Basic sniffer:

Command description:

# diag sniffer packet <interface> <'filter'> <verbose> <count> a

<interface> interface name, or 'any' for all interfaces.

<'filter'> capture filter.
'[[src|dst] host] [ and [src|dst] host] [ and [arp|ip|gre|esp|udp|tcp] [ and port_no]] [ and [arp|ip|gre|esp|udp|tcp] [and port_no]]'

<verbose> verbosity level.

  • 1: print header of packets
  • 2: print header and data from ip of packets
  • 3: print header and data from ethernet of packets (if available)
  • 4: print header of packets with interface name
  • 5: print header and data from ip of packets with interface name
  • 6: print header and data from ethernet of packets (if available) with intf name

<count> number of packets to capture. If omitted, press Ctrl+C to stop the capture.

a absolute timestamps in the capture.

Examples:

default

> diagnose sniffer packet any 'port 22'
0.543575 1.1.1.1.22 -> 2.2.2.2.34448: psh 638361745 ack 293590198
0.543589 1.1.1.1.22 -> 2.2.2.2.34448: psh 638361857 ack 293590198
0.543737 2.2.2.2.34448 -> 1.1.1.1.22: ack 638358945
0.543749 1.1.1.1.22 -> 2.2.2.2.34448: psh 638361969 ack 293590198
0.543738 2.2.2.2.34448 -> 1.1.1.1.22: ack 638359729
0.543764 1.1.1.1

verbose

> diagnose sniffer packet any 'port 22' 1 1
interfaces=[any]
filters=[port 22]
1.005527 1.1.1.1.37517 -> 2.2.2.7.22: syn 2823825048


> diagnose sniffer packet any 'port 22' 2 1
interfaces=[any]
filters=[port 22]
1.159624 192.168.2.250.3367 -> 192.168.0.169.22: psh 1366981107 ack 176086212
0x0000   4500 0048 fd16 4000 8006 78a5 c0a8 02fa        E..H..@...x.....
0x0010   c0a8 00a9 0d27 0016 517a 79f3 0a7e dcc4        .....'..Qzy..~..
0x0020   5018 fedf 8c2b 0000 7c8c bd38 f5e5 0af6        P....+..|..8....
0x0030   76df add4 d014 d25f 82b3 e2b6 145b 9bb4        v......_.....[..
0x0040   6504 a850 0469 b6bd                            e..P.i..


> diagnose sniffer packet any 'port 22' 3 1
interfaces=[any]
filters=[port 22]
0.317691 1.1.1.1.53521 -> 2.2.2.2.22: fin 731606663 ack 2768667455
0x0000   0000 0000 0001 90b1 1c2f fb1d 0800 4508        ........./....E.
0x0010   0034 f7ef 4000 4006 b840 c0a8 0932 c0a8        .4..@.@..@...2..
0x0020   0009 d111 0016 2b9b 6e87 a506 833f 8011        ......+.n....?..
0x0030   00f4 f9c4 0000 0101 080a 5e9f 96d9 efc7        ..........^.....
0x0040   78a6                                           x.


> diagnose sniffer packet any 'port 22' 4 1
interfaces=[any]
filters=[port 22]
0.486746 Net8 in 1.1.1.1.60910 -> 2.2.2.3.22: fin 918789060 ack 525061782


> diagnose sniffer packet any 'port 22' 5 1
interfaces=[any]
filters=[port 22]
0.421809 Net8 in 1.1.1.1.54727 -> 2.2.2.4.22: syn 4025670350
0x0000   4500 003c 18f7 4000 4006 967d c0a8 0932        E..<..@.@..}...2
0x0010   c0a8 00c5 d5c7 0016 eff2 dace 0000 0000        ................
0x0020   a002 3908 c237 0000 0204 05b4 0402 080a        ..9..7..........
0x0030   5e9f c239 0000 0000 0103 0307                  ^..9........


> diagnose sniffer packet any 'port 22' 6 1
interfaces=[any]
filters=[port 22]
0.895918 Net8 in 1.1.1.1.38691 -> 2.2.2.5.22: fin 3587646846 ack 1482496291
0x0000   0000 0000 0001 90b1 1c2f fb1d 0800 4508        ........./....E.
0x0010   0034 d4eb 4000 4006 daa3 c0a8 0932 c0a8        .4..@.@......2..
0x0020   00aa 9723 0016 d5d7 257e 585d 1923 8011        ...#....%~X].#..
0x0030   0139 a338 0000 0101 080a 5e9f cfcb 53b0        .9.8......^...S.
0x0040   c0f2                                           ..

absolute time

> diagnose sniffer packet any 'port 22' 4 2 a
interfaces=[any]
filters=[port 22]
2015-04-17 05:52:54.849437 Net8 in 1.1.1.1.47156 -> 4.4.4.6.22: fin 1538782504 ack 634199533
2015-04-17 05:52:54.849443 Net7 out 10.10.10.10.47156 -> 4.4.4.6.22: fin 1538782504 ack 634199533

Example filters matching on packet content by hex byte offset:

Match TTL = 1
# diagnose sniffer packet port2 "ip[8:1] = 0x01"

Match Source IP address = 192.168.1.2:
# diagnose sniffer packet internal "(ether[26:4]=0xc0a80102)"

Match Source MAC = 00:09:0f:89:10:ea
# diagnose sniffer packet internal "(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)"

Match Destination MAC = 00:09:0f:89:10:ea
# diagnose sniffer packet internal "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"

Match ARP packets only
# diagnose sniffer packet internal "ether proto 0x0806"

TCP or UDP flags can be addressed using the following:

Match packets with RST flag set:
# diagnose sniffer packet internal "tcp[13] & 4 != 0"

Match packets with SYN flag set:
# diagnose sniffer packet internal "tcp[13] & 2 != 0"

Match packets with SYN-ACK flag set:
# diagnose sniffer packet internal "tcp[13] = 18"
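The byte-offset filters above and the verbose-3 hex dumps earlier on this page describe the same frame layout, so they can be checked against each other. The following is an added example (not from this page or from Fortinet): it rebuilds the raw frame from the page's `diagnose sniffer packet any 'port 22' 3 1` dump and decodes the fields the filters test (TTL at ip[8], source IP at ether[26:4], MACs, TCP flags at tcp[13]). It assumes Python 3.8+ and an untagged Ethernet frame; the function names are my own.

```python
import re
from ipaddress import IPv4Address
# Verbose-3 capture copied from this page's `diagnose sniffer packet any 'port 22' 3 1`
# run: Ethernet header plus IP packet, in "offset | hex words | ASCII" columns.
HEX_DUMP = """
0x0000   0000 0000 0001 90b1 1c2f fb1d 0800 4508        ........./....E.
0x0010   0034 f7ef 4000 4006 b840 c0a8 0932 c0a8        .4..@.@..@...2..
0x0020   0009 d111 0016 2b9b 6e87 a506 833f 8011        ......+.n....?..
0x0030   00f4 f9c4 0000 0101 080a 5e9f 96d9 efc7        ..........^.....
0x0040   78a6                                           x.
"""

def parse_hex_dump(dump: str) -> bytes:
    """Rebuild the raw frame from the sniffer's hex dump lines."""
    frame = bytearray()
    for line in dump.strip().splitlines():
        cols = re.split(r"\s{2,}", line.strip())        # columns are separated by 2+ spaces
        if int(cols[0], 16) != len(frame):
            raise ValueError(f"offset {cols[0]} does not follow the previous line")
        frame += bytes.fromhex(cols[1].replace(" ", ""))
    return bytes(frame)

def field(frame: bytes, layer: str, offset: int, length: int = 1) -> int:
    """ether[offset:length], ip[...] or tcp[...] as the filter syntax reads it: big-endian, from that header's start."""
    if layer == "ether":
        base = 0
    elif frame[12:14] != b"\x08\x00":                    # ether proto must be IPv4 (0x0800)
        raise ValueError("not an IPv4 frame")
    elif layer == "ip":
        base = 14
    elif frame[23] == 6:                                 # ip[9] is the protocol; 6 = TCP
        base = 14 + (frame[14] & 0x0F) * 4               # IHL (32-bit words) gives the TCP header start
    else:
        raise ValueError("not a TCP packet")
    return int.from_bytes(frame[base + offset:base + offset + length], "big")

def describe(frame: bytes) -> dict:
    """Decode the fields that the page's byte-offset filters test."""
    flags = field(frame, "tcp", 13)                      # tcp[13]: CWR ECE URG ACK PSH RST SYN FIN
    return {
        "dst_mac": frame[0:6].hex(":"),                  # ether[0:4] + ether[4:2]
        "src_mac": frame[6:12].hex(":"),                 # ether[6:4] + ether[10:2]
        "ether_type": field(frame, "ether", 12, 2),      # 0x0806 would be ARP
        "ttl": field(frame, "ip", 8, 1),                 # ip[8:1]
        "src_ip": str(IPv4Address(field(frame, "ether", 26, 4))),  # ether[26:4], valid only without a VLAN tag
        "dst_ip": str(IPv4Address(field(frame, "ip", 16, 4))),
        "src_port": field(frame, "tcp", 0, 2), "dst_port": field(frame, "tcp", 2, 2),
        "tcp_flags": flags,
        "syn": bool(flags & 2), "rst": bool(flags & 4),  # tcp[13] & 2 != 0, tcp[13] & 4 != 0
        "syn_ack": flags == 18, "fin_ack": flags == 17,  # tcp[13] = 18
    }
```

Decoding the dump this way also shows that the addresses in the raw bytes are the real ones, while the one-line summary can differ if it was edited before publication.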

Advanced sniffer:

Check whether debug is enabled
> diagnose debug info
debug output:           disable
console timestamp:      disable
console no user log message:    disable
zebos debug level:      306783954 (0x124926d2)
CLI debug level:        3


Enable debug logging (for the current session)
> diag debug enable

> diagnose debug info
debug output:           enable
console timestamp:      disable
console no user log message:    disable
CLI debug level:        3


Show debug output on the console.
> diag debug flow show console enable
show trace messages on console

Show the current filters
> diag debug flow filter
        vf: any
        proto: any
        Host addr: any
        Host saddr: any
        Host daddr: any
        port: any
        sport: any
        dport: any

Set the filter
> diagnose debug flow filter addr 1.1.1.1

> diagnose debug flow filter
        vf: any
        proto: any
        host addr: 1.1.1.1-1.1.1.1
        Host saddr: any
        Host daddr: any
        port: any
        sport: any
        dport: any

> diagnose debug flow filter port 443

> diagnose debug flow filter
        vf: any
        proto: any
        host addr: 1.1.1.1-1.1.1.1
        Host saddr: any
        Host daddr: any
        port: 443-443
        sport: any
        dport: any


Start the trace for 2 packets
> diagnose debug flow trace start 2
id=20085 trace_id=41 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 2.2.2.2:3563->1.1.1.1:443) from Net2. flag [S], seq 951935798, ack 0, win 65535"
id=20085 trace_id=41 func=init_ip_session_common line=4522 msg="allocate a new session-04c299b0"
id=20085 trace_id=41 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-1.1.1.1 via Net5"
id=20085 trace_id=41 func=fw_forward_handler line=670 msg="Allowed by Policy-11:"
id=20085 trace_id=42 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 1.1.1.1:443->2.2.2.2:3563) from Net5. flag [S.], seq 1802453605, ack 951935799, win 5840"
id=20085 trace_id=42 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-04c299b0, reply direction"
id=20085 trace_id=42 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.2.246 via Net2"

Change the CLI debug level (default: 3)
> diagnose debug cli <0-8>

> diagnose debug cli 4

> diagnose debug info
debug output:           enable
console timestamp:      disable
console no user log message:    disable
CLI debug level:        4


Reset debug
> diagnose debug reset

> diagnose debug info
debug output:           enable
console timestamp:      disable
console no user log message:    disable
CLI debug level:        3


Clear the filters
> diag debug flow filter clear

> diagnose debug flow filter
        vf: any
        proto: any
        Host addr: any
        Host saddr: any
        Host daddr: any
        port: any
        sport: any
        dport: any

Enable timestamps in the trace
> diagnose debug flow trace start 2
id=20085 trace_id=43 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.1:22->1.1.1.2:35130) from local. flag [.], seq 193081652, ack 1179540658, win 6732"
id=20085 trace_id=43 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, reply direction"
id=20085 trace_id=44 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.2:35130->1.1.1.1:22) from mgmt1. flag [.], seq 1179540658, ack 193081652, win 145"
id=20085 trace_id=44 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, original direction"

> diagnose debug console timestamp enable

> diagnose debug flow trace start 2
2015-04-21 07:24:31 id=20085 trace_id=45 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.1:22->1.1.1.2:35130) from local. flag [.], seq 193091828, ack 1179546978, win 6732"
2015-04-21 07:24:31 id=20085 trace_id=45 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, reply direction"
2015-04-21 07:24:31 id=20085 trace_id=46 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.1:22->1.1.1.2:35130) from local. flag [.], seq 193091876, ack 1179546978, win 6732"
2015-04-21 07:24:31 id=20085 trace_id=46 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, reply direction"


Disable debug
> diagnose debug flow disable
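When a trace is run for tens of packets, reading the output by hand is slow; what one usually wants is, per trace_id, the packet tuple, the session it matched, the egress interface and the policy verdict. The following is an added example (not from this page or from Fortinet) that parses the `diagnose debug flow` lines shown above into exactly that, handling both the plain and the timestamped line formats. The sample lines are copied from the page's first trace; the dictionary keys and function names are my own.

```python
import re
from collections import defaultdict
# Constructed sample: the `diagnose debug flow trace start 2` output shown on this page
# (trace 41 = client SYN allowed by policy 11, trace 42 = the server's SYN/ACK reply).
TRACE = """
id=20085 trace_id=41 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 2.2.2.2:3563->1.1.1.1:443) from Net2. flag [S], seq 951935798, ack 0, win 65535"
id=20085 trace_id=41 func=init_ip_session_common line=4522 msg="allocate a new session-04c299b0"
id=20085 trace_id=41 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-1.1.1.1 via Net5"
id=20085 trace_id=41 func=fw_forward_handler line=670 msg="Allowed by Policy-11:"
id=20085 trace_id=42 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 1.1.1.1:443->2.2.2.2:3563) from Net5. flag [S.], seq 1802453605, ack 951935799, win 5840"
id=20085 trace_id=42 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-04c299b0, reply direction"
id=20085 trace_id=42 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.2.246 via Net2"
"""

# One trace line; the leading timestamp only appears after `diagnose debug console timestamp enable`.
LINE_RE = re.compile(r'^(?:(?P<ts>\S+ \S+) )?id=(?P<id>\d+) trace_id=(?P<trace>\d+) '
                     r'func=(?P<func>\S+) line=(?P<line>\d+) msg="(?P<msg>.*)"$')
PKT_RE = re.compile(r"proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) "
                    r"from (?P<intf>\S+)\. flag \[(?P<flags>[^\]]*)\]")

def parse_trace(text: str) -> dict:
    """Group trace lines by trace_id and summarise what the firewall did with each packet."""
    traces = defaultdict(lambda: {"funcs": []})
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unexpected trace line: {line!r}")
        t, msg = traces[int(m["trace"])], m["msg"]
        t["funcs"].append(m["func"])
        if m["ts"]:
            t["timestamp"] = m["ts"]
        if m["func"] == "print_pkt_detail":                 # the packet itself
            p = PKT_RE.search(msg)
            t.update(src=p["src"], sport=int(p["sport"]), dst=p["dst"], dport=int(p["dport"]),
                     proto=int(p["proto"]), in_intf=p["intf"], flags=p["flags"])
        elif msg.startswith("allocate a new session"):       # first packet of a new session
            t["session"] = msg.rsplit("-", 1)[1]
        elif msg.startswith("Find an existing session"):    # later packets hit the session table
            s = re.search(r"id-([0-9a-f]+), (\w+) direction", msg)
            t["session"], t["direction"] = s[1], s[2]
        elif msg.startswith("find a route"):
            t["out_intf"] = msg.rsplit("via ", 1)[1]
        elif m["func"] == "fw_forward_handler":             # policy verdict, e.g. "Allowed by Policy-11"
            t["verdict"] = msg.rstrip(":")
    return dict(traces)

def policy_verdicts(text: str) -> dict:
    """trace_id -> (src:sport->dst:dport, verdict) for the packets that went through policy lookup."""
    return {tid: (f"{t['src']}:{t['sport']}->{t['dst']}:{t['dport']}", t["verdict"])
            for tid, t in parse_trace(text).items() if "verdict" in t}
```

Only the first packet of a session goes through fw_forward_handler, so reply packets (trace 42 here) carry a session id and direction but no verdict.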

Condensed version:

diag debug enable
diag debug flow show console enable
diagnose debug flow filter addr 1.1.1.1
diagnose debug flow trace start 20


diag debug flow trace stop
diag debug reset
diag debug disable