juniper防火墙(SSG and SRX)排障抓包命令
一、Screen OS抓包
debug:跟蹤防火墻對數據包的處理過程
1. Set ffilter src-ip x.x.x.x dst-ip x.x.x.x dst-port xx
設置過濾列表,定義捕獲包的范圍
2、clear dbuf
清除防火墻內存中緩存的分析包
3、debug flow basic
開啟debug數據流跟蹤功能
4、發送測試數據包或讓小部分流量穿越防火墻
5、undebug all
關閉所有debug功能
6、get dbuf stream
檢查防火墻對符合過濾條件數據包的分析結果
7、unset ffilter
清除防火墻debug過濾列表
8、clear dbuf
清除防火墻緩存的debug信息
9、get debug
查看當前debug設置
?
?
Snoop:捕獲進出防火墻的數據包,與Sniffer嗅包軟件功能類似
1. Snoop filter ip src-ip x.x.x.x dst-ip x.x.x.x dst-port xx
設置過濾列表,定義捕獲包的范圍
2、clear dbuf
清除防火墻內存中緩存的分析包
3、snoop
開啟snoop功能捕獲數據包
4、發送測試數據包或讓小部分流量穿越防火墻
5、snoop off
停止snoop
6、get db stream
檢查防火墻對符合過濾條件數據包的分析結果
7、snoop filter delete
清除防火墻snoop過濾列表
8、clear dbuf
清除防火墻緩存的debug信息
9、snoop info
查看snoop設置
?
?
?
?
?
?
?
?
?
?
?
?
二、SRX 抓包
debug:跟蹤防火墻對數據包的處理過程
SRX對應ScreenOS debug flow basic跟蹤報文處理路徑的命令:
set security flow traceoptions flag basic-datapath 開啟SRX基本報文處理Debug
set security flow traceoptions file filename.log?? 將輸出信息記錄到指定文件中
set security flow traceoptions file filename.log? size <file-size> 設置該文件大小,缺省128k
set security flow traceoptions packet-filter filter1 destination-prefix 5.5.5.2 設置報文跟蹤過濾器
run file show filename.log 查看該Log輸出信息
?
?
?
?
捕獲進出防火墻的數據包
開啟抓包功能參數設置
edit forwarding-options
set packet-capture maximum-capture-size 500? //Specify in bytes the maximum size of each packet to capture in each file—for example, 500. The range is between 68 and 1500, and the default is 68 bytes.
set packet-capture file filename pcap-file? ?//Specify the target filename for the packet capture file—for example, pcap-file. For each physical interface, the interface name is automatically suffixed to the filename—for example, pcap-file.fe-0.0.1.
set packet-capture file files 100?? // Specify the maximum number of files to capture—for example, 100. The range is between 2 and 10,000, and the default is 10 files. In the Files box, type 100
?
set packet-capture file size 1024? // Specify the maximum size of each file in bytes—for example, 1024. The range is between 1,024 and 104,857,600, and the default is 512,000 bytes. In the Size box, type 1024.
?
set packet-capture file world-readable? // Specify if all users have permission to read the packet capture files.
Configuring Packet Capture on an Interface
edit interfaces fe-0/0/1
set unit 0 family inet sampling input output
Configuring a Firewall Filter for Packet Capture
edit firewall
set firewall filter dest-all term dest-term from destination-address 192.168.1.1/32
set firewall filter dest-all term dest-term then sample accept
set interfaces fe-0/0/1 unit 0 family inet filter output dest-all
Disabling Packet Capture
edit forwarding-options
set packet-capture disable
轉載于:https://blog.51cto.com/359539/693176
總結
以上是生活随笔為你收集整理的juniper防火墙(SSG and SRX)排障抓包命令的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 提高网站访问速度的34条军规(2)
- 下一篇: linux 常用查看网络连接方法及脚本