ns5xp-> snoop filter ip port 3389
snoop filter ip port 3389
ns5xp-> snoop
snoop
Start Snoop, type ESC or 'snoop off' to stop, continue? [y]/n y
y
ns5xp->
I cleared the debugging buffer where the filtered data would be stored.
ns5xp-> clear dbuf
clear dbuf
ns5xp->
Then I attempted to make an RDP connection to the Microsoft Windows system from an Ubuntu Linux system using rdesktop. The system failed to connect every time I attempted to establish an RDP connection from the Linux system to the Microsoft Windows system. I was attempting to tunnel the RDP connection to the Microsoft Windows system via an SSH connection to another Linux system, which I had created with ssh -L 3389:192.168.0.2:3389 jdoe@example.com, so I was expecting that the RDP traffic would traverse the tunnel to example.com and be sent from there to the Microsoft Windows system's IP address. But the connectivity always failed.
$ rdesktop -0 127.0.0.1
Autoselected keyboard map en-us
ERROR: Connection closed
When I examined the buffer on the Netscreen firewall, nothing was logged in the buffer, i.e. the filter did not capture any activity.
ns5xp-> get dbuf info
get dbuf info
count: 0, last index: 0, cur index: 0, size: 32768
start: 0, pause: 0
ns5xp-> get dbuf stream
get dbuf stream
ns5xp-> get dbuf mem
get dbuf mem
ns5xp->
I double-checked the filter to make sure it was active and looking for activity on port 3389; it was set properly.
ns5xp-> snoop info
snoop info
Snoop: ON
Filters Defined: 1, Active Filters 1
Detail: OFF, Detail Display length: 96
Snoop filter based on:
id 1(on): IP port 3389 dir(B)
ns5xp-> get dbuf info
get dbuf info
count: 0, last index: 0, cur index: 0, size: 32768
start: 0, pause: 0
ns5xp->
Then I realized that I had specified the wrong IP address when I had created the tunnel over SSH for the RDP traffic. I had mistakenly used the IP address of the router/firewall rather than the IP address of the Microsoft Windows system behind it, forgetting that it wasn't performing network address translation (NAT). When I disconnected the SSH session and established a new session with the correct IP address, i.e. using ssh -L 3389:172.16.22.5:3389 jdoe@example.com, I was able to establish the RDP connection via the SSH tunnel and observe that traffic on port 3389 was being seen by the firewall with the "get dbuf info", "get dbuf stream", and "get dbuf mem" commands.
ns5xp-> get dbuf info
get dbuf info
count: 32768, last index: 24257, cur index: 24258, size: 32768
start: 24258, pause: 0
ns5xp-> get dbuf stream
get dbuf stream
g=4000, ttl=128
              tcp:ports 3389->57005, seq=3447249398, ack=2372863626, flag=8010

95271.0: 2(i):f8bc129b78cc->0010db0c7dd2/0800
              192.168.0.5->172.16.22.5/6, tlen=1500
              vhl=45, tos=00, id=21231, frag=4000, ttl=128
              tcp:ports 3389->57005, seq=3447250846, ack=2372863626, flag=8010

95271.0: 2(i):f8bc129b78cc->0010db0c7dd2/0800
              192.168.0.5->172.16.22.5/6, tlen=1500
              vhl=45, tos=00, id=21232, frag=4000, ttl=128
              tcp:ports 3389->57005, seq=3447252294, ack=2372863626, flag=8018

95271.0: 2(i):f8bc129b78cc->0010db0c7dd2/0800
              192.168.0.5->172.16.22.5/6, tlen=1500
              vhl=45, tos=00, id=21233, frag=4000, ttl=128
              tcp:ports 3389->57005, seq=3447253742, ack=2372863626, flag=8010

95271.0: 2(i):f8bc129b78cc->0010db0c7dd2/0800
              192.168.0.5->172.16.22.5/6, tlen=1500
              vhl=45, tos=00, id=21234, frag=4000, ttl=128
              tcp:ports 3389->57005, seq=3447255190, ack=2372863626, flag=8010
--- more --- q

95271.0: 2(i):f8bc129b78cc->0010db0c7dd2/0800
              192.168.0.5->172.16.22.5/6, tlen=1500
              vhl=45, tos=00, id=21235, frag=4000, ttl=128
              tcp:ports 3389->57005, seq=3447256638, ack=2372863626, flag=8010

95271.0: 2(i):f8bc129b78cc->0010db0c7dd2/0800
              192.168.0.5->172.16.22.5/6, tlen=1500
              vhl=45, tos=00, id=21236, frag=4000, ttl=128
              tcp:ports 3389->57005, seq=3447258086, ack=2372863626, flag=8010

95271.0: 2(i):f8bc129b78cc->0010db0c7dd2/0800
              192.168.0.5->172.16.22.5/6, tlen=1500
              vhl=45, tos=00, id=21237, frag=4000, ttl=128
              tcp:ports 3389->57005, seq=3447259534, ack=2372863626, flag=8010

95271.0: 2(i):f8bc129b78cc->0010db0c7dd2/0800
              192.168.0.5->172.16.22.5/6, tlen=1500
ns5xp->
ns5xp-> get dbuf mem
get dbuf mem
====32768
3d 30 30 2c 20 69 64 3d 32 31 32 34 36 2c 20 66  =00,.id=21246,.f
72 61 67 3d 34 30 30 30 2c 20 74 74 6c 3d 31 32  rag=4000,.ttl=12
38 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20  8...............
20 74 63 70 3a 70 6f 72 74 73 20 33 33 38 39 2d  .tcp:ports.3389-
3e 35 37 30 30 35 2c 20 73 65 71 3d 33 34 34 37  >57005,.seq=3447
32 37 32 35 36 36 2c 20 61 63 6b 3d 32 33 37 32  272566,.ack=2372
38 36 33 36 32 36 2c 20 66 6c 61 67 3d 38 30 31  863626,.flag=801
30 0d 0a 0d 0a 39 35 32 37 31 2e 30 3a 20 32 28  0....95271.0:.2(
69 29 3a 66 38 62 63 31 32 39 62 37 38 63 63 2d  i):f8bc129b78cc-
3e 30 30 31 30 64 62 30 63 37 64 64 32 2f 30 38  >0010db0c7dd2/08
30 30 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20  00..............
20 20 31 39 32 2e 31 36 38 2e 30 2e 35 2d 3e 31  ..192.168.0.5->1
37 32 2e 31 36 2e 32 32 2e 35 2f 36 2c 20 74 6c  72.16.22.5/6,.tl
65 6e 3d 31 35 30 30 0d 0a 20 20 20 20 20 20 20  en=1500.........
20 20 20 20 20 20 20 76 68 6c 3d 34 35 2c 20 74  .......vhl=45,.t
6f 73 3d 30 30 2c 20 69 64 3d 32 31 32 34 37 2c  os=00,.id=21247,
20 66 72 61 67 3d 34 30 30 30 2c 20 74 74 6c 3d  .frag=4000,.ttl=
31 32 38 0d 0a 20 20 20 20 20 20 20 20 20 20 20  128.............
20 20 20 74 63 70 3a 70 6f 72 74 73 20 33 33 38  ...tcp:ports.338
39 2d 3e 35 37 30 30 35 2c 20 73 65 71 3d 33 34  9->57005,.seq=34
34 37 32 37 34 30 31 34 2c 20 61 63 6b 3d 32 33  47274014,.ack=23
--- more --- q
37 32 38 36 33 36 32 36 2c 20 66 6c 61 67 3d 38  72863626,.flag=8
30 31 38 0d 0a 0d 0a 39 35 32 37 31 2e 30 3a 20  018....95271.0:.
ns5xp->
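To check a captured "get dbuf stream" dump against what you expected to see (here: that port 3389 traffic is really flowing between 192.168.0.5 and 172.16.22.5, and in which direction), the following is an added Python parser for that record layout. It is not part of the original post; it assumes the four-line record format shown above and treats the hex flag word as the TCP data-offset/flags bytes.

```python
import re
from collections import Counter

# Constructed sample in the four-line record layout ScreenOS prints for "get dbuf stream";
# the leading fragment mimics a buffer that wrapped before the first complete record.
SAMPLE = """\
g=4000, ttl=128
              tcp:ports 3389->57005, seq=3447249398, ack=2372863626, flag=8010
95271.0: 2(i):f8bc129b78cc->0010db0c7dd2/0800
              192.168.0.5->172.16.22.5/6, tlen=1500
              vhl=45, tos=00, id=21231, frag=4000, ttl=128
              tcp:ports 3389->57005, seq=3447250846, ack=2372863626, flag=8010
95271.0: 2(i):f8bc129b78cc->0010db0c7dd2/0800
              192.168.0.5->172.16.22.5/6, tlen=1500
              vhl=45, tos=00, id=21232, frag=4000, ttl=128
              tcp:ports 3389->57005, seq=3447252294, ack=2372863626, flag=8018
--- more --- q
"""
HDR = re.compile(r"^(?P<ts>[\d.]+): (?P<ifidx>\S+?)\((?P<dir>[io])\):(?P<smac>[0-9a-f]{12})->(?P<dmac>[0-9a-f]{12})/(?P<etype>[0-9a-f]{4})$")
IP = re.compile(r"^(?P<src>[\d.]+)->(?P<dst>[\d.]+)/(?P<proto>\d+), tlen=(?P<tlen>\d+)$")
TCP = re.compile(r"^tcp:ports (?P<sport>\d+)->(?P<dport>\d+), seq=(?P<seq>\d+), ack=(?P<ack>\d+), flag=(?P<flag>[0-9a-f]+)$")

def parse_stream(text):
    """Return one dict per complete packet record; truncated records are dropped."""
    pkts, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HDR.match(line)
        if m:                          # a header line opens a new record
            if cur and "dport" in cur:
                pkts.append(cur)
            cur = m.groupdict()
        elif cur is not None:          # indented detail lines belong to the open record
            m = IP.match(line) or TCP.match(line)
            if m:
                cur.update(m.groupdict())
    if cur and "dport" in cur:         # flush the last record
        pkts.append(cur)
    return pkts

# Assumption: the hex 'flag' word is TCP header bytes 12-13 (data-offset nibble plus
# flag bits), so 8010 decodes to ACK and 8018 to PSH+ACK; only the low six bits are tested.
FLAG_BITS = (("FIN", 1), ("SYN", 2), ("RST", 4), ("PSH", 8), ("ACK", 16), ("URG", 32))

def tcp_flags(word):
    return [name for name, bit in FLAG_BITS if int(word, 16) & bit]

def flows_on_port(pkts, port):
    """Packet count per (src, dst, sport, dport) tuple that involves `port`."""
    return Counter((p["src"], p["dst"], int(p["sport"]), int(p["dport"]))
                   for p in pkts if port in (int(p["sport"]), int(p["dport"])))
```

A flow keyed on the firewall's own address instead of the Windows host, or no flow at all for port 3389, is exactly the kind of tunnel misconfiguration described in the post.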