juniper Snoop文档格式.docx

juniper Snoop文档格式.docx

《juniper Snoop文档格式.docx》由会员分享，可在线阅读，更多相关《juniper Snoop文档格式.docx（16页珍藏版）》请在冰豆网上搜索。

Asmentionedearlier,thesnooputilityisnotintendedtobeareplacementforathirdpartyprofessionalsniffertool.Thisisbecauseitlacksincompletenessincomparison.Themajorityofitsdownfallscomeasaresultoftheplatformitisrunningon.TheNetscreenhardwareisnotdesignedasgeneralpurposehardware.Hence,itdoesnotperformgeneralpurposetaskswell.Thisleadstodownfallsincertainsniffingfeaturesthatonemaytakeforgranted.Mostofthesefeatureshavetodowitheaseofuseandflexibility.Thelackingfeaturesinclude:

∙Inabilitytofilterbaseduponasource-ipanddestination-ipsimultaneously

∙InabilitytofilterbaseduponMACaddress

∙Inabilitytofilterthecaptureddataforviewing

∙Inabilitytoeasilyscrollthroughdata

∙Inabilitytodirectlysavecaptureddata.Youmusthavetheconsoleapplicationsavethefile.

∙Inabilitytoeasilymakeadistinctionbetweendifferenttypesofdatagrams（ICMP,TCP,etc）.Thiscanbedone,butthedifferenttypesarenotcolorizedorcategorizedinotherwaysasmanycommercialsniffersdo.

∙ThesnooputilitywillonlycapturedatathatflowsthroughtheNetscreenfirewall.Thisismuchlessalimitationthanitisthepurposeofthesnooputility.

∙Thesnoopwillnotcapturethecontentsofthepacket.Itwillonlycapturethepropertiesofit.

Evenwiththeselimitations,thesnooputilitycanbeveryusefulinhelpingtodeterminerootcauseofproblemsastheypertaintotheNetscreenfirewall.Somecommonquestionsthatonecanexpecttoanswerusingthisutilityarethefollowing.Thetroubleshootingabilityofthesnoopcommandaren’tlimitedtosolvingthesetypesofissues,ofcourse.

∙Whycan’tIgettotheInternetthroughmyNetscreen?

∙Whycan’tIgetSNMP（orFTP,HTTP,etc.）throughmyNetscreen?

∙IconfiguredanMIP/VIP,butitdoesn’tseemtowork.What’swrong?

Theseandmanymorevariationofquestionscanbeansweredbythesnooputility.However,theresultingdatathatthesnoopwillshowrequiresspecialknowledge.Theintendeduserofsnoopwillpossessthefollowingknowledgeandskills.

∙MusthavestrongunderstandingoftheIPprotocol.Thisknowledgemustbeonanintimatelevel,withtheunderstandingofhowportsareused,transportsareused,howNATfunctions,andhowthesubnetmaskisused.Withoutthisknowledge,thesnooptoolwillconfusetheusermorethanitwillhelp.

∙MusthaveastrongunderstandingoftheNetworkcomponents（Servers,Clients,Routers,Switches,etc.）surroundingtheNetscreeninquestionareconfigured.Manytimes,theproblemisnottheNetscreenitself,butratherthatofanothernetworkcomponent.Anintimateunderstandingofhowtheseothercomponentsareconfiguredwillhelpthesolutiontotheproblemmuchquicker.

III.UsageofSnoopBySyntax.

Thefollowingisadetailedexplanationofhowthesnoopisused.

1.Asnoopcanberunbasedonseveraldifferentparameters.Thesecanbefoundbyissuingthe‘snoop?

’command.Theresultisthefollowing.

ns5->

snoop?

<

return>

number>

snoopspecifiedethernettype

arpsnooparppacket

directionsnoopdirection

infoshowsnoopinformation

ipsnoopippacket

2.snoopinfo

Byissuingthiscommandyoucanseethecurrentsettingsforthesnoop.

Anexampleofthisisbelow.

snoopinfo

Snoop:

Off,Interface:

trust,direction:

both

EtherType0800,SrcIp0.0.0.0,DstIp0.0.0.0,Proto6

Thereareseveralfieldsthatweareinterestedin.

Direction:

ThistellstheNetscreentocaptureinbound,outbound,orbi-

directional（both）data.Bothisthemostcommonandmostusefulconfiguration.Thiscanbechangedbyusingthe‘snoopdirection’command.‘snoopdirection?

’givesustheoptions.

snoopdirection?

bothsnoopbothincomingandoutgoing

incomingsnoopincoming

outgoingsnoopoutgoing

SrcIp:

Thisallowsustofilterthesnoopedinformationbasedonthe

sourceIPaddressofthepacket.Thisisagoodparametertousewhenthereisalotofdatarunningthroughtheboxandtheproblemiswithaparticularclient.Thecommand‘snoopip’isusedtochangethis.‘snoopip?

’givesustheoptions.

snoopip?

dst-ipsnoopspecifieddestinationipaddress

protosnoo