06-01-2010 11:49 PM
Can anyone suggest me what is the best way to capture the traffic log file from any Source address to any Destination address???
I have a SSG140,and I want to capture log file from my Mail Server to any Wan ip address.
06-02-2010 04:06 AM
You probably already have a policy for public access to this server so just turn on the logging option for that policy. The logs will then appear on the policy screen or under reports.
If you need to save them for review, you will need to setup a syslog server then configure that log to ship to the syslog server.
06-02-2010 11:27 PM
Thanks for the reply,
Yeah I have already enabled the log report on the definite policy. My concern was to snoop the packets which are going from my mail server to the WAN,via CLI.
06-03-2010 03:53 AM
If you want to capture live traffic then debug flow is the cli tool.
Set a filter for you mail server:
set ffilter scr-ip x.x.x.x
Clear previous data
start the capture
debug flow basic
Read data to screen
get db str
06-03-2010 04:36 AM
Thanks for the reply.
I have captured the traffic log file but when I want to analyize the log file from Wireshark then there comes an error saying that the Wireshark didnt understand the file format...
What may be the reason?
06-03-2010 05:36 AM
Wireshark will be able (probably) to intertpret the "debug flow all"-output but not the one from "debug flow basic".
I would recommend to use this:
"Use the mirror commands to mirror all traffic for at least one source interface to a
destination interface. This command is useful for debugging and monitoring network
traffic. For example, you can connect a sniffer to a destination interface to monitor
traffic passing through multiple source interfaces." (ScreenOS Reference Guide:IPv4 Command Descriptions)
06-04-2010 02:43 AM - edited 06-04-2010 02:48 AM
Hi Issn ,
You can use the below to capture traffic on your firewall
set console dbuf
snoop detail ~~~~~~~~~only available for root (netscreen by default)
snoop detail len 1514
snoop filter ip src-ip X.X.X.X dst-ip Y.Y.Y.Y
snoop ~~~~~then initiate the traffic & wait few seconds
Stop the capture with <ESC> to stop the snoop
display the output with the command "get dbuf stream".
You can save the output directly to a tftp-server with the command
"get dbuf stream > tftp <host> <filename>"
You can read that file using WireShark
But if your target is only to see the traffic flow :
set ff src-ip X.X.X.X dst-ip Y.Y.Y.Y
Debug flow basic , then initiate the traffic & wait few seconds
press ESc ~~~~~to stop the debug
get db st to see the debug output