Packet capture on Juniper SRX

Packet capture and analysis is one of the most important tools for understanding network behaviour and for troubleshooting.
In this article I describe how to set up packet capture on a Juniper SRX (tested on Juniper SRX100, SRX240 and SRX550).

Configure the parameters of the file the capture results will be written to:

set forwarding-options packet-capture file filename OfficeDHCP
set forwarding-options packet-capture maximum-capture-size 1500

Create a filter for the packets to be captured:

set firewall filter PCAP term 1 from source-address 192.168.32.0/24
set firewall filter PCAP term 1 from destination-address 10.89.66.21
set firewall filter PCAP term 1 then sample
set firewall filter PCAP term 1 then accept
set firewall filter PCAP term 2 from source-address 10.89.66.21
set firewall filter PCAP term 2 from destination-address 192.168.32.0/24
set firewall filter PCAP term 2 then sample
set firewall filter PCAP term 2 then accept
set firewall filter PCAP term allow-all-else then accept

Attach the filter to the interface:

set interfaces ge-0/0/1 unit 0 family inet filter output PCAP
set interfaces ge-0/0/1 unit 0 family inet filter input PCAP

Check the configuration:

[edit]
admin@WTF-FW# show | compare
[edit interfaces ge-0/0/1 unit 0 family inet]
+   filter {
+       input PCAP;
+       output PCAP;
+   }
[edit forwarding-options]
+   packet-capture {
+       file filename OfficeDHCP;
+       maximum-capture-size 1500;
+   }
[edit firewall]
+   filter PCAP {
+       term 1 {
+           from {
+               source-address {
+                   192.168.32.0/24;
+               }
+               destination-address {
+                   10.89.66.21/32;
+               }
+           }
+           then {
+               sample;
+               accept;
+           }
+       }
+       term 2 {
+           from {
+               source-address {
+                   10.89.66.21/32;
+               }
+               destination-address {
+                   192.168.32.0/24;
+               }
+           }
+           then {
+               sample;
+               accept;
+           }
+       }
+       term allow-all-else {
+           then accept;
+       }
+   }

Apply the configuration.
I prefer to use "commit confirmed" with the required number of minutes, so that the configuration rolls back by itself afterwards and does not have to be cleaned up manually:

[edit]
admin@WTF-FW# commit confirmed 2
commit confirmed will be automatically rolled back in 2 minutes unless confirmed
commit complete

We wait…
The configuration is rolled back:

[edit]

Broadcast Message from root@WTF-FW
(no tty) at 17:02 MSK…

Commit was not confirmed; automatic rollback complete.

The file is created in the /var/tmp/ directory.
The file name is built according to the following pattern: .
Check that the file exists:

admin@WTF-FW> file list /var/tmp/

/var/tmp/:
OfficeDHCP.ge-0.0.1
cleanup-pkgs.log
dhcpd.core-tarball.0.tgz

Good, the file has been created (if it has not been created, it means that not a single packet matched the filter).
However, you cannot simply open it and read it.

(Screenshot: an attempt to read the file as text.)

This is because the file contains the captured packets themselves, not plain text.
The file can be read with any tcpdump-compatible packet analyser (for example, the convenient and widely known Wireshark).
Or with tcpdump itself, without leaving the router:

% tcpdump -r /var/tmp/OfficeDHCP.ge-0.0.1
Reverse lookup for 192.168.32.3 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use to avoid reverse lookups on IP addresses.

16:59:48.281979 In IP 192.168.32.3.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from 6c:3b:e5:17:11:ed, length 307
16:59:48.282043 Out IP 10.89.66.21.bootps > 192.168.32.51.bootpc: BOOTP/DHCP, Reply, length 320
16:59:48.282111 In IP 192.168.32.51 > 10.89.66.21: ICMP 192.168.32.51 udp port bootpc unreachable, length 356
16:59:48.282165 In IP 192.168.32.2.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from 6c:3b:e5:17:11:ed, length 307
16:59:48.960797 Out IP 10.89.66.21.bootps > 192.168.32.51.bootpc: BOOTP/DHCP, Reply, length 320
16:59:48.960895 In IP 192.168.32.51 > 10.89.66.21: ICMP 192.168.32.51 udp port bootpc unreachable, length 356
17:00:10.768459 In IP 192.168.32.3.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from ac:16:2d:0e:3f:4f, length 307
17:00:10.768566 Out IP 10.89.66.21.bootps > 192.168.32.44.bootpc: BOOTP/DHCP, Reply, length 320
17:00:10.768667 In IP 192.168.32.44 > 10.89.66.21: ICMP 192.168.32.44 udp port bootpc unreachable, length 356
17:00:10.768739 In IP 192.168.32.2.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from ac:16:2d:0e:3f:4f, length 307
17:00:10.967080 Out IP 10.89.66.21.bootps > 192.168.32.44.bootpc: BOOTP/DHCP, Reply, length 320
17:00:10.967245 In IP 192.168.32.44 > 10.89.66.21: ICMP 192.168.32.44 udp port bootpc unreachable, length 356
17:00:14.959795 In IP 192.168.32.3.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from 30:85:a9:3b:08:67, length 308
17:00:14.959894 Out IP 10.89.66.21.bootps > 192.168.32.3.bootps: BOOTP/DHCP, Reply, length 320
17:00:14.959963 In IP 192.168.32.2.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from 30:85:a9:3b:08:67, length 308
17:00:14.960015 Out IP 10.89.66.21.bootps > 192.168.32.2.bootps: BOOTP/DHCP, Reply, length 320
17:00:18.075833 In IP 192.168.32.3.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from 2c:44:fd:23:42:d9, length 311
17:00:18.075936 Out IP 10.89.66.21.bootps > 192.168.32.3.bootps: BOOTP/DHCP, Reply, length 320
17:00:18.075991 In IP 192.168.32.2.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from 2c:44:fd:23:42:d9, length 311
17:00:18.076059 Out IP 10.89.66.21.bootps > 192.168.32.2.bootps: BOOTP/DHCP, Reply, length 320
17:00:50.304574 In IP 192.168.32.2.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from c4:34:6b:62:0f:11, length 313
17:00:50.304728 Out IP 10.89.66.21.bootps > 192.168.32.14.bootpc: BOOTP/DHCP, Reply, length 320
17:00:50.304798 In IP 192.168.32.14 > 10.89.66.21: ICMP 192.168.32.14 udp port bootpc unreachable, length 356
17:00:50.963733 In IP 192.168.32.3.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from c4:34:6b:62:0f:11, length 313
17:00:50.963832 Out IP 10.89.66.21.bootps > 192.168.32.14.bootpc: BOOTP/DHCP, Reply, length 320
17:00:50.963887 In IP 192.168.32.14 > 10.89.66.21: ICMP 192.168.32.14 udp port bootpc unreachable, length 356
17:01:25.205141 In IP 192.168.32.3.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from f4:6d:04:2e:54:51, length 310
17:01:25.205291 Out IP 10.89.66.21.bootps > 192.168.32.12.bootpc: BOOTP/DHCP, Reply, length 320
17:01:25.205359 In IP 192.168.32.2.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from f4:6d:04:2e:54:51, length 310
17:01:25.205414 Out IP 10.89.66.21.bootps > 192.168.32.12.bootpc: BOOTP/DHCP, Reply, length 320
17:01:25.965543 In IP 192.168.32.12 > 10.89.66.21: ICMP 192.168.32.12 udp port bootpc unreachable, length 356
17:01:43.962531 In IP 192.168.32.3.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from ec:b1:d7:42:00:ce, length 312
17:01:43.962692 Out IP 10.89.66.21.bootps > 192.168.32.3.bootps: BOOTP/DHCP, Reply, length 320
17:01:43.962749 In IP 192.168.32.2.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from ec:b1:d7:42:00:ce, length 312
17:01:43.962813 Out IP 10.89.66.21.bootps > 192.168.32.2.bootps: BOOTP/DHCP, Reply, length 320
17:01:45.970626 In IP 192.168.32.3.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from 2c:44:fd:23:42:d9, length 311
17:01:45.970720 In IP 192.168.32.2.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from 2c:44:fd:23:42:d9, length 311
17:01:45.970905 Out IP 10.89.66.21.bootps > 192.168.32.3.bootps: BOOTP/DHCP, Reply, length 320
17:01:45.970976 Out IP 10.89.66.21.bootps > 192.168.32.2.bootps: BOOTP/DHCP, Reply, length 320
17:01:51.472326 In IP 192.168.32.3.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from 2c:44:fd:18:f6:c5, length 307
17:01:51.472417 Out IP 10.89.66.21.bootps > 192.168.32.35.bootpc: BOOTP/DHCP, Reply, length 320
17:01:51.472488 In IP 192.168.32.35 > 10.89.66.21: ICMP 192.168.32.35 udp port bootpc unreachable, length 356
17:01:51.472620 In IP 192.168.32.2.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from 2c:44:fd:18:f6:c5, length 307
17:01:51.960383 Out IP 10.89.66.21.bootps > 192.168.32.35.bootpc: BOOTP/DHCP, Reply, length 320
17:01:51.960483 In IP 192.168.32.35 > 10.89.66.21: ICMP 192.168.32.35 udp port bootpc unreachable, length 356
17:02:27.804368 In IP 192.168.32.3.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from f4:6d:04:5c:09:40, length 310
17:02:27.804469 In IP 192.168.32.2.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from f4:6d:04:5c:09:40, length 310
17:02:27.804534 Out IP 10.89.66.21.bootps > 192.168.32.46.bootpc: BOOTP/DHCP, Reply, length 320
17:02:27.804669 Out IP 10.89.66.21.bootps > 192.168.32.46.bootpc: BOOTP/DHCP, Reply, length 320
17:02:28.045831 In IP 192.168.32.46 > 10.89.66.21: ICMP 192.168.32.46 udp port bootpc unreachable, length 356
17:02:28.045942 In IP 192.168.32.46 > 10.89.66.21: ICMP 192.168.32.46 udp port bootpc unreachable, length 356
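As an added example (not part of the original post), a small Python script that parses tcpdump text output of the kind shown above and summarises the DHCP relay exchange: how many requests each relay agent forwarded, where the server sent its replies, and which hosts answered a reply with "udp port bootpc unreachable". The sample lines are a constructed subset of the capture above.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the tcpdump output above; replace with real tcpdump -r output.
SAMPLE = """\
16:59:48.281979 In IP 192.168.32.3.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from 6c:3b:e5:17:11:ed, length 307
16:59:48.282043 Out IP 10.89.66.21.bootps > 192.168.32.51.bootpc: BOOTP/DHCP, Reply, length 320
16:59:48.282111 In IP 192.168.32.51 > 10.89.66.21: ICMP 192.168.32.51 udp port bootpc unreachable, length 356
16:59:48.282165 In IP 192.168.32.2.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from 6c:3b:e5:17:11:ed, length 307
17:00:14.959795 In IP 192.168.32.3.bootps > 10.89.66.21.bootps: BOOTP/DHCP, Request from 30:85:a9:3b:08:67, length 308
17:00:14.959894 Out IP 10.89.66.21.bootps > 192.168.32.3.bootps: BOOTP/DHCP, Reply, length 320
"""

# One tcpdump line: timestamp, In/Out, src[.port] > dst[.port]: protocol details.
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
LINE = re.compile(rf"^(\S+) (In|Out) IP {IPV4}(?:\.(\w+))? > {IPV4}(?:\.(\w+))?: (.*)$")
MAC = re.compile(r"Request from ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")

def parse_tcpdump(text):
    """Turn tcpdump text output into packet dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, direction, src, sport, dst, dport, info = m.groups()
        mac = MAC.search(info)
        packets.append({"time": ts, "dir": direction, "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "info": info,
                        "mac": mac.group(1) if mac else None})
    return packets

def summarize_dhcp(packets):
    """Requests per relay agent, replies per destination, and hosts that rejected a reply."""
    summary = {"requests_by_relay": Counter(), "replies_to": Counter(),
               "unreachable_from": Counter(), "client_macs": set()}
    for p in packets:
        if p["dir"] == "In" and "Request from" in p["info"]:
            summary["requests_by_relay"][p["src"]] += 1  # relay that forwarded the request
            summary["client_macs"].add(p["mac"])
        elif p["dir"] == "Out" and "Reply" in p["info"]:
            summary["replies_to"][p["dst"]] += 1  # relay or client the server answered
        elif "udp port bootpc unreachable" in p["info"]:
            summary["unreachable_from"][p["src"]] += 1  # host with no DHCP client listening
    return summary

if __name__ == "__main__":
    for key, value in summarize_dhcp(parse_tcpdump(SAMPLE)).items():
        print(key, dict(value) if isinstance(value, Counter) else sorted(value))
```

Feed it the full output of "tcpdump -r /var/tmp/OfficeDHCP.ge-0.0.1" to see at a glance which relay each request came through and which clients never accepted the server's reply.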

Juniper KB article:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB11709
