Friday, July 30, 2010

sniffing traffic on a netscreen - snoop or debug flow

If you want to figure out what's happening with traffic on a Juniper Netscreen, there are three basic ways to do it. The least informative is to turn on the "log" option for a given rule. This provides a GUI way to look at packets that have matched the rule.

The most informative is "debug flow", from "debug flow basic" up to "debug flow all", and you'll get all kinds of information about the decision-making process the netscreen goes through as part of passing or dropping a packet - is it part of a flow, is it a new connection, how does it get routed, etc.

And in between, as a happy medium, is the snoop command. It gives you output similar to the basic output from the Solaris "snoop" command. Adjusting the "detail" level lets you change how much of each packet it examines.

Both debug flow and snoop let you filter what traffic is interesting by means of the "set ff" command, and both drop their output into the "dbuf" debug buffer.
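Here is what that workflow looks like end to end on the ScreenOS CLI. This session is an added example, not from the original post; the addresses and port are made-up placeholders, "ns->" is just the prompt, and "set ff" from the post is written out as "set ffilter" (ScreenOS accepts the abbreviation). The "snoop detail len" syntax and the bare "unset ffilter" form are from memory and are assumptions to check against your ScreenOS version.

```console
## Constructed troubleshooting session (ScreenOS CLI); not from the original post.
## 10.1.1.50 and 192.168.10.20 are placeholder addresses.

## 1. Narrow both debug flow and snoop to the conversation you care about.
##    "set ff" in the post is the short form of "set ffilter".
ns-> set ffilter src-ip 10.1.1.50 dst-ip 192.168.10.20 dst-port 80
ns-> get ffilter

## 2. Start from an empty debug buffer so only this capture ends up in it.
ns-> clear dbuf

## 3a. Decision-level view: why each matching packet is passed or dropped.
ns-> debug flow basic

## 3b. Packet-level view, on its own or alongside debug flow. The capture
##     length per packet is raised so headers beyond IP are shown
##     (syntax assumed: "snoop detail len <bytes>").
ns-> snoop detail len 128
ns-> snoop

## ... reproduce the problem traffic from the client at this point ...

## 4. Stop capturing before reading, then dump the buffer.
ns-> snoop off
ns-> undebug all
ns-> get dbuf stream

## 5. Remove the filter so it doesn't silently narrow a later capture,
##    and empty the buffer (bare "unset ffilter" assumed to clear all entries).
ns-> unset ffilter
ns-> clear dbuf
```

Two points worth keeping in mind: set the filter before turning on either tool, because "debug flow all" or an unfiltered snoop on a busy box produces a large volume of output and noticeable CPU load; and always "undebug all" and "snoop off" when you are done, since a forgotten debug keeps writing into dbuf long after the troubleshooting session is over.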

