Basic sniffer:
Description of the command:
# diag sniffer packet <interface> <'filter'> <verbose> <count> a
<interface> name of the interface, or 'any' for all interfaces.
<'filter'> capture filter.
'[[src|dst] host] [ and [src|dst] host] [ and [arp|ip|gre|esp|udp|tcp] [ and port_no]] [ and [arp|ip|gre|esp|udp|tcp] [and port_no]]'
<verbose> verbosity level.
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
<count> number of packets to capture.
If omitted, press Ctrl+C to stop the capture.
a absolute timestamps in the capture.
Examples:
default
> diagnose sniffer packet any 'port 22'
0.543575 1.1.1.1.22 -> 2.2.2.2.34448: psh 638361745 ack 293590198
0.543589 1.1.1.1.22 -> 2.2.2.2.34448: psh 638361857 ack 293590198
0.543737 2.2.2.2.34448 -> 1.1.1.1.22: ack 638358945
0.543749 1.1.1.1.22 -> 2.2.2.2.34448: psh 638361969 ack 293590198
0.543738 2.2.2.2.34448 -> 1.1.1.1.22: ack 638359729
0.543764 1.1.1.1
verbose
> diagnose sniffer packet any 'port 22' 1 1
interfaces=[any]
filters=[port 22]
1.005527 1.1.1.1.37517 -> 2.2.2.7.22: syn 2823825048


> diagnose sniffer packet any 'port 22' 2 1
interfaces=[any]
filters=[port 22]
1.159624 192.168.2.250.3367 -> 192.168.0.169.22: psh 1366981107 ack 176086212
0x0000 4500 0048 fd16 4000 8006 78a5 c0a8 02fa E..H..@...x.....
0x0010 c0a8 00a9 0d27 0016 517a 79f3 0a7e dcc4 .....'..Qzy..~..
0x0020 5018 fedf 8c2b 0000 7c8c bd38 f5e5 0af6 P....+..|..8....
0x0030 76df add4 d014 d25f 82b3 e2b6 145b 9bb4 v......_.....[..
0x0040 6504 a850 0469 b6bd e..P.i..


> diagnose sniffer packet any 'port 22' 3 1
interfaces=[any]
filters=[port 22]
0.317691 1.1.1.1.53521 -> 2.2.2.2.22: fin 731606663 ack 2768667455
0x0000 0000 0000 0001 90b1 1c2f fb1d 0800 4508 ........./....E.
0x0010 0034 f7ef 4000 4006 b840 c0a8 0932 c0a8 .4..@.@..@...2..
0x0020 0009 d111 0016 2b9b 6e87 a506 833f 8011 ......+.n....?..
0x0030 00f4 f9c4 0000 0101 080a 5e9f 96d9 efc7 ..........^.....
0x0040 78a6 x.


> diagnose sniffer packet any 'port 22' 4 1
interfaces=[any]
filters=[port 22]
0.486746 Net8 in 1.1.1.1.60910 -> 2.2.2.3.22: fin 918789060 ack 525061782


> diagnose sniffer packet any 'port 22' 5 1
interfaces=[any]
filters=[port 22]
0.421809 Net8 in 1.1.1.1.54727 -> 2.2.2.4.22: syn 4025670350
0x0000 4500 003c 18f7 4000 4006 967d c0a8 0932 E..<..@.@..}...2
0x0010 c0a8 00c5 d5c7 0016 eff2 dace 0000 0000 ................
0x0020 a002 3908 c237 0000 0204 05b4 0402 080a ..9..7..........
0x0030 5e9f c239 0000 0000 0103 0307 ^..9........


> diagnose sniffer packet any 'port 22' 6 1
interfaces=[any]
filters=[port 22]
0.895918 Net8 in 1.1.1.1.38691 -> 2.2.2.5.22: fin 3587646846 ack 1482496291
0x0000 0000 0000 0001 90b1 1c2f fb1d 0800 4508 ........./....E.
0x0010 0034 d4eb 4000 4006 daa3 c0a8 0932 c0a8 .4..@.@......2..
0x0020 00aa 9723 0016 d5d7 257e 585d 1923 8011 ...#....%~X].#..
0x0030 0139 a338 0000 0101 080a 5e9f cfcb 53b0 .9.8......^...S.
0x0040 c0f2 ..
absolute time
> diagnose sniffer packet any 'port 22' 4 2 a
interfaces=[any]
filters=[port 22]
2015-04-17 05:52:54.849437 Net8 in 1.1.1.1.47156 -> 4.4.4.6.22: fin 1538782504 ack 634199533
2015-04-17 05:52:54.849443 Net7 out 10.10.10.10.47156 -> 4.4.4.6.22: fin 1538782504 ack 634199533
Examples of filters on the hex content (byte offsets into the headers):
Match TTL = 1
# diagnose sniffer packet port2 "ip[8:1] = 0x01"

Match Source IP address = 192.168.1.2:
# diagnose sniffer packet internal "(ether[26:4]=0xc0a80102)"

Match Source MAC = 00:09:0f:89:10:ea
# diagnose sniffer packet internal "(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)"

Match Destination MAC = 00:09:0f:89:10:ea
# diagnose sniffer packet internal "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"

Match ARP packets only
# diagnose sniffer packet internal "ether proto 0x0806"

TCP or UDP flags can be addressed using the following:

Match packets with RST flag set:
# diagnose sniffer packet internal "tcp[13] & 4 != 0"

Match packets with SYN flag set:
# diagnose sniffer packet internal "tcp[13] & 2 != 0"

Match packets with SYN-ACK flag set:
# diagnose sniffer packet internal "tcp[13] = 18"
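As an added worked example (not part of the original page), the Python below rebuilds the frame from the verbose-3 hex dump shown earlier and evaluates byte-offset filters of the kind listed above against it, so an offset (Ethernet header at 0, IP header at 14, TCP after the IHL-sized IP header) can be checked before it is typed into the sniffer. Note that the hex dump carries the real addresses (192.168.9.50 -> 192.168.0.9) while the one-line summary above it was sanitised to 1.1.1.1/2.2.2.2; the filter matches on the bytes, not on the summary. The function names are my own and the code assumes untagged Ethernet II over IPv4, as in the page's dumps.

```python
import re

# Constructed from the page's verbose-3 dump ("diagnose sniffer packet any 'port 22' 3 1");
# at verbose 3 the bytes start at the Ethernet header, at verbose 2 at the IP header.
PAGE_DUMP = """\
0x0000 0000 0000 0001 90b1 1c2f fb1d 0800 4508 ........./....E.
0x0010 0034 f7ef 4000 4006 b840 c0a8 0932 c0a8 .4..@.@..@...2..
0x0020 0009 d111 0016 2b9b 6e87 a506 833f 8011 ......+.n....?..
0x0030 00f4 f9c4 0000 0101 080a 5e9f 96d9 efc7 ..........^.....
0x0040 78a6 x.
"""
DUMP_LINE = re.compile(r"^0x[0-9a-f]{4}((?: [0-9a-f]{4}){0,8}(?: [0-9a-f]{2})?)")

def frame_from_dump(dump):
    """Rebuild the raw frame from hex-dump lines (offset, up to 8 hex words, ASCII column)."""
    frame = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:
            frame += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(frame)

# Header bases for ether[]/ip[]/tcp[] offsets; assumes untagged Ethernet II + IPv4 (as on the page).
BASE = {"ether": lambda f: 0, "ip": lambda f: 14,
        "tcp": lambda f: 14 + (f[14] & 0x0F) * 4, "udp": lambda f: 14 + (f[14] & 0x0F) * 4}

def field(frame, proto, off, size=1):
    """Big-endian integer of `size` bytes at `off` from the start of the named header."""
    start = BASE[proto](frame) + off
    return int.from_bytes(frame[start:start + size], "big")

FIELD = re.compile(r"\b(ether|ip|tcp|udp)\[(\d+)(?::(\d+))?\]")

def match(frame, expr):
    """True if a FortiGate-style offset filter such as "tcp[13] & 4 != 0" matches the frame."""
    e = FIELD.sub(lambda m: str(field(frame, m[1], int(m[2]), int(m[3] or 1))), expr)
    e = re.sub(r"ether proto (0x[0-9a-fA-F]+)",
               lambda m: f"{field(frame, 'ether', 12, 2)} == {m[1]}", e)
    e = re.sub(r"(?<![!<>=])=(?!=)", "==", e)              # a lone '=' means equality
    if not re.fullmatch(r"[0-9a-fA-Fxnor\s()&|!=<>]*", e):  # numbers, operators, and/or only
        raise ValueError("unsupported filter syntax: " + expr)
    return bool(eval(e, {"__builtins__": {}}, {}))          # whitelisted characters only

def decode(frame):
    """Summarise the frame the way the sniffer's one-line packet header does."""
    ip = lambda off: ".".join(str(b) for b in frame[14 + off:14 + off + 4])
    flags = field(frame, "tcp", 13)
    names = [n for bit, n in ((1, "fin"), (2, "syn"), (4, "rst"), (8, "psh"), (16, "ack")) if flags & bit]
    return {"src": ip(12), "sport": field(frame, "tcp", 0, 2),
            "dst": ip(16), "dport": field(frame, "tcp", 2, 2), "flags": names}
```

For the page's frame, `match(frame, "tcp[13] = 18")` is false (the flags byte is 0x11, FIN+ACK) while `match(frame, "tcp[13] & 1 != 0")` is true, which is exactly the distinction the SYN-ACK filter relies on.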
Advanced sniffer (debug flow):
Check whether debug is enabled
> diagnose debug info
debug output: disable
console timestamp: disable
console no user log message: disable
zebos debug level: 306783954 (0x124926d2)
CLI debug level: 3


Enable debug logging (for the current session)
> diag debug enable

> diagnose debug info
debug output: enable
console timestamp: disable
console no user log message: disable
CLI debug level: 3


Show the debug output on the console.
> diag debug flow show console enable
show trace messages on console

Show the current filters
> diag debug flow filter
vf: any
proto: any
Host addr: any
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any

Set up the filter
> diagnose debug flow filter addr 1.1.1.1

> diagnose debug flow filter
vf: any
proto: any
host addr: 1.1.1.1-1.1.1.1
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any

> diagnose debug flow filter port 443

> diagnose debug flow filter
vf: any
proto: any
host addr: 1.1.1.1-1.1.1.1
Host saddr: any
Host daddr: any
port: 443-443
sport: any
dport: any


Start the trace for 2 packets
> diagnose debug flow trace start 2
id=20085 trace_id=41 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 2.2.2.2:3563->1.1.1.1:443) from Net2. flag [S], seq 951935798, ack 0, win 65535"
id=20085 trace_id=41 func=init_ip_session_common line=4522 msg="allocate a new session-04c299b0"
id=20085 trace_id=41 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-1.1.1.1 via Net5"
id=20085 trace_id=41 func=fw_forward_handler line=670 msg="Allowed by Policy-11:"
id=20085 trace_id=42 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 1.1.1.1:443->2.2.2.2:3563) from Net5. flag [S.], seq 1802453605, ack 951935799, win 5840"
id=20085 trace_id=42 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-04c299b0, reply direction"
id=20085 trace_id=42 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.2.246 via Net2"

Change the CLI debug level (default: 3)
> diagnose debug cli <0-8>

> diagnose debug cli 4

> diagnose debug info
debug output: enable
console timestamp: disable
console no user log message: disable
CLI debug level: 4


Reset the debug settings
> diagnose debug reset

> diagnose debug info
debug output: enable
console timestamp: disable
console no user log message: disable
CLI debug level: 3


Clear the filters
> diag debug flow filter clear

> diagnose debug flow filter
vf: any
proto: any
Host addr: any
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any

Enable timestamps in the trace
> diagnose debug flow trace start 2
id=20085 trace_id=43 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.1:22->1.1.1.2:35130) from local. flag [.], seq 193081652, ack 1179540658, win 6732"
id=20085 trace_id=43 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, reply direction"
id=20085 trace_id=44 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.2:35130->1.1.1.1:22) from mgmt1. flag [.], seq 1179540658, ack 193081652, win 145"
id=20085 trace_id=44 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, original direction"

> diagnose debug console timestamp enable

> diagnose debug flow trace start 2
2015-04-21 07:24:31 id=20085 trace_id=45 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.1:22->1.1.1.2:35130) from local. flag [.], seq 193091828, ack 1179546978, win 6732"
2015-04-21 07:24:31 id=20085 trace_id=45 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, reply direction"
2015-04-21 07:24:31 id=20085 trace_id=46 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.1:22->1.1.1.2:35130) from local. flag [.], seq 193091876, ack 1179546978, win 6732"
2015-04-21 07:24:31 id=20085 trace_id=46 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, reply direction"


Disable debug
> diagnose debug flow disable
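Reading a debug flow trace by hand gets tedious once the count goes beyond a couple of packets, so here is an added example (my own code, not from the page or from Fortinet) that groups the trace lines shown above by trace_id and pulls out the packet tuple, session state, route and policy verdict. It handles both the plain and the timestamped line format; `parse_flow_trace` and `unresolved` are assumed names, and the sample lines are copied from the page's output with the extraction spacing normalised.

```python
import re
from collections import defaultdict

# Copied from the page's "diagnose debug flow trace start 2" output (spacing normalised).
PAGE_TRACE = """\
id=20085 trace_id=41 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 2.2.2.2:3563->1.1.1.1:443) from Net2. flag [S], seq 951935798, ack 0, win 65535"
id=20085 trace_id=41 func=init_ip_session_common line=4522 msg="allocate a new session-04c299b0"
id=20085 trace_id=41 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-1.1.1.1 via Net5"
id=20085 trace_id=41 func=fw_forward_handler line=670 msg="Allowed by Policy-11:"
id=20085 trace_id=42 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 1.1.1.1:443->2.2.2.2:3563) from Net5. flag [S.], seq 1802453605, ack 951935799, win 5840"
id=20085 trace_id=42 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-04c299b0, reply direction"
id=20085 trace_id=42 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.2.246 via Net2"
"""

# One trace line; a console timestamp ("diagnose debug console timestamp enable") may precede "id=".
LINE = re.compile(r'(?:^|\s)id=(\d+) trace_id=(\d+) func=(\w+) line=(\d+) msg="(.*)"$')
PKT = re.compile(r"proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\. flag \[([^\]]*)\]")

def parse_flow_trace(text):
    """Group debug-flow lines by trace_id and extract packet, session, route and policy verdict."""
    traces = defaultdict(lambda: {"steps": []})
    for raw in text.splitlines():
        m = LINE.search(raw.strip())
        if not m:
            continue
        tid, func, msg = int(m[2]), m[3], m[5]
        t = traces[tid]
        t["steps"].append(func)
        if func == "print_pkt_detail" and (p := PKT.search(msg)):
            t.update(proto=int(p[1]), src=f"{p[2]}:{p[3]}", dst=f"{p[4]}:{p[5]}",
                     iface_in=p[6], flags=p[7])
        elif (s := re.search(r"session, id-([0-9a-f]+), (\w+) direction", msg)):
            t.update(session=s[1], session_state=s[2])        # matched an existing session
        elif (s := re.search(r"new session-([0-9a-f]+)", msg)):
            t.update(session=s[1], session_state="new")        # first packet of a flow
        elif (r := re.search(r"gw-([\d.]+) via (\S+)", msg)):
            t.update(gateway=r[1], iface_out=r[2])
        elif func == "fw_forward_handler" and (v := re.match(r"(\w+) by (.+?):?$", msg)):
            t.update(verdict=v[1], policy=v[2])                # e.g. "Allowed by Policy-11"
    return dict(traces)

def unresolved(traces):
    """trace_ids with no policy verdict; a reply-direction trace is expected to have none."""
    return [tid for tid, t in traces.items() if "verdict" not in t and t.get("session_state") != "reply"]
```

A new-session trace that appears in `unresolved` means the trace was cut off before the policy lookup (or the packet was dropped earlier), which is where to start reading.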
Condensed version:
diag debug enable
diag debug flow show console enable
diagnose debug flow filter addr 1.1.1.1
diagnose debug flow trace start 20


diag debug flow trace stop
diag debug reset
diag debug disable