Snoop 是Juniper防火墙另外一个有效的查错工具,它和debug flow basic的区别是:
snoop类似于在防火墙的接口上抓包,可以根据具体接口, 数据包的方向, 协议等等要素进行过滤抓包; debug flow
basic则对数据包如何穿越防火墙进行分析,将防火墙的对数据包的处理过程显示出来.
Snoop的使用举例如下:
1. 先设置过滤列表,使得防火墙只对需要的数据包进行分析. 即snoop filter命令:
ns208-> snoop filter ?
delete delete snoop filter
ethernet snoop specified ethernet
id snoop filter id
ip snoop ip packet
off turn off snoop filter
on turn on snoop filter
tcp snoop tcp packet
udp snoop udp packet
ns208-> snoop filter ip ?
direction snoop direction
dst-ip snoop filter dst ip
dst-port snoop filter dst port
interface interface name
ip-proto snoop filter ip proto
port src or dst port
src-ip snoop filter src ip
src-port snoop filter src port
IPv4 Address
offset ip offset
ns208-> snoop info
Snoop: OFF
Filters Defined: 2, Active Filters 2
Detail: OFF, Detail Display length: 96
Snoop filter based on:
id 1(on): IP dir(I)
id 2(on): IP dst-ip 172.27.68.1 dir(B)
2. 开启snoop 进行抓包
ns208-> snoop
Start Snoop, type ESC or 'snoop off' to stop, continue? [y]/n y
3. 发送测试数据包或让小部分流量穿越防火墙
4. 停止snoop
ns208-> snoop off
5. 检查防火墙对所转发的符合过滤条件的数据包的分析结果(非采用上面的filter,而是采用另外的filter):
ns208-> get db stream
1. The packet comes into the Netscreen from the Trusted side client.
55864.0: 0(i):005004bb815f->0010db00ab30/0800
10.0.0.36->10.10.10.14/1, tlen=60
vhl=45, id=31489, frag=0000, ttl=32
2. The packet then leaves the Netscreen, on it’s way to the destination host.
55864.0: 1(o):0010db00ab31->00104bf3d073/0800
10.10.10.10->10.10.10.14/1, tlen=60
vhl=45, id=31489, frag=0000, ttl=31
3. The packet then returns to the Netscreen from the host.
55864.0: 1(i):00104bf3d073->0010db00ab31/0800
10.10.10.14->10.10.10.10/1, tlen=60
vhl=45, id=12289, frag=0000, ttl=128
4. Finally, the packet is returned to the client on the trusted side.
55864.0: 0(o):0010db00ab30->005004bb815f/0800
10.10.10.14->10.0.0.36/1, tlen=60
vhl=45, id=12289, frag=0000, ttl=127
6. 清除防火墙缓存的debug结果:
ns208-> clear db
7. 清除防火墙的snoop过滤设置
ns208-> snoop filter delete
All filters removed
阅读(2801) | 评论(0) | 转发(0) |
