Difference between revisions of "Packet Capture JUNOS"

From Teknologisk videncenter
Jump to: navigation, search
m (Created page with "JunOS understøtter at opsamle pakker til en pcap fil direkte på udstyret.<br/> '''Vær opmærksom på det kræver mange resourcer'''")
 
m
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
JunOS understøtter at opsamle pakker til en pcap fil direkte på udstyret.<br/>
+
JunOS understøtter at opsamle pakker til en pcap fil direkte på udstyret.<ref>[http://kb.juniper.net/InfoCenter/index?page=content&id=KB11709 How to create a PCAP packet capture on a J-Series or SRX branch device]</ref><br/>
'''Vær opmærksom på det kræver mange resourcer'''
+
'''Vær opmærksom på det kræver mange resourcer'''<br/><br/>
 +
på Branch SRX'er skal følgende konfigureres
 +
#Slå packet capture til under forwarding-options
 +
#Definer en fil der skal logges til
 +
#Definer maks pakke størrelsen
 +
#Definer et firewall filter der skal sample pakker
 +
#Smid filtret på et interface
 +
#Commit
 +
=Eksempel på konfiguration=
 +
LAN interfacet vlan.0 vil her sample alle indkomne pakker med en destinations port på TCP/80
 +
<source lang=cli>
 +
[edit]
 +
root@SRX07# <input>show | compare rollback 1</input>
 +
[edit interfaces vlan unit 0 family inet]
 +
+      filter {
 +
+          input HTTP;
 +
+      }
 +
[edit]
 +
+  forwarding-options {
 +
+      packet-capture {
 +
+          file filename HTTP-CAP;
 +
+          maximum-capture-size 1500;
 +
+      }
 +
+  }
 +
+  firewall {
 +
+      filter HTTP {
 +
+          term 1 {
 +
+              from {
 +
+                  protocol tcp;
 +
+                  destination-port 80;
 +
+              }
 +
+              then {
 +
+                  sample;
 +
+                  accept;
 +
+              }
 +
+          }
 +
+          term default {
 +
+              then accept;
 +
+          }
 +
+      }
 +
+  }
 +
</source>
 +
=PCAP Filen=
 +
PCAP filen findes under /cf/var/tmp/<navn>.<interface>
 +
<source lang=cli>
 +
root@SRX07# <input>run file list /cf/var/tmp/?</input>
 +
Possible completions:
 +
  <[Enter]>            Execute this command
 +
  <path>              Path to list
 +
  <notice>/cf/var/tmp/HTTP-CAP.vlan  Size: 73892, Last changed: Jan 12 22:13:24</notice>
 +
</source>
 +
Fra shellen kan man bruge tcpdump til at analyzere filen direkte eller overføre den til en server for at analyzere den med Wireshark
 +
==TCP Dump==
 +
<source lang=cli>
 +
root@SRX07# <input>run start shell</input>
 +
root@SRX07% <input>tcpdump -r /cf/var/tmp/HTTP-CAP.vlan</input>
 +
Reverse lookup for 192.168.1.2 failed (check DNS reachability).
 +
Other reverse lookup failures will not be reported.
 +
Use <no-resolve> to avoid reverse lookups on IP addresses.
 +
 
