604 0001 0000 bbeb f2cd 0a64    ...............d
          64: 0187 ffff ffff ffff 0a64 01be 0000 0000    .........d......
1 packets captured
--------------------------------------------------------------------------------

试试 snoop -c1 -v,可以返回IP头解析。
--------------------------------------------------------------------------------
Using device /dev/bge0 (promiscuous mode)

阅读全文>>

标签: 抓包 snoop Solaris

评论(0) 引用(0) 浏览(11520)

Powered by 易隐者 基于emlog 皖ICP备12002343号-1