Screen OS

last person joined: 8 months ago 

This is a legacy community with limited Juniper monitoring.

  • 1.  Debug filter Question

    Posted 05-05-2010 04:17

     

    if i have pc1 on trust zone with ip= 10.10.10.2   , pc2 at untrust zone with ip= 10.20.20.2

     

    now ,  i run ping from  pc1 to pc2   & i need to see traffic flow using debug

     

    if i put  ffilter with : src-ip  pc1 & dst-ip pc2 , will i be able to see bot icmp requset & icmp reply ? or i need to put a filter at the reverse direction ( src-ip pc2 & dst-ip pc1 )  to see the reply

     

     



  • 2.  RE: Debug filter Question
    Best Answer

    Posted 05-05-2010 08:34

    Put a reverse filter also.

     

    -Mike



  • 3.  RE: Debug filter Question

    Posted 05-05-2010 09:06

    set ff src-ip <x.x.x.x> dst-ip <y.y.y.y>

    set ff src-ip <y.y.y.y> dst-ip <x.x.x.x>

     

    to unset the filters

    unset ff ( repeat for the number of the filters you have )



  • 4.  RE: Debug filter Question

    Posted 05-05-2010 12:12

     

    Thnaks

     

    But while the ping is working from ip1 to ip2    +  putting filter with only  src-ip  ip2   to dst-ip ip1  , i can see that the debug output is empty ?

     

     

    I just want to make sure i'm getting the debug concept right  ,   if i'm suspecting that the ping reply is not received back  , what debug  filter will show me the reply only (  without showing me the requset ) ?



  • 5.  RE: Debug filter Question

    Posted 05-06-2010 09:45

    Did you do a "debug flow basic" to turn on flow debug?

     

    -Mike



  • 6.  RE: Debug filter Question

    Posted 05-07-2010 04:18

     

    Yes ,

     

    i just want to know the following :

     

    when pinging from ip1 to  ip2  :

     

    filter with src-ip ip1 & dst-ip ip2  will show both the request &  the reply ? 



  • 7.  RE: Debug filter Question

    Posted 05-17-2010 12:29

    Hi ...........



  • 8.  RE: Debug filter Question

    Posted 05-21-2010 02:23

    Hi,

    Yes, you'll see both request and response, because you are debugging a FLOW, not separate packets (debug flow basic etc.).

    I prefer simpler tools for simpler tasks. So, you can configure a temporary policy for such a test and enable both logging options - on session init and on session close. If you see "Close - AGE OUT" in the ping entries, then for sure  there was no response.

     

    Kind regards

    Edouard



  • 9.  RE: Debug filter Question

    Posted 05-22-2010 01:52

    Thanks Echidov

     

    What if i want to cheack only the reply using debug , is that possible ?



  • 10.  RE: Debug filter Question

    Posted 05-25-2010 00:54

    Hi,

     

    You can always filter the output using this command:

     

    get db stream | include <string> 

    <string> is a regular expression

    You should play a little bit with the command to learn which <string> would be the best choice for you.

    The debug output can also be sent to a tftp server using redirect > or saved to the usb stick for further use with a text editor.

     

    Kind regards,

    Edouard