Snoop
There is no port-mirror or flow generation functionality on our SSG or older firewalls (true as of 6.2.x).You can run snoop on the firewall; however beware that snoop is very CPU intensive.You also need to know that the buffer that snoop uses is laughably small: 128MB. At any given time you appear to see only the last 128MB. So unless you are extremely specific about your filters, or use it on a really really quiet link, you will probably not see what you are looking for.| Command | Description |
|---|---|
| clear dbuf | clears the debug output |
| snoop | enables snoop |
| snoop filter ip | |
| snoop filter ip 10.10.0.1 port 22 interface Untrust direction both | |
| snoop filter ip src-ip 10.1.2.1 dst-ip 192.168.1.2 src-port 80 | |
| snoop detail len 1514 | turns on full packet capture(as opposed to headers) |
| snoop off | turns off snoop |
| Snoop info | displays the snoop status |
| get db stream | displays L2,3 and 4 headers of each incoming (i) and outgoing (o) packet. |
| get db stream > tftp $IP $FILE | send output to tftp |
20644057.0: ethernet0/0(i) len=167:0026c67c11ba->ffffffffffff/8100/0800, tag 2023
172.25.7.65 -> 255.255.255.255/17
vhl=45, tos=00, id=18868, frag=0000, ttl=128 tlen=149
udp:ports 17500->17500, len=129
ff ff ff ff ff ff 00 26 c6 7c 11 ba 81 00 07 e7 .......&.|......
08 00 45 00 00 95 49 b4 00 00 80 11 3d 4a ac 19 ..E...I.....=J..
07 41 ff ff ff ff 44 5c 44 5c 00 81 30 67 7b 22 .A....DD..0g{"
68 6f 73 74 5f 69 6e 74 22 3a 20 31 35 36 36 36 host_int":.15666
32 35 30 38 2c 20 22 76 65 72 73 69 6f 6e 22 3a 2508,."version":
20 5b 31 2c 20 38 5d 2c 20 22 64 69 73 70 6c 61 .[1,.8],."displa
20644057.0: ethernet0/0(i) len=64:001b217ea0b0->ffffffffffff/886d
ff ff ff ff ff ff 00 1b 21 7e a0 b0 88 6d 00 01 ........!~...m..
00 01 00 27 43 fc 00 04 00 1b 21 7e a0 b0 00 00 ...'C.....!~....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................Note: "snoop" seems to be one of those charming hold-overs from Netscreen's origins with Sun Microsystems.
no comments |
post comment
Virtual Dave Megaplex:
Home Page- This wiki's start page
- Send Feedback To Dave
Logged in Users: (0)
Recently Changed
Check Internet Service Database Match- Device-Local Certificate Expired
- CLI Policy Lookup
- DH Selection For IPsec VPNs
- Scan For Newly Added Disk
- nmap
- Seconds Since Epoch to Local Time
- Link Monitor
- DH group to OAKLEY_GROUP table
- Fire Eater
- start
- FortiClient Error Codes
- dhparams Generation
- SSL Certificate Bundles
- ufw
- Grow A LVM Partition
- Creating Users
- whoami
- list databases
- 2023
- 2022
- 2019
- 2018
- 2017
- 2011
- 2010
- 2008
- 2001
- 2000
- 1999
Editing: snipsnap-help, Image Macro(Et auditum est, et idcirco ego nunc simulare)
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.