Troubleshooting—packet capture sniffer

Table of contents

1. Graphical interface packet capture

1.1 Capture packets through web interface

2. Detailed explanation of packet capture command

2.1 interface

2.2 verbose display content

2.3 count

2.4 filter packet filtering parameters

2.4.1 none

2.4.2 tcp, udp, icmp, arp parameters

2.4.3 src, dst parameters

2.4.4 host parameter

2.4.5 port parameters

2.4.6 proto parameters

2.4.7 and, or parameters

2.4.8 TCP header field filtering

2.4.9 IP header field filtering

2.4.10 Ethernet header field filtering

2.5 Data format conversion

2.5.1 SecureCRT configuration

2.5.2 Script program

2.5.3 Conversion operation

1. Graphical interface packet capture

1.1 Capture packets through web interface

Go to System Management > Network > Packet Capture.

In the packet capture page, click 'New' to create a packet capture filter.

Fill in the filter conditions to capture (IP address, port, etc.) and click OK; the new capture entry then appears in the list.

Select the capture entry and click the 'Run' switch to start capturing. When the capture is finished, click 'Download' to save the captured packets to the local disk; the file can be opened directly in Wireshark.

The advantage of this method is that it is convenient and the captured content can be viewed directly. The disadvantage is that the filtering options are limited.

2. Detailed explanation of packet capture command

Command format: diagnose sniffer packet <interface> <'filter'> <verbose> <count>

2.1 interface

<interface> specifies the interface name, which can be the name of a physical interface or the logical interface name of a VLAN. The keyword "any" captures packets on all interfaces. Examples:

#diagnose sniffer packet port1 //Indicates capturing all packets with the physical interface port1

#diagnose sniffer packet any //Indicates capturing all packets on all interfaces

#diagnose sniffer packet port1-v10 //When a VLAN sub-interface is created on the physical interface and its logical interface is named port1-v10, this captures all packets on the port1-v10 interface. Note that the packet capture command uses spaces to separate its parameter fields, but a logical interface name is allowed to contain spaces. To keep later packet capture and analysis simple, do not include spaces when naming a logical interface.

2.2 verbose display content

<verbose> controls how much of each captured packet is printed. Options 4 and 6 are the most commonly used.

1: print header of packets //Prints only the packet header: source IP address, source port, destination address, destination port and sequence numbers. This is the system default.

2: print header and data from ip of packets //Prints the header plus the payload from the IP layer up: IP, TCP or UDP and the content above it.

3: print header and data from ethernet of packets //Prints the header plus the payload from the Ethernet layer up: Ethernet, IP, TCP or UDP and the content above it. This output can be saved to a text file and converted with the dedicated conversion tool into a file that Ethereal/Wireshark can open.

4: print header of packets with interface name //Same as option 1, but also shows the interface on which each packet was received or sent.

5: print header and data from ip of packets with interface name //Same as option 2, but also shows the interface on which each packet was received or sent.

6: print header and data from ethernet of packets (if available) with intf name //Same as option 3, but also shows the interface on which each packet was received or sent.

2.3 count

<count> is the number of packets to capture.

2.4 filter packet filtering parameters

A filter can be a single expression or a combination of several expressions.

When the expression is a single string with no spaces, it needs no single or double quotes, for example:

diagnose sniffer packet wan1 icmp 1 10

When the filter expression contains spaces, or is made up of several expressions, the whole expression must be enclosed in single or double quotes, for example:

diagnose sniffer packet any 'host 192.168.1.11' 4 2

diagnose sniffer packet wan1 'icmp and host 8.8.8.8' 1 10

2.4.1 none

If none is given, or the filter parameter is omitted, no filtering is performed.

Ruijie # diagnose sniffer packet wan1 none 1 3

interfaces=[wan1]

filters=[none]

0.726021 arp who-has 192.168.118.64 tell 192.168.118.1

0.726054 arp who-has 192.168.118.207 tell 192.168.118.1

0.907046 192.168.118.55.3975 -> 255.255.255.255.2654: udp 312

2.4.2 tcp, udp, icmp, arp parameters

Ruijie # diagnose sniffer packet wan1 tcp 1 3

interfaces=[wan1]

filters=[tcp]

5.854756 192.168.118.28.41972 -> 74.125.31.138.443: 1918013413 ack 2189770725

10.680845 192.168.118.28.37644 -> 106.120.151.51.80: syn 1554494232

10.681300 106.120.151.51.80 -> 192.168.118.28.37644: syn 199984742 ack 1554494233

Ruijie # diagnose sniffer packet wan1 udp 1 3

interfaces=[wan1]

filters=[udp]

0.851497 192.168.118.39.58839 -> 234.34.23.234.33674: udp 20

0.880828 192.168.118.28.38299 -> 8.8.8.8.53: udp 37

0.951063 192.168.118.55.4045 -> 255.255.255.255.2654: udp 312

Ruijie # diagnose sniffer packet wan1 icmp 1 3

interfaces=[wan1]

filters=[icmp]

5.831862 192.168.118.28 -> 119.254.12.21: icmp: echo request

5.833274 119.254.12.21 -> 192.168.118.28: icmp: echo reply

6.836748 192.168.118.28 -> 119.254.12.21: icmp: echo request

Ruijie # diagnose sniffer packet wan1 arp 1 3

interfaces=[wan1]

filters=[arp]

0.835697 arp who-has 192.168.118.211 tell 192.168.118.1

0.955753 arp who-has 192.168.118.64 tell 192.168.118.1

0.955780 arp who-has 192.168.118.207 tell 192.168.118.1

2.4.3 src, dst parameters

Specify the source IP address (src) or the destination IP address (dst).

Ruijie # diag sniffer pa any 'src 192.168.118.45 and dst 4.2.2.1'

interfaces=[any]

filters=[src 192.168.118.45 and dst 4.2.2.1]

3.053283 SE in 192.168.118.45 -> 4.2.2.1: icmp: echo request

4.055621 SE in 192.168.118.45 -> 4.2.2.1: icmp: echo request

5.057185 SE in 192.168.118.45 -> 4.2.2.1: icmp: echo request

6.059751 SE in 192.168.118.45 -> 4.2.2.1: icmp: echo request

2.4.4 host parameter

Specify a host and capture the packets that contain its IP address as either the source address or the destination address.

Ruijie # diagnose sniffer  packet  wan1 'host 8.8.8.8' 1 10

interfaces=[wan1]

filters=[host 8.8.8.8]

5.793921 192.168.118.28 -> 8.8.8.8: icmp: echo request //Destination address

5.833691 8.8.8.8 -> 192.168.118.28: icmp: echo reply //Source address

2.4.5 port parameters

Capture packets based on the source port or destination port of the data packet.

Ruijie # diagnose sniffer packet wan1 'port 80' 1 3

interfaces=[wan1]

filters=[port 80]

5.391804 192.168.118.28.8977 -> 83.145.92.172.80: syn 3438827760

5.392339 83.145.92.172.80 -> 192.168.118.28.8977: syn 4238988927 ack 3438827761

5.392842 192.168.118.28.8977 -> 83.145.92.172.80: ack 4238988928

2.4.6 proto parameters

Packets can be filtered by IP protocol number: 1 = ICMP, 6 = TCP, 17 = UDP, 89 = OSPF, etc.

Ruijie # diagnose sniffer  packet  wan1 'proto 1' 1 10

interfaces=[wan1]

filters=[proto 1]

5.193085 192.168.118.28 -> 8.8.8.8: icmp: echo request

5.233840 8.8.8.8 -> 192.168.118.28: icmp: echo reply

6.193968 192.168.118.28 -> 8.8.8.8: icmp: echo request

6.234911 8.8.8.8 -> 192.168.118.28: icmp: echo reply

Ruijie # diagnose sniffer  packet  wan1 'proto 17' 1 10

interfaces=[wan1]

filters=[proto 17]

1.291398 192.168.118.48.1786 -> 255.255.255.255.2654: udp 312

1.307764 192.168.118.48.1787 -> 255.255.255.255.2654: udp 322

2.813556 192.168.118.55.3735 -> 255.255.255.255.2654: udp 312

2.815426 192.168.118.55.3736 -> 255.255.255.255.2654: udp 324

2.4.7 and, or parameters

The connectives and and or combine expressions: and requires both conditions to hold, or requires either. With these two operators, several filter expressions can be combined into a more precise capture filter.

Ruijie # diagnose sniffer packet wan1 'host 8.8.8.8 and udp and port 53' 1 10

interfaces=[wan1]

filters=[host 8.8.8.8 and udp and port 53]

9.161057 192.168.118.28.25758 -> 8.8.8.8.53: udp 30

9.200929 8.8.8.8.53 -> 192.168.118.28.25758: udp 273

Ruijie # diagnose sniffer packet wan1 'host 8.8.8.8 or udp' 1 6

interfaces=[wan1]

filters=[host 8.8.8.8 or udp]

0.406682 192.168.118.28 -> 8.8.8.8: icmp: echo request

0.446384 8.8.8.8 -> 192.168.118.28: icmp: echo reply

1.408758 192.168.118.28 -> 8.8.8.8: icmp: echo request

1.447828 192.168.118.48.2345 -> 255.255.255.255.2654: udp 312

1.448329 8.8.8.8 -> 192.168.118.28: icmp: echo reply

1.467194 192.168.118.48.2346 -> 255.255.255.255.2654: udp 324
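The summary lines printed in sections 2.4.1 to 2.4.7 share one format, so a session logged to a text file can be post-processed instead of read by eye. The following Python script is an added example, not code from the page or from Ruijie: it parses those lines into records and then counts, per source address, the SYNs sent without ACK, which is a quick check for a port scan or SYN flood hiding in a capture. The regular expressions are derived from the sample output above; how the device spells FIN, RST, PSH and URG is an assumption, and the sample text is assembled from lines shown on the page.

```python
"""Parse the one-line packet summaries printed by `diagnose sniffer packet` at
verbose levels 1 and 4 and summarise them.

Added example; it is not part of the original page or of the firewall's own
tooling. The line formats follow the sample output in sections 2.4.1-2.4.7.
Assumption: FIN/RST/PSH/URG are printed as lowercase words in the same style
as the "syn" and "ack" seen on the page.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# "<ts> [<intf> in|out] <src>[.<sport>] -> <dst>[.<dport>]: <rest>"
PKT_RE = re.compile(
    rf"^(?P<ts>\d+\.\d+)\s+(?:(?P<intf>\S+)\s+(?P<dir>in|out)\s+)?"
    rf"(?P<src>{IPV4})(?:\.(?P<sport>\d+))?\s+->\s+"
    rf"(?P<dst>{IPV4})(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)
# "<ts> [<intf> in|out] arp who-has <target> tell <sender>"
ARP_RE = re.compile(
    rf"^(?P<ts>\d+\.\d+)\s+(?:(?P<intf>\S+)\s+(?P<dir>in|out)\s+)?"
    rf"arp\s+who-has\s+(?P<target>{IPV4})\s+tell\s+(?P<sender>{IPV4})$"
)
TCP_FLAG_WORDS = {"syn", "ack", "fin", "rst", "psh", "urg"}   # assumed spelling for all but syn/ack


@dataclass
class Packet:
    ts: float
    proto: str                       # "tcp", "udp", "icmp", "arp" or "ip-proto-N"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    intf: Optional[str] = None       # only printed at verbose 4/5/6
    direction: Optional[str] = None  # "in" / "out"
    flags: frozenset = frozenset()   # TCP flag words seen on the line
    info: str = ""


def parse_line(line: str) -> Optional[Packet]:
    """Parse one summary line; returns None for lines such as "interfaces=[wan1]"
    or "2 packets received by filter"."""
    line = line.strip()
    m = ARP_RE.match(line)
    if m:
        return Packet(float(m["ts"]), "arp", m["sender"], m["target"],
                      intf=m["intf"], direction=m["dir"], info=f"who-has {m['target']}")
    m = PKT_RE.match(line)
    if not m:
        return None
    rest = m["rest"].strip()
    flags = frozenset()
    if rest.startswith("icmp:"):
        proto, info = "icmp", rest[5:].strip()
    elif rest.startswith("udp "):
        proto, info = "udp", rest[4:].strip()          # UDP payload length
    elif rest.startswith("ip-proto-"):
        proto, _, info = rest.partition(" ")           # e.g. "ip-proto-89", "44"
    else:
        proto, info = "tcp", rest                      # "[seq] [syn N] [ack N]"
        flags = frozenset(t for t in rest.split() if t in TCP_FLAG_WORDS)
    return Packet(float(m["ts"]), proto, m["src"], m["dst"],
                  int(m["sport"]) if m["sport"] else None,
                  int(m["dport"]) if m["dport"] else None,
                  m["intf"], m["dir"], flags, info)


def parse_capture(text: str) -> list:
    return [p for p in map(parse_line, text.splitlines()) if p]


def summarize(packets) -> dict:
    """Per-protocol counts, plus sources that sent SYN without ACK (new connection
    attempts); many of these from one source in a short capture points at a scan or SYN flood."""
    by_proto = Counter(p.proto for p in packets)
    syn_only = Counter(p.src for p in packets if p.proto == "tcp" and p.flags == {"syn"})
    return {"by_proto": dict(by_proto), "syn_only_by_src": dict(syn_only)}


# Constructed sample, assembled from lines shown on the page.
SAMPLE = """\
interfaces=[any]
filters=[none]
0.726021 arp who-has 192.168.118.64 tell 192.168.118.1
0.907046 192.168.118.55.3975 -> 255.255.255.255.2654: udp 312
5.831862 192.168.118.28 -> 119.254.12.21: icmp: echo request
5.854756 192.168.118.28.41972 -> 74.125.31.138.443: 1918013413 ack 2189770725
10.680845 192.168.118.28.37644 -> 106.120.151.51.80: syn 1554494232
10.681300 106.120.151.51.80 -> 192.168.118.28.37644: syn 199984742 ack 1554494233
0.566253 port13 out 59.108.29.180.65483 -> 118.67.120.53.80: syn 1443461665
0.601194 192.168.118.28 -> 224.0.0.5:  ip-proto-89 44
2 packets received by filter
"""

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    for p in pkts:
        print(f"{p.ts:>10.6f} {p.proto:<12} {p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)} {p.info}")
    print(summarize(pkts))
```

Run it against a SecureCRT session log instead of SAMPLE by reading the file into `parse_capture`; lines that are not packet summaries (prompts, `interfaces=`, `filters=`, the final counters) are skipped.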

2.4.8 TCP header field filtering

Ruijie # diag sniff packet any 'tcp[13]==2' 4 10  

interfaces=[any]

filters=[tcp[13]==2]

0.566163 SE in 192.168.118.44.51011 -> 118.67.120.53.80: syn 1443461665

0.566253 port13 out 59.108.29.180.65483 -> 118.67.120.53.80: syn 1443461665

0.566476 SE in 192.168.118.44.51012 -> 118.67.120.37.80: syn 2381613524

0.566569 port13 out 59.108.29.180.65484 -> 118.67.120.37.80: syn 2381613524

The byte at offset 13 of the TCP header equals 2, that is, 0000 0010 in binary. Header bytes are numbered from 0, and counting forward, byte 13 is the one holding the TCP flags. The second-lowest bit of that byte is the SYN bit, so the command captures all packets in which SYN is 1 and every other flag bit is 0.

In the same way, diagnose sniffer packet any "tcp[13] & 4 != 0" 3 10 captures packets whose FIN bit is 1.

Because a packet with FIN set also has ACK set, tcp[13] & 4 != 0 ANDs the flags byte with the mask and tests that the result is not zero; in other words, FIN must be 1 and the other bits may be anything.

diagnose sniffer packet any "tcp[13] & 2 != 0" 4 10 captures packets whose SYN bit is 1 while the other bits may have any value (both SYN and SYN-ACK packets).

2.4.9 IP header field filtering

Hexadecimal 0x59 is 89 in decimal. ip[9] is the byte at offset 9 of the IP header, the Protocol field, and protocol number 89 is OSPF.

Ruijie # diagnose sniffer packet any "ip[9]==0x59" 1 10 

interfaces=[any]

filters=[ip[9]==0x59]

0.601194 192.168.118.28 -> 224.0.0.5:  ip-proto-89 44

11.601206 192.168.118.28 -> 224.0.0.5:  ip-proto-89 44

2 packets received by filter

0 packets dropped by kernel

Ruijie # diagnose sniffer packet any "ip[9]==89" 1 10

interfaces=[any]

filters=[ip[9]==89]

2.601194 192.168.118.28 -> 224.0.0.5:  ip-proto-89 44

12.601208 192.168.118.28 -> 224.0.0.5:  ip-proto-89 44

2.4.10 Ethernet header field filtering

The source MAC address field starts at byte offset 6 of the Ethernet header and is 6 bytes long. The following command compares its first 4 bytes (ether[6:4]) and its last 2 bytes (ether[10:2]) and so captures all packets with source MAC address 00:09:0f:df:e8:e3.

Ruijie # diagnose sniffer packet SE "(ether[6:4]=0x00090fdf) and (ether[10:2]=0xe8e3)" 3 3

interfaces=[SE]

filters=[(ether[6:4]=0x00090fdf) and (ether[10:2]=0xe8e3)]

0.632650 192.168.118.45.62528 -> 192.168.118.1.22: ack 2277714159

0x0000   0009 0fcd 9f48 0009 0fdf e8e3 0800 4500        .....H........E.

0x0010   0028 2383 4000 7f06 6acd c0a8 762d c0a8        .(#.@...j...v-..

0x0020   7601 f440 0016 16b9 4e62 87c3 28ef 5010        v..@....Nb..