 +
22:12:49.177916  In IP 192.168.1.2.53248 > 192.168.146.101.http: S 130165449:130165449(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:12:49.177993  In IP 192.168.1.2.53248 > 192.168.146.101.http: . ack 146967937 win 256
 +
22:12:49.178041  In IP 192.168.1.2.53248 > 192.168.146.101.http: P 0:79(79) ack 1 win 256
 +
22:12:49.178108  In IP 192.168.1.2.53248 > 192.168.146.101.http: . ack 248 win 255
 +
22:12:49.178156  In IP 192.168.1.2.53248 > 192.168.146.101.http: F 79:79(0) ack 248 win 255
 +
22:13:08.872915  In IP 192.168.1.2.53253 > 185.31.17.175.http: S 469493814:469493814(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.873129  In IP 192.168.1.2.53255 > 185.31.17.175.http: S 581656369:581656369(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.873188  In IP 192.168.1.2.53254 > 185.31.17.175.http: S 3731498194:3731498194(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.874616  In IP 192.168.1.2.53256 > host-85.232.230.228.maxpi.pl.http: S 3967760413:3967760413(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.874803  In IP 192.168.1.2.53257 > host-85.232.230.228.maxpi.pl.http: S 3041244724:3041244724(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.874868  In IP 192.168.1.2.53258 > host-85.232.230.228.maxpi.pl.http: S 3148747047:3148747047(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.874916  In IP 192.168.1.2.53260 > 159.20.6.6.http: S 3204519997:3204519997(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.875027  In IP 192.168.1.2.53259 > 159.20.6.6.http: S 1601172244:1601172244(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.875091  In IP 192.168.1.2.53261 > 159.20.6.6.http: S 1064773724:1064773724(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.875141  In IP 192.168.1.2.53262 > 159.20.6.6.http: S 3465149975:3465149975(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.875188  In IP 192.168.1.2.53263 > 159.20.6.6.http: S 3660771728:3660771728(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.875316  In IP 192.168.1.2.53264 > 159.20.6.6.http: S 3481549314:3481549314(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.875381  In IP 192.168.1.2.53265 > beacon-3.newrelic.com.http: S 3410165567:3410165567(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.875428  In IP 192.168.1.2.53266 > beacon-3.newrelic.com.http: S 2336042501:2336042501(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.875528  In IP 192.168.1.2.53267 > beacon-3.newrelic.com.http: S 1625321004:1625321004(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.875591  In IP 192.168.1.2.53259 > 159.20.6.6.http: . ack 2102293682 win 256
 +
22:13:08.875853  In IP 192.168.1.2.53260 > 159.20.6.6.http: . ack 3087089253 win 256
 +
22:13:08.882934  In IP 192.168.1.2.53262 > 159.20.6.6.http: . ack 1323517297 win 256
 +
22:13:08.883036  In IP 192.168.1.2.53268 > 195.137.195.8.http: S 2133318288:2133318288(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.883100  In IP 192.168.1.2.53269 > 195.137.195.8.http: S 263836097:263836097(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.883149  In IP 192.168.1.2.53270 > 195.137.195.8.http: S 424401833:424401833(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.883211  In IP 192.168.1.2.53271 > 195.137.195.8.http: S 185113240:185113240(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.883261  In IP 192.168.1.2.53273 > 159.20.6.6.http: S 49235658:49235658(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.883309  In IP 192.168.1.2.53272 > 159.20.6.6.http: S 3956944977:3956944977(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.883373  In IP 192.168.1.2.53274 > 159.20.6.6.http: S 3090274801:3090274801(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.883421  In IP 192.168.1.2.53275 > 159.20.6.6.http: S 1820799325:1820799325(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.883495  In IP 192.168.1.2.53276 > 159.20.6.6.http: S 3229868342:3229868342(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
22:13:08.883543  In IP 192.168.1.2.53277 > 159.20.6.6.http: S 182171036:182171036(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 +
</source>
 +
==Wireshark==
 +
<source lang=cli>
 +
root@SRX07# <input>run file copy /cf/var/tmp/HTTP-CAP.vlan ftp://demo@192.168.1.2/HHTP_CAP.pcap</input>
 +
Password for demo@192.168.1.2:
 +
ftp://demo@192.168.1.2/HHTP_CAP.pcap          100% of  115 kB  423 kBps
 +
</source>
 +
{|
 +
|[[Image:ScreenShot14161.png|800px|left|thumb|Wireshark]]
 +
|}
 +
=References=
 +
<references />
 +
{{Source cli}}
 +
[[Category:Juniper]]

Latest revision as of 22:28, 12 January 2015

JunOS understøtter at opsamle pakker til en pcap fil direkte på udstyret.[1]
Vær opmærksom på det kræver mange resourcer

på Branch SRX'er skal følgende konfigureres

  1. Slå packet capture til under forwarding-options
  2. Definer en fil der skal logges til
  3. Definer maks pakke størrelsen
  4. Definer et firewall filter der skal sample pakker
  5. Smid filtret på et interface
  6. Commit

Eksempel på konfiguration

LAN interfacet vlan.0 vil her sample alle indkomne pakker med en destinations port på TCP/80

[edit]
root@SRX07# <input>show | compare rollback 1</input>
[edit interfaces vlan unit 0 family inet]
+       filter {
+           input HTTP;
+       }
[edit]
+  forwarding-options {
+      packet-capture {
+          file filename HTTP-CAP;
+          maximum-capture-size 1500;
+      }
+  }
+  firewall {
+      filter HTTP {
+          term 1 {
+              from {
+                  protocol tcp;
+                  destination-port 80;
+              }
+              then {
+                  sample;
+                  accept;
+              }
+          }
+          term default {
+              then accept;
+          }
+      }
+  }

PCAP Filen

PCAP filen findes under /cf/var/tmp/<navn>.<interface>

root@SRX07# <input>run file list /cf/var/tmp/?</input>
Possible completions:
  <[Enter]>            Execute this command
  <path>               Path to list
  <notice>/cf/var/tmp/HTTP-CAP.vlan  Size: 73892, Last changed: Jan 12 22:13:24</notice>

