Difference between revisions of "Packet Capture JUNOS"
From Teknologisk videncenter
m (Created page with "JunOS understøtter at opsamle pakker til en pcap fil direkte på udstyret.<br/> '''Vær opmærksom på det kræver mange resourcer'''") |
m |
||
| Line 1: | Line 1: | ||
| − | JunOS understøtter at opsamle pakker til en pcap fil direkte på udstyret.<br/> | + | JunOS understøtter at opsamle pakker til en pcap fil direkte på udstyret.<ref>[[http://kb.juniper.net/InfoCenter/index?page=content&id=KB11709 How to create a PCAP packet capture on a J-Series or SRX branch device]]</ref><br/> |
| − | '''Vær opmærksom på det kræver mange resourcer''' | + | '''Vær opmærksom på det kræver mange resourcer'''<br/><br/> |
| + | på Branch SRX'er skal følgende konfigureres | ||
| + | #Slå packet capture til under forwarding-options | ||
| + | #Definer en fil der skal logges til | ||
| + | #Definer maks pakke størrelsen | ||
| + | #Definer et firewall filter der skal sample pakker | ||
| + | #Smid filtret på et interface | ||
| + | #Commit | ||
| + | =Eksempel på konfiguration= | ||
| + | LAN interfacet vlan.0 vil her sample alle indkomne pakker med en destinations port på TCP/80 | ||
| + | <source lang=cli> | ||
| + | [edit] | ||
| + | root@SRX07# <input>show | compare rollback 1</input> | ||
| + | [edit interfaces vlan unit 0 family inet] | ||
| + | + filter { | ||
| + | + input HTTP; | ||
| + | + } | ||
| + | [edit] | ||
| + | + forwarding-options { | ||
| + | + packet-capture { | ||
| + | + file filename HTTP-CAP; | ||
| + | + maximum-capture-size 1500; | ||
| + | + } | ||
| + | + } | ||
| + | + firewall { | ||
| + | + filter HTTP { | ||
| + | + term 1 { | ||
| + | + from { | ||
| + | + protocol tcp; | ||
| + | + destination-port 80; | ||
| + | + } | ||
| + | + then { | ||
| + | + sample; | ||
| + | + accept; | ||
| + | + } | ||
| + | + } | ||
| + | + term default { | ||
| + | + then accept; | ||
| + | + } | ||
| + | + } | ||
| + | + } | ||
| + | </source> | ||
| + | =PCAP Filen= | ||
| + | PCAP filen findes under /cf/var/tmp/<navn>.<interface> | ||
| + | <source lang=cli> | ||
| + | root@SRX07# <input>run file list /cf/var/tmp/?</input> | ||
| + | Possible completions: | ||
| + | <[Enter]> Execute this command | ||
| + | <path> Path to list | ||
| + | <notice>/cf/var/tmp/HTTP-CAP.vlan Size: 73892, Last changed: Jan 12 22:13:24</notice> | ||
| + | </source> | ||
| + | Fra shellen kan man bruge tcpdump til at analyzere filen direkte eller overføre den til en server for at analyzere den med Wireshark | ||
| + | ==TCP Dump== | ||
| + | <source lang=cli> | ||
| + | root@SRX07# <input>run start shell</input> | ||
| + | root@SRX07% <input>tcpdump -r /cf/var/tmp/HTTP-CAP.vlan</input> | ||
| + | Reverse lookup for 192.168.1.2 failed (check DNS reachability). | ||
| + | Other reverse lookup failures will not be reported. | ||
| + | Use <no-resolve> to avoid reverse lookups on IP addresses. | ||
| + | |||
| + | 22:12:49.177916 In IP 192.168.1.2.53248 > 192.168.146.101.http: S 130165449:130165449(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:12:49.177993 In IP 192.168.1.2.53248 > 192.168.146.101.http: . ack 146967937 win 256 | ||
| + | 22:12:49.178041 In IP 192.168.1.2.53248 > 192.168.146.101.http: P 0:79(79) ack 1 win 256 | ||
| + | 22:12:49.178108 In IP 192.168.1.2.53248 > 192.168.146.101.http: . ack 248 win 255 | ||
| + | 22:12:49.178156 In IP 192.168.1.2.53248 > 192.168.146.101.http: F 79:79(0) ack 248 win 255 | ||
| + | 22:13:08.872915 In IP 192.168.1.2.53253 > 185.31.17.175.http: S 469493814:469493814(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.873129 In IP 192.168.1.2.53255 > 185.31.17.175.http: S 581656369:581656369(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.873188 In IP 192.168.1.2.53254 > 185.31.17.175.http: S 3731498194:3731498194(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.874616 In IP 192.168.1.2.53256 > host-85.232.230.228.maxpi.pl.http: S 3967760413:3967760413(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.874803 In IP 192.168.1.2.53257 > host-85.232.230.228.maxpi.pl.http: S 3041244724:3041244724(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.874868 In IP 192.168.1.2.53258 > host-85.232.230.228.maxpi.pl.http: S 3148747047:3148747047(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.874916 In IP 192.168.1.2.53260 > 159.20.6.6.http: S 3204519997:3204519997(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.875027 In IP 192.168.1.2.53259 > 159.20.6.6.http: S 1601172244:1601172244(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.875091 In IP 192.168.1.2.53261 > 159.20.6.6.http: S 1064773724:1064773724(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.875141 In IP 192.168.1.2.53262 > 159.20.6.6.http: S 3465149975:3465149975(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.875188 In IP 192.168.1.2.53263 > 159.20.6.6.http: S 3660771728:3660771728(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.875316 In IP 192.168.1.2.53264 > 159.20.6.6.http: S 3481549314:3481549314(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.875381 In IP 192.168.1.2.53265 > beacon-3.newrelic.com.http: S 3410165567:3410165567(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.875428 In IP 192.168.1.2.53266 > beacon-3.newrelic.com.http: S 2336042501:2336042501(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.875528 In IP 192.168.1.2.53267 > beacon-3.newrelic.com.http: S 1625321004:1625321004(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.875591 In IP 192.168.1.2.53259 > 159.20.6.6.http: . ack 2102293682 win 256 | ||
| + | 22:13:08.875853 In IP 192.168.1.2.53260 > 159.20.6.6.http: . ack 3087089253 win 256 | ||
| + | 22:13:08.882934 In IP 192.168.1.2.53262 > 159.20.6.6.http: . ack 1323517297 win 256 | ||
| + | 22:13:08.883036 In IP 192.168.1.2.53268 > 195.137.195.8.http: S 2133318288:2133318288(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.883100 In IP 192.168.1.2.53269 > 195.137.195.8.http: S 263836097:263836097(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.883149 In IP 192.168.1.2.53270 > 195.137.195.8.http: S 424401833:424401833(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.883211 In IP 192.168.1.2.53271 > 195.137.195.8.http: S 185113240:185113240(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.883261 In IP 192.168.1.2.53273 > 159.20.6.6.http: S 49235658:49235658(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.883309 In IP 192.168.1.2.53272 > 159.20.6.6.http: S 3956944977:3956944977(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.883373 In IP 192.168.1.2.53274 > 159.20.6.6.http: S 3090274801:3090274801(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.883421 In IP 192.168.1.2.53275 > 159.20.6.6.http: S 1820799325:1820799325(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.883495 In IP 192.168.1.2.53276 > 159.20.6.6.http: S 3229868342:3229868342(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | 22:13:08.883543 In IP 192.168.1.2.53277 > 159.20.6.6.http: S 182171036:182171036(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> | ||
| + | </source> | ||
| + | ==Wireshark== | ||
| + | <source lang=cli> | ||
| + | root@SRX07# <input>run file copy /cf/var/tmp/HTTP-CAP.vlan ftp://demo@192.168.1.2/HHTP_CAP.pcap</input> | ||
| + | Password for demo@192.168.1.2: | ||
| + | ftp://demo@192.168.1.2/HHTP_CAP.pcap 100% of 115 kB 423 kBps | ||
| + | </source> | ||
| + | {| | ||
| + | |[[Image:ScreenShot14161.png|800px|left|thumb|Wireshark]] | ||
| + | |} | ||
| + | =References= | ||
| + | <references /> | ||
| + | {{Source cli}} | ||
| + | [[Category:Juniper]] | ||
Revision as of 23:28, 12 January 2015
JunOS understøtter at opsamle pakker til en pcap fil direkte på udstyret.[1]
Vær opmærksom på det kræver mange resourcer
på Branch SRX'er skal følgende konfigureres
- Slå packet capture til under forwarding-options
- Definer en fil der skal logges til
- Definer maks pakke størrelsen
- Definer et firewall filter der skal sample pakker
- Smid filtret på et interface
- Commit
Eksempel på konfiguration
LAN interfacet vlan.0 vil her sample alle indkomne pakker med en destinations port på TCP/80
[edit]
root@SRX07# <input>show | compare rollback 1</input>
[edit interfaces vlan unit 0 family inet]
+ filter {
+ input HTTP;
+ }
[edit]
+ forwarding-options {
+ packet-capture {
+ file filename HTTP-CAP;
+ maximum-capture-size 1500;
+ }
+ }
+ firewall {
+ filter HTTP {
+ term 1 {
+ from {
+ protocol tcp;
+ destination-port 80;
+ }
+ then {
+ sample;
+ accept;
+ }
+ }
+ term default {
+ then accept;
+ }
+ }
+ }PCAP Filen
PCAP filen findes under /cf/var/tmp/<navn>.<interface>
root@SRX07# <input>run file list /cf/var/tmp/?</input>
Possible completions:
<[Enter]> Execute this command
<path> Path to list
<notice>/cf/var/tmp/HTTP-CAP.vlan Size: 73892, Last changed: Jan 12 22:13:24</notice>Fra shellen kan man bruge tcpdump til at analyzere filen direkte eller overføre den til en server for at analyzere den med Wireshark
