Basic sniffer:

Command description:

# diag sniffer packet <interface> <'filter'> <verbose> <count> <tsformat>

<interface> name of the interface, or 'any' for all interfaces.

<'filter'> capture filter (tcpdump/BPF syntax), in quotes:
'[[src|dst] host] [ and [src|dst] host] [ and [arp|ip|gre|esp|udp|tcp] [ and port_no]] [ and [arp|ip|gre|esp|udp|tcp] [and port_no]]'

<verbose> verbosity level:

  • 1: print header of packets
  • 2: print header and data from ip of packets
  • 3: print header and data from ethernet of packets (if available)
  • 4: print header of packets with interface name
  • 5: print header and data from ip of packets with interface name
  • 6: print header and data from ethernet of packets (if available) with intf name

Levels 4 to 6 prefix each header line with the interface name and direction (in/out). Levels 3 and 6 dump the frame from the Ethernet header, which is what a pcap converter needs; levels 2 and 5 dump from the IP header only.

<count> number of packets to capture. If omitted (or 0), the capture runs until you press Ctrl+C.

<tsformat> timestamp format: 'a' prints absolute UTC timestamps (yyyy-mm-dd hh:mm:ss.us); if omitted, timestamps are relative to the start of the capture. Newer FortiOS builds also accept 'l' for absolute local time.

Examples:

default (verbose and count omitted: headers only, until Ctrl+C)

> diagnose sniffer packet any 'port 22'
0.543575 1.1.1.1.22 -> 2.2.2.2.34448: psh 638361745 ack 293590198
0.543589 1.1.1.1.22 -> 2.2.2.2.34448: psh 638361857 ack 293590198
0.543737 2.2.2.2.34448 -> 1.1.1.1.22: ack 638358945
0.543749 1.1.1.1.22 -> 2.2.2.2.34448: psh 638361969 ack 293590198
0.543738 2.2.2.2.34448 -> 1.1.1.1.22: ack 638359729
0.543764 1.1.1.1

verbose levels 1 to 6, one packet each (count = 1)

> diagnose sniffer packet any 'port 22' 1 1
interfaces=[any]
filters=[port 22]
1.005527 1.1.1.1.37517 -> 2.2.2.7.22: syn 2823825048
 

> diagnose sniffer packet any 'port 22' 2 1
interfaces=[any]
filters=[port 22]
1.159624 192.168.2.250.3367 -> 192.168.0.169.22: psh 1366981107 ack 176086212
0x0000   4500 0048 fd16 4000 8006 78a5 c0a8 02fa        E..H..@...x.....
0x0010   c0a8 00a9 0d27 0016 517a 79f3 0a7e dcc4        .....'..Qzy..~..
0x0020   5018 fedf 8c2b 0000 7c8c bd38 f5e5 0af6        P....+..|..8....
0x0030   76df add4 d014 d25f 82b3 e2b6 145b 9bb4        v......_.....[..
0x0040   6504 a850 0469 b6bd                            e..P.i..
 

> diagnose sniffer packet any 'port 22' 3 1
interfaces=[any]
filters=[port 22]
0.317691 1.1.1.1.53521 -> 2.2.2.2.22: fin 731606663 ack 2768667455
0x0000   0000 0000 0001 90b1 1c2f fb1d 0800 4508        ........./....E.
0x0010   0034 f7ef 4000 4006 b840 c0a8 0932 c0a8        .4..@.@..@...2..
0x0020   0009 d111 0016 2b9b 6e87 a506 833f 8011        ......+.n....?..
0x0030   00f4 f9c4 0000 0101 080a 5e9f 96d9 efc7        ..........^.....
0x0040   78a6                                           x.
 

> diagnose sniffer packet any 'port 22' 4 1
interfaces=[any]
filters=[port 22]
0.486746 Net8 in 1.1.1.1.60910 -> 2.2.2.3.22: fin 918789060 ack 525061782
 

> diagnose sniffer packet any 'port 22' 5 1
interfaces=[any]
filters=[port 22]
0.421809 Net8 in 1.1.1.1.54727 -> 2.2.2.4.22: syn 4025670350
0x0000   4500 003c 18f7 4000 4006 967d c0a8 0932        E..<..@.@..}...2
0x0010   c0a8 00c5 d5c7 0016 eff2 dace 0000 0000        ................
0x0020   a002 3908 c237 0000 0204 05b4 0402 080a        ..9..7..........
0x0030   5e9f c239 0000 0000 0103 0307                  ^..9........
 

> diagnose sniffer packet any 'port 22' 6 1
interfaces=[any]
filters=[port 22]
0.895918 Net8 in 1.1.1.1.38691 -> 2.2.2.5.22: fin 3587646846 ack 1482496291
0x0000   0000 0000 0001 90b1 1c2f fb1d 0800 4508        ........./....E.
0x0010   0034 d4eb 4000 4006 daa3 c0a8 0932 c0a8        .4..@.@......2..
0x0020   00aa 9723 0016 d5d7 257e 585d 1923 8011        ...#....%~X].#..
0x0030   0139 a338 0000 0101 080a 5e9f cfcb 53b0        .9.8......^...S.
0x0040   c0f2                                           ..

absolute time (tsformat = a)

> diagnose sniffer packet any 'port 22' 4 2 a
interfaces=[any]
filters=[port 22]
2015-04-17 05:52:54.849437 Net8 in 1.1.1.1.47156 -> 4.4.4.6.22: fin 1538782504 ack 634199533
2015-04-17 05:52:54.849443 Net7 out 10.10.10.10.47156 -> 4.4.4.6.22: fin 1538782504 ack 634199533
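The hex dumps above (verbose 2/3/5/6) are easier to analyse in Wireshark than on the console. Fortinet provides fgt2eth.pl for that conversion; the Python script below is an added example written for this page, independent of that tool and of Fortinet, that does the same job: it parses the header lines (relative or absolute timestamps, with or without interface and direction), reassembles the hex columns, picks the pcap link type from the first packet (Ethernet for verbose 3/6, raw IP for verbose 2/5) and writes a classic pcap file. The sample inputs are the page's own verbose 6 and verbose 2 captures.

```python
# Added example (independent of the page and of Fortinet's fgt2eth.pl): convert the
# text output of "diagnose sniffer packet <intf> '<filter>' 3|6 ..." (or 2|5 for
# IP-only dumps) into a pcap file that Wireshark or tcpdump can open.
import re
import struct
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

LINKTYPE_ETHERNET = 1    # verbose 3/6: the dump starts with the Ethernet header
LINKTYPE_RAW_IP = 101    # verbose 2/5: the dump starts at the IP header

# Header line: relative ("0.895918") or absolute ("2015-04-17 05:52:54.849437")
# timestamp, optional "<intf> in|out" (verbose 4-6), then "src -> dst: ...".
_HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+|\d+\.\d+)\s+"
    r"(?:(?P<intf>\S+)\s+(?P<dir>in|out)\s+)?(?P<summary>\S+ -> \S+.*)$"
)
# Hex line: "0x0010   c0a8 00a9 ...        ..ascii..". Hex and ASCII columns are
# separated by a run of spaces, so splitting on 2+ spaces keeps the ASCII out.
_HEXLINE = re.compile(r"^0x[0-9a-fA-F]{4}\s+(.+)$")
_HEXGROUPS = re.compile(r"^(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2})( (?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2}))*$")


@dataclass
class Packet:
    ts_sec: int
    ts_usec: int
    intf: Optional[str]
    direction: Optional[str]
    summary: str
    data: bytearray = field(default_factory=bytearray)


def parse_timestamp(ts: str) -> Tuple[int, int]:
    """(seconds, microseconds); absolute stamps ('a' format) are UTC."""
    if "-" in ts:
        dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        return int(dt.timestamp()), dt.microsecond
    sec, _, frac = ts.partition(".")
    return int(sec), int((frac + "000000")[:6])


def parse_sniffer(text: str) -> List[Packet]:
    packets: List[Packet] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("interfaces=", "filters=")):
            continue
        m = _HEADER.match(line)
        if m:
            sec, usec = parse_timestamp(m["ts"])
            packets.append(Packet(sec, usec, m["intf"], m["dir"], m["summary"]))
            continue
        h = _HEXLINE.match(line)
        if h and packets:
            hexcol = re.split(r" {2,}|\t+", h.group(1))[0]
            if _HEXGROUPS.match(hexcol):
                packets[-1].data += bytes.fromhex(hexcol.replace(" ", ""))
    return [p for p in packets if p.data]   # verbose 1/4 print headers only: nothing to write


def detect_link_type(packets: List[Packet]) -> int:
    """Ethernet dumps carry an EtherType at bytes 12-13 (with a matching IP version
    nibble right after it); IP-only dumps have source-address bytes there."""
    d = bytes(packets[0].data)
    ethertype = int.from_bytes(d[12:14], "big")
    version = d[14] >> 4 if len(d) > 14 else None
    if ethertype in (0x0806, 0x8100) or (ethertype, version) in ((0x0800, 4), (0x86DD, 6)):
        return LINKTYPE_ETHERNET
    return LINKTYPE_RAW_IP


def to_pcap(text: str, link_type: Optional[int] = None) -> bytes:
    packets = parse_sniffer(text)
    if not packets:
        raise ValueError("no packet bytes found: capture with verbose 2, 3, 5 or 6")
    if link_type is None:
        link_type = detect_link_type(packets)
    # pcap global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type))
    for p in packets:
        out += struct.pack("<IIII", p.ts_sec, p.ts_usec, len(p.data), len(p.data))
        out += p.data
    return bytes(out)


def convert_file(src_path: str, dst_path: str) -> int:
    """Read saved CLI output, write the pcap, return its size in bytes."""
    with open(src_path, encoding="utf-8", errors="replace") as fh:
        pcap = to_pcap(fh.read())
    with open(dst_path, "wb") as fh:
        fh.write(pcap)
    return len(pcap)


# Sample input: the page's own verbose 6 and verbose 2 examples, pasted verbatim.
SAMPLE_VERBOSE6 = """\
interfaces=[any]
filters=[port 22]
0.895918 Net8 in 1.1.1.1.38691 -> 2.2.2.5.22: fin 3587646846 ack 1482496291
0x0000   0000 0000 0001 90b1 1c2f fb1d 0800 4508        ........./....E.
0x0010   0034 d4eb 4000 4006 daa3 c0a8 0932 c0a8        .4..@.@......2..
0x0020   00aa 9723 0016 d5d7 257e 585d 1923 8011        ...#....%~X].#..
0x0030   0139 a338 0000 0101 080a 5e9f cfcb 53b0        .9.8......^...S.
0x0040   c0f2                                           ..
"""
SAMPLE_VERBOSE2 = """\
1.159624 192.168.2.250.3367 -> 192.168.0.169.22: psh 1366981107 ack 176086212
0x0000   4500 0048 fd16 4000 8006 78a5 c0a8 02fa        E..H..@...x.....
0x0010   c0a8 00a9 0d27 0016 517a 79f3 0a7e dcc4        .....'..Qzy..~..
0x0020   5018 fedf 8c2b 0000 7c8c bd38 f5e5 0af6        P....+..|..8....
0x0030   76df add4 d014 d25f 82b3 e2b6 145b 9bb4        v......_.....[..
0x0040   6504 a850 0469 b6bd                            e..P.i..
"""
```

Save the CLI output to a file (terminal logging, or paste), then call convert_file("capture.txt", "capture.pcap"). Capture with verbose 3 or 6 when you intend to convert: with 2 or 5 the MAC addresses are gone and the file is written as raw IP. Absolute timestamps are only produced with tsformat a and are taken as UTC; relative ones are written as seconds since the epoch, which is fine for Wireshark but shows 1970 dates.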

Examples of filters on raw bytes (offsets below assume untagged Ethernet frames and IPv4):

Match TTL = 1
# diagnose sniffer packet port2 "ip[8:1] = 0x01"

Match Source IP address = 192.168.1.2:
# diagnose sniffer packet internal "(ether[26:4]=0xc0a80102)"

Match Source MAC = 00:09:0f:89:10:ea
# diagnose sniffer packet internal "(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)"

Match Destination MAC = 00:09:0f:89:10:ea
# diagnose sniffer packet internal "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"

Match ARP packets only
# diagnose sniffer packet internal "ether proto 0x0806"

TCP flags can be matched through byte 13 of the TCP header (tcp[13]); UDP has no flags byte. "& n != 0" tests one bit, "= n" requires the exact flag combination:

Match packets with RST flag set:
# diagnose sniffer packet internal "tcp[13] & 4 != 0"

Match packets with SYN flag set:
# diagnose sniffer packet internal "tcp[13] & 2 != 0"

Match packets with exactly SYN and ACK set (18 = 0x12 = SYN 0x02 + ACK 0x10):
# diagnose sniffer packet internal "tcp[13] = 18"
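A wrong offset does not produce an error, only an empty capture, so it is worth checking a byte-offset filter against a frame you already have. The Python helper below is an added example (not from the page or from Fortinet): it builds the source/destination IP and MAC filters above from readable values, and evaluates a filter in the syntax used on this page (ether/ip/tcp[off:len], &, =, !=, ether proto, and/or) against the bytes of the verbose 6 frame captured earlier on this page. Like the offsets above, it assumes untagged Ethernet (14-byte header) and IPv4.

```python
# Added example (not from the page or Fortinet): generate the byte-offset filters
# shown above from readable values, and evaluate such a filter against a frame
# captured with verbose 3/6 to check the offsets before typing the filter on the
# firewall. Only the tcpdump subset used on this page is implemented.
import re

# The page's verbose 6 sample frame: FIN/ACK, 192.168.9.50:38691 -> 192.168.0.170:22.
SAMPLE_FRAME = bytes.fromhex(
    "0000 0000 0001 90b1 1c2f fb1d 0800 4508 0034 d4eb 4000 4006 daa3 c0a8 0932 c0a8"
    "00aa 9723 0016 d5d7 257e 585d 1923 8011 0139 a338 0000 0101 080a 5e9f cfcb 53b0 c0f2"
)

_ETH_LEN = 14   # untagged Ethernet header; 802.1Q-tagged frames would need +4


def _ipv4_hex(ip: str) -> str:
    return "0x%08x" % int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")


def src_ip_filter(ip: str) -> str:
    """IPv4 source address: IP header offset 12 -> frame offset 14 + 12 = 26."""
    return "ether[26:4]=" + _ipv4_hex(ip)


def dst_ip_filter(ip: str) -> str:
    """IPv4 destination address: IP header offset 16 -> frame offset 30."""
    return "ether[30:4]=" + _ipv4_hex(ip)


def mac_filter(mac: str, source: bool) -> str:
    """MAC at frame offset 6 (source) or 0 (destination), split 4 + 2 bytes as on the page."""
    base = 6 if source else 0
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    return "(ether[%d:4]=0x%s) and (ether[%d:2]=0x%s)" % (base, b[:4].hex(), base + 4, b[4:].hex())


_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|[a-z]+|!=|[()\[\]:&=]")


def _header_start(frame: bytes, proto: str) -> int:
    """Offset of the named header inside an untagged Ethernet frame."""
    if proto == "ether":
        return 0
    if proto == "ip":
        return _ETH_LEN
    if proto in ("tcp", "udp"):
        return _ETH_LEN + (frame[_ETH_LEN] & 0x0F) * 4   # skip IPv4 header (IHL in 32-bit words)
    raise ValueError("unsupported protocol keyword: " + proto)


class _Parser:
    """expr = term (('and'|'or') term)*; term = '(' expr ')' | 'ether proto N'
    | proto '[' off (':' len)? ']' ('&' N)? ('='|'!=') N"""

    def __init__(self, expr: str, frame: bytes):
        self.toks, self.pos, self.frame = _TOKEN.findall(expr), 0, frame

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, *expected: str) -> str:
        tok = self.peek()
        if tok is None or (expected and tok not in expected):
            raise ValueError("expected %s, got %r" % (expected or "a token", tok))
        self.pos += 1
        return tok

    def expr(self) -> bool:
        result = self.term()
        while self.peek() in ("and", "or"):
            op, rhs = self.take(), self.term()    # both sides parsed: no short-circuit
            result = (result and rhs) if op == "and" else (result or rhs)
        return result

    def term(self) -> bool:
        if self.peek() == "(":
            self.take("(")
            value = self.expr()
            self.take(")")
            return value
        proto = self.take("ether", "ip", "tcp", "udp")
        if self.peek() == "proto":                      # e.g. "ether proto 0x0806"
            self.take("proto")
            return int.from_bytes(self.frame[12:14], "big") == int(self.take(), 0)
        self.take("[")
        off, size = int(self.take(), 0), 1
        if self.peek() == ":":
            self.take(":")
            size = int(self.take(), 0)
        self.take("]")
        start = _header_start(self.frame, proto) + off
        in_range = start + size <= len(self.frame)
        value = int.from_bytes(self.frame[start:start + size], "big") if in_range else 0
        if self.peek() == "&":
            self.take("&")
            value &= int(self.take(), 0)
        op = self.take("=", "!=")
        want = int(self.take(), 0)
        hit = value == want if op == "=" else value != want
        return in_range and hit                         # BPF: out-of-range access never matches


def matches(filter_expr: str, frame: bytes) -> bool:
    """True if the frame satisfies the byte-offset filter."""
    p = _Parser(filter_expr, frame)
    result = p.expr()
    if p.peek() is not None:
        raise ValueError("trailing tokens: %r" % p.toks[p.pos:])
    return result
```

Numbers are parsed with int(x, 0), so write hex as 0x... and decimals without leading zeros. To check a filter against your own traffic, paste the hex lines of a verbose 3/6 capture into bytes.fromhex() and call matches() before running the sniffer with that filter.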

Debug flow (advanced):

Check whether debug output is enabled
> diagnose debug info
debug output:           disable
console timestamp:      disable
console no user log message:    disable
zebos debug level:      306783954 (0x124926d2)
CLI debug level:        3


Enable debug output (for the current CLI session)
> diag debug enable

> diagnose debug info
debug output:           enable
console timestamp:      disable
console no user log message:    disable
CLI debug level:        3


Send the debug flow output to the console.
> diag debug flow show console enable 
show trace messages on console

Show the current filters
> diag debug flow filter 
        vf: any
        proto: any
        Host addr: any
        Host saddr: any
        Host daddr: any
        port: any
        sport: any
        dport: any

Set the filters (addr and port match either direction; saddr/daddr and sport/dport pin one side)
> diagnose debug flow filter addr 1.1.1.1

> diagnose debug flow filter
        vf: any
        proto: any
        host addr: 1.1.1.1-1.1.1.1
        Host saddr: any
        Host daddr: any
        port: any
        sport: any
        dport: any

> diagnose debug flow filter port 443

> diagnose debug flow filter
        vf: any
        proto: any
        host addr: 1.1.1.1-1.1.1.1
        Host saddr: any
        Host daddr: any
        port: 443-443
        sport: any
        dport: any


Start a trace for 2 packets
> diagnose debug flow trace start 2
id=20085 trace_id=41 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 2.2.2.2:3563->1.1.1.1:443) from Net2. flag [S], seq 951935798, ack 0, win 65535"
id=20085 trace_id=41 func=init_ip_session_common line=4522 msg="allocate a new session-04c299b0"
id=20085 trace_id=41 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-1.1.1.1 via Net5"
id=20085 trace_id=41 func=fw_forward_handler line=670 msg="Allowed by Policy-11:"
id=20085 trace_id=42 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 1.1.1.1:443->2.2.2.2:3563) from Net5. flag [S.], seq 1802453605, ack 951935799, win 5840"
id=20085 trace_id=42 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-04c299b0, reply direction"
id=20085 trace_id=42 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.2.246 via Net2"

Change the CLI debug level (default: 3)
> diagnose debug cli <0-8>

> diagnose debug cli 4

> diagnose debug info
debug output:           enable
console timestamp:      disable
console no user log message:    disable
CLI debug level:        4


Reset the debug settings. As the info output shows, debug output itself stays enabled: use diag debug disable to turn it off.
> diagnose debug reset

> diagnose debug info
debug output:           enable
console timestamp:      disable
console no user log message:    disable
CLI debug level:        3


Clear the filters
> diag debug flow filter clear

> diagnose debug flow filter
        vf: any
        proto: any
        Host addr: any
        Host saddr: any
        Host daddr: any
        port: any
        sport: any
        dport: any

Timestamps in the trace (first without, then after enabling console timestamps)
> diagnose debug flow trace start 2
id=20085 trace_id=43 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.1:22->1.1.1.2:35130) from local. flag [.], seq 193081652, ack 1179540658, win 6732"
id=20085 trace_id=43 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, reply direction"
id=20085 trace_id=44 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.2:35130->1.1.1.1:22) from mgmt1. flag [.], seq 1179540658, ack 193081652, win 145"
id=20085 trace_id=44 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, original direction"

> diagnose debug console timestamp enable

> diagnose debug flow trace start 2
2015-04-21 07:24:31 id=20085 trace_id=45 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.1:22->1.1.1.2:35130) from local. flag [.], seq 193091828, ack 1179546978, win 6732"
2015-04-21 07:24:31 id=20085 trace_id=45 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, reply direction"
2015-04-21 07:24:31 id=20085 trace_id=46 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.1:22->1.1.1.2:35130) from local. flag [.], seq 193091876, ack 1179546978, win 6732"
2015-04-21 07:24:31 id=20085 trace_id=46 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, reply direction"
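Reading raw trace lines gets tedious as soon as the packet count is larger than 2. The Python script below is an added example (not from the page or from Fortinet) that groups the lines by trace_id and reduces each trace to the fields that matter when troubleshooting: 5-tuple and flags, ingress interface, session (new or existing, and direction), egress interface from the route lookup, and the policy verdict. It accepts lines with or without the console timestamp; the sample input is the page's own trace output. The "Denied by ..." wording in the verdict pattern is an assumption, since only an "Allowed by Policy-11:" line appears on this page.

```python
# Added example (not from the page or Fortinet): summarise "diagnose debug flow"
# trace output per trace_id. Handles lines with and without console timestamps.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

_LINE = re.compile(
    r'^(?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) )?'
    r'id=(?P<id>\d+) trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=(?P<line>\d+) msg="(?P<msg>.*)"$'
)
_PKT = re.compile(
    r'vd-(?P<vdom>\S+) received a packet\(proto=(?P<proto>\d+), (?P<src>\S+)->(?P<dst>\S+)\) '
    r'from (?P<intf>\S+)\. flag \[(?P<flags>[^\]]*)\]'
)
_NEW_SESSION = re.compile(r'allocate a new session-(?P<sid>[0-9a-f]+)')
_OLD_SESSION = re.compile(r'Find an existing session, id-(?P<sid>[0-9a-f]+), (?P<dir>\w+) direction')
_ROUTE = re.compile(r'find a route: .*\bvia (?P<intf>\S+)')
# "Allowed by Policy-11:" is on the page; the "Denied by ..." wording is assumed.
_VERDICT = re.compile(r'(?P<verdict>Allowed|Denied) by (?P<why>[^:]+)')


@dataclass
class Trace:
    trace_id: int
    ts: Optional[str] = None
    vdom: Optional[str] = None
    proto: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    flags: Optional[str] = None
    in_intf: Optional[str] = None
    out_intf: Optional[str] = None
    session: Optional[str] = None
    session_state: Optional[str] = None   # "new", "existing original", "existing reply"
    verdict: Optional[str] = None         # "Allowed" / "Denied"
    reason: Optional[str] = None          # e.g. "Policy-11"
    lines: List[str] = field(default_factory=list)

    def summary(self) -> str:
        return ("trace %s [%s] %s -> %s proto %s flags [%s] in:%s session:%s %s out:%s verdict:%s %s"
                % (self.trace_id, self.vdom, self.src, self.dst, self.proto, self.flags,
                   self.in_intf, self.session_state, self.session, self.out_intf,
                   self.verdict, self.reason))


def parse_debug_flow(text: str) -> Dict[int, Trace]:
    traces: Dict[int, Trace] = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue                          # prompts, blank lines, command echoes
        t = traces.setdefault(int(m["trace"]), Trace(int(m["trace"])))
        msg = m["msg"]
        t.lines.append(msg)
        if m["ts"] and t.ts is None:
            t.ts = m["ts"]
        p = _PKT.search(msg)
        if p:
            t.vdom, t.proto = p["vdom"], int(p["proto"])
            t.src, t.dst, t.in_intf, t.flags = p["src"], p["dst"], p["intf"], p["flags"]
            continue
        s = _NEW_SESSION.search(msg)
        if s:
            t.session, t.session_state = s["sid"], "new"
            continue
        s = _OLD_SESSION.search(msg)
        if s:
            t.session, t.session_state = s["sid"], "existing " + s["dir"]
            continue
        r = _ROUTE.search(msg)
        if r:
            t.out_intf = r["intf"]
            continue
        v = _VERDICT.search(msg)
        if v:
            t.verdict, t.reason = v["verdict"], v["why"].strip()
    return traces


def denied(traces: Dict[int, Trace]) -> List[Trace]:
    """Traces that ended in a Denied verdict: the ones to look at first."""
    return [t for t in traces.values() if t.verdict == "Denied"]


# Sample input: the page's own trace output (without, then with console timestamps).
SAMPLE_TRACE = """\
id=20085 trace_id=41 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 2.2.2.2:3563->1.1.1.1:443) from Net2. flag [S], seq 951935798, ack 0, win 65535"
id=20085 trace_id=41 func=init_ip_session_common line=4522 msg="allocate a new session-04c299b0"
id=20085 trace_id=41 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-1.1.1.1 via Net5"
id=20085 trace_id=41 func=fw_forward_handler line=670 msg="Allowed by Policy-11:"
id=20085 trace_id=42 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 1.1.1.1:443->2.2.2.2:3563) from Net5. flag [S.], seq 1802453605, ack 951935799, win 5840"
id=20085 trace_id=42 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-04c299b0, reply direction"
id=20085 trace_id=42 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.2.246 via Net2"
2015-04-21 07:24:31 id=20085 trace_id=45 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.1:22->1.1.1.2:35130) from local. flag [.], seq 193091828, ack 1179546978, win 6732"
2015-04-21 07:24:31 id=20085 trace_id=45 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, reply direction"
2015-04-21 07:24:31 id=20085 trace_id=46 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.1:22->1.1.1.2:35130) from local. flag [.], seq 193091876, ack 1179546978, win 6732"
2015-04-21 07:24:31 id=20085 trace_id=46 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, reply direction"
"""
```

Paste the console output into a file and run parse_debug_flow() on it, then print t.summary() for each trace; the raw messages stay available in t.lines for anything the summary does not cover. A trace that has a packet line but no route and no verdict usually means the filter caught the packet but the flow ended in a function the regexes above do not know, so read its lines directly.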


Stop the trace and disable debug output
> diagnose debug flow trace stop
> diagnose debug disable

Condensed version:

diag debug enable
diag debug flow show console enable
diagnose debug flow filter addr 1.1.1.1
diagnose debug flow trace start 20


diag debug flow trace stop
diag debug reset
diag debug disable