SRX Services Gateway
Trusted Contributor
Tim_Eberhard
Posts: 39
Registered: ‎05-12-2011

SRX Session Analyzer


Update!

 

The SRX Session analyzer has been updated. The links below have been updated to version 1.5. Thanks for all the bug reports, feedback and kind words. 

 

New plugins have been added in 1.5:
There are three plugins currently written. All analyze traffic log files (either local on the box that have been downloaded) or data stored on a syslog server. Either way, you can analyze three types of log entries. There are multiple filters in place to show you top talkers by source/dest, service, policy, bytes, zones, and how your session was closed.

1) Session Create - These logs are created when 'log session init' is configured on the policy. This log entry means a session has been opened.

2) Session Close - These logs are created when 'log session close' is configured on the policy. This log entry means a session has been removed from the session table.

3) Session Deny - These logs are created when logging is configured on a deny policy and the traffic was dropped.

I wrote these log file plugins because the session analyzer is real time, and there are no SRX-specific log analyzers out there for historical analysis of traffic patterns. Juniper sells the STRM box for this but many customers cannot justify that kind of cost. These plugins are very beta; if you have feedback, a feature request or just want to tell me it sucks, feel free to email me.

 

#Change History:
#12/08/11 - Version 1.5 - Added the first set of plugins for SRX Session Analyzer. These plugins can analyze traffic log files (syslog or locally logged)
# and give you the ability to parse for top talkers by various data points. Needs additional testing as it's only been tested on 11.2 syslog output.
#12/07/11 - Version 1.3 - Added some basic GUI items, file, edit, plugins and help. Fixed a couple of minor bugs.
#12/02/11 - Version 1.2 - Fixed the "all" option within the drop down menu. Previously this didn't work.
#11/03/11 - Version 1.1 - Minor bug fixes and code clean up. Added protocol lookup (much like port lookups).
#10/14/11 - Version 1.0 - Base version released. It does basic top 10 with filters

 

 

So for those that are interested I went ahead and published the source on github. I will still host and create the compiled .exe's for windows versions but for those of you running linux/unix/osx you can now download this directly.

 

Feel free to take a look at the source and I always welcome input. I still ask that you don't copy/fork the code without permissions but that's something I can't control. 

 

Below is the link for the github project. 

https://github.com/xmin0s/SRX-Session-Analyzer

 

-----------------------------------------------------------------------------------------------------------------

Original post:

 

All,

After finally finding some free time (a new job or two, and a new kid) I was able to at least sit down and hack out a base version of my SRX Session Analyzer. For those of you who used NSSA (Netscreen Session Analyzer) I wrote it to assist in troubleshooting Juniper firewalls.
Basically this tool will take a look at your current session table and give you a list of top talkers by IP, port, policy, Interface and now by packets and bytes.

It is written completely in python and requires nothing other than what is in the compressed file.

 

Windows XP:

performanceclassifieds.net/SRX-Session-Analyzer-winxp-32bit-V1.5.zip

 

Windows 7 32bit

performanceclassifieds.net/SRX-Session-Analyzer-win7-32bit-V1.5.zip

 

Windows 7 64bit

performanceclassifieds.net/SRX-Session-Analyzer-win7-64bit-V1.5.zip

 


If you run osx/linux feel free to email me directly and I'll get you a working copy. It just requires that you install Python 3.2.

As always this is virus free and requires no internet connection. Source available upon request. Please let me know what you think and if you find a bug let me know. This is the very first release.

Hopefully it helps some people out. Lots of folks have been emailing me requesting it.

Thanks,
-Tim Eberhard

-Tim Eberhard
JNCIE-SEC #50
Co-Author of Junos Security
Author of Netscreen Session Analyzer and the SRX Session Analyzer
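
The kind of top-talker summary over session create/close/deny logs that the post above describes, as an added example; it is not part of the original post and is not the SRX Session Analyzer's own code. The log lines are constructed, the field order is an assumption modelled on Junos 11.x RT_FLOW syslog messages, and `parse_line` and `top_talkers` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample lines; the RT_FLOW field order is an assumption (Junos 11.x syslog).
SAMPLE_LOG = """\
Dec  8 10:00:01 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.5/40001->192.0.2.10/443 junos-https 198.51.100.1/2001->192.0.2.10/443 src-nat None 6 allow-web trust untrust 1001
Dec  8 10:00:09 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.1.1.5/40001->192.0.2.10/443 junos-https 198.51.100.1/2001->192.0.2.10/443 src-nat None 6 allow-web trust untrust 1001 12(1800) 10(9200) 8
Dec  8 10:01:10 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed idle Timeout: 10.1.1.7/53124->192.0.2.53/53 junos-dns-udp 198.51.100.1/2002->192.0.2.53/53 src-nat None 17 allow-dns trust untrust 1002 1(70) 1(130) 60
Dec  8 10:01:12 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP RST: 10.1.1.5/40002->192.0.2.20/80 junos-http 198.51.100.1/2003->192.0.2.20/80 src-nat None 6 allow-web trust untrust 1003 5(400) 4(300) 2
Dec  8 10:02:00 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.9/51515->198.51.100.1/23 junos-telnet 6(0) deny-all untrust trust
Dec  8 10:02:01 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.9/51516->198.51.100.1/22 junos-ssh 6(0) deny-all untrust trust
Dec  8 10:02:05 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.44/4000->198.51.100.1/23 junos-telnet 6(0) deny-all untrust trust
Dec  8 10:02:06 srx mgd[1200]: UI_COMMIT: constructed non-flow line
Dec  8 10:02:07 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.9/51
""".splitlines()

EVENT_RE = re.compile(r"RT_FLOW_SESSION_(CREATE|CLOSE|DENY): session \w+ (.*)")

def parse_line(line):
    """Return a dict for one session log line, or None if it cannot be parsed."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    event, rest = m.groups()
    rec = {"event": event}
    try:
        if event == "CLOSE":  # close logs carry the close reason before the flow
            rec["reason"], rest = rest.split(": ", 1)
        f = rest.split()
        src, dst = f[0].split("->")
        rec.update(src=src.rsplit("/", 1)[0], dst=dst.rsplit("/", 1)[0], service=f[1])
        p = 3 if event == "DENY" else 6  # deny logs have no NAT fields
        rec.update(policy=f[p], from_zone=f[p + 1], to_zone=f[p + 2])
        if event == "CLOSE":  # packets(bytes) for the client and server directions
            rec["bytes"] = sum(int(f[i][f[i].index("(") + 1:-1]) for i in (10, 11))
    except (ValueError, IndexError):
        return None  # truncated or unexpected layout: skip the line, do not crash
    return rec

def top_talkers(lines, event, key, n=10, weight=None):
    """Rank values of `key` for one event type, by count or by a numeric field."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["event"] == event and key in rec:
            counts[rec[key]] += rec.get(weight, 0) if weight else 1
    return counts.most_common(n)
```

Ranking deny logs by `src` surfaces the hosts a deny policy is dropping most often, and ranking close logs by `src` with `weight="bytes"` gives the historical byte-volume view.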
Trusted Expert
Automate
Posts: 784
Registered: ‎11-01-2007

Re: SRX Session Analyzer

w00t! Thanks Tim!

 

For those of you not familiar, Tim's earlier product was very well reviewed (even better than our online tool).

 

-Keith

Super Contributor
cryptochrome
Posts: 496
Registered: ‎03-29-2008

Re: SRX Session Analyzer

This is awesome. Thanks for sharing!

 

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Contributor
Tim_Eberhard
Posts: 39
Registered: ‎05-12-2011

Re: SRX Session Analyzer

Thanks all.

 

I had a couple requests to add screenshots to this thread. Hopefully these help.

 

 

 

Thanks for all the great feedback and comments guys. Automatically pulling via netconf and raw xml processing is on my to do list for sure. Not sure when I'll find the time but it's on my roadmap/todo list.

-Tim Eberhard
JNCIE-SEC #50
Co-Author of Junos Security
Author of Netscreen Session Analyzer and the SRX Session Analyzer
Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009

Re: SRX Session Analyzer

Nice job.

 

Could you post links to the Linux / Mac versions?

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Contributor
misha
Posts: 25
Registered: ‎10-12-2010

Re: SRX Session Analyzer


Hi Tim,

Have a problem with analyzer,

Did all steps correctly as described in README.TXT, but when I hit analyze button, It shows only the following output:

 

-----------------

File loaded:C:/Users/misha/Desktop/sessiontable.txt


-SRX Session Analyzer-
-Written By Tim Eberhard-
-SRX Session Ananlyzer Verion 1.1 GUI Beta-

 

------------------

 

First file I tried, was >5K, taken from my production SRX3K, then I tried with smaller file (taken from SRX240) but result was the same.

Am I missing something ?

 

Best Regards,

 

Misha

 

 

 

UPDATE: It was my mistake. When you start the program, you have to manually check the filters. As the program starts, by default they are checked, but do not work:

Here are screenshots:

 

Best Regards,
Misha
Trusted Contributor
Tim_Eberhard
Posts: 39
Registered: ‎05-12-2011

Re: SRX Session Analyzer


Misha,

 

Interesting problem. Looks like the state isn't displaying correctly as it should. On my system it shows up as highlighted but not checked.

 

Unicast me directly via email. I suspect it's a problem with the specific binary you're running but I'd like to pinpoint it down and test a few things with you if you had time.

 

Thanks for your help, my apologies for the display bug. This is my first go around with ttk tkinter, I previously used wx.python but wx.python doesn't support python 3.x yet :(

-Tim Eberhard
JNCIE-SEC #50
Co-Author of Junos Security
Author of Netscreen Session Analyzer and the SRX Session Analyzer
Contributor
misha
Posts: 25
Registered: ‎10-12-2010

Re: SRX Session Analyzer

Hi Tim,

I'm running 64 bit version for win7, and downloaded the appropriate binary of session analyzer.

Python32.dll version is: 3.2.2

If you need any more details, please let me know. Willing to test your software ;)

 

Best Regards,

 

Misha

Best Regards,
Misha
Contributor
Sami Bhatti
Posts: 10
Registered: ‎09-28-2011

Re: SRX Session Analyzer


Nice job !!!

 

 

Contributor
Jimmy
Posts: 28
Registered: ‎07-07-2009

Re: SRX Session Analyzer

 

 

Wowooo, that's cool, thank you for sharing.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.