Netscreen Packet Capture – Snoop

Packet Capture (cropped)

I’ve worked with Netscreens for a few years now, starting with ScreenOS version 5.x, and when troubleshooting I had always been pointed towards debug flow as the way to see what was going on. I suspect many of you have also been taught:

  • clear db
  • debug flow basic
  • (wait for packets you wanted to capture)
  • undebug all
  • get db stream (to view output)

This is definitely helpful for rule debugging but for simple packet capture is a bit over the top, which is where the snoop command comes in.

Snoop

To be clear, snoop won’t tell you anything about what decisions the firewall made about the packets, but it’s a simple way to see the actual traffic. Here’s an example of the output produced by snoop:

19944926.0: ethernet2/1(o) len=206:0010dbff2070->00005e000101/8100/0800, tag 1872
              1.4.63.82 -> 1.15.18.27/17
              vhl=45, tos=00, id=13096, frag=0000, ttl=64 tlen=188
              udp:ports 500->500, len=168
              00 00 5e 00 00 01 00 10 db a1 27 a1 81 00 07 50     ..^........p....
              08 00 45 00 00 bc 33 28 00 00 40 11 b6 18 01 04     ..E...3([email protected]
              3f 52 01 0e 12 1b 01 f4 01 f4 00 a8 95 79 a8 d3     @4P..........y..
              a6 4a f3 28 34 82 00 00 00 00 00 00 00 00 02 18     ...........3@...
              09 00 00 00 00 00 00 00 00 c2 0a 00 00 ea 00 00     ....a..'........
              00 08 00 00 00 16 00 00 00 b8 02 31 aa 90 00 00     ...P....y.......

Pretty straightforward stuff – you get to see the source and destination IP and protocol (17 is UDP), some header and port information, and the length, followed by a hex dump of some of the packet. That’s enough to see what’s going on in many cases. So how do you use it?

Snoop Configuration

First step, make sure nothing else is filling the debug buffer:

  • undebug all
  • snoop off

Now double check the current status of snoop to make sure it’s not running:

netscreen-> snoop info
Snoop: OFF
Filters Defined: 0, Active Filters 0
Detail: ON, Detail Display length: 96
Snoop tunnel traffic: ON
netscreen->

In this case there are no filters already defined, so we can create one. As a simple example, let’s filter on a specific IP:

  • snoop filter ip 1.2.3.4

There are actually a number of options you can add to this command, including IPs, ports, IP protocols and direction (the default is to capture both inbound and outbound). You can also add more than up to eight filters; just issue the snoop filter ip command again and the filter will be added. If we check the status of the snoop again, the new filter shows up and it has an id:

netscreen-> snoop info
    Snoop: OFF
    Filters Defined: 1, Active Filters 1
    Detail: ON, Detail Display length: 96
    Snoop tunnel traffic: ON
    Snoop filter based on:
    id 1(on): IP ip 1.2.3.4 dir(B)

The filter id can be used to individual enable, disable, or delete a filter:

netscreen-> snoop filter id 1 ?
delete               delete snoop filter
off                  turn off snoop filter
on                   turn on snoop filter

Now the filter is in place, let’s clear the old debug buffer before we start adding content:

  • clear dbuf

And finally, we’ll start our snoop:

  • snoop

You’ll be prompted to type y to continue with the snoop. At any point, you can view the current buffered output by issuing:

  • get dbuf stream

If you’re on console, if memory serves, the db stream is mirrored there automatically, but I believe on a VTY you don’t get to see it unless you issue the get db stream command.

When you’re done, stop the snooping:

  • snoop off

If you want to delete the filters you added (all of them):

  • snoop filter delete

…or you can delete individual filters by id.

My 10 Bits

I failed to discover this command’s existence for the longest time, and I have no idea how as it’s incredibly useful; just remember to turn it off afterwards. It feels – subjectively – safer somehow than a debug flow basic, but I welcome your opinions on that statement!

Be the first to comment

Leave a Reply

Your email address will not be published.


*


 

This site uses Akismet to reduce spam. Learn how your comment data is processed.