snoop command

From a command line interface (CLI) you can enter snoop ? to see the options for
this command. The command will not provide detailed information on the actions
the firewall is taking on packets flowing through it (for that you need to use
the debug command), but it will let you see what data is flowing through the
firewall.
    ns5gt-> snoop ? <return>
    detail               snoop detail configuration
    filter               snoop filter configuration
    info                 show snoop information
    off                  turn off snoop
    ns5gt-> snoop info
    Snoop: OFF
    Filters Defined: 0, Active Filters 0
    Detail: OFF, Detail Display length: 96
By default snoop sends its output to the debug buffer (dbuf) rather than the
console. If that setting has been changed, you can use set console dbuf to
restore the default.
The first step in using snoop is to create a filter so that you see only the
pertinent data, unless you want to see everything. In the example below, the
filter is set to show all data flowing through the firewall between
72.81.210.154 and 192.168.2.3 in both directions. The debug buffer, where the
data will be captured, is then cleared and snoop is started.
    ns5gt-> snoop filter ip src-ip 72.81.210.154 dst-ip 192.168.2.3 direction both
    snoop filter added
    ns5gt-> clear dbuf
    ns5gt-> snoop
    Start Snoop, type ESC or 'snoop off' to stop, continue? [y]/n y
The snoop filter options are as follows:
    ns5gt-> snoop filter ?
    delete               delete snoop filter
    ethernet             snoop specified ethernet
    id                   snoop filter id
    ip                   snoop ip packet
    off                  turn off snoop filter
    on                   turn on snoop filter
    tcp                  snoop tcp packet
    udp                  snoop udp packet
The options for setting an IP filter for snoop are as follows:
    ns5gt-> snoop filter ip ? <return>
    direction            snoop direction
    dst-ip               snoop filter dst ip
    dst-port             snoop filter dst port
    interface            interface name
    ip-proto             snoop filter ip proto
    port                 src or dst port
    src-ip               snoop filter src ip
    src-port             snoop filter src port
    <a.b.c.d>            IP Address
    offset               ip offset
You can view the status of snoop and see filter information with snoop info.
    ns5gt-> snoop info
    Snoop: ON
    Filters Defined: 1, Active Filters 1
    Detail: OFF, Detail Display length: 96
    Snoop filter based on:
    id 1(on): IP src-ip 72.81.210.154 dst-ip 192.168.2.3 dir(B)
You can use get dbuf to view the information captured in the debug buffer. The
CLI reference describes the dbuf commands as follows:

    get dbuf <arguments>
        info      show debug buffer info
        mem       show debug buffer memory content
        stream    show debug buffer stream

    This allows you to view console messages that have been redirected to the
    debug buffer (see set console dbuf above).

    set dbuf size <size>
        Increase the size of the dbuf buffer from the default of 32k.
    ns5gt-> get dbuf info
    count: 6515, last index: 6515, cur index: 0, size: 32768
    start: 0, pause: 0
    ns5gt-> get dbuf mem
    ====6515
    32 39 36 35 36 37 2e 30 3a 20 32 28 6f 29 3a 30 296567.0:.2(o):0
    30 31 30 64 62 37 64 32 38 36 32 2d 3e 30 30 31 010db7d2862->001
    37 33 66 34 34 39 37 35 31 2f 30 38 30 30 0d 0a 73f449751/0800..
    20 20 20 20 20 20 20 20 20 20 20 20 20 20 37 32 ..............72
    2e 38 31 2e 32 31 30 2e 31 35 34 2d 3e 31 39 32 .81.210.154->192
    2e 31 36 38 2e 32 2e 33 2f 36 2c 20 74 6c 65 6e .168.2.3/6,.tlen
    3d 35 32 0d 0a 20 20 20 20 20 20 20 20 20 20 20 =52.............
    <text snipped>
    ns5gt-> get dbuf stream
    296567.0: 2(o):0010db7d2862->00173f449751/0800
                  72.81.210.154->192.168.2.3/6, tlen=52
                  vhl=45, tos=00, id=32447, frag=4000, ttl=51
                  tcp:ports 22->2892, seq=970501524, ack=2243777306, flag=8012/SYN
    296568.0: 2(o):0010db7d2862->00173f449751/0800
                  72.81.210.154->192.168.2.3/6, tlen=61
                  vhl=45, tos=00, id=32448, frag=4000, ttl=51
                  tcp:ports 22->2892, seq=970501525, ack=2243777306, flag=5018
When you are paging through the display of the debug buffer's contents after
entering the get dbuf mem or get dbuf stream command (the latter can be
abbreviated to get db str), you will see --- more --- displayed. Typing q
stops the display.
If you want to store the contents of the buffer elsewhere for analysis, you can
send the buffer's contents to a Trivial File Transfer Protocol (TFTP) server.
In the example below, the buffer is sent to a file named netscreen.log on a
TFTP server with IP address 192.168.0.15. For further information on sending
log data to a TFTP server, see Send NetScreen Traffic Log to a TFTP Server.
    ns5gt-> get dbuf stream > tftp 192.168.0.15 netscreen.log
    redirect to 192.168.0.15,netscreen.log
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    tftp transferred records = 65
    tftp success!
By default, snoop captures only the first 96 bytes of each packet, i.e. the
headers, not the entire packet. If you want to capture the entire packet, use
snoop detail len, where len is the number of bytes you wish to capture for each
packet, e.g., snoop detail len 256 to capture the first 256 bytes of each
packet.
    ns5gt-> snoop detail ? <return>
    len                  snoop detail length
    off                  turn off snoop detail
    ns5gt-> snoop detail len ?
    <number>             packet length to display (range: 1 - 1514)
If you just use snoop detail, you will get the default length of 96 bytes, so
specify the maximum length if you want to capture the entire packet.
    ns5gt-> snoop info
    Snoop: OFF
    Filters Defined: 0, Active Filters 0
    Detail: ON, Detail Display length: 96
    ns5gt-> snoop detail
    ns5gt-> snoop info
    Snoop: OFF
    Filters Defined: 0, Active Filters 0
    Detail: ON, Detail Display length: 96
    ns5gt-> snoop detail len 1514
    ns5gt-> snoop info
    Snoop: OFF
    Filters Defined: 0, Active Filters 0
    Detail: ON, Detail Display length: 1514
If you wish to remove the filters you've created, you can use the command
snoop filter delete. You can disable snoop with snoop off.
    ns5gt-> snoop off
    Snoop off
    ns5gt-> snoop info
    Snoop: OFF
    Filters Defined: 1, Active Filters 1
    Detail: OFF, Detail Display length: 96
    Snoop filter based on:
    id 1(on): IP src-ip 72.81.210.154 dst-ip 192.168.2.3 dir(B)
    ns5gt-> snoop filter delete
    All filters removed
    ns5gt-> snoop info
    Snoop: OFF
    Filters Defined: 0, Active Filters 0
    Detail: OFF, Detail Display length: 96
If you want to delete only a specific filter rather than all filters, you can
use snoop filter id <number> delete, where <number> is the filter id.
    ns5gt-> snoop info
    Snoop: OFF
    Filters Defined: 2, Active Filters 2
    Detail: ON, Detail Display length: 96
    Snoop filter based on:
    id 1(on): IP src-ip 192.168.2.3 dir(B)
    id 2(on): IP src-ip 192.168.2.3 proto 17 dir(B)
    ns5gt-> snoop filter id 1 delete
    Filter id 1 removed
    ns5gt-> snoop info
    Snoop: OFF
    Filters Defined: 1, Active Filters 1
    Detail: ON, Detail Display length: 96
    Snoop filter based on:
    id 1(on): IP src-ip 192.168.2.3 proto 17 dir(B)
If I were interested in any UDP traffic from source address 72.81.210.154 to
any destination address on port 27900, I could clear the debug buffer of any
data already in it, delete any existing filters, and set the filter as shown
below. The IP protocol number for UDP is 17, so I use that value for ip-proto
to filter on just UDP traffic.
    ns5gt-> snoop filter delete
    All filters removed
    ns5gt-> clear dbuf
    ns5gt-> snoop filter ip src-ip 72.81.210.154 dst-port 27900 ip-proto 17
    snoop filter added
    ns5gt-> snoop info
    Snoop: OFF
    Filters Defined: 1, Active Filters 1
    Detail: OFF, Detail Display length: 96
    Snoop filter based on:
    id 1(on): IP src-ip 72.81.210.154 dst-port 27900 proto 17 dir(B)
    ns5gt-> snoop
    Start Snoop, type ESC or 'snoop off' to stop, continue? [y]/n y
    ns5gt-> get dbuf stream
    305728.0: 1(i):001d70cce905->0010db7d2861/0800
                  72.81.210.154->10.45.13.244/17, tlen=35
                  vhl=45, tos=00, id=35246, frag=0000, ttl=52
                  udp:ports 3040->27900, len=15
    ns5gt-> get dbuf mem
    ====209
    33 30 35 37 32 38 2e 30 3a 20 31 28 69 29 3a 30 305728.0:.1(i):0
    30 31 64 37 30 63 63 65 39 30 35 2d 3e 30 30 31 01d70cce905->001
    30 64 62 37 64 32 38 36 31 2f 30 38 30 30 0d 0a 0db7d2861/0800..
    20 20 20 20 20 20 20 20 20 20 20 20 20 20 37 32 ..............72
    2e 38 31 2e 32 31 30 2e 31 35 34 2d 3e 31 30 2e .81.210.154->10.
    34 35 2e 31 33 2e 32 34 34 2f 31 37 2c 20 74 6c 45.13.244/17,.tl
    65 6e 3d 33 35 0d 0a 20 20 20 20 20 20 20 20 20 en=35...........
    20 20 20 20 20 76 68 6c 3d 34 35 2c 20 74 6f 73 .....vhl=45,.tos
    3d 30 30 2c 20 69 64 3d 33 35 32 34 36 2c 20 66 =00,.id=35246,.f
    72 61 67 3d 30 30 30 30 2c 20 74 74 6c 3d 35 32 rag=0000,.ttl=52
    0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ................
    75 64 70 3a 70 6f 72 74 73 20 33 30 34 30 2d 3e udp:ports.3040->
    32 37 39 30 30 2c 20 6c 65 6e 3d 31 35 0d 0a 0d 27900,.len=15...
    0a                                              .
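As an added example (not from the original page or from NetScreen), here is a small Python parser for the get dbuf stream records and the get dbuf mem hex dump shown above, the kind of thing you can run over a netscreen.log pulled via TFTP. The sample inputs are constructed from the page's own captures, and matches_filter's handling of direction both (either address order is accepted) is my assumption about the filter semantics.

```python
import re

# Constructed sample of `get dbuf stream` output (values taken from the page's captures).
STREAM = """\
ns5gt-> get dbuf stream
296567.0: 2(o):0010db7d2862->00173f449751/0800
          72.81.210.154->192.168.2.3/6, tlen=52
          vhl=45, tos=00, id=32447, frag=4000, ttl=51
          tcp:ports 22->2892, seq=970501524, ack=2243777306, flag=8012/SYN
305728.0: 1(i):001d70cce905->0010db7d2861/0800
          72.81.210.154->10.45.13.244/17, tlen=35
          vhl=45, tos=00, id=35246, frag=0000, ttl=52
          udp:ports 3040->27900, len=15
"""
# Constructed sample of `get dbuf mem` output: the first three dump lines of the page's capture.
MEM = """\
====6515
32 39 36 35 36 37 2e 30 3a 20 32 28 6f 29 3a 30 296567.0:.2(o):0
30 31 30 64 62 37 64 32 38 36 32 2d 3e 30 30 31 010db7d2862->001
37 33 66 34 34 39 37 35 31 2f 30 38 30 30 0d 0a 73f449751/0800..
"""
# Record header: timestamp: interface(i|o):srcmac->dstmac/ethertype
HEADER = re.compile(r"^(\d+\.\d+): (\d+)\(([io])\):([0-9a-f]{12})->([0-9a-f]{12})/([0-9a-f]{4})$")
IPLINE = re.compile(r"^([\d.]+)->([\d.]+)/(\d+), tlen=(\d+)$")
L4LINE = re.compile(r"^(tcp|udp):ports (\d+)->(\d+)")

def decode_mem(text):
    """Turn `get dbuf mem` lines (16 hex bytes + one ASCII preview token) back into text."""
    out = bytearray()
    for toks in (ln.split() for ln in text.splitlines()):
        if len(toks) >= 2 and all(re.fullmatch(r"[0-9a-f]{2}", t) for t in toks[:-1]):
            out += bytes.fromhex("".join(toks[:-1]))  # drop the preview, keep the bytes
    return out.decode("ascii", "replace")

def parse_stream(text):
    """One dict per packet record; prompts and unrecognised lines are skipped."""
    records, cur = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := HEADER.match(line):
            ts, ifnum, d, smac, dmac, etype = m.groups()
            cur = {"ts": float(ts), "ifnum": int(ifnum), "direction": "in" if d == "i" else "out",
                   "smac": smac, "dmac": dmac, "ethertype": etype}
            records.append(cur)
        elif cur and (m := IPLINE.match(line)):
            cur.update(sip=m[1], dip=m[2], proto=int(m[3]), tlen=int(m[4]))
        elif cur and (m := L4LINE.match(line)):
            cur.update(l4=m[1], sport=int(m[2]), dport=int(m[3]))
    return records

def matches_filter(rec, src_ip=None, dst_ip=None, dst_port=None, ip_proto=None, both=True):
    """Offline check against a snoop-style IP filter; both=True mirrors `direction both`
    as I read it (either address order accepted), which is an assumption."""
    fits = lambda s, d: src_ip in (None, s) and dst_ip in (None, d)
    if not (fits(rec.get("sip"), rec.get("dip")) or both and fits(rec.get("dip"), rec.get("sip"))):
        return False
    return ip_proto in (None, rec.get("proto")) and dst_port in (None, rec.get("dport"))
```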
Scripts that let you view NetScreen snoop packet capture information with other sniffer tools, such as Wireshark (formerly known as Ethereal), are available at NetScreen snoop output to pcap [not tested].
If you need to see how the firewall is processing packets and applying policies to them, you can use the debugging commands instead.
Created: April 11, 2009