Debugging ScreenOS on Juniper Netscreen
Published: 2019-05-25

Debugging on the Netscreen wasn't all that obvious to me. Because I don't always work on Netscreens, here is a note to myself to remember how to do it.

Netscreen ScreenOS debug and how to do it right

Get logged into CLI on the box.

Do a 'get debug' to check if there are any debugs currently running.

netscreen(M)-> get debug
flow: basic
netscreen(M)->

This tells us that there is a 'flow basic' debug already running. To turn it off, press the 'escape' key.

netscreen(M)-> All debug off
netscreen(M)->

ScreenOS uses the idea of flow filters to define interesting traffic. That makes sense: a firewall doesn't just handle individual packets, it inspects flows, and a flow is made up of packets.

So now we need to set some flow filters:

netscreen(M)-> set ff src-ip 192.168.1.10
filter added
netscreen(M)-> get ff
Flow filter based on:
id:0 src ip 195.232.226.225
id:1 src ip 195.232.226.226
id:2 src ip 192.168.1.10
netscreen(M)->

You can see that 'get ff' displays the flow filters you have created. Note that you can have many entries in the flow filter.

netscreen(M)-> set ff ?
dst-ip flow filter dst ip
dst-port flow filter dst port
ip-proto flow filter ip proto
src-ip flow filter src ip
src-port flow filter src port
netscreen(M)->

If you need to clear the filter:

netscreen(M)-> unset ff
filter 0 removed
netscreen(M)-> get ff
Flow filter based on:
id:0 src ip 195.232.226.226
id:1 src ip 192.168.1.10
netscreen(M)-> unset ff
filter 0 removed
netscreen(M)-> get ff
Flow filter based on:
id:0 src ip 192.168.1.10
netscreen(M)->

You get the idea, I’m sure.

So let's turn on debug:

netscreen(M)-> debug flow basic

and check which debugs are turned on.

netscreen(M)-> get debug
flow: basic
netscreen(M)->

The Netscreen stores the debug output in a buffer, which we can display with this command:

netscreen(M)-> get db str
76:192.168.1.2/8411->192.168.200.25/1c36,6,40
****** 93412.0: packet received [40]******
ipid = 50294(c476), @e00c6918
packet passed sanity check.
flow packet already have session.
flow session id 286622
vsd 0 is active
flow_tcp_fin_vector()
post addr xlation: 10.33.248.81->10.102.151.20.
update policy out counter info. packet send out to 00000c07ac1f through ethernet2/1
**st: e00fd118: c477:192.168.1.2/8417->192.168.200.25/1c36,6,40
****** 93412.0: packet received [40]******
ipid = 50295(c477), @e00fd118
packet passed sanity check.
flow packet already have session.
flow session id 286652
vsd 0 is active
Got ack, 192.168.1.2(33815)->192.168.200.25(7222), natpflag 0x200400, nspflag 0x1801, 0x1800, timeout=900
transfer packet to hardware.
**st: e00cd118: c49a:192.168.1.2/8417->192.168.200.25/1c36,6,40
****** 93412.0: packet received [40]******
ipid = 50330(c49a), @e00cd118
packet passed sanity check.
flow packet already have session.
flow session id 286652
vsd 0 is active
flow_tcp_fin_vector()
post addr xlation: 10.33.248.81->10.102.151.20.
update policy out counter info. packet send out to 00000c07ac1f through ethernet2/1
**st: e009f918: c49d:192.168.1.2/8417->192.168.200.25/1c36,6,40

and that's it.
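Once a dump like the one above has been saved off the box (for example with the tftp redirect covered further down), it is quicker to analyse with a script than by eye. The following Python is an added example, not code from the original post: it groups a `get db str` dump into one record per packet, decodes the hex ports in the 5-tuple header line (8411 is TCP port 33809, 1c36 is 7222) and pulls out the session id, NAT translation and egress path. The embedded sample is a constructed, trimmed copy of the dump above.

```python
import re
# Constructed sample: two packets from the dump above (filler lines dropped) plus a trailing header.
SAMPLE = """\
76:192.168.1.2/8411->192.168.200.25/1c36,6,40
****** 93412.0: packet received [40]******
ipid = 50294(c476), @e00c6918
flow session id 286622
flow_tcp_fin_vector()
post addr xlation: 10.33.248.81->10.102.151.20.
update policy out counter info. packet send out to 00000c07ac1f through ethernet2/1
**st: e00fd118: c477:192.168.1.2/8417->192.168.200.25/1c36,6,40
****** 93412.0: packet received [40]******
ipid = 50295(c477), @e00fd118
flow session id 286652
transfer packet to hardware.
**st: e009f918: c49d:192.168.1.2/8417->192.168.200.25/1c36,6,40
"""
# Header "src/sport->dst/dport,proto,len": ScreenOS prints the ports in hex.
HDR = re.compile(r"(\d+\.\d+\.\d+\.\d+)/([0-9a-f]+)->(\d+\.\d+\.\d+\.\d+)/([0-9a-f]+),(\d+),(\d+)")
MARK = re.compile(r"\*{6} ([\d.]+): packet received \[(\d+)\]\*{6}")
FIELDS = {  # per-line regexes and the record key each one fills
    "ipid": re.compile(r"ipid = (\d+)\("),
    "session": re.compile(r"flow session id (\d+)"),
    "nat": re.compile(r"post addr xlation: (\S+->\S+)\."),
    "egress": re.compile(r"packet send out to \S+ through (\S+)"),
}

def parse_dbuf(text):
    """Group `get db str` lines into one dict per 'packet received' block."""
    records, hdr, cur = [], None, None
    for line in text.splitlines():
        if (m := HDR.search(line)):          # the 5-tuple line describes the NEXT record
            hdr = m.groups()
        elif (m := MARK.search(line)):
            cur = {"ts": float(m.group(1)), "len": int(m.group(2)), "fin": False}
            if hdr:                          # decode the hex ports to decimal
                cur.update(src=hdr[0], sport=int(hdr[1], 16), dst=hdr[2],
                           dport=int(hdr[3], 16), proto=int(hdr[4]))
                hdr = None
            records.append(cur)
        elif cur is not None:                # detail line belonging to the current record
            if "transfer packet to hardware" in line:
                cur["egress"] = "hardware"   # ASIC fast path, no egress interface named
            elif "flow_tcp_fin_vector" in line:
                cur["fin"] = True            # the session is being torn down
            for key, rx in FIELDS.items():
                if (m := rx.search(line)):
                    cur[key] = int(m.group(1)) if key in ("ipid", "session") else m.group(1)
    return records
```

A trailing header with no following record (the buffer wrapped or was cut) is simply dropped, as in the sample.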

Understanding ‘ff’ (Flow Filter) statements ordering

The flow filters in the following set are applied as 'any': if a packet matches ANY of the flow filters, that packet will be matched.

netscreen(M)-> get ff
Flow filter based on:
id:0 src ip 192.168.100.1
id:1 src ip 192.168.100.2
id:2 src ip 192.168.1.10
netscreen(M)->

So this ruleset will match any IP packet with a source address of 192.168.100.1, 192.168.100.2 or 192.168.1.10. This is mostly a problem when you make the mistake of:

netscreen(M)-> set ff dst-ip 192.168.1.10
filter added
netscreen(M)-> set ff dst-port 80
filter added
netscreen(M)-> get ff
Flow filter based on:
id:0 dst ip 192.168.1.10
id:1 dst port 80
netscreen(M)->

This will show you every packet from any IP to port 80, PLUS every packet destined for 192.168.1.10.

The correct method:

netscreen(M)-> set ff dst-ip 192.168.1.10 ?
dst-port flow filter dst port
ip-proto flow filter ip proto
src-port flow filter src port
netscreen(M)-> set ff dst-ip 192.168.1.10 dst-port 80
filter added
netscreen(M)->

This will correctly match packets with a destination of 192.168.1.10 on port 80.
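To make the OR-between-entries / AND-within-an-entry behaviour concrete, here is an added Python model of flow filter matching (my own illustration, not ScreenOS code). It runs the two filter sets from the text, the mistaken pair of entries and the correct single entry, over constructed sample packets so the difference in what gets captured is visible.

```python
from dataclasses import dataclass
from typing import List, Optional

KEYS = ("src_ip", "dst_ip", "ip_proto", "src_port", "dst_port")  # the `set ff ?` options

@dataclass(frozen=True)
class FlowFilter:
    """One `set ff ...` entry; a field left as None is a wildcard."""
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    ip_proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        # Conditions given on ONE `set ff` line are ANDed together.
        return all(getattr(self, k) is None or getattr(self, k) == pkt[k] for k in KEYS)

def filter_set_matches(filters: List[FlowFilter], pkt: dict) -> bool:
    """Separate `set ff` entries are ORed: the packet is captured if ANY entry matches."""
    return any(f.matches(pkt) for f in filters)

def captured(filters: List[FlowFilter], packets: List[dict]) -> List[str]:
    """Names of the sample packets the debug would show for this filter set."""
    return [p["name"] for p in packets if filter_set_matches(filters, p)]

# Constructed sample traffic; "name" is only a label for the results.
PACKETS = [
    dict(name="web-to-host", src_ip="10.0.0.5", dst_ip="192.168.1.10", ip_proto=6, src_port=51000, dst_port=80),
    dict(name="ssh-to-host", src_ip="10.0.0.5", dst_ip="192.168.1.10", ip_proto=6, src_port=51001, dst_port=22),
    dict(name="web-elsewhere", src_ip="10.0.0.5", dst_ip="192.168.1.20", ip_proto=6, src_port=51002, dst_port=80),
    dict(name="dns-elsewhere", src_ip="10.0.0.5", dst_ip="192.168.1.20", ip_proto=17, src_port=51003, dst_port=53),
]

# The mistake: `set ff dst-ip 192.168.1.10` followed by `set ff dst-port 80` (two entries).
MISTAKE = [FlowFilter(dst_ip="192.168.1.10"), FlowFilter(dst_port=80)]
# The correct method: `set ff dst-ip 192.168.1.10 dst-port 80` (one entry).
CORRECT = [FlowFilter(dst_ip="192.168.1.10", dst_port=80)]

if __name__ == "__main__":
    print("two entries capture:", captured(MISTAKE, PACKETS))
    print("one entry captures: ", captured(CORRECT, PACKETS))
```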

Virtual Systems

Remember that you cannot debug from within a virtual system. You must be in the root vsys to run debug commands.

In order to debug and obtain output for traffic flowing through the Netscreen, you will need to run a couple of commands, shown below:

5gt-> unset ff
filter 0 removed
5gt-> undebug all
5gt-> clear db
5gt-> set ff dst-port 8080
filter added
5gt-> debug flow basic
5gt-> get db str

Each command does the following:

  • unset ff = remove all flow filters
  • undebug all = clears all previous debug settings
  • clear db = clears the debug buffer
  • set ff dst-port 8080 = creates a flow filter for port 8080
  • debug flow basic = sets the debug flow level to basic
  • get db str = shows the debug buffer stream

Once you have your debug stream buffer, you can remove the flow filter, turn off the basic debug and clear the debug buffer.

Example: you want to debug a connection from a client (192.168.110.20) to the internet (Google, 8.8.8.8).

From your client, start a continuous ping to 8.8.8.8; now you are able to debug the traffic on your Juniper device.

Go via SSH to your Juniper:

ssh netscreen@192.168.110.1
320-node2(M)->
320-node2(M)-> undebug all
320-node2(M)-> get ffilter
320-node2(M)-> clear db

Create new filter:

320-node2(M)-> set ffilter
# Available debug options:
dst-ip flow filter dst ip
dst-port flow filter dst port
ip-proto flow filter ip proto
src-ip flow filter src ip
src-port flow filter src port
320-node2(M)-> set ffilter src-ip 192.168.110.20 dst-ip 8.8.8.8
320-node2(M)-> debug flow basic

View dump:

320-node2(M)-> get db stream

Debug Netscreen Juniper SSG

Debug is one of the unlisted (hidden) commands in Juniper ScreenOS. As usual, be aware that debugging on a firewall (or any other network device) can, depending on the traffic load, cause high CPU utilization and impact performance.

Debug IKE Phase 1:

debug ike all
debug ike basic
debug ike detail

Debug ldap auth server:

debug auth all

Netscreen puts the debug information in the dbuf. You can set the size of the buffer with “set dbuf size <number>” where <number> can be from 32 to 4096 in kbytes.

set dbuf size 512

View the debug output:

get dbuf stream

Clear the buffer (debug information):

clear dbuf

Pipe the debug output to your TFTP server for later analysis, or if you get too much info on the screen:

get dbuf stream > tftp 192.168.1.100 firewall.log

Disable debug:

undebug all

Check phase two status:

get sa active
get sa inactive
get sa stat

Basic debug scenario using filters based on source and destination:

set ff src-ip [a] dst-ip [b]
set ff src-ip [b] dst-ip [a]
clear db
!
! Initiate traffic over the VPN then type:
!
debug flow basic
!
! or
!
debug ike detail
!
! Wait for a few seconds then type:
!
undebug all
get db stream
unset ff
unset ff

Informative troubleshooting commands:

get event
get event interface ?
get event src-ip [a] dst-ip [b]
get log | inc [interesting_key]
get log traffic policy [number] | inc [interesting_keyword]

Reprinted from: http://sihvi.baihongyu.com/
