NetScreen Snoop Command

A useful tool for troubleshooting data flow problems through a NetScreen firewall is the snoop command. From a command line interface (CLI) you can enter snoop ? to see options for this command. The command will not provide detailed information on the actions the firewall is taking on packets flowing through it - for that you need to use the debug command - but it will allow you to see what data is flowing through the firewall. 
ns5gt-> snoop ?
<return>
detail               snoop detail configuration
filter               snoop filter configuration
info                 show snoop information
off                  turn off snoop
ns5gt-> snoop info
Snoop: OFF
Filters Defined: 0, Active Filters 0
Detail: OFF, Detail Display length: 96

By default snoop sends its output to the dbug buffer rather than the console. If that setting has been changed, you can use set console dbuf to set it to the default value.

The first step in using snoop is to create a filter so that you see only the pertinent data, unless you want to see everything. In the example below, the filter is set to show all data flowing through the firewall between 72.81.210.154 and 192.168.2.3 in both directions. The debug buffer, where the data will be captured, is then cleared and snoop is started.

ns5gt-> snoop filter ip src-ip 72.81.210.154 dst-ip 192.168.2.3 direction both
snoop filter added
ns5gt-> clear dbuf
ns5gt-> snoop
Start Snoop, type ESC or 'snoop off' to stop, continue? [y]/n y

The snoop filter options are as follows:

ns5gt-> snoop filter ?
delete               delete snoop filter
ethernet             snoop specified ethernet
id                   snoop filter id
ip                   snoop ip packet
off                  turn off snoop filter
on                   turn on snoop filter
tcp                  snoop tcp packet
udp                  snoop udp packet

The options for setting an IP filter for snoop are as follows:

ns5gt-> snoop filter ip ?
<return>
direction            snoop direction
dst-ip               snoop filter dst ip
dst-port             snoop filter dst port
interface            interface name
ip-proto             snoop filter ip proto
port                 src or dst port
src-ip               snoop filter src ip
src-port             snoop filter src port
<a.b.c.d>            IP Address
offset               ip offset

You can view the status of snoop and see filter information with snoop info.

ns5gt-> snoop info
Snoop: ON
Filters Defined: 1, Active Filters 1
Detail: OFF, Detail Display length: 96
Snoop filter based on:
id 1(on): IP src-ip 72.81.210.154 dst-ip 192.168.2.3 dir(B)

You can use get dbuf to view the information captured in the debug buffer.

dbuf 

get dbuf <arguments>
info        show debug buffer info
mem         show debug buffer memory content
stream      show debug buffer stream

This allows you to view console messages that have been redirected to a debug buffer above.

set dbuf size <size>

Increase the size of the dbuf buffer from the default of 32k.

ns5gt-> get dbuf info
count: 6515, last index: 6515, cur index: 0, size: 32768
start: 0, pause: 0
ns5gt-> get dbuf mem
====6515
32 39 36 35 36 37 2e 30 3a 20 32 28 6f 29 3a 30     296567.0:.2(o):0
30 31 30 64 62 37 64 32 38 36 32 2d 3e 30 30 31     010db7d2862->001
37 33 66 34 34 39 37 35 31 2f 30 38 30 30 0d 0a     73f449751/0800..
20 20 20 20 20 20 20 20 20 20 20 20 20 20 37 32     ..............72
2e 38 31 2e 32 31 30 2e 31 35 34 2d 3e 31 39 32     .81.210.154->192
2e 31 36 38 2e 32 2e 33 2f 36 2c 20 74 6c 65 6e     .168.2.3/6,.tlen
3d 35 32 0d 0a 20 20 20 20 20 20 20 20 20 20 20     =52.............
<text snipped>
ns5gt-> get dbuf stream
296567.0: 2(o):0010db7d2862->00173f449751/0800
              72.81.210.154->192.168.2.3/6, tlen=52
              vhl=45, tos=00, id=32447, frag=4000, ttl=51
              tcp:ports 22->2892, seq=970501524, ack=2243777306, flag=8012/SY
N

296568.0: 2(o):0010db7d2862->00173f449751/0800
              72.81.210.154->192.168.2.3/6, tlen=61
              vhl=45, tos=00, id=32448, frag=4000, ttl=51
	      tcp:ports 22->2892, seq=970501525, ack=2243777306, flag=5018

When you are paging through the display of the debug buffers contents after entering the get dbuf mem or get dbuf stream, which can be abbreviated to get db str, commands, you will see --- more --- displayed. If you type q you can stop the display of information.

If you want to store the contents of the buffer elsewhere for analysis, you can send the buffer's contents to a Trivial File Transfer Protocol (TFTP) server. In the example, below the buffer is sent to a file named netscreen.log on a TFTP server witth IP address 192.168.0.15. For further information on sending log data to a TFTP server, see Send NetScreen Traffic Log to a TFTP Server.

ns5gt-> get dbuf stream > tftp 192.168.0.15 netscreen.log
redirect to 192.168.0.15,netscreen.log
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
tftp transferred records = 65
tftp success!

