Snoop
There is no port-mirror or flow generation functionality on our SSG or older firewalls (true as of 6.2.x).
You can run snoop on the firewall; however, beware that snoop is very CPU intensive.
You also need to know that the buffer that snoop uses is laughably small: 128MB. At any given time you appear to see only the last 128MB, so unless you are extremely specific with your filters, or use it on a really quiet link, you will probably not see what you are looking for.
| Command | Description |
|---|---|
| clear dbuf | clears the debug output |
| snoop | enables snoop |
| snoop filter ip | |
| snoop filter ip 10.10.0.1 port 22 interface Untrust direction both | |
| snoop filter ip src-ip 10.1.2.1 dst-ip 192.168.1.2 src-port 80 | |
| snoop detail len 1514 | turns on full packet capture (as opposed to headers) |
| snoop off | turns off snoop |
| snoop info | displays the snoop status |
| get db stream | displays L2, 3 and 4 headers of each incoming (i) and outgoing (o) packet |
| get db stream > tftp $IP $FILE | send output to tftp |
Sample output
20644057.0: ethernet0/0(i) len=167:0026c67c11ba->ffffffffffff/8100/0800, tag 2023
172.25.7.65 -> 255.255.255.255/17
vhl=45, tos=00, id=18868, frag=0000, ttl=128 tlen=149
udp:ports 17500->17500, len=129
ff ff ff ff ff ff 00 26 c6 7c 11 ba 81 00 07 e7 .......&.|......
08 00 45 00 00 95 49 b4 00 00 80 11 3d 4a ac 19 ..E...I.....=J..
07 41 ff ff ff ff 44 5c 44 5c 00 81 30 67 7b 22 .A....D\D\..0g{"
68 6f 73 74 5f 69 6e 74 22 3a 20 31 35 36 36 36 host_int":.15666
32 35 30 38 2c 20 22 76 65 72 73 69 6f 6e 22 3a 2508,."version":
20 5b 31 2c 20 38 5d 2c 20 22 64 69 73 70 6c 61 .[1,.8],."displa
20644057.0: ethernet0/0(i) len=64:001b217ea0b0->ffffffffffff/886d
ff ff ff ff ff ff 00 1b 21 7e a0 b0 88 6d 00 01 ........!~...m..
00 01 00 27 43 fc 00 04 00 1b 21 7e a0 b0 00 00 ...'C.....!~....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
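Output in this format can be parsed offline, for instance after sending it to a TFTP server. The Python parser below is an added example, not code from the original page; its regular expressions are inferred from the two sample packets above only, and the names `parse_stream` and `decode_ipv4` are assumptions. It rebuilds each frame from the hex dump and re-derives the VLAN tag, addresses and ports so they can be checked against snoop's own text decode.

```python
import re
import struct

# Constructed input: the page's sample output, hex dumps cut to the header bytes.
SAMPLE = """\
20644057.0: ethernet0/0(i) len=167:0026c67c11ba->ffffffffffff/8100/0800, tag 2023
172.25.7.65 -> 255.255.255.255/17
vhl=45, tos=00, id=18868, frag=0000, ttl=128 tlen=149
udp:ports 17500->17500, len=129
ff ff ff ff ff ff 00 26 c6 7c 11 ba 81 00 07 e7 .......&.|......
08 00 45 00 00 95 49 b4 00 00 80 11 3d 4a ac 19 ..E...I.....=J..
07 41 ff ff ff ff 44 5c 44 5c 00 81 30 67 7b 22 .A....D\\D\\..0g{"
20644057.0: ethernet0/0(i) len=64:001b217ea0b0->ffffffffffff/886d
ff ff ff ff ff ff 00 1b 21 7e a0 b0 88 6d 00 01 ........!~...m..
"""

HDR = re.compile(r"(?P<time>\d+\.\d+): (?P<ifname>\S+)\((?P<dir>[io])\) "
                 r"len=(?P<len>\d+):(?P<src_mac>[0-9a-f]{12})->"
                 r"(?P<dst_mac>[0-9a-f]{12})/(?P<etypes>[0-9a-f/]+)")
HEX = re.compile(r"(?:[0-9a-f]{2} ){1,16}")  # up to 16 bytes, then the ASCII column

def parse_stream(text):
    """Split 'get db stream' text into packets with header fields and frame bytes."""
    packets = []
    for line in map(str.strip, text.splitlines()):
        if m := HDR.match(line):
            packets.append({**m.groupdict(), "len": int(m["len"]), "frame": b""})
        elif packets and (m := HEX.match(line + " ")):
            pkt = packets[-1]
            room = max(pkt["len"] - len(pkt["frame"]), 0)  # cap at declared length
            pkt["frame"] += bytes.fromhex(m.group(0))[:room]
    return packets

def decode_ipv4(frame):
    """Re-derive VLAN, IPv4 addresses and TCP/UDP ports from the raw bytes."""
    if len(frame) < 14:
        return None
    etype, off, vlan = struct.unpack_from("!H", frame, 12)[0], 14, None
    if etype == 0x8100 and len(frame) >= 18:  # 802.1Q tag precedes the real type
        tci, etype = struct.unpack_from("!HH", frame, 14)
        vlan, off = tci & 0x0FFF, 18
    if etype != 0x0800 or len(frame) < off + 20:
        return None
    ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
    addr = lambda i: ".".join(map(str, frame[off + i:off + i + 4]))
    has_l4 = proto in (6, 17) and len(frame) >= off + ihl + 4
    ports = struct.unpack_from("!HH", frame, off + ihl) if has_l4 else None
    return {"vlan": vlan, "src": addr(12), "dst": addr(16),
            "proto": proto, "ports": ports}
```

Calling `decode_ipv4(p["frame"])` for each packet returned by `parse_stream(SAMPLE)` yields the decoded fields for the first packet and `None` for the second, whose ethertype is not IPv4.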
Note: "snoop" seems to be one of those charming holdovers from NetScreen's origins with Sun Microsystems.