Basic sniffer:
Command description:
# diag sniffer packet <interface> <'filter'> <verbose> <count> a
<interface> name of the interface, or 'any' for all interfaces.
<'filter'> capture filter, in quotes.
'[[src|dst] host] [ and [src|dst] host] [ and [arp|ip|gre|esp|udp|tcp] [ and port_no]] [ and [arp|ip|gre|esp|udp|tcp] [and port_no]]'
<verbose> verbosity level:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
<count> number of packets to capture.
If omitted, the capture runs until you press Ctrl+C.
a: print absolute timestamps (date and time) instead of seconds since the start of the capture.
Examples:
default (verbose 1, no count: stop with Ctrl+C)
> diagnose sniffer packet any 'port 22'
0.543575 1.1.1.1.22 -> 2.2.2.2.34448: psh 638361745 ack 293590198
0.543589 1.1.1.1.22 -> 2.2.2.2.34448: psh 638361857 ack 293590198
0.543737 2.2.2.2.34448 -> 1.1.1.1.22: ack 638358945
0.543749 1.1.1.1.22 -> 2.2.2.2.34448: psh 638361969 ack 293590198
0.543738 2.2.2.2.34448 -> 1.1.1.1.22: ack 638359729
0.543764 1.1.1.1
verbose levels
> diagnose sniffer packet any 'port 22' 1 1
interfaces=[any]
filters=[port 22]
1.005527 1.1.1.1.37517 -> 2.2.2.7.22: syn 2823825048
> diagnose sniffer packet any 'port 22' 2 1
interfaces=[any]
filters=[port 22]
1.159624 192.168.2.250.3367 -> 192.168.0.169.22: psh 1366981107 ack 176086212
0x0000 4500 0048 fd16 4000 8006 78a5 c0a8 02fa E..H..@...x.....
0x0010 c0a8 00a9 0d27 0016 517a 79f3 0a7e dcc4 .....'..Qzy..~..
0x0020 5018 fedf 8c2b 0000 7c8c bd38 f5e5 0af6 P....+..|..8....
0x0030 76df add4 d014 d25f 82b3 e2b6 145b 9bb4 v......_.....[..
0x0040 6504 a850 0469 b6bd e..P.i..
> diagnose sniffer packet any 'port 22' 3 1
interfaces=[any]
filters=[port 22]
0.317691 1.1.1.1.53521 -> 2.2.2.2.22: fin 731606663 ack 2768667455
0x0000 0000 0000 0001 90b1 1c2f fb1d 0800 4508 ........./....E.
0x0010 0034 f7ef 4000 4006 b840 c0a8 0932 c0a8 .4..@.@..@...2..
0x0020 0009 d111 0016 2b9b 6e87 a506 833f 8011 ......+.n....?..
0x0030 00f4 f9c4 0000 0101 080a 5e9f 96d9 efc7 ..........^.....
0x0040 78a6 x.
> diagnose sniffer packet any 'port 22' 4 1
interfaces=[any]
filters=[port 22]
0.486746 Net8 in 1.1.1.1.60910 -> 2.2.2.3.22: fin 918789060 ack 525061782
> diagnose sniffer packet any 'port 22' 5 1
interfaces=[any]
filters=[port 22]
0.421809 Net8 in 1.1.1.1.54727 -> 2.2.2.4.22: syn 4025670350
0x0000 4500 003c 18f7 4000 4006 967d c0a8 0932 E..<..@.@..}...2
0x0010 c0a8 00c5 d5c7 0016 eff2 dace 0000 0000 ................
0x0020 a002 3908 c237 0000 0204 05b4 0402 080a ..9..7..........
0x0030 5e9f c239 0000 0000 0103 0307 ^..9........
> diagnose sniffer packet any 'port 22' 6 1
interfaces=[any]
filters=[port 22]
0.895918 Net8 in 1.1.1.1.38691 -> 2.2.2.5.22: fin 3587646846 ack 1482496291
0x0000 0000 0000 0001 90b1 1c2f fb1d 0800 4508 ........./....E.
0x0010 0034 d4eb 4000 4006 daa3 c0a8 0932 c0a8 .4..@.@......2..
0x0020 00aa 9723 0016 d5d7 257e 585d 1923 8011 ...#....%~X].#..
0x0030 0139 a338 0000 0101 080a 5e9f cfcb 53b0 .9.8......^...S.
0x0040 c0f2 ..
absolute timestamps
> diagnose sniffer packet any 'port 22' 4 2 a
interfaces=[any]
filters=[port 22]
2015-04-17 05:52:54.849437 Net8 in 1.1.1.1.47156 -> 4.4.4.6.22: fin 1538782504 ack 634199533
2015-04-17 05:52:54.849443 Net7 out 10.10.10.10.47156 -> 4.4.4.6.22: fin 1538782504 ack 634199533
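To analyse a capture in Wireshark you need verbose level 3 (or 6) so that the dump starts at the Ethernet header, and then convert the text to pcap. Fortinet distributes a converter for this (fgt2eth); the script below is an added example, not the page's or Fortinet's code, that does the same with only the Python standard library, using the verbose-3 output shown above as constructed sample input. It assumes the text was saved unmodified from the terminal and, for the `a` timestamp format, that the date/time is UTC.

```python
"""Convert `diagnose sniffer packet ... 3` text output into a libpcap file.

Added example (not from the page or from Fortinet). It walks the output line
by line: a packet header line starts a new packet, the following `0x0000 ...`
hex-dump lines supply its bytes. Standard library only.
"""
import re
import struct
import sys
from datetime import datetime, timezone

LINKTYPE_ETHERNET = 1    # verbose 3/6: dump starts at the Ethernet header
LINKTYPE_RAW = 101       # verbose 2/5: dump starts at the IP header

# Header line, relative or absolute ('a') timestamp, optional "<intf> in|out":
#   0.317691 1.1.1.1.53521 -> 2.2.2.2.22: fin 731606663 ack 2768667455
#   2015-04-17 05:52:54.849437 Net8 in 1.1.1.1.47156 -> 4.4.4.6.22: fin ...
HEADER_RE = re.compile(
    r"^(?:(\d{4}-\d{2}-\d{2}) )?(\d+(?::\d{2}:\d{2})?\.\d+)\s+"
    r"(?:\S+\s+(?:in|out)\s+)?(\S+)\s+->\s+(\S+):")
HEX_LINE_RE = re.compile(r"^0x[0-9a-f]{4}\s")


def header_timestamp(date, clock):
    """Relative seconds by default; with the 'a' option the line carries a
    date/time, which this example treats as UTC (assumption)."""
    if date is None:
        return float(clock)
    dt = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S.%f")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def parse_hex_line(line):
    """Return (offset, data) for one dump line such as
    '0x0010 0034 f7ef 4000 4006 b840 c0a8 0932 c0a8 .4..@.@..@...2..'.
    A line holds at most 8 words (16 bytes); parsing stops at the first token
    that is not a 2- or 4-digit hex word, i.e. where the ASCII column starts.
    (A hex-looking ASCII token on a short last line is the one ambiguity of
    this text format.)"""
    tokens = line.split()
    offset = int(tokens[0], 16)
    data = bytearray()
    for tok in tokens[1:9]:
        if not re.fullmatch(r"[0-9a-f]{2}|[0-9a-f]{4}", tok):
            break
        data += bytes.fromhex(tok)
    return offset, bytes(data)


def parse_sniffer_output(text):
    """Return a list of (timestamp, frame_bytes) for every packet in the text."""
    packets, ts, frame = [], None, bytearray()
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if ts is not None and frame:
                packets.append((ts, bytes(frame)))
            ts, frame = header_timestamp(m.group(1), m.group(2)), bytearray()
        elif ts is not None and HEX_LINE_RE.match(line):
            offset, data = parse_hex_line(line)
            if offset != len(frame):       # dump lines must be contiguous
                raise ValueError(f"offset 0x{offset:04x} but {len(frame)} bytes so far")
            frame += data
    if ts is not None and frame:
        packets.append((ts, bytes(frame)))
    return packets


def pcap_bytes(packets, linktype=LINKTYPE_ETHERNET):
    """Serialise packets as a classic little-endian libpcap file."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for ts, frame in packets:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        if usec == 1_000_000:              # rounding carried into the next second
            sec, usec = sec + 1, 0
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


# Constructed sample: the verbose-3 capture shown on this page.
SAMPLE = """\
interfaces=[any]
filters=[port 22]
0.317691 1.1.1.1.53521 -> 2.2.2.2.22: fin 731606663 ack 2768667455
0x0000 0000 0000 0001 90b1 1c2f fb1d 0800 4508 ........./....E.
0x0010 0034 f7ef 4000 4006 b840 c0a8 0932 c0a8 .4..@.@..@...2..
0x0020 0009 d111 0016 2b9b 6e87 a506 833f 8011 ......+.n....?..
0x0030 00f4 f9c4 0000 0101 080a 5e9f 96d9 efc7 ..........^.....
0x0040 78a6 x.
"""

if __name__ == "__main__":
    # usage: python fgt2pcap.py capture.txt   (writes capture.pcap)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    pkts = parse_sniffer_output(text)
    out_name = (sys.argv[1].rsplit(".", 1)[0] if len(sys.argv) > 1 else "sample") + ".pcap"
    with open(out_name, "wb") as fh:
        fh.write(pcap_bytes(pkts))
    print(f"wrote {len(pkts)} packet(s) to {out_name}")
```

For a verbose 2 or 5 capture pass `linktype=LINKTYPE_RAW`, since those dumps start at the IP header and Wireshark would otherwise try to decode the first 14 bytes as Ethernet. Note that the header line of the sample has been anonymised on this page while the hex bytes have not (the IP addresses in the dump are 192.168.9.50 and 192.168.0.9); the converter keeps the bytes, so always check what a capture really contains before sharing it.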
Examples of filters on raw header bytes (BPF-style byte offsets; the ether[] offsets below assume an untagged 14-byte Ethernet header):
Match TTL = 1
# diagnose sniffer packet port2 "ip[8:1] = 0x01"
Match source IP address = 192.168.1.2 (IP header offset 12, so 14 + 12 = 26 from the start of the frame):
# diagnose sniffer packet internal "(ether[26:4]=0xc0a80102)"
Match source MAC = 00:09:0f:89:10:ea
# diagnose sniffer packet internal "(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)"
Match destination MAC = 00:09:0f:89:10:ea
# diagnose sniffer packet internal "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"
Match ARP packets only
# diagnose sniffer packet internal "ether proto 0x0806"
TCP flags live in byte 13 of the TCP header (FIN=1, SYN=2, RST=4, PSH=8, ACK=16); UDP has no flags:
Match packets with RST flag set:
# diagnose sniffer packet internal "tcp[13] & 4 != 0"
Match packets with SYN flag set:
# diagnose sniffer packet internal "tcp[13] & 2 != 0"
Match packets with SYN-ACK flags set (2 + 16 = 18):
# diagnose sniffer packet internal "tcp[13] = 18"
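The offsets in these filters come from the fixed header layouts: an untagged Ethernet header is 14 bytes, so IP offset 12 (source address) becomes ether[26:4], and tcp[13] is the flags byte. The following added example (not from the page or from Fortinet) builds the MAC and IPv4 filters from human-readable values and dry-runs an 'and'-joined filter against a raw frame, here the 66-byte FIN/ACK frame from the verbose-3 dump above, embedded as constructed sample data. The evaluator mirrors BPF offset semantics and assumes untagged IPv4; `ether proto ...` terms are out of scope.

```python
"""Build and dry-run the byte-offset filters used by the sniffer.

Added example (not from the page or from Fortinet). Layout assumed: untagged
Ethernet II frame carrying IPv4, i.e. 14-byte Ethernet header (dst MAC 0-5,
src MAC 6-11, EtherType 12-13), then the IP header (length from the IHL
nibble), then TCP/UDP. `ether proto ...` terms are not handled here.
"""
import re

# One comparison: layer[offset(:length)] (& mask) (= | !=) value
TERM_RE = re.compile(
    r"^(ether|ip|tcp|udp)\[(\d+)(?::(\d+))?\]\s*"
    r"(?:&\s*(0x[0-9a-fA-F]+|\d+)\s*)?(!=|=)\s*(0x[0-9a-fA-F]+|\d+)$")


def mac_filter(mac, direction="src"):
    """'00:09:0f:89:10:ea' -> '(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)'.
    A 6-byte value is compared as a 4-byte word plus a 2-byte word."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    base = 6 if direction == "src" else 0
    return (f"(ether[{base}:4]=0x{raw[:4].hex()}) and "
            f"(ether[{base + 4}:2]=0x{raw[4:].hex()})")


def ipv4_filter(ip, direction="src"):
    """IPv4 source/destination sit at IP offsets 12/16; behind a 14-byte
    Ethernet header that is ether[26:4] / ether[30:4]."""
    raw = bytes(int(octet) for octet in ip.split("."))
    return f"(ether[{26 if direction == 'src' else 30}:4]=0x{raw.hex()})"


def layer_offsets(frame):
    """Start offset of each header in the frame (untagged Ethernet II + IPv4)."""
    ihl = (frame[14] & 0x0F) * 4
    return {"ether": 0, "ip": 14, "tcp": 14 + ihl, "udp": 14 + ihl}


def matches(frame, expr):
    """Evaluate an 'and'-joined filter expression against raw frame bytes,
    with BPF-like semantics: ip[...] requires EtherType IPv4, tcp[...]/udp[...]
    additionally require IP protocol 6/17; otherwise the term is false."""
    offs = layer_offsets(frame)
    is_ipv4 = frame[12:14] == b"\x08\x00"
    proto = frame[23] if is_ipv4 else None
    for term in re.split(r"\s+and\s+", expr.strip()):
        m = TERM_RE.match(term.strip().strip("()").strip())
        if not m:
            raise ValueError(f"unsupported term: {term!r}")
        layer, off, length, mask, op, value = m.groups()
        if layer != "ether" and not is_ipv4:
            return False
        if (layer == "tcp" and proto != 6) or (layer == "udp" and proto != 17):
            return False
        start = offs[layer] + int(off)
        field = int.from_bytes(frame[start:start + int(length or 1)], "big")
        if mask:
            field &= int(mask, 0)
        if (field == int(value, 0)) != (op == "="):
            return False
    return True


# Constructed sample: the 66-byte FIN/ACK frame from the verbose-3 dump above
# (Ethernet | IPv4, TTL 64, proto TCP | TCP 53521 -> 22, flags 0x11 = FIN+ACK).
FRAME = bytes.fromhex(
    "000000000001 90b11c2ffb1d 0800"
    "4508 0034 f7ef 4000 4006 b840 c0a80932 c0a80009"
    "d111 0016 2b9b6e87 a506833f 8011 00f4 f9c4 0000"
    "0101 080a 5e9f96d9 efc778a6")

if __name__ == "__main__":
    for f in (mac_filter("00:09:0f:89:10:ea"), ipv4_filter("192.168.1.2"),
              "ip[8:1] = 0x01", "tcp[13] & 4 != 0", "tcp[13] & 2 != 0",
              "tcp[13] = 18", "tcp[13] & 1 != 0", ipv4_filter("192.168.9.50")):
        print(f"{f:55} -> {matches(FRAME, f)}")
```

If the capture interface carries 802.1Q tags, every ether[] offset past byte 11 shifts by 4 and the EtherType check in `matches` would fail; that is the same pitfall you hit on the firewall when a filter that looks right never matches.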
Advanced sniffer (debug flow):
Check whether debug is enabled
> diagnose debug info
debug output: disable
console timestamp: disable
console no user log message: disable
zebos debug level: 306783954 (0x124926d2)
CLI debug level: 3
Enable debug logging (for the current CLI session)
> diag debug enable
> diagnose debug info
debug output: enable
console timestamp: disable
console no user log message: disable
CLI debug level: 3
Display debug output on the console.
> diag debug flow show console enable
show trace messages on console
Show the current filters
> diag debug flow filter
vf: any
proto: any
Host addr: any
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any
Setting the filter
> diagnose debug flow filter addr 1.1.1.1
> diagnose debug flow filter
vf: any
proto: any
host addr: 1.1.1.1-1.1.1.1
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any
> diagnose debug flow filter port 443
> diagnose debug flow filter
vf: any
proto: any
host addr: 1.1.1.1-1.1.1.1
Host saddr: any
Host daddr: any
port: 443 - 443
sport: any
dport: any
Start the trace for 2 packets (set a filter first: an unfiltered trace on a busy firewall floods the console)
> diagnose debug flow trace start 2
id=20085 trace_id=41 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 2.2.2.2:3563->1.1.1.1:443) from Net2. flag [S], seq 951935798, ack 0, win 65535"
id=20085 trace_id=41 func=init_ip_session_common line=4522 msg="allocate a new session-04c299b0"
id=20085 trace_id=41 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-1.1.1.1 via Net5"
id=20085 trace_id=41 func=fw_forward_handler line=670 msg="Allowed by Policy-11:"
id=20085 trace_id=42 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 1.1.1.1:443->2.2.2.2:3563) from Net5. flag [S.], seq 1802453605, ack 951935799, win 5840"
id=20085 trace_id=42 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-04c299b0, reply direction"
id=20085 trace_id=42 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.2.246 via Net2"
Changing the CLI debug level (default: 3)
> diagnose debug cli <0-8>
> diagnose debug cli 4
> diagnose debug info
debug output: enable
console timestamp: disable
console no user log message: disable
CLI debug level: 4
Reset the debug settings
> diagnose debug reset
> diagnose debug info
debug output: enable
console timestamp: disable
console no user log message: disable
CLI debug level: 3
Clearing the filters
> diag debug flow filter clear
> diagnose debug flow filter
vf: any
proto: any
Host addr: any
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any
Enabling timestamps in the trace
> diagnose debug flow trace start 2
id=20085 trace_id=43 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.1:22->1.1.1.2:35130) from local. flag [.], seq 193081652, ack 1179540658, win 6732"
id=20085 trace_id=43 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, reply direction"
id=20085 trace_id=44 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.2:35130->1.1.1.1:22) from mgmt1. flag [.], seq 1179540658, ack 193081652, win 145"
id=20085 trace_id=44 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, original direction"
> diagnose debug console timestamp enable
> diagnose debug flow trace start 2
2015-04-21 07:24:31 id=20085 trace_id=45 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.1:22->1.1.1.2:35130) from local. flag [.], seq 193091828, ack 1179546978, win 6732"
2015-04-21 07:24:31 id=20085 trace_id=45 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, reply direction"
2015-04-21 07:24:31 id=20085 trace_id=46 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.1:22->1.1.1.2:35130) from local. flag [.], seq 193091876, ack 1179546978, win 6732"
2015-04-21 07:24:31 id=20085 trace_id=46 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, reply direction"
Disabling debug
> diagnose debug flow disable
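Reading a long trace by eye is slow; a parser that regroups the lines per trace_id and pulls out the 5-tuple, ingress interface, session id and direction, the route chosen and the policy verdict turns it into one line per packet, which is what you want when answering "why was this flow allowed or dropped". The script below is an added example (not Fortinet's code); its regexes are derived from the message formats visible on this page, and the "Denied by"/"drop" verdict patterns are an assumption for messages not shown here. The sample input is constructed from the trace lines above.

```python
"""Summarise `diagnose debug flow` trace output per trace_id.

Added example (not from the page or from Fortinet). Regroups the trace lines
by trace_id and extracts the 5-tuple, ingress interface, session id and
direction, the route chosen and the policy verdict. Regexes follow the message
formats visible on this page; the "Denied by"/"drop" verdict patterns are an
assumption for messages not shown here.
"""
import re

LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"\s*$')
PKT_RE = re.compile(
    r"^vd-(\S+) received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)"
    r" from (\S+)\. flag \[([^\]]*)\]")
SESSION_RE = re.compile(
    r"(?:allocate a new session|Find an existing session, id)-([0-9a-f]+)"
    r"(?:, (\w+) direction)?")
ROUTE_RE = re.compile(r"find a route: .*?gw-([\d.]+) via (\S+)")
VERDICT_RE = re.compile(r"^(?:Allowed by|Denied by)\b|\bdrop\b", re.IGNORECASE)


def parse_flow_trace(text):
    """Return one dict per trace_id, in order of first appearance."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)          # search: tolerates a timestamp prefix
        if not m:
            continue
        trace_id, func, msg = int(m.group(1)), m.group(2), m.group(3)
        t = traces.setdefault(trace_id, {"trace_id": trace_id, "funcs": []})
        t["funcs"].append(func)
        if p := PKT_RE.search(msg):
            t.update(vdom=p.group(1), proto=int(p.group(2)),
                     src=f"{p.group(3)}:{p.group(4)}", dst=f"{p.group(5)}:{p.group(6)}",
                     ingress=p.group(7), flags=p.group(8))
        elif s := SESSION_RE.search(msg):
            t["session"], t["direction"] = s.group(1), s.group(2) or "new"
        elif r := ROUTE_RE.search(msg):
            t["gateway"], t["egress"] = r.group(1), r.group(2)
        elif VERDICT_RE.search(msg):
            t["verdict"] = msg.rstrip(": ")
    return list(traces.values())


def summarize(t):
    """One line per trace: tuple, session, route, verdict."""
    parts = [f"trace {t['trace_id']} vd-{t.get('vdom', '?')}: proto {t.get('proto', '?')} "
             f"{t.get('src', '?')} -> {t.get('dst', '?')} in {t.get('ingress', '?')} "
             f"[{t.get('flags', '')}]"]
    if "session" in t:
        parts.append(f"session {t['session']} ({t['direction']})")
    if "egress" in t:
        parts.append(f"route gw {t['gateway']} via {t['egress']}")
    parts.append(t.get("verdict", "no policy verdict logged"))
    return "; ".join(parts)


# Constructed sample from the trace lines shown on this page (traces 41 and 42
# without timestamps, trace 45 after `diagnose debug console timestamp enable`).
SAMPLE = """\
id=20085 trace_id=41 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 2.2.2.2:3563->1.1.1.1:443) from Net2. flag [S], seq 951935798, ack 0, win 65535"
id=20085 trace_id=41 func=init_ip_session_common line=4522 msg="allocate a new session-04c299b0"
id=20085 trace_id=41 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-1.1.1.1 via Net5"
id=20085 trace_id=41 func=fw_forward_handler line=670 msg="Allowed by Policy-11:"
id=20085 trace_id=42 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 1.1.1.1:443->2.2.2.2:3563) from Net5. flag [S.], seq 1802453605, ack 951935799, win 5840"
id=20085 trace_id=42 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-04c299b0, reply direction"
id=20085 trace_id=42 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.2.246 via Net2"
2015-04-21 07:24:31 id=20085 trace_id=45 func=print_pkt_detail line=4373 msg="vd-vsys_hamgmt received a packet(proto=6, 1.1.1.1:22->1.1.1.2:35130) from local. flag [.], seq 193091828, ack 1179546978, win 6732"
2015-04-21 07:24:31 id=20085 trace_id=45 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-05e66282, reply direction"
"""

if __name__ == "__main__":
    for trace in parse_flow_trace(SAMPLE):
        print(summarize(trace))
```

A reply-direction packet that matches an existing session (trace 42) legitimately has no policy line, because the policy decision was taken on the first packet of the session (trace 41); only a packet in the original direction of a new session without a verdict line deserves a closer look.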
Condensed version:
diag debug enable
diag debug flow show console enable
diagnose debug flow filter addr 1.1.1.1
diagnose debug flow trace start 20
diag debug flow trace stop
diag debug reset
diag debug disable