By default, snoop will only capture the headers of packets, i.e. 96 bytes. It won't capture the entire packet. If you want to capture the entire packet, you will need to use snoop detail len, where len specifies the amount of data in bytes you wish to capture for each packet, e.g., snoop detail len 256 to capture the first 256 bytes of packets..

ns5gt-> snoop detail ?
<return>
len                  snoop detail length
off                  turn off snoop detail
ns5gt-> snoop detail len ?
<number>             packet length to display (range: 1 - 1514)

If you just use snoop detail, you will get the default length of 96 bytes. So specify the maximum length, if you want to capture the entire packet.

ns5gt-> snoop info
Snoop: OFF
Filters Defined: 0, Active Filters 0
Detail: ON, Detail Display length: 96
ns5gt-> snoop detail
ns5gt-> snoop info
Snoop: OFF
Filters Defined: 0, Active Filters 0
Detail: ON, Detail Display length: 96
ns5gt-> snoop detail len 1514
ns5gt-> snoop info
Snoop: OFF
Filters Defined: 0, Active Filters 0
Detail: ON, Detail Display length: 1514

If you wish to remove the filters you've created you can use the command snoop filter delete. You can disable snoop with snoop off.

ns5gt-> snoop off
Snoop off
ns5gt-> snoop info
Snoop: OFF
Filters Defined: 1, Active Filters 1
Detail: OFF, Detail Display length: 96
Snoop filter based on:
id 1(on): IP src-ip 72.81.210.154 dst-ip 192.168.2.3 dir(B)
ns5gt-> snoop filter delete
All filters removed
ns5gt-> snoop info
Snoop: OFF
Filters Defined: 0, Active Filters 0
Detail: OFF, Detail Display length: 96

If you want to delete only a specific filter rather than all filters you can use snoop filter id <number> delete where <number> is the filter id.

ns5gt-> snoop info
Snoop: OFF
Filters Defined: 2, Active Filters 2
Detail: ON, Detail Display length: 96
Snoop filter based on:
id 1(on): IP src-ip 192.168.2.3 dir(B)
id 2(on): IP src-ip 192.168.2.3 proto 17 dir(B)
ns5gt-> snoop filter id 1 delete
Filter id 1 removed
ns5gt-> snoop info
Snoop: OFF
Filters Defined: 1, Active Filters 1
Detail: ON, Detail Display length: 96
Snoop filter based on:
id 1(on): IP src-ip 192.168.2.3 proto 17 dir(B)

If I was interested in any UDP traffic from source address 72.81.210.154 to any destination address on port 27900, I could clear the debug buffer of any data already in it, delete any existing filters, and set the filter as shown below. The IP protocol number for UDP is 17, so I use that value for ip-proto to filter on just UDP traffic.

ns5gt-> snoop filter delete
All filters removed
ns5gt-> clear dbuf
ns5gt-> snoop filter ip src-ip 72.81.210.154 dst-port 27900 ip-proto 17
snoop filter added
ns5gt-> snoop info
Snoop: OFF
Filters Defined: 1, Active Filters 1
Detail: OFF, Detail Display length: 96
Snoop filter based on:
id 1(on): IP src-ip 72.81.210.154 dst-port 27900 proto 17 dir(B)
ns5gt-> snoop
Start Snoop, type ESC or 'snoop off' to stop, continue? [y]/n y
ns5gt-> get dbuf stream
305728.0: 1(i):001d70cce905->0010db7d2861/0800
              72.81.210.154->10.45.13.244/17, tlen=35
              vhl=45, tos=00, id=35246, frag=0000, ttl=52
              udp:ports 3040->27900, len=15

ns5gt-> get dbuf mem
====209
33 30 35 37 32 38 2e 30 3a 20 31 28 69 29 3a 30     305728.0:.1(i):0
30 31 64 37 30 63 63 65 39 30 35 2d 3e 30 30 31     01d70cce905->001
30 64 62 37 64 32 38 36 31 2f 30 38 30 30 0d 0a     0db7d2861/0800..
20 20 20 20 20 20 20 20 20 20 20 20 20 20 37 32     ..............72
2e 38 31 2e 32 31 30 2e 31 35 34 2d 3e 31 30 2e     .81.210.154->10.
34 35 2e 31 33 2e 32 34 34 2f 31 37 2c 20 74 6c     45.13.244/17,.tl
65 6e 3d 33 35 0d 0a 20 20 20 20 20 20 20 20 20     en=35...........
20 20 20 20 20 76 68 6c 3d 34 35 2c 20 74 6f 73     .....vhl=45,.tos
3d 30 30 2c 20 69 64 3d 33 35 32 34 36 2c 20 66     =00,.id=35246,.f
72 61 67 3d 30 30 30 30 2c 20 74 74 6c 3d 35 32     rag=0000,.ttl=52
0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20     ................
75 64 70 3a 70 6f 72 74 73 20 33 30 34 30 2d 3e     udp:ports.3040->
32 37 39 30 30 2c 20 6c 65 6e 3d 31 35 0d 0a 0d     27900,.len=15...
0a                                                  .

Scripts to allow you to view NetScreen snoop packet capture information wtih other sniffer tools, such as WireShark, formerly known as Ethereal, are available at NetScreen snoop output to pcap [not tested].

If you need to see how the firewall is processing packets and applying policies to them, you can use the debugging commands instead.

References:

  1. Netscreen Snoop Command
    Scribd
  2. ScreenOS Hidden Commands Revealed
    By: Stephen Gill
    Version: 4.01
    Published: December 10, 2002
    Stephen Gill's home on cymru.com.
  3. NetScreen snoop output to pcap
    By: Florent
    Date: January 11, 2006
    NETwork Security Consortium
  4. ScreenOS: Analyze traffic
    By: Earthbreaker
    Date: February 21, 2009
    Codesnake

Valid HTML 4.01 Transitional

Created: April 11, 2009