juniper Snoop文档格式.docx
As mentioned earlier, the snoop utility is not intended to be a replacement for a third party professional sniffer tool. This is because it lacks in completeness in comparison. The majority of its downfalls come as a result of the platform it is running on. The Netscreen hardware is not designed as general purpose hardware. Hence, it does not perform general purpose tasks well. This leads to downfalls in certain sniffing features that one may take for granted. Most of these features have to do with ease of use and flexibility. The lacking features include:
∙ Inability to filter based upon a source-ip and destination-ip simultaneously
∙ Inability to filter based upon MAC address
∙ Inability to filter the captured data for viewing
∙ Inability to easily scroll through data
∙ Inability to directly save captured data. You must have the console application save the file.
∙ Inability to easily make a distinction between different types of datagrams (ICMP, TCP, etc). This can be done, but the different types are not colorized or categorized in other ways as many commercial sniffers do.
∙ The snoop utility will only capture data that flows through the Netscreen firewall. This is much less a limitation than it is the purpose of the snoop utility.
∙ The snoop will not capture the contents of the packet. It will only capture the properties of it.
Even with these limitations, the snoop utility can be very useful in helping to determine the root cause of problems as they pertain to the Netscreen firewall. Some common questions that one can expect to answer using this utility are the following. The troubleshooting ability of the snoop command isn't limited to solving these types of issues, of course.
∙ Why can't I get to the Internet through my Netscreen?
∙ Why can't I get SNMP (or FTP, HTTP, etc.) through my Netscreen?
∙ I configured an MIP/VIP, but it doesn't seem to work. What's wrong?
These and many more variations of questions can be answered by the snoop utility. However, the resulting data that the snoop will show requires special knowledge. The intended user of snoop will possess the following knowledge and skills.
∙ Must have a strong understanding of the IP protocol. This knowledge must be on an intimate level, with an understanding of how ports are used, how transports are used, how NAT functions, and how the subnet mask is used. Without this knowledge, the snoop tool will confuse the user more than it will help.
∙ Must have a strong understanding of how the network components (servers, clients, routers, switches, etc.) surrounding the Netscreen in question are configured. Many times, the problem is not the Netscreen itself, but rather that of another network component. An intimate understanding of how these other components are configured will lead to the solution of the problem much quicker.
III. Usage of Snoop By Syntax.
The following is a detailed explanation of how the snoop is used.
1. A snoop can be run based on several different parameters. These can be found by issuing the 'snoop ?' command. The result is the following.
ns5-> snoop ?
<return>
<number>     snoop specified ethernet type
arp          snoop arp packet
direction    snoop direction
info         show snoop information
ip           snoop ip packet
2. snoop info
By issuing this command you can see the current settings for the snoop.
An example of this is below.
snoop info
Snoop: Off, Interface: trust, direction: both
EtherType 0800, SrcIp 0.0.0.0, DstIp 0.0.0.0, Proto 6
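The 'snoop info' summary above is terse, and a small parser makes it easier to check a unit's capture settings before relying on a capture. The following is an added example, not part of the original document and not Juniper/Netscreen code; it assumes that a SrcIp or DstIp of 0.0.0.0 means "any address" (no filter applied), and the EtherType 0800 (IPv4) and Proto 6 (TCP) values are the standard IANA assignments.

```python
import re
from ipaddress import ip_address

# Constructed sample: the `snoop info` output in the form shown on this page.
SAMPLE_SNOOP_INFO = """\
snoop info
Snoop: Off, Interface: trust, direction: both
EtherType 0800, SrcIp 0.0.0.0, DstIp 0.0.0.0, Proto 6
"""

# Standard IP protocol numbers; the page's example uses 6 (TCP).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP"}


def parse_snoop_info(text: str) -> dict:
    """Parse the two-line `snoop info` summary into a dict.

    Keys: enabled, interface, direction, ethertype, ethertype_name,
    src_ip, dst_ip, proto, proto_name, and filters (the address fields
    that are actually restricting the capture).
    """
    state = {}
    # State line: "Snoop: Off, Interface: trust, direction: both"
    m = re.search(r"Snoop:\s*(\w+),\s*Interface:\s*(\S+),\s*direction:\s*(\w+)", text)
    if not m:
        raise ValueError("snoop state line not found")
    state["enabled"] = m.group(1).lower() == "on"
    state["interface"] = m.group(2)
    state["direction"] = m.group(3)
    # Filter line: "EtherType 0800, SrcIp 0.0.0.0, DstIp 0.0.0.0, Proto 6"
    m = re.search(
        r"EtherType\s+([0-9A-Fa-f]+),\s*SrcIp\s+(\S+),\s*DstIp\s+(\S+),\s*Proto\s+(\d+)", text
    )
    if not m:
        raise ValueError("snoop filter line not found")
    state["ethertype"] = int(m.group(1), 16)
    state["ethertype_name"] = ETHERTYPE_NAMES.get(state["ethertype"], "other")
    state["src_ip"] = str(ip_address(m.group(2)))  # raises on a malformed address
    state["dst_ip"] = str(ip_address(m.group(3)))
    state["proto"] = int(m.group(4))
    state["proto_name"] = PROTO_NAMES.get(state["proto"], "other")
    # Assumption: 0.0.0.0 means "any"; only a non-zero address narrows the capture.
    state["filters"] = [k for k in ("src_ip", "dst_ip") if state[k] != "0.0.0.0"]
    return state


if __name__ == "__main__":
    print(parse_snoop_info(SAMPLE_SNOOP_INFO))
```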
There are several fields that we are interested in.
Direction: This tells the Netscreen to capture inbound, outbound, or bi-directional (both) data. Both is the most common and most useful configuration. This can be changed by using the 'snoop direction' command. 'snoop direction ?' gives us the options.
snoop direction ?
both         snoop both incoming and outgoing
incoming     snoop incoming
outgoing     snoop outgoing
SrcIp: This allows us to filter the snooped information based on the source IP address of the packet. This is a good parameter to use when there is a lot of data running through the box and the problem is with a particular client. The command 'snoop ip' is used to change this. 'snoop ip ?' gives us the options.
snoop ip ?
dst-ip       snoop specified destination ip address
proto        snoo