ScreenOS Firewalls (NOT SRX)
Trusted Contributor
Tim_Eberhard
Posts: 39
Registered: ‎05-12-2011

New release of NSSA - The Netscreen Session Analyzer

I released the original NSSA in 2006. NSSA was a downloadable session table analyzer for NetScreen devices. It was originally written in Python 2.6 and required the wx.python module for the GUI. I compiled it with py2exe for a Windows binary. NSSA has been used by engineers around the world and even by JTAC to troubleshoot NetScreen issues.

 

NSSA will take your session table and analyze the data reporting on top talkers by source, destination, ports, protocols, etc. In addition to that there are several plugins added to NSSA to assist you in troubleshooting DoS attacks, high CPU situations and high traffic volumes. 

Version 2.0 has been rewritten in Python 3.x and uses the new tk.ttk library for its GUI. A lot of effort has been put into making data processing faster and more efficient.

 

Great improvements have been made on the back end code, focusing on performance and simplifying the way NSSA processes data. I've updated it to work with ScreenOS 6.X based firewalls. Please take a look at the new NSSA, test it out and let me know what you think. If you run into a bug please email me directly.

 

For Linux/OSX users, please email me directly for a copy. I'll send you a working python version. 

 

 

*Edit* Updated links to version 2.5

Links below:

 

Windows XP:

performanceclassifieds.net/NSSA-winxp-32bit-V2.5.zip

 

Windows7 32bit

performanceclassifieds.net/NSSA-win7-64bit-V2.5.zip

 

Windows 7 64bit

performanceclassifieds.net/NSSA-win7-32bit-V2.5.zip

 

Thanks guys, and enjoy it. Hopefully it helps.

-Tim Eberhard

-Tim Eberhard
JNCIE-SEC #50
Co-Author of Junos Security
Author of Netscreen Session Analyzer and the SRX Session Analyzer
Contributor
tnhphuong@j-protek.net
Posts: 10
Registered: ‎11-22-2011
0

Re: New release of NSSA - The Netscreen Session Analyzer

Thank you very much. :smileyhappy: It's a great tool.

Trusted Contributor
Tim_Eberhard
Posts: 39
Registered: ‎05-12-2011
0

Re: New release of NSSA - The Netscreen Session Analyzer

Thanks. To everyone downloading it, please let me know if you encounter any issues or bugs. I haven't received much feedback as of yet, so hopefully that's good news.

 

-Tim Eberhard

Contributor
rootless_rooter
Posts: 23
Registered: ‎08-07-2008
0

Re: New release of NSSA - The Netscreen Session Analyzer

Hi,

 

Being a Linux user, I'd like to get a copy of the tool - is there a chance you can send me a URL with a download or send a copy, please?

 

thanks

 

rootless.rooter@gmail.com

Visitor
gvanblitz
Posts: 2
Registered: ‎01-10-2012
0

Re: New release of NSSA - The Netscreen Session Analyzer

Hi,

 

Thank you very much for all this job.

 

But I can't have any results with the OS task Analyser plugin.

 

Here is an example of what I paste in the dialog box.

 

Interrupt: 343728572/4257484109
ID     Task Name     State               Stack            Heap/used  Scheduled    Run Time   Lock Latency
  1 100ms timer     IDLE (Suspend)      70002380/02000  1022/    8   85522596    3322.343,       0.000
  2 1s timer        IDLE (Suspend)      70102380/02000  1022/    8    8552687   41720.740,       0.000
  3 10s timer       IDLE (Suspend)      70202380/02000  1022/    8     855270      36.991,       0.000
  4 1s stimer       BLOCK (Semaphore)    70302380/02000  1022/    8   25657188   31097.052,       0.000
  5 10s stimer      BLOCK (Mail)         704023b0/02000  1022/    8     855240      80.005,       0.000
  6 min stimer      BLOCK (Mail)         705023b0/02000  1022/    8     142540    1975.033,       0.000
  7 idle task       RSVD  (YIELD)        706023b0/02000  1022/    8 3061731181 1878727.563,       0.002
  8 resource        BLOCK (Mail)         70702360/02000  1022/    8          3       0.009,       0.000
  9 asmp monitor    IDLE (Suspend)      70802380/02000  1022/    8          1       0.000,       0.000
 10 File Async Task BLOCK (Mail)         70904350/04000  1022/   16          1       0.000,       0.000
 11 led             NORM  (Running)      70a08380/08000  1022/   32  171047213    3286.805,       0.000
 12 mount cfcard    IDLE (Suspend)      70b02380/02000  1022/    8    8552398     101.850,       0.000
 13 route           IDLE (Suspend)      70c18380/18000  1022/   96         12       0.001,       0.000
 14 nat_session_agerBLOCK (Semaphore)    70d02380/02000  1022/    8    8552397  141722.413,       0.000
 15 nat_hole_ager   BLOCK (Semaphore)    70e02380/02000  1022/    8    8552397     134.151,       0.000
 16 session scan    IDLE (Suspend)      70f02350/02000  1022/    8      46610    1040.082,      23.545
 17 mcast session scIDLE (Suspend)      71002380/02000  1022/    8          1       0.000,       0.000
 18 platform_task   NORM  (Running)      71102380/02000  1022/    8   85488225   16502.818,       0.000
 19 link poll       IDLE (Suspend)      71208380/08000  1022/   32    8552451     111.759,       0.004
 20 hwif count poll IDLE (Suspend)      71302380/02000  1022/    8     534529     890.585,       0.000
 21 tcp send        IDLE (Suspend)      714020a0/02000  1022/    8    6860289    4528.204,       0.000
 22 tcp recv        IDLE (Suspend)      71502380/02000  1022/    8    4418821     376.760,       0.000
 23 ping high       IDLE (Socket)       71606110/06000  1022/   24        101       0.004,       0.000
 24 ping norm       IDLE (Socket)       71706110/06000  1022/   24   87028057    2626.317,     546.564
 25 tftp            BLOCK (Mail)         71802320/02000  1022/    8      32855       4.234,       0.000
 26 netif           IDLE (Sleep)        71908380/08000  1022/   32   25399345    1113.683,       0.000
 27 pk poll mgt     BLOCK (Event)        71a023a0/02000  1022/    8         52       0.010,       0.004
 28 asp_tcp_timer   IDLE (Sleep)        71b08330/08000  1022/   32   17104646     250.593,       0.000
 29 cmd             IDLE (Sleep)        71c102d0/10000  1022/   64    6893989      12.245,       0.000
 30 pki             IDLE (Socket)       71d0fb90/0fa00  1022/   62      96020       4.532,       0.759
 31 pki-db          BLOCK (Mail)         71e04270/04000  1022/   16          4       0.000,       0.000
 32 ssl             IDLE (Suspend)      71f0f350/0f000  1022/   60   50706474      98.611,       2.367
 33 nsrp_task       IDLE (Suspend)      72004380/04000  1022/   16        153       0.011,       0.000
 34 resync_task     BLOCK (Mail)         721082e0/08000  1022/   32   52087260     110.328,       0.000
 35 infranet        IDLE (Sleep)        722078a0/08000  1022/   32     142546       2.748,       0.000
 36 dhcp probing    BLOCK (Mail)         72302330/02000  1022/    8          1       0.000,       0.000
 37 dnsa            IDLE (Socket)       724101b0/10000  1022/   64          1       0.000,       0.000
 38 dns             IDLE (Suspend)      72510380/10000  1022/   64    8552397     106.041,       0.000
 39 dns_refresh     IDLE (Suspend)      72610380/10000  1022/   64     142543       2.620,       0.000
 40 nsgp            IDLE (Socket)       72708180/08000  1022/   32    3420977     131.337,      24.641
 41 rm              IDLE (Sleep)        72804340/04000  1022/   16    8552394     126.118,       0.000
 42 vpnmon_send     IDLE (Sleep)        72904340/04000  1022/   16    8552392      94.190,       0.000
 43 ppp             BLOCK (Mail)         72a08350/08000  1022/   32          1       0.000,       0.000
 44 ikmpd           IDLE (Suspend)      72b18350/18000  1022/  112   17104786    1035.846,       0.000
 45 natt_ka         NORM  (Event)        72c04390/04000  1022/   16   17104791     136.920,       0.000
 46 l2tp mgt        IDLE (Suspend)      72d10380/10000  1022/   64   12828607     126.318,       0.000
 47 gt_ka           IDLE (Sleep)        72e02370/02000  1022/    8    8552391      84.585,       0.000
 48 arp             IDLE (Socket)       72f06190/06000  1022/   24   39269591    5035.055,     379.469
 49 count           IDLE (Suspend)      73002380/02000  1022/    8          1       0.000,       0.000
 50 rs_install      IDLE (Suspend)      73108380/08000  1022/   32    1710588      41.684,       0.051
 51 acl_ager        IDLE (Suspend)      73204380/04000  1022/   16   25657184    1135.282,       0.000
...

 

I'm a Linux user too. Can you send me a copy of your script?

Thanks a lot.

 

Greg

gvanblitz      ( a  t   )   free (dot) fr
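
Added example, not part of the thread and not NSSA's own code: a small parser for the `get os task` output pasted in the post above, ranking tasks by the Run Time column as a first step when triaging a high-CPU firewall. The function names and the list of state keywords are assumptions taken only from the rows visible in that dump; the sample rows are copied from it.

```python
import re

# States seen in the dump above; other ScreenOS releases may print more (assumption).
STATES = "IDLE|BLOCK|NORM|RSVD"

# The Task Name column is fixed-width, so long names run straight into the state
# ("nat_session_agerBLOCK"). Anchor on the state keyword rather than on whitespace.
ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<name>.+?)\s*(?P<state>" + STATES + r")\s+\((?P<wait>\w+)\)"
    r"\s+[0-9a-f]+/[0-9a-f]+\s+\d+/\s*\d+"
    r"\s+(?P<scheduled>\d+)\s+(?P<run_time>[\d.]+),\s+(?P<lock_latency>[\d.]+)\s*$"
)

# Rows copied from the dump in the post above (a subset, including two fused names).
SAMPLE = """\
Interrupt: 343728572/4257484109
ID     Task Name     State               Stack            Heap/used  Scheduled    Run Time   Lock Latency
  2 1s timer        IDLE (Suspend)      70102380/02000  1022/    8    8552687   41720.740,       0.000
  4 1s stimer       BLOCK (Semaphore)    70302380/02000  1022/    8   25657188   31097.052,       0.000
  7 idle task       RSVD  (YIELD)        706023b0/02000  1022/    8 3061731181 1878727.563,       0.002
 14 nat_session_agerBLOCK (Semaphore)    70d02380/02000  1022/    8    8552397  141722.413,       0.000
 17 mcast session scIDLE (Suspend)      71002380/02000  1022/    8          1       0.000,       0.000
 18 platform_task   NORM  (Running)      71102380/02000  1022/    8   85488225   16502.818,       0.000
...
"""

def parse_os_task(text):
    """Return one dict per task row; header, 'Interrupt:' and '...' lines are skipped."""
    tasks = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            tasks.append({"id": int(m["id"]), "name": m["name"], "state": m["state"],
                          "wait": m["wait"], "scheduled": int(m["scheduled"]),
                          "run_time": float(m["run_time"]),
                          "lock_latency": float(m["lock_latency"])})
    return tasks

def top_by_run_time(tasks, n=3, idle_name="idle task"):
    """Rank non-idle tasks by Run Time; also give each one's share of the non-idle total."""
    busy = [t for t in tasks if t["name"] != idle_name]
    total = sum(t["run_time"] for t in busy) or 1.0
    ranked = sorted(busy, key=lambda t: t["run_time"], reverse=True)[:n]
    return [(t["name"], t["run_time"], round(100 * t["run_time"] / total, 1)) for t in ranked]

if __name__ == "__main__":
    for name, run_time, share in top_by_run_time(parse_os_task(SAMPLE)):
        print(f"{name:<18}{run_time:>14.3f}{share:>7.1f}%")
```
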

Trusted Contributor
Tim_Eberhard
Posts: 39
Registered: ‎05-12-2011
0

Re: New release of NSSA - The Netscreen Session Analyzer

I think I fixed the OS task Analyzer in a newer version. I'll post the updated code later tonight. 

Trusted Contributor
Tim_Eberhard
Posts: 39
Registered: ‎05-12-2011
0

Re: New release of NSSA - The Netscreen Session Analyzer

NSSA Version 2.5 links are below.

 

Windows XP:

performanceclassifieds.net/NSSA-winxp-32bit-V2.5.zip

 

Windows7 32bit

performanceclassifieds.net/NSSA-win7-64bit-V2.5.zip

 

Windows 7 64bit

performanceclassifieds.net/NSSA-win7-32bit-V2.5.zip

-Tim Eberhard
Visitor
gvanblitz
Posts: 2
Registered: ‎01-10-2012
0

Re: New release of NSSA - The Netscreen Session Analyzer

Hi Tim and all,

 

This new version works very well for me.

The OS Task Analyser plugin works with copies of the "get os task" from NS5200 with Screen OS 6.3.0r1.0.

 

Thanks for the quick job.

 

Enjoy :-)


Greg

Contributor
rootless_rooter
Posts: 23
Registered: ‎08-07-2008
0

Re: New release of NSSA - The Netscreen Session Analyzer

Downloaded win32 version release 2.5, loaded my session log into it but getting no results at all.

only getting message 'File loaded C:/path/to/file.nss' and that's it.

 

the same happens when I load output from 'debug flow basic' - all I see is 'Total Number of Packets Analyzed: 2786' message.

 

 

I'm running SSG550M  [6.2.0r8.0]

 

any ideas?

 

many thanks

 

 

 

Trusted Contributor
Tim_Eberhard
Posts: 39
Registered: ‎05-12-2011
0

Re: New release of NSSA - The Netscreen Session Analyzer

Just a quick reminder. I spoke with rootless_rooter via email and figured out he had a display issue on his computer.
On some systems the checkboxes show checked/greyed out. You must enable a filter before selecting analyze for NSSA to do anything. Click a filter and you will see the checkbox change state. This enables it.
Sorry all, I'm trying to pinpoint down why tk.ttk's checkboxes show this way on some systems. I use a mac and I don't see this problem :smileysad:
-Tim Eberhard