Fra shellen kan man bruge tcpdump til at analyzere filen direkte eller overføre den til en server for at analyzere den med Wireshark

TCP Dump

root@SRX07# <input>run start shell</input>
root@SRX07% <input>tcpdump -r /cf/var/tmp/HTTP-CAP.vlan</input>
Reverse lookup for 192.168.1.2 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

22:12:49.177916  In IP 192.168.1.2.53248 > 192.168.146.101.http: S 130165449:130165449(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:12:49.177993  In IP 192.168.1.2.53248 > 192.168.146.101.http: . ack 146967937 win 256
22:12:49.178041  In IP 192.168.1.2.53248 > 192.168.146.101.http: P 0:79(79) ack 1 win 256
22:12:49.178108  In IP 192.168.1.2.53248 > 192.168.146.101.http: . ack 248 win 255
22:12:49.178156  In IP 192.168.1.2.53248 > 192.168.146.101.http: F 79:79(0) ack 248 win 255
22:13:08.872915  In IP 192.168.1.2.53253 > 185.31.17.175.http: S 469493814:469493814(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.873129  In IP 192.168.1.2.53255 > 185.31.17.175.http: S 581656369:581656369(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.873188  In IP 192.168.1.2.53254 > 185.31.17.175.http: S 3731498194:3731498194(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.874616  In IP 192.168.1.2.53256 > host-85.232.230.228.maxpi.pl.http: S 3967760413:3967760413(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.874803  In IP 192.168.1.2.53257 > host-85.232.230.228.maxpi.pl.http: S 3041244724:3041244724(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.874868  In IP 192.168.1.2.53258 > host-85.232.230.228.maxpi.pl.http: S 3148747047:3148747047(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.874916  In IP 192.168.1.2.53260 > 159.20.6.6.http: S 3204519997:3204519997(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875027  In IP 192.168.1.2.53259 > 159.20.6.6.http: S 1601172244:1601172244(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875091  In IP 192.168.1.2.53261 > 159.20.6.6.http: S 1064773724:1064773724(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875141  In IP 192.168.1.2.53262 > 159.20.6.6.http: S 3465149975:3465149975(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875188  In IP 192.168.1.2.53263 > 159.20.6.6.http: S 3660771728:3660771728(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875316  In IP 192.168.1.2.53264 > 159.20.6.6.http: S 3481549314:3481549314(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875381  In IP 192.168.1.2.53265 > beacon-3.newrelic.com.http: S 3410165567:3410165567(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875428  In IP 192.168.1.2.53266 > beacon-3.newrelic.com.http: S 2336042501:2336042501(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875528  In IP 192.168.1.2.53267 > beacon-3.newrelic.com.http: S 1625321004:1625321004(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875591  In IP 192.168.1.2.53259 > 159.20.6.6.http: . ack 2102293682 win 256
22:13:08.875853  In IP 192.168.1.2.53260 > 159.20.6.6.http: . ack 3087089253 win 256
22:13:08.882934  In IP 192.168.1.2.53262 > 159.20.6.6.http: . ack 1323517297 win 256
22:13:08.883036  In IP 192.168.1.2.53268 > 195.137.195.8.http: S 2133318288:2133318288(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883100  In IP 192.168.1.2.53269 > 195.137.195.8.http: S 263836097:263836097(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883149  In IP 192.168.1.2.53270 > 195.137.195.8.http: S 424401833:424401833(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883211  In IP 192.168.1.2.53271 > 195.137.195.8.http: S 185113240:185113240(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883261  In IP 192.168.1.2.53273 > 159.20.6.6.http: S 49235658:49235658(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883309  In IP 192.168.1.2.53272 > 159.20.6.6.http: S 3956944977:3956944977(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883373  In IP 192.168.1.2.53274 > 159.20.6.6.http: S 3090274801:3090274801(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883421  In IP 192.168.1.2.53275 > 159.20.6.6.http: S 1820799325:1820799325(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883495  In IP 192.168.1.2.53276 > 159.20.6.6.http: S 3229868342:3229868342(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883543  In IP 192.168.1.2.53277 > 159.20.6.6.http: S 182171036:182171036(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>

Wireshark

root@SRX07# <input>run file copy /cf/var/tmp/HTTP-CAP.vlan ftp://demo@192.168.1.2/HHTP_CAP.pcap</input>
Password for demo@192.168.1.2:
ftp://demo@192.168.1.2/HHTP_CAP.pcap          100% of  115 kB  423 kBps
Wireshark

References