Netscreen: Troubleshoot Packets Using Snoop

Snoop is a powerful troubleshooting tool that lets you view packet information from layer 2 to layer 4 as traffic enters and leaves the firewall interfaces.

There are two classes of Juniper/Netscreen firewalls: appliances and systems. Appliances process all traffic in the CPU. Systems are high-end devices that use ASICs as well as CPUs for processing. Packet capture tools such as snoop and debug only see traffic that is handled in the CPU. When a system receives the first packet of a session, it inspects it in the CPU; if the policy permits it, the session is handed to the ASIC. This gives better performance, but you cannot capture the traffic the ASIC forwards, so a capture on a system normally shows only the packets the CPU handled at the start of the session. Starting in ScreenOS 6.1, a per-policy option prevents the sessions matching a policy from being handed to the ASIC. That traffic stays in the CPU, so you can capture it. To keep a policy's traffic in the CPU, enter the policy context and set the option:

set policy id <id number>

set no-hw-sess

exit

Note: remember to roll back this change (unset the option in the same policy context) after you are done troubleshooting, since every session matching that policy will otherwise stay in the CPU and cost you the ASIC's performance.


To set up a snoop filter based on source/destination IP:

snoop info (shows the current snoop status and any filters; if snoop is already on, turn it off and delete the old filters before adding new ones)

snoop off

snoop filter delete

snoop filter ip src-ip x.x.x.x dst-ip x.x.x.x (a filter captures traffic in one direction only; add a second filter with the addresses swapped to capture the return traffic)

clear db (empties the debug buffer, which snoop and debug share, so the capture starts clean)

snoop (prompts you to start snoop; press "y" for yes)

get db stream (prints the captured records from the debug buffer; the buffer is small, so stop snoop as soon as you have the packets you need)


Example (ScreenOS accepts unambiguous command abbreviations, so snoo, cl db and get db stre below are the full commands snoop, clear db and get db stream; the (M) in the prompt marks the master unit of an NSRP cluster):

(M)-> snoop filter delete

All filters removed

(M)-> snoo filter ip dst-ip 10.133.0.3

snoop filter added

(M)-> cl db

(M)-> snoop

Start Snoop, type ESC or 'snoop off' to stop, continue? [y]/n y

(M)->

(M)-> get db stre

45804306.0: ethernet1/0(i) len=201:001ec9ab01dc->0010dbff2080/0800

10.128.28.99 -> 10.133.0.3/6

vhl=45, tos=00, id=17859, frag=0000, ttl=128 tlen=187

tcp:ports 4790->150, seq=1608066714, ack=2975491607, flag=5018/ACK

 

45804306.0: ethernet0/1(o) len=201:0010dbff2050->00188b38937c/0800

10.128.28.99 -> 10.133.0.3/6

vhl=45, tos=00, id=17859, frag=0000, ttl=127 tlen=187

tcp:ports 4790->150, seq=1608066714, ack=2975491607, flag=5018/ACK

 

45804306.0: ethernet1/0(i) len=60:001ec9ab01dc->0010dbff2080/0800

10.128.28.99 -> 10.133.0.3/6

vhl=45, tos=00, id=17861, frag=0000, ttl=128 tlen=40

tcp:ports 4790->150, seq=1608066861, ack=2975491754, flag=5010/ACK

 

45804306.0: ethernet0/1(o) len=54:0010dbff2050->00188b38937c/0800

10.128.28.99 -> 10.133.0.3/6

vhl=45, tos=00, id=17861, frag=0000, ttl=127 tlen=40

tcp:ports 4790->150, seq=1608066861, ack=2975491754, flag=5010/ACK

 

(M)-> snoop off

Snoop off
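Reading the records above: each packet appears twice, once on ethernet1/0 marked (i) as it enters the firewall and once on ethernet0/1 marked (o) as it leaves. The first line of a record gives the frame length and the source and destination MACs with the ethertype (0800 = IPv4); the second gives the IP addresses and protocol number (/6 = TCP); vhl=45 is IP version 4 with a 5-word (20-byte) header; the ttl drops from 128 to 127 because the packet was routed; and flag=5018 is the raw TCP data-offset/flags word, so the 0x18 means PSH and ACK even though snoop labels the record ACK. The ingress copy of the second packet shows len=60 while its egress copy shows len=54 only because the received frame was padded to the Ethernet minimum; tlen=40 is the real IP length in both. A packet that shows up as (i) and never as (o) was dropped or went to the ASIC, and that is usually the thing you are looking for. The following Python script is an added example, not part of the original post and not ScreenOS code: it parses records in this format, decodes the flag word and payload length, and pairs every ingress record with its egress copy. The sample input is constructed from the first two records above plus an assumed ingress-only SYN (id 17870) that does not appear on the page; the parser handles TCP records only.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the first two records from the page (one packet entering on
# ethernet1/0 and leaving on ethernet0/1) plus an assumed ingress-only SYN (id=17870).
SAMPLE = """\
45804306.0: ethernet1/0(i) len=201:001ec9ab01dc->0010dbff2080/0800
10.128.28.99 -> 10.133.0.3/6
vhl=45, tos=00, id=17859, frag=0000, ttl=128 tlen=187
tcp:ports 4790->150, seq=1608066714, ack=2975491607, flag=5018/ACK

45804306.0: ethernet0/1(o) len=201:0010dbff2050->00188b38937c/0800
10.128.28.99 -> 10.133.0.3/6
vhl=45, tos=00, id=17859, frag=0000, ttl=127 tlen=187
tcp:ports 4790->150, seq=1608066714, ack=2975491607, flag=5018/ACK

45804306.0: ethernet1/0(i) len=74:001ec9ab01dc->0010dbff2080/0800
10.128.28.99 -> 10.133.0.3/6
vhl=45, tos=00, id=17870, frag=0000, ttl=128 tlen=60
tcp:ports 4791->23, seq=1608067000, ack=0, flag=a002/SYN
"""

# One snoop record is four lines: frame header, IP addresses, IP header, TCP header.
HDR_RE = re.compile(r"^[\d.]+: (?P<iface>\S+)\((?P<dir>[io])\) len=\d+:[0-9a-f]{12}->[0-9a-f]{12}/[0-9a-f]{4}$")
IP_RE = re.compile(r"^(?P<src>[\d.]+) -> (?P<dst>[\d.]+)/(?P<proto>\d+)$")
IPH_RE = re.compile(r"^vhl=(?P<vhl>[0-9a-f]{2}), tos=[0-9a-f]{2}, id=(?P<id>\d+), frag=[0-9a-f]{4}, ttl=(?P<ttl>\d+) tlen=(?P<tlen>\d+)$")
TCP_RE = re.compile(r"^tcp:ports (?P<sport>\d+)->(?P<dport>\d+), seq=(?P<seq>\d+), ack=\d+, flag=(?P<flag>[0-9a-f]{4})/\w+$")
FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

@dataclass
class Packet:
    iface: str
    direction: str  # "i" = entering the firewall, "o" = leaving it
    src: str
    dst: str
    proto: int
    ip_id: int
    ihl: int        # IP header bytes: low nibble of vhl times 4
    ttl: int
    tlen: int       # IP total length; the Ethernet len= may include padding, this does not
    sport: int
    dport: int
    seq: int
    flag: int       # 16-bit word: TCP data offset in the top nibble, flag bits in the low byte

    @property
    def key(self) -> Tuple[int, int, int]:
        # NAT may rewrite addresses and ports, but the IP id and TCP sequence number
        # survive forwarding, so together they identify one packet on both sides.
        return (self.proto, self.ip_id, self.seq)

def parse_stream(text: str) -> List[Packet]:
    """Split a `get db stream` dump into records and parse each one (TCP only)."""
    packets: List[Packet] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) != 4:
            raise ValueError(f"unexpected record layout: {lines!r}")
        h, ip, iph, tcp = (r.match(ln) for r, ln in zip((HDR_RE, IP_RE, IPH_RE, TCP_RE), lines))
        if not (h and ip and iph and tcp):
            raise ValueError(f"could not parse record: {lines!r}")
        packets.append(Packet(
            iface=h["iface"], direction=h["dir"], src=ip["src"], dst=ip["dst"],
            proto=int(ip["proto"]), ip_id=int(iph["id"]), ihl=(int(iph["vhl"], 16) & 0x0F) * 4,
            ttl=int(iph["ttl"]), tlen=int(iph["tlen"]), sport=int(tcp["sport"]),
            dport=int(tcp["dport"]), seq=int(tcp["seq"]), flag=int(tcp["flag"], 16)))
    return packets

def tcp_flags(flag_word: int) -> List[str]:
    """Decode the flag byte: snoop prints one name (5018/ACK) but 0x18 is PSH and ACK."""
    return [name for bit, name in FLAG_BITS if flag_word & bit]

def payload_len(pkt: Packet) -> int:
    """TCP payload bytes = IP total length - IP header - TCP header (data offset * 4)."""
    return pkt.tlen - pkt.ihl - ((pkt.flag >> 12) & 0x0F) * 4

@dataclass
class Verdict:
    forwarded: List[Tuple[Packet, Packet]] = field(default_factory=list)
    ingress_only: List[Packet] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)

def match_flows(packets: List[Packet]) -> Verdict:
    """Pair each (i) record with the (o) record for the same packet. One that enters but
    never leaves was dropped (policy, screen, no route) or was forwarded by the ASIC,
    which snoop cannot see unless the policy is set to keep its sessions in the CPU."""
    egress: Dict[Tuple[int, int, int], Packet] = {p.key: p for p in packets if p.direction == "o"}
    v = Verdict()
    for p in (p for p in packets if p.direction == "i"):
        out = egress.get(p.key)
        if out is None:
            v.ingress_only.append(p)
            continue
        if out.ttl != p.ttl - 1:  # a routed packet loses exactly one hop
            v.notes.append(f"id {p.ip_id}: ttl {p.ttl} -> {out.ttl}, expected {p.ttl - 1}")
        if (out.src, out.dst, out.sport, out.dport) != (p.src, p.dst, p.sport, p.dport):
            v.notes.append(f"id {p.ip_id}: NAT applied, now {out.src}:{out.sport} -> {out.dst}:{out.dport}")
        v.forwarded.append((p, out))
    return v
```

Paste a real get db stream capture in place of SAMPLE and call match_flows(parse_stream(text)): an entry in ingress_only is the packet to chase next (policy lookup, route, screen counters, or a session that went to the ASIC), a note about NAT just means the policy translated the packet, and a TTL note means the egress copy is not the packet you think it is.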
