For When You Can't Have The Real Thing
[ start | index | login ]
start > Netscreen > snoop

snoop

Created by dave. Last edited by dave, 6 years and 255 days ago. Viewed 2,240 times. #2
[diff] [history] [edit] [rdf]
labels
attachments

Snoop

There is no port-mirror or flow generation functionality on our SSG or older firewalls (true as of 6.2.x).

You can run snoop on the firewall; however beware that snoop is very CPU intensive.

You also need to know that the buffer that snoop uses is laughably small: 128MB. At any given time you appear to see only the last 128MB. So unless you are extremely specific about your filters, or use it on a really really quiet link, you will probably not see what you are looking for.

CommandDescription
clear dbufclears the debug output
snoopenables snoop
snoop filter ip
snoop filter ip 10.10.0.1 port 22 interface Untrust direction both
snoop filter ip src-ip 10.1.2.1 dst-ip 192.168.1.2 src-port 80
snoop detail len 1514turns on full packet capture(as opposed to headers)
snoop offturns off snoop
Snoop infodisplays the snoop status
get db streamdisplays L2,3 and 4 headers of each incoming (i) and outgoing (o) packet.
get db stream > tftp $IP $FILEsend output to tftp

Sample output

20644057.0: ethernet0/0(i) len=167:0026c67c11ba->ffffffffffff/8100/0800, tag 2023
              172.25.7.65 -> 255.255.255.255/17
              vhl=45, tos=00, id=18868, frag=0000, ttl=128 tlen=149
              udp:ports 17500->17500, len=129
              ff ff ff ff ff ff 00 26 c6 7c 11 ba 81 00 07 e7     .......&.|......
              08 00 45 00 00 95 49 b4 00 00 80 11 3d 4a ac 19     ..E...I.....=J..
              07 41 ff ff ff ff 44 5c 44 5c 00 81 30 67 7b 22     .A....DD..0g{"
              68 6f 73 74 5f 69 6e 74 22 3a 20 31 35 36 36 36     host_int":.15666
              32 35 30 38 2c 20 22 76 65 72 73 69 6f 6e 22 3a     2508,."version":
              20 5b 31 2c 20 38 5d 2c 20 22 64 69 73 70 6c 61     .[1,.8],."displa

20644057.0: ethernet0/0(i) len=64:001b217ea0b0->ffffffffffff/886d ff ff ff ff ff ff 00 1b 21 7e a0 b0 88 6d 00 01 ........!~...m.. 00 01 00 27 43 fc 00 04 00 1b 21 7e a0 b0 00 00 ...'C.....!~.... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................


Note: "snoop" seems to be one of those charming hold-overs from Netscreen's origins with Sun Microsystems.
no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful:


snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt