Friday, July 30, 2010

sniffing traffic on a netscreen - snoop or debug flow

If you want to figure out what's happening with traffic on a Juniper NetScreen, there are three basic ways to do it. The least informative is to turn on the "log" option for a given policy. This gives you a GUI view of the sessions that have matched that policy.

The most informative is "debug flow", from "debug flow basic" up to "debug flow all". You get all kinds of information about the decision-making process the NetScreen goes through as part of passing or dropping a packet: is it part of an existing session, is it a new connection, which policy does it match, how does it get routed, and so on.

And in between, as a happy medium, is the snoop command. It gives you output similar to the basic output from the Solaris "snoop" command: one line per packet with addresses, protocol and ports. "snoop detail" dumps packet contents as well, and "snoop detail len" sets how many bytes of each packet get captured.

Both debug flow and snoop let you narrow down the traffic you're interested in: "set ffilter" (usually abbreviated "set ff") for debug flow, and "snoop filter" for snoop. Both drop their output into the "dbuf" debug buffer, which you read back with "get dbuf stream". On a busy box, set a filter before you turn on debug flow; unfiltered, it will eat the CPU and flood the buffer. And remember "undebug all" when you're done.
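Here is the order of operations for a filtered debug flow session and a filtered snoop session, as an added example (not from the original post). The addresses and port are made up; the lines starting with "#" are my annotations, since the ScreenOS CLI has no comment syntax.

```text
# --- debug flow, filtered to one client talking to one server on 443 ---
ns-> clear dbuf
ns-> set ffilter src-ip 10.1.1.50 dst-ip 10.2.2.80 dst-port 443
ns-> get ffilter
ns-> debug flow basic
ns-> get debug
# ... generate the traffic you care about, then stop the debug BEFORE reading ...
ns-> undebug all
ns-> get dbuf stream
ns-> unset ffilter 0
ns-> clear dbuf

# --- snoop, same conversation, first 128 bytes of each packet ---
ns-> clear dbuf
ns-> snoop filter ip src-ip 10.1.1.50 dst-ip 10.2.2.80
ns-> snoop info
ns-> snoop detail len 128
ns-> snoop
# ... generate the traffic ...
ns-> snoop off
ns-> get dbuf stream
ns-> snoop filter delete
ns-> clear dbuf
```

Two things bite people here: ffilter entries are numbered, so "get ffilter" tells you which index to "unset", and each "set ffilter" line is a separate OR'd filter while the keywords within one line are AND'd. Clearing dbuf before you start keeps old output from an earlier session out of your trace.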

Wednesday, July 28, 2010

"Wait, did we forget something?"

It's not just overt displays of stupidity and classlessness on the part of the industry. Sometimes it's more subtle. Like making a management simulator on the web and FORGETTING TO INCLUDE THE OPTION TO HIRE WOMEN.

I can't really think of anything to say beyond what's here at (via


Sunday, July 25, 2010

Password recovery on foundry/brocade devices

As usual, you need console access to a brocade/foundry device that you want to do password recovery on.

Power cycle the device, and when prompted, hit the "b" key during the boot process. Once you're in boot monitor mode, you can enter "no password" to tell it to (you guessed it) ignore the password data. Then, tell the device to boot by issuing the "boot system flash primary" or "boot system flash secondary" command, as appropriate. Once it boots, you can set the password to a known value.

Wednesday, July 21, 2010

Everything is better with Legos.

It's true! Everything is better with Legos. Check this out: The folks over at Righteous IT have illustrated the TCP/IP packet header structure with Legos. Aww yeah.

Sunday, July 18, 2010

It's Radia Perlman's network. We just route over it.

I dropped a couple of routers into place, replacing a bunch of network-specific firewall interfaces with a backbone-type link and put several of the specific networks onto the routers. Basically, pushing the firewalls deeper into the core, and the routing further out to the edge.

NOTE TO MYSELF: It is all Radia Perlman's fault, which is to say -- spanning tree spanning tree spanning tree. Check it, then check it again and still again. There were several problems I ran into that were either caused by spanning tree configs being borked or that I diagnosed by looking at spanning tree. If any of your network devices on a vlan disagree as to what the root bridge ID is, then you have some kind of discontinuous vlan. If you have spanning tree on some but not all devices, you are going to run into all kinds of problems with loop topology.

Thursday, July 15, 2010

Oh, blade chassis devices, you are awesome yet annoying.

So, a couple of different folks are making blade chassis devices. IBM has the BladeCenter and HP has the BladeSystem.

While they're awesome in terms of machine density, they can unexpectedly hose you if you're not careful. For instance, if you don't carefully check that there are no unexpected internal paths that bypass spanning tree, you could end up with a topology loop.

I hate when that happens.

Thursday, July 8, 2010

Stay classy, network world.

Oh, yay! Network world has a list of resources and pages regarding women in networking.

Oh, boo! Network world is still running a hottest booth babe contest!

I am reminded of a Cisco Networkers conference I went to about 10 years ago. One of the sessions was about ways to encourage and retain women in networking. That was nice. And then, the very same day, there was the social event where part of the decor added to the venue was a bunch of "living statues", which were scantily clad women standing around on pedestals being very still. No guys. Just women. Even a single token male bit of beefcake to go with the cheesecake would've been great and would've gotten the taste of boyzone sexism out of my brain. NO SUCH LUCK.


Wednesday, July 7, 2010

Okay, this is a weird one -- Synless Acking

So, the normal TCP three way handshake looks like this:

Client                 Server
  SYN   --------->
        <---------   SYN/ACK
  ACK   --------->

I'm seeing packet traces that show my first connection attempt does this:

Client                 Server
  SYN   --------->
        <---------   ACK (with no SYN)
  then nothing until a new SYN from the client

Which ... I mean ... That's a big pile of WTF going on there.

I'm not quite sure what's going on here, but *something* is.
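For anyone who wants to pick this pattern out of a capture rather than eyeball it, here is a small classifier for the opening handshake, written as an added example (not part of the original post). It parses raw 20-byte TCP headers, finds the client's first SYN, and reports whether the server's first reply is a proper SYN/ACK, a RST, or a bare ACK with no SYN like the one described above. Everything in the two traces is constructed inline; the ports and sequence numbers are made up. The behaviour the post sees (client sits quiet, then sends a fresh SYN) is what RFC 793 prescribes for a client in SYN-SENT that receives a segment with neither SYN nor RST: it drops the segment, so the only thing that moves things along is the SYN retransmit timer.

```python
"""Classify the TCP opening handshake seen in a capture (added example)."""
import struct
from typing import Dict, List, Tuple

# TCP flag bits (low 9 bits of the data-offset/flags word)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = [(SYN, "SYN"), (ACK, "ACK"), (FIN, "FIN"), (RST, "RST"), (PSH, "PSH")]

# sport, dport, seq, ack, offset/flags, window, checksum, urgent pointer
TCP_HDR = struct.Struct("!HHIIHHHH")


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """Build a 20-byte TCP header with no options. Checksum is left zero: we only
    look at flags and sequence numbers, never verify the packet."""
    offset_flags = (5 << 12) | flags  # data offset = 5 x 32-bit words
    return TCP_HDR.pack(sport, dport, seq, ack, offset_flags, 65535, 0, 0)


def parse_tcp_header(raw: bytes) -> Dict[str, int]:
    """Decode the fixed part of a TCP header into a dict of fields."""
    if len(raw) < TCP_HDR.size:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = TCP_HDR.unpack_from(raw)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "offset": off_flags >> 12, "flags": off_flags & 0x1FF, "window": window}


def flag_string(flags: int) -> str:
    return "/".join(name for bit, name in FLAG_NAMES if flags & bit) or "none"


def classify_handshake(segments: List[Tuple[str, bytes]]) -> Dict[str, object]:
    """segments: (direction, raw TCP header) in capture order, direction 'c2s' or 's2c'.

    Returns a verdict, the flags on the server's first reply, and how many client
    SYNs were seen (more than one means the client had to retransmit)."""
    parsed = [(d, parse_tcp_header(b)) for d, b in segments]
    client_syns = [h for d, h in parsed
                   if d == "c2s" and h["flags"] & SYN and not h["flags"] & ACK]
    if not client_syns:
        return {"verdict": "no-syn", "server_reply": None, "client_syns": 0}
    isn = client_syns[0]["seq"]
    result = {"verdict": "no-reply", "server_reply": None, "client_syns": len(client_syns)}
    reply_idx = next((i for i, (d, _h) in enumerate(parsed) if d == "s2c"), None)
    if reply_idx is None:
        return result
    reply = parsed[reply_idx][1]
    f = reply["flags"]
    result["server_reply"] = flag_string(f)
    acks_our_syn = reply["ack"] == (isn + 1) & 0xFFFFFFFF
    if f & RST:
        result["verdict"] = "refused"
    elif f & SYN and f & ACK and acks_our_syn:
        # a real SYN/ACK; the handshake completes if the client ACKs it afterwards
        final = any(d == "c2s" and h["flags"] & ACK and not h["flags"] & SYN
                    for d, h in parsed[reply_idx + 1:])
        result["verdict"] = "normal" if final else "no-final-ack"
    elif f & ACK and not f & SYN:
        # the oddity from the post: it acknowledges our SYN but carries no SYN of its own
        result["verdict"] = "synless-ack" if acks_our_syn else "stray-ack"
    else:
        result["verdict"] = "unexpected"
    return result


# Constructed traces (not real captures). Ports and ISNs are arbitrary.
CLIENT, SERVER = 51000, 80
C_ISN, S_ISN = 1000, 5000

NORMAL_TRACE = [
    ("c2s", build_tcp_header(CLIENT, SERVER, C_ISN, 0, SYN)),
    ("s2c", build_tcp_header(SERVER, CLIENT, S_ISN, C_ISN + 1, SYN | ACK)),
    ("c2s", build_tcp_header(CLIENT, SERVER, C_ISN + 1, S_ISN + 1, ACK)),
]

SYNLESS_TRACE = [
    ("c2s", build_tcp_header(CLIENT, SERVER, C_ISN, 0, SYN)),
    ("s2c", build_tcp_header(SERVER, CLIENT, S_ISN, C_ISN + 1, ACK)),  # ACK, no SYN
    ("c2s", build_tcp_header(CLIENT, SERVER, C_ISN, 0, SYN)),          # client retransmits
]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_TRACE), ("synless", SYNLESS_TRACE)):
        print(name, classify_handshake(trace))
```

To run it against a real capture, feed in the TCP header bytes from each frame (after the Ethernet and IP headers) tagged with the direction; the function ignores everything past the 20-byte fixed header, so options on the SYN don't matter. The "stray-ack" case separates the post's pattern (an ACK that acknowledges our SYN) from an unrelated ACK that just happened to land on the same 4-tuple.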


About Me

Regis has worked as a network engineer since 1994 for small companies and for large companies.