Debugging ScreenOS on Juniper Netscreen

Debugging on the Netscreen wasn’t all that obvious to me. Because I don’t always work on Netscreens, here is a note to myself on how to do it.

Netscreen ScreenOS debug and how to do it right

Get logged into CLI on the box.

Do a ‘get debug’ to check whether any debugs are currently running.

netscreen(M)-> get debug flow
: basic
netscreen(M)->

This tells us that a ‘flow basic’ debug is already running. To turn it off, press the ‘escape’ key.

netscreen(M)-> All debug off
netscreen(M)->

The Netscreen OS uses the idea of flow filters to define interesting traffic. That makes sense, because a firewall doesn’t just handle individual packets; it inspects flows, and a flow is made up of packets.

So now we need to set some flow filters:

netscreen(M)-> set ff src-ip 192.168.1.10
filter added
netscreen(M)-> get ff
Flow filter based on:
id:0 src ip 195.232.226.225
id:1 src ip 195.232.226.226
id:2 src ip 192.168.1.10
netscreen(M)->

You can see that a ‘get ff’ will display the flow filters you have created. Note that you can have many entries in the flow filter.

netscreen(M)-> set ff ?
dst-ip flow filter dst ip
dst-port flow filter dst port
ip-proto flow filter ip proto
src-ip flow filter src ip
src-port flow filter src port
netscreen(M)->

If you need to clear the filter:

netscreen(M)-> unset ff
filter 0 removed
netscreen(M)-> get ff
Flow filter based on:
id:0 src ip 195.232.226.226
id:1 src ip 192.168.1.10
netscreen(M)-> unset ff
filter 0 removed
netscreen(M)-> get ff
Flow filter based on:
id:0 src ip 192.168.1.10
netscreen(M)->

You get the idea, I’m sure.

So let’s turn on debug:

netscreen(M)-> debug flow basic

and check which debugs are turned on.

netscreen(M)-> get debug
flow: basic
netscreen(M)->

The Netscreen stores the debug output in a buffer, and we can display that buffer with this command:

netscreen(M)-> get db str
76:192.168.1.2/8411->192.168.200.25/1c36,6,40
****** 93412.0: packet received [40]******
ipid = 50294(c476), @e00c6918
packet passed sanity check.
flow packet already have session.
flow session id 286622
vsd 0 is active
flow_tcp_fin_vector()
post addr xlation: 10.33.248.81->10.102.151.20.
update policy out counter info. packet send out to 00000c07ac1f through ethernet2/1
**st: e00fd118: c477:192.168.1.2/8417->192.168.200.25/1c36,6,40
****** 93412.0: packet received [40]******
ipid = 50295(c477), @e00fd118
packet passed sanity check.
flow packet already have session.
flow session id 286652
vsd 0 is active
Got ack, 192.168.1.2(33815)->192.168.200.25(7222), natpflag 0x200400, nspflag 0x1801, 0x1800, timeout=900
transfer packet to hardware.
**st: e00cd118: c49a:192.168.1.2/8417->192.168.200.25/1c36,6,40
****** 93412.0: packet received [40]******
ipid = 50330(c49a), @e00cd118
packet passed sanity check.
flow packet already have session.
flow session id 286652
vsd 0 is active
flow_tcp_fin_vector()
post addr xlation: 10.33.248.81->10.102.151.20.
update policy out counter info. packet send out to 00000c07ac1f through ethernet2/1
**st: e009f918: c49d:192.168.1.2/8417->192.168.200.25/1c36,6,40

and that’s it.
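The ‘get db str’ output above is verbose, and a long buffer is hard to read by eye. The following is an added example (my own code, not ScreenOS or Juniper tooling) that splits a dump in that format into one record per packet; the sample text is constructed to match the format shown above. It assumes each packet record starts with a ‘**st:’ header whose ports are hexadecimal (8417 hex is the 33815 shown in the ‘Got ack’ line).

```python
import re

# Constructed sample in the format of the 'get db str' output shown above (not a real capture)
SAMPLE = """\
**st: e00fd118: c477:192.168.1.2/8417->192.168.200.25/1c36,6,40
****** 93412.0: packet received [40]******
ipid = 50295(c477), @e00fd118
flow packet already have session.
flow session id 286652
Got ack, 192.168.1.2(33815)->192.168.200.25(7222), natpflag 0x200400, nspflag 0x1801, 0x1800, timeout=900
transfer packet to hardware.
**st: e00cd118: c49a:192.168.1.2/8417->192.168.200.25/1c36,6,40
****** 93412.0: packet received [40]******
ipid = 50330(c49a), @e00cd118
flow session id 286652
flow_tcp_fin_vector()
post addr xlation: 10.33.248.81->10.102.151.20.
update policy out counter info. packet send out to 00000c07ac1f through ethernet2/1
"""

# '**st:' header: buffer addr, ipid (hex), src/sport(hex)->dst/dport(hex), proto, length
ST_RE = re.compile(r"^\*\*st: (\w+): ([0-9a-f]+):([\d.]+)/([0-9a-f]+)->([\d.]+)/([0-9a-f]+),(\d+),(\d+)")
SESSION_RE = re.compile(r"^flow session id (\d+)")
XLAT_RE = re.compile(r"^post addr xlation: ([\d.]+)->([\d.]+)\.")
SEND_RE = re.compile(r"packet send out to (\w+) through (\S+)")

def parse_db_str(text):
    """Split a 'get db str' dump into one dict per packet (ports decoded from hex)."""
    packets, cur = [], None
    for line in text.splitlines():
        if m := ST_RE.match(line):
            cur = {"ipid": int(m.group(2), 16),
                   "src": m.group(3), "sport": int(m.group(4), 16),
                   "dst": m.group(5), "dport": int(m.group(6), 16),
                   "proto": int(m.group(7)), "length": int(m.group(8)),
                   "session": None, "nat": None, "egress": None, "hw_offload": False}
            packets.append(cur)
        elif cur is None:
            continue  # output before the first (possibly truncated) header is ignored
        elif m := SESSION_RE.match(line):
            cur["session"] = int(m.group(1))
        elif m := XLAT_RE.match(line):
            cur["nat"] = (m.group(1), m.group(2))  # src->dst as seen after NAT
        elif m := SEND_RE.search(line):
            cur["egress"] = m.group(2)             # interface the packet left on
        elif line.startswith("transfer packet to hardware"):
            cur["hw_offload"] = True               # fast-pathed; no further flow lines follow
    return packets
```

Paste the real buffer into SAMPLE (or read it from a file) and loop over parse_db_str() to list session ids, NAT translations and egress interfaces per packet.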

Understanding ‘ff’ (Flow Filter) statements ordering

The following set of flow filters is applied as ‘any’. That is, if a packet matches ANY of the flow filters, then that packet will be matched.

netscreen(M)-> get ff
Flow filter based on:
id:0 src ip 192.168.100.1
id:1 src ip 192.168.100.2
id:2 src ip 192.168.1.10
netscreen(M)->

So this ruleset will match any IP packets with a source address of 192.168.100.1, 192.168.100.2 or 192.168.1.10. This is mostly a problem when you make the mistake of:

netscreen(M)-> set ff dst-ip 192.168.1.10
filter added
netscreen(M)-> set ff dst-port 80
filter added
netscreen(M)-> get ff
Flow filter based on:
id:0 dst ip 192.168.1.10
id:1 dst port 80
netscreen(M)->

This will show you every packet from any IP to port 80 PLUS any packets to 192.168.1.10.

The correct method:

netscreen(M)-> set ff dst-ip 192.168.1.10 ?
dst-port flow filter dst port
ip-proto flow filter ip proto
src-port flow filter src port
netscreen(M)-> set ff dst-ip 192.168.1.10 dst-port 80
filter added
netscreen(M)->

This will correctly match packets with a destination of 192.168.1.10 on port 80.
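To make the difference between the two filter sets concrete, here is an added example (my own model of the semantics described above, not ScreenOS code). It assumes what the post states: the fields of one ‘set ff’ line are ANDed together and the separate filter ids are ORed, and it counts how much unrelated traffic each filter set lets into the debug buffer on a constructed traffic mix.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ip_proto: int = 6

@dataclass(frozen=True)
class FlowFilter:
    """One 'set ff' entry; None means 'any' for that field."""
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    ip_proto: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # All fields given on the same 'set ff' line must agree
        return all(getattr(pkt, name) == want
                   for name, want in vars(self).items() if want is not None)

def captured(filters, pkt):
    """A packet reaches the debug buffer if ANY filter id matches it."""
    return any(f.matches(pkt) for f in filters)

# Two ids: 'set ff dst-ip 192.168.1.10' followed by 'set ff dst-port 80'
SEPARATE = [FlowFilter(dst_ip="192.168.1.10"), FlowFilter(dst_port=80)]
# One id: 'set ff dst-ip 192.168.1.10 dst-port 80'
COMBINED = [FlowFilter(dst_ip="192.168.1.10", dst_port=80)]

# Constructed traffic mix (not a real capture)
TRAFFIC = [
    Packet("10.0.0.5", "192.168.1.10", 40000, 80),   # the flow we actually want to see
    Packet("10.0.0.5", "172.16.0.9", 40001, 80),     # web traffic to some other host
    Packet("10.0.0.5", "192.168.1.10", 40002, 22),   # SSH to the host of interest
    Packet("10.0.0.6", "172.16.0.9", 40003, 443),    # unrelated
]

def noise(filters, pkts):
    """Packets the filters capture that are NOT the 192.168.1.10:80 traffic we asked for."""
    return [p for p in pkts if captured(filters, p) and not COMBINED[0].matches(p)]
```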

Virtual Systems

Remember that you cannot debug from within a virtual system. You must be in the root vsys to be able to run debug commands.

About Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT with a wide range of employers, working as a freelance consultant in Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, a blogger at EtherealMind.com, and on Twitter @etherealmind and Google Plus.

You can contact Greg via the site contact page.

  • Roger Larsen

    Thank You – I saved time searching my local disk after this.
    It is a smart thing to clear the dbuf as an initial step. The buffer may contain a lot of old crap. :-)

    BR
    Roger Larsen

    • http://etherealmind.com Greg Ferro

      Thanks heaps. I had almost forgotten about this post, glad to see it is still up to date.

  • http://davehope.co.uk Dave

    You missed an important one:

    clear dbuf

    Which clears the buffer of debug information.

    • http://etherealmind.com Greg Ferro

      Dang. Of course, you are absolutely correct.
