Screen OS

  • 1.  to capture traffic logs of SSG 140.

    Posted 06-01-2010 23:50

    Dear all,

    Can anyone suggest to me the best way to capture the traffic log file from any source address to any destination address?

    I have an SSG140, and I want to capture the log file from my mail server to any WAN IP address.

    Thank you.



  • 2.  RE: to capture traffic logs of SSG 140.

    Posted 06-02-2010 04:07

    You probably already have a policy for public access to this server, so just turn on the logging option for that policy.  The logs will then appear on the policy screen or under reports.

    If you need to save them for review, you will need to set up a syslog server, then configure that log to ship to the syslog server.
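    Once the policy logs are shipped to a syslog server, the "mail server to any WAN address" question from the first post becomes a filter over the traffic-log lines. The script below is an added example and is not code from this thread or from Juniper; the sample lines are constructed, the key=value layout follows the ScreenOS traffic log format as I remember it, and the device name, addresses, policy ids and zone names are made up.

```python
import re
from collections import Counter

# Constructed sample of ScreenOS traffic-log lines as received by a syslog
# server (assumed layout; all values are invented for this example).
SAMPLE_SYSLOG = """\
<134>ssg140: NetScreen device_id=ssg140 [Root]system-notification-00257(traffic): start_time="2010-06-02 10:15:01" duration=12 policy_id=3 service=smtp proto=6 src zone=Trust dst zone=Untrust action=Permit sent=1842 rcvd=623 src=10.1.1.5 dst=203.0.113.10 src_port=3128 dst_port=25 src-xlated ip=198.51.100.2 port=3128 session_id=40011 reason=Close
<134>ssg140: NetScreen device_id=ssg140 [Root]system-notification-00257(traffic): start_time="2010-06-02 10:15:04" duration=3 policy_id=3 service=smtp proto=6 src zone=Trust dst zone=Untrust action=Permit sent=910 rcvd=402 src=10.1.1.5 dst=198.51.100.7 src_port=3129 dst_port=25 src-xlated ip=198.51.100.2 port=3129 session_id=40012 reason=Close
<134>ssg140: NetScreen device_id=ssg140 [Root]system-notification-00257(traffic): start_time="2010-06-02 10:15:09" duration=40 policy_id=4 service=https proto=6 src zone=Trust dst zone=Untrust action=Permit sent=5120 rcvd=88210 src=10.1.1.20 dst=203.0.113.10 src_port=51022 dst_port=443 src-xlated ip=198.51.100.2 port=51022 session_id=40013 reason=Close
<134>ssg140: NetScreen device_id=ssg140 [Root]system-notification-00257(traffic): start_time="2010-06-02 10:15:10" duration=1 policy_id=2 service=dns proto=17 src zone=Trust dst zone=DMZ action=Permit sent=70 rcvd=150 src=10.1.1.5 dst=10.1.2.50 src_port=1053 dst_port=53 session_id=40014 reason=Close
<134>ssg140: NetScreen device_id=ssg140 [Root]system-warning-00515: Admin user "netscreen" logged in via the console
<134>ssg140: NetScreen device_id=ssg140 [Root]system-notification-00257(traffic): start_time="2010-06-02 10:15:12" duration=0 policy_id=5 service=smtp proto=6 src zone=Trust dst zone=Untrust action=Deny sent=0 rcvd=0 src=10.1.1.5 dst=203.0.113.10 src_port=3130 dst_port=25 session_id=0 reason=Traffic Denied
"""

# Keys are listed longest-first so "src zone" and "src_port" win over "src";
# quoted values (start_time) are captured whole.
FIELD = re.compile(
    r'\b(?P<key>src zone|dst zone|src_port|dst_port|policy_id|session_id|'
    r'start_time|service|proto|action|src|dst|sent|rcvd)='
    r'(?P<val>"[^"]*"|\S+)'
)


def parse_traffic_log(line):
    """Return a dict of fields for a ScreenOS traffic-log line, else None."""
    if "(traffic)" not in line:
        return None  # admin/system events are not session records
    rec = {m.group("key"): m.group("val").strip('"') for m in FIELD.finditer(line)}
    for k in ("src_port", "dst_port", "policy_id", "proto", "sent", "rcvd"):
        if k in rec:
            rec[k] = int(rec[k])
    return rec


def mail_server_to_wan(lines, mail_server, wan_zone="Untrust"):
    """Keep only sessions whose source is the mail server and whose
    destination zone is the WAN-facing zone (zone name is an assumption)."""
    hits = []
    for line in lines:
        rec = parse_traffic_log(line)
        if rec and rec.get("src") == mail_server and rec.get("dst zone") == wan_zone:
            hits.append(rec)
    return hits


def summarize_sessions(records):
    """Count sessions per (dst, dst_port, action); denied outbound SMTP
    shows up as its own row, which is what a reviewer usually wants to see."""
    return Counter((r["dst"], r["dst_port"], r["action"]) for r in records)


if __name__ == "__main__":
    hits = mail_server_to_wan(SAMPLE_SYSLOG.splitlines(), "10.1.1.5")
    for key, n in summarize_sessions(hits).items():
        print(key, n)
```

    Filtering on the destination zone rather than on "not a private address" keeps the decision tied to how the firewall itself classifies the traffic, and avoids surprises with address ranges that look public but are not.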



  • 3.  RE: to capture traffic logs of SSG 140.

    Posted 06-02-2010 23:27

    Thanks for the reply,

    Yeah, I have already enabled the log report on the definite policy. My concern was to snoop the packets which are going from my mail server to the WAN, via the CLI.

    Thank you.



  • 4.  RE: to capture traffic logs of SSG 140.

    Posted 06-03-2010 03:54

    If you want to capture live traffic, then debug flow is the CLI tool.

    Set a filter for your mail server:
    set ffilter src-ip x.x.x.x

    Clear previous data:
    clear db

    Start the capture:
    debug flow basic

    Read data to screen:
    get db str

    Clean up:
    unset ffilter
    clear db



  • 5.  RE: to capture traffic logs of SSG 140.

    Posted 06-03-2010 04:36

    Thanks for the reply.

    I have captured the traffic log file, but when I want to analyze the log file in Wireshark, an error appears saying that Wireshark didn't understand the file format...

    What may be the reason?

    Thank you.



  • 6.  RE: to capture traffic logs of SSG 140.

    Posted 06-03-2010 05:36

    Hi,

    Wireshark will (probably) be able to interpret the "debug flow all" output, but not the one from "debug flow basic".

    I would recommend using this:

    "Use the mirror commands to mirror all traffic for at least one source interface to a
    destination interface. This command is useful for debugging and monitoring network
    traffic. For example, you can connect a sniffer to a destination interface to monitor
    traffic passing through multiple source interfaces." (ScreenOS Reference Guide:IPv4 Command Descriptions)

    Kind regards,

    Edouard



  • 7.  RE: to capture traffic logs of SSG 140.

    Posted 06-03-2010 22:54

    Thanks for the reply.

    But the mirror command is unknown on my SSG140.



  • 8.  RE: to capture traffic logs of SSG 140.

    Posted 06-04-2010 02:43

    Hi Issn,

    You can use the below to capture traffic on your firewall:

    undebug all
    clear db
    set console dbuf
    snoop detail            (only available for root, "netscreen" by default)
    snoop detail len 1514
    snoop filter ip src-ip X.X.X.X dst-ip Y.Y.Y.Y
    snoop                   (then initiate the traffic and wait a few seconds)

    Stop the capture with <ESC>.

    Display the output with the command "get dbuf stream".

    You can save the output directly to a tftp-server with the command
    "get dbuf stream > tftp <host> <filename>"

    You can read that file using Wireshark.

    But if your target is only to see the traffic flow:

    undebug all
    clear debug
    set ff src-ip X.X.X.X dst-ip Y.Y.Y.Y
    debug flow basic        (then initiate the traffic and wait a few seconds)
    press ESC               (to stop the debug)
    get db st               (to see the debug output)
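    The "Wireshark didn't understand the file format" error earlier in this thread is what you get when the raw text of "get dbuf stream" is opened as a capture file. The converter below is an added example, not code from this thread or from Juniper: it parses snoop detail text into frames and writes a classic libpcap file that Wireshark opens directly. The snoop output layout it expects (a header line per frame with timestamp, interface, (i)/(o), len= and MACs, then indented lines of hex bytes holding the whole Ethernet frame) is assumed from memory, and the two sample frames (a SYN from 10.1.1.5 to 203.0.113.10:25 and its SYN-ACK, zero checksums) are constructed.

```python
import re
import struct

# Constructed sample in the assumed "snoop detail" layout (not real output).
SAMPLE_SNOOP = """\
120417.0: ethernet0/0(i) len=54:0010db112233->0010db445566/0800
              0010 db44 5566 0010 db11 2233 0800 4500
              0028 0001 4000 4006 0000 0a01 0105 cb00
              710a 0c38 0019 0000 0001 0000 0000 5002
              ffff 0000 0000
120417.3: ethernet0/0(o) len=54:0010dbaabbcc->0010db778899/0800
              0010 db77 8899 0010 dbaa bbcc 0800 4500
              0028 0002 4000 3a06 0000 cb00 710a 0a01
              0105 0019 0c38 0000 0064 0000 0002 5012
              ffff 0000 0000
"""

# Header: "<timestamp>: <iface>(i|o) len=<n>:<rest>"; anything after len= is ignored.
HEADER = re.compile(r"^\s*(\d+(?:\.\d+)?):\s+(\S+)\((i|o)\)\s+len=(\d+):")
# Hex dump line: indented groups of 2-4 hex digits.
HEXLINE = re.compile(r"^\s+([0-9a-fA-F]{2,4}(?:\s+[0-9a-fA-F]{2,4})*)\s*$")


def parse_snoop(text):
    """Turn snoop detail text into a list of frame dicts (ts, iface, dir, length, data)."""
    frames, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"ts": float(m.group(1)), "iface": m.group(2),
                   "dir": m.group(3), "length": int(m.group(4)), "hex": []}
            frames.append(cur)
            continue
        m = HEXLINE.match(line)
        if m and cur is not None:
            cur["hex"].append(m.group(1).replace(" ", ""))
    for f in frames:
        f["data"] = bytes.fromhex("".join(f.pop("hex")))
    return frames


def build_pcap(frames):
    """Serialise frames as a classic libpcap file, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for f in frames:
        sec = int(f["ts"])
        usec = int(round((f["ts"] - sec) * 1_000_000))
        # incl_len is what snoop really dumped (it truncates at its len limit,
        # which is why the thread raises it to 1514); orig_len is the declared size.
        out.append(struct.pack("<IIII", sec, usec, len(f["data"]), f["length"]))
        out.append(f["data"])
    return b"".join(out)


def five_tuple(frame):
    """Decode src, dst, protocol and ports of an IPv4 frame as a sanity check."""
    d = frame["data"]
    if len(d) < 34 or d[12:14] != b"\x08\x00":
        return None  # not IPv4 or too short to hold an IP header
    ihl = (d[14] & 0x0F) * 4
    proto = d[23]
    src = ".".join(str(b) for b in d[26:30])
    dst = ".".join(str(b) for b in d[30:34])
    l4 = 14 + ihl
    if proto in (6, 17) and len(d) >= l4 + 4:
        sport, dport = struct.unpack("!HH", d[l4:l4 + 4])
        return src, dst, proto, sport, dport
    return src, dst, proto, None, None


if __name__ == "__main__":
    frames = parse_snoop(SAMPLE_SNOOP)
    with open("snoop.pcap", "wb") as fh:
        fh.write(build_pcap(frames))
    for f in frames:
        print(f["iface"], f["dir"], five_tuple(f))
```

    Two things to keep in mind: the snoop timestamps are not wall-clock epoch seconds, so Wireshark will show 1970 dates unless you offset them, and a frame that snoop truncated at its length limit is still written with its declared original length, so Wireshark flags it as cut short instead of misparsing it.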