Debugging ScreenOS on Juniper Netscreen

Debugging on the Netscreen wasn't all that obvious to me. Because I don't always work on Netscreens, here is a note to myself to remember how to do it.

Netscreen ScreenOS debug and how to do it right

Get logged into CLI on the box.

Do a ‘get debug’ to check if there are any debugs currently running.

    netscreen(M)-> get debug
    flow : basic
    netscreen(M)->

This shows that a 'flow basic' debug is already running. To turn it off, press the Escape key, which turns off all debugs:

    netscreen(M)->
    All debug off
    netscreen(M)->

ScreenOS uses the idea of flow filters to define interesting traffic. This makes sense: a firewall doesn't inspect isolated packets, it inspects flows (sessions), and a flow is simply a sequence of packets. A flow filter selects which packets the debug will report on.

So now we need to set some flow filters:

    netscreen(M)-> set ff src-ip 192.168.1.10
    filter added
    netscreen(M)-> get ff
    Flow filter based on:
    id:0 src ip 195.232.226.225
    id:1 src ip 195.232.226.226
    id:2 src ip 192.168.1.10
    netscreen(M)->

A 'get ff' displays the flow filters you have created. Note that the flow filter list can hold many entries, each with its own id. The fields a filter can match on are:

    netscreen(M)-> set ff ?
    dst-ip               flow filter dst ip
    dst-port             flow filter dst port
    ip-proto             flow filter ip proto
    src-ip               flow filter src ip
    src-port             flow filter src port
    netscreen(M)->

If you need to clear a filter, 'unset ff' removes it by id. Note that the remaining entries are renumbered, so check 'get ff' again before removing the next one:

    netscreen(M)-> unset ff 0
    filter 0 removed
    netscreen(M)-> get ff
    Flow filter based on:
    id:0 src ip 195.232.226.226
    id:1 src ip 192.168.1.10
    netscreen(M)-> unset ff 0
    filter 0 removed
    netscreen(M)-> get ff
    Flow filter based on:
    id:0 src ip 192.168.1.10
    netscreen(M)->

You get the idea, I’m sure.

So let's turn on the debug:

    netscreen(M)-> debug flow basic

and check which debugs are now turned on:

    netscreen(M)-> get debug
    flow: basic
    netscreen(M)->

The Netscreen writes the debug output into a fixed-size debug buffer (dbuf) rather than to the console, and you display that buffer with 'get db str':

    netscreen(M)-> get db str
    76:192.168.1.2/8411->192.168.200.25/1c36,6,40
    ****** 93412.0: packet received [40]******
      ipid = 50294(c476), @e00c6918
      packet passed sanity check.
      flow packet already have session.
      flow session id 286622
      vsd 0 is active
      flow_tcp_fin_vector()
      post addr xlation: 10.33.248.81->10.102.151.20.
      update policy out counter info.
      packet send out to 00000c07ac1f through ethernet2/1
    **st: e00fd118: c477:192.168.1.2/8417->192.168.200.25/1c36,6,40
    ****** 93412.0: packet received [40]******
      ipid = 50295(c477), @e00fd118
      packet passed sanity check.
      flow packet already have session.
      flow session id 286652
      vsd 0 is active
      Got ack, 192.168.1.2(33815)->192.168.200.25(7222), natpflag 0x200400, nspflag 0x1801, 0x1800, timeout=900
      transfer packet to hardware.
    **st: e00cd118: c49a:192.168.1.2/8417->192.168.200.25/1c36,6,40
    ****** 93412.0: packet received [40]******
      ipid = 50330(c49a), @e00cd118
      packet passed sanity check.
      flow packet already have session.
      flow session id 286652
      vsd 0 is active
      flow_tcp_fin_vector()
      post addr xlation: 10.33.248.81->10.102.151.20.
      update policy out counter info.
      packet send out to 00000c07ac1f through ethernet2/1
    **st: e009f918: c49d:192.168.1.2/8417->192.168.200.25/1c36,6,40

And that's it.
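Reading a busy debug buffer by eye gets old quickly, so here is an added Python parser for the 'flow basic' records shown above. It is my example, not a Juniper tool, and it assumes the record layout of this capture: a '**st:' header line whose IP id and ports are hexadecimal (0x8417 is the 33815 that the 'Got ack' line prints in decimal, 0x1c36 is 7222), followed by one detail line per step. The embedded sample is the two complete records from the capture; a record with no header (like the truncated first one) is skipped rather than crashing the parser.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Two complete 'flow basic' records copied from the capture in the post (the
# truncated first record has no header and is deliberately left out).
# The parser is an added example, not a Juniper tool.
SAMPLE_DBUF = """\
**st: e00fd118: c477:192.168.1.2/8417->192.168.200.25/1c36,6,40
****** 93412.0: packet received [40]******
  ipid = 50295(c477), @e00fd118
  packet passed sanity check.
  flow packet already have session.
  flow session id 286652
  vsd 0 is active
  Got ack, 192.168.1.2(33815)->192.168.200.25(7222), natpflag 0x200400, nspflag 0x1801, 0x1800, timeout=900
  transfer packet to hardware.
**st: e00cd118: c49a:192.168.1.2/8417->192.168.200.25/1c36,6,40
****** 93412.0: packet received [40]******
  ipid = 50330(c49a), @e00cd118
  packet passed sanity check.
  flow packet already have session.
  flow session id 286652
  vsd 0 is active
  flow_tcp_fin_vector()
  post addr xlation: 10.33.248.81->10.102.151.20.
  update policy out counter info.
  packet send out to 00000c07ac1f through ethernet2/1
"""

# Header: buffer address, IP id (hex), src/sport(hex)->dst/dport(hex),proto,len
HEADER_RE = re.compile(
    r"^\*\*st: (?P<buf>[0-9a-f]+): (?P<ipid>[0-9a-f]+):"
    r"(?P<src>[\d.]+)/(?P<sport>[0-9a-f]+)->(?P<dst>[\d.]+)/(?P<dport>[0-9a-f]+),"
    r"(?P<proto>\d+),(?P<length>\d+)$"
)
SESSION_RE = re.compile(r"flow session id (\d+)")
XLATE_RE = re.compile(r"post addr xlation: ([\d.]+)->([\d.]+)\.")
EGRESS_RE = re.compile(r"packet send out to ([0-9a-f]+) through (\S+)")
TIMEOUT_RE = re.compile(r"timeout=(\d+)")

@dataclass
class FlowRecord:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    length: int
    ipid: int
    session_id: Optional[int] = None
    nat_src: Optional[str] = None
    nat_dst: Optional[str] = None
    next_hop_mac: Optional[str] = None
    egress_if: Optional[str] = None
    timeout: Optional[int] = None
    hw_offload: bool = False   # "transfer packet to hardware" seen
    fin_seen: bool = False     # flow_tcp_fin_vector() ran

def parse_dbuf(text: str) -> List[FlowRecord]:
    """Split debug-buffer text into one FlowRecord per '**st:' header."""
    records: List[FlowRecord] = []
    cur: Optional[FlowRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            # Ports and IP id are hex in the header; convert to decimal.
            cur = FlowRecord(src=m["src"], sport=int(m["sport"], 16),
                             dst=m["dst"], dport=int(m["dport"], 16),
                             proto=int(m["proto"]), length=int(m["length"]),
                             ipid=int(m["ipid"], 16))
            records.append(cur)
        elif cur is None:
            continue  # detail lines before any header (truncated record)
        elif (m := SESSION_RE.search(line)):
            cur.session_id = int(m.group(1))
        elif (m := XLATE_RE.search(line)):
            cur.nat_src, cur.nat_dst = m.group(1), m.group(2)
        elif (m := EGRESS_RE.search(line)):
            cur.next_hop_mac, cur.egress_if = m.group(1), m.group(2)
        elif (m := TIMEOUT_RE.search(line)):
            cur.timeout = int(m.group(1))
        elif line.startswith("transfer packet to hardware"):
            cur.hw_offload = True
        elif line.startswith("flow_tcp_fin_vector"):
            cur.fin_seen = True
    return records

def describe(rec: FlowRecord) -> str:
    """One line per packet: decimal 5-tuple, session, NAT and egress path."""
    nat = f" nat {rec.nat_src}->{rec.nat_dst}" if rec.nat_src else ""
    path = (f" out {rec.egress_if}" if rec.egress_if
            else " hw-offload" if rec.hw_offload else "")
    return (f"{rec.src}:{rec.sport}->{rec.dst}:{rec.dport} proto {rec.proto} "
            f"ipid {rec.ipid} session {rec.session_id}{nat}{path}")

if __name__ == "__main__":
    for rec in parse_dbuf(SAMPLE_DBUF):
        print(describe(rec))
```

Paste the output of 'get db str' into a file and feed it to parse_dbuf to get one line per packet with the session id, the post-NAT addresses and whether the packet went out an interface or was handed to hardware; grouping on session_id is then a one-liner.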

Understanding ‘ff’ (Flow Filter) statements ordering

Multiple flow filters are combined as "any" (a logical OR). That is, if a packet matches ANY one of the flow filter entries, that packet will be captured.

    netscreen(M)-> get ff
    Flow filter based on:
    id:0 src ip 192.168.100.1
    id:1 src ip 192.168.100.2
    id:2 src ip 192.168.1.10
    netscreen(M)->

So this ruleset will match any IP packet with a source address of 192.168.100.1, 192.168.100.2 or 192.168.1.10. This is mostly a problem when you make the mistake of adding two separate entries where you meant one:

    netscreen(M)-> set ff dst-ip 192.168.1.10
    filter added
    netscreen(M)-> set ff dst-port 80
    filter added
    netscreen(M)-> get ff
    Flow filter based on:
    id:0 dst ip 192.168.1.10
    id:1 dst port 80
    netscreen(M)->

This will show you every packet destined for port 80 from any IP, PLUS every packet destined for 192.168.1.10 on any port, which on a busy box fills the debug buffer with traffic you didn't want.

The correct method

    netscreen(M)-> set ff dst-ip 192.168.1.10 ?
    dst-port             flow filter dst port
    ip-proto             flow filter ip proto
    src-port             flow filter src port
    netscreen(M)-> set ff dst-ip 192.168.1.10 dst-port 80
    filter added
    netscreen(M)->

This will correctly match only packets with a destination of 192.168.1.10 on port 80: the fields given in a single filter entry must all match, while separate entries are ORed.
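To make the OR-between-entries versus AND-within-an-entry rule concrete, here is an added Python model of flow filter matching (my example, not ScreenOS code). It assumes exactly the semantics the post describes: each 'set ff' entry is checked independently, a packet is captured if any entry matches, and every field given on one entry must match. The field names follow the 'set ff ?' help text and the packets are constructed samples; running it shows the mistaken pair of entries capturing all three packets while the single combined entry captures only the one intended.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example modelling how ScreenOS combines flow filters, as the post
# describes: entries are ORed (a packet is captured if ANY entry matches) and
# the fields inside one entry are ANDed. Field names follow 'set ff ?'.
# This is not ScreenOS code; the packets below are constructed samples.

FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "ip_proto")

@dataclass(frozen=True)
class FlowFilter:
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    ip_proto: Optional[int] = None

    def matches(self, pkt: Dict[str, object]) -> bool:
        # Every field that was set on this entry must match the packet (AND).
        return all(
            getattr(self, f) is None or pkt.get(f) == getattr(self, f)
            for f in FIELDS
        )

    def describe(self) -> str:
        # Mirror the 'get ff' wording, e.g. "dst ip 192.168.1.10 dst port 80".
        return " ".join(
            f"{f.replace('_', ' ')} {getattr(self, f)}"
            for f in FIELDS if getattr(self, f) is not None
        )

def first_match(filters: List[FlowFilter], pkt: Dict[str, object]) -> Optional[int]:
    """Return the id (position, as 'get ff' numbers them) of the first entry
    that matches, or None if the packet would not be captured (OR over entries)."""
    for fid, ff in enumerate(filters):
        if ff.matches(pkt):
            return fid
    return None

def captured(filters: List[FlowFilter], packets: List[Dict[str, object]]) -> List[str]:
    """Which of the packets would land in the debug buffer, and which entry let them in."""
    out = []
    for pkt in packets:
        fid = first_match(filters, pkt)
        if fid is not None:
            out.append(f"{pkt['src_ip']}:{pkt['src_port']}->{pkt['dst_ip']}:{pkt['dst_port']} "
                       f"(matched id:{fid} {filters[fid].describe()})")
    return out

# The mistake from the post: two separate entries ...
MISTAKE = [FlowFilter(dst_ip="192.168.1.10"), FlowFilter(dst_port=80)]
# ... and the correct single entry carrying both conditions.
CORRECT = [FlowFilter(dst_ip="192.168.1.10", dst_port=80)]

# Constructed sample packets (TCP, ip proto 6): web to the host we care about,
# web to a different host, and SSH to the host we care about.
PACKETS = [
    {"src_ip": "10.0.0.5", "src_port": 40001, "dst_ip": "192.168.1.10", "dst_port": 80, "ip_proto": 6},
    {"src_ip": "10.0.0.5", "src_port": 40002, "dst_ip": "192.168.1.20", "dst_port": 80, "ip_proto": 6},
    {"src_ip": "10.0.0.6", "src_port": 40003, "dst_ip": "192.168.1.10", "dst_port": 22, "ip_proto": 6},
]

if __name__ == "__main__":
    for label, filters in (("mistake", MISTAKE), ("correct", CORRECT)):
        print(f"[{label}]")
        for line in captured(filters, PACKETS):
            print("  " + line)
```

Before typing a set of 'set ff' lines on a production box, it is worth checking them against a couple of representative packets like this; a filter that is too wide produces a buffer full of noise and costs CPU on the forwarding path.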

Virtual Systems

Remember that you cannot do debugging from within a virtual system. You must be in the root vsys to run debug commands.

About Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT with a wide range of employers, working as a freelance consultant in sectors including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com, and on Twitter as @etherealmind and on Google Plus.

You can contact Greg via the site contact page.

  • Roger Larsen

    Thank You – I saved time searching my local disk after this.
    It is a smart thing to clear the dbuf as an initial step. The buffer may contain a lot of old crap. :-)

    BR
    Roger Larsen

    • http://etherealmind.com Greg Ferro

      Thanks heaps. I had almost forgotten about this post, glad to see it is still up to date.

  • http://davehope.co.uk Dave

    You missed an important one:

    clear dbuf

    Which clears the buffer of debug information.

    • http://etherealmind.com Greg Ferro

      Dang. Of course, you're absolutely correct.
