Packet Capture JUNOS

From Teknologisk videncenter
Revision as of 22:28, 12 January 2015 by Rael (talk | contribs)
Jump to: navigation, search

JunOS understøtter at opsamle pakker til en pcap fil direkte på udstyret.[1]
Vær opmærksom på det kræver mange resourcer

på Branch SRX'er skal følgende konfigureres

  1. Slå packet capture til under forwarding-options
  2. Definer en fil der skal logges til
  3. Definer maks pakke størrelsen
  4. Definer et firewall filter der skal sample pakker
  5. Smid filtret på et interface
  6. Commit

Eksempel på konfiguration

LAN interfacet vlan.0 vil her sample alle indkomne pakker med en destinations port på TCP/80

[edit]
root@SRX07# <input>show | compare rollback 1</input>
[edit interfaces vlan unit 0 family inet]
+       filter {
+           input HTTP;
+       }
[edit]
+  forwarding-options {
+      packet-capture {
+          file filename HTTP-CAP;
+          maximum-capture-size 1500;
+      }
+  }
+  firewall {
+      filter HTTP {
+          term 1 {
+              from {
+                  protocol tcp;
+                  destination-port 80;
+              }
+              then {
+                  sample;
+                  accept;
+              }
+          }
+          term default {
+              then accept;
+          }
+      }
+  }

PCAP Filen

PCAP filen findes under /cf/var/tmp/<navn>.<interface>

root@SRX07# <input>run file list /cf/var/tmp/?</input>
Possible completions:
  <[Enter]>            Execute this command
  <path>               Path to list
  <notice>/cf/var/tmp/HTTP-CAP.vlan  Size: 73892, Last changed: Jan 12 22:13:24</notice>

Fra shellen kan man bruge tcpdump til at analyzere filen direkte eller overføre den til en server for at analyzere den med Wireshark

TCP Dump

root@SRX07# <input>run start shell</input>
root@SRX07% <input>tcpdump -r /cf/var/tmp/HTTP-CAP.vlan</input>
Reverse lookup for 192.168.1.2 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

22:12:49.177916  In IP 192.168.1.2.53248 > 192.168.146.101.http: S 130165449:130165449(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:12:49.177993  In IP 192.168.1.2.53248 > 192.168.146.101.http: . ack 146967937 win 256
22:12:49.178041  In IP 192.168.1.2.53248 > 192.168.146.101.http: P 0:79(79) ack 1 win 256
22:12:49.178108  In IP 192.168.1.2.53248 > 192.168.146.101.http: . ack 248 win 255
22:12:49.178156  In IP 192.168.1.2.53248 > 192.168.146.101.http: F 79:79(0) ack 248 win 255
22:13:08.872915  In IP 192.168.1.2.53253 > 185.31.17.175.http: S 469493814:469493814(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.873129  In IP 192.168.1.2.53255 > 185.31.17.175.http: S 581656369:581656369(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.873188  In IP 192.168.1.2.53254 > 185.31.17.175.http: S 3731498194:3731498194(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.874616  In IP 192.168.1.2.53256 > host-85.232.230.228.maxpi.pl.http: S 3967760413:3967760413(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.874803  In IP 192.168.1.2.53257 > host-85.232.230.228.maxpi.pl.http: S 3041244724:3041244724(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.874868  In IP 192.168.1.2.53258 > host-85.232.230.228.maxpi.pl.http: S 3148747047:3148747047(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.874916  In IP 192.168.1.2.53260 > 159.20.6.6.http: S 3204519997:3204519997(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875027  In IP 192.168.1.2.53259 > 159.20.6.6.http: S 1601172244:1601172244(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875091  In IP 192.168.1.2.53261 > 159.20.6.6.http: S 1064773724:1064773724(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875141  In IP 192.168.1.2.53262 > 159.20.6.6.http: S 3465149975:3465149975(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875188  In IP 192.168.1.2.53263 > 159.20.6.6.http: S 3660771728:3660771728(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875316  In IP 192.168.1.2.53264 > 159.20.6.6.http: S 3481549314:3481549314(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875381  In IP 192.168.1.2.53265 > beacon-3.newrelic.com.http: S 3410165567:3410165567(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875428  In IP 192.168.1.2.53266 > beacon-3.newrelic.com.http: S 2336042501:2336042501(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875528  In IP 192.168.1.2.53267 > beacon-3.newrelic.com.http: S 1625321004:1625321004(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875591  In IP 192.168.1.2.53259 > 159.20.6.6.http: . ack 2102293682 win 256
22:13:08.875853  In IP 192.168.1.2.53260 > 159.20.6.6.http: . ack 3087089253 win 256
22:13:08.882934  In IP 192.168.1.2.53262 > 159.20.6.6.http: . ack 1323517297 win 256
22:13:08.883036  In IP 192.168.1.2.53268 > 195.137.195.8.http: S 2133318288:2133318288(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883100  In IP 192.168.1.2.53269 > 195.137.195.8.http: S 263836097:263836097(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883149  In IP 192.168.1.2.53270 > 195.137.195.8.http: S 424401833:424401833(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883211  In IP 192.168.1.2.53271 > 195.137.195.8.http: S 185113240:185113240(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883261  In IP 192.168.1.2.53273 > 159.20.6.6.http: S 49235658:49235658(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883309  In IP 192.168.1.2.53272 > 159.20.6.6.http: S 3956944977:3956944977(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883373  In IP 192.168.1.2.53274 > 159.20.6.6.http: S 3090274801:3090274801(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883421  In IP 192.168.1.2.53275 > 159.20.6.6.http: S 1820799325:1820799325(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883495  In IP 192.168.1.2.53276 > 159.20.6.6.http: S 3229868342:3229868342(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883543  In IP 192.168.1.2.53277 > 159.20.6.6.http: S 182171036:182171036(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>

Wireshark

root@SRX07# <input>run file copy /cf/var/tmp/HTTP-CAP.vlan ftp://demo@192.168.1.2/HHTP_CAP.pcap</input>
Password for demo@192.168.1.2:
ftp://demo@192.168.1.2/HHTP_CAP.pcap          100% of  115 kB  423 kBps
Wireshark

References