TCP Dump
root@SRX07# <input>run start shell</input>
root@SRX07% <input>tcpdump -r /cf/var/tmp/HTTP-CAP.vlan</input>
Reverse lookup for 192.168.1.2 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
22:12:49.177916 In IP 192.168.1.2.53248 > 192.168.146.101.http: S 130165449:130165449(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:12:49.177993 In IP 192.168.1.2.53248 > 192.168.146.101.http: . ack 146967937 win 256
22:12:49.178041 In IP 192.168.1.2.53248 > 192.168.146.101.http: P 0:79(79) ack 1 win 256
22:12:49.178108 In IP 192.168.1.2.53248 > 192.168.146.101.http: . ack 248 win 255
22:12:49.178156 In IP 192.168.1.2.53248 > 192.168.146.101.http: F 79:79(0) ack 248 win 255
22:13:08.872915 In IP 192.168.1.2.53253 > 185.31.17.175.http: S 469493814:469493814(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.873129 In IP 192.168.1.2.53255 > 185.31.17.175.http: S 581656369:581656369(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.873188 In IP 192.168.1.2.53254 > 185.31.17.175.http: S 3731498194:3731498194(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.874616 In IP 192.168.1.2.53256 > host-85.232.230.228.maxpi.pl.http: S 3967760413:3967760413(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.874803 In IP 192.168.1.2.53257 > host-85.232.230.228.maxpi.pl.http: S 3041244724:3041244724(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.874868 In IP 192.168.1.2.53258 > host-85.232.230.228.maxpi.pl.http: S 3148747047:3148747047(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.874916 In IP 192.168.1.2.53260 > 159.20.6.6.http: S 3204519997:3204519997(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875027 In IP 192.168.1.2.53259 > 159.20.6.6.http: S 1601172244:1601172244(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875091 In IP 192.168.1.2.53261 > 159.20.6.6.http: S 1064773724:1064773724(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875141 In IP 192.168.1.2.53262 > 159.20.6.6.http: S 3465149975:3465149975(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875188 In IP 192.168.1.2.53263 > 159.20.6.6.http: S 3660771728:3660771728(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875316 In IP 192.168.1.2.53264 > 159.20.6.6.http: S 3481549314:3481549314(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875381 In IP 192.168.1.2.53265 > beacon-3.newrelic.com.http: S 3410165567:3410165567(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875428 In IP 192.168.1.2.53266 > beacon-3.newrelic.com.http: S 2336042501:2336042501(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875528 In IP 192.168.1.2.53267 > beacon-3.newrelic.com.http: S 1625321004:1625321004(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.875591 In IP 192.168.1.2.53259 > 159.20.6.6.http: . ack 2102293682 win 256
22:13:08.875853 In IP 192.168.1.2.53260 > 159.20.6.6.http: . ack 3087089253 win 256
22:13:08.882934 In IP 192.168.1.2.53262 > 159.20.6.6.http: . ack 1323517297 win 256
22:13:08.883036 In IP 192.168.1.2.53268 > 195.137.195.8.http: S 2133318288:2133318288(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883100 In IP 192.168.1.2.53269 > 195.137.195.8.http: S 263836097:263836097(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883149 In IP 192.168.1.2.53270 > 195.137.195.8.http: S 424401833:424401833(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883211 In IP 192.168.1.2.53271 > 195.137.195.8.http: S 185113240:185113240(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883261 In IP 192.168.1.2.53273 > 159.20.6.6.http: S 49235658:49235658(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883309 In IP 192.168.1.2.53272 > 159.20.6.6.http: S 3956944977:3956944977(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883373 In IP 192.168.1.2.53274 > 159.20.6.6.http: S 3090274801:3090274801(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883421 In IP 192.168.1.2.53275 > 159.20.6.6.http: S 1820799325:1820799325(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883495 In IP 192.168.1.2.53276 > 159.20.6.6.http: S 3229868342:3229868342(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:13:08.883543 In IP 192.168.1.2.53277 > 159.20.6.6.http: S 182171036:182171036(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>Wireshark
root@SRX07# <input>run file copy /cf/var/tmp/HTTP-CAP.vlan ftp://demo@192.168.1.2/HHTP_CAP.pcap</input>
Password for demo@192.168.1.2:
ftp://demo@192.168.1.2/HHTP_CAP.pcap 100% of 115 kB 423 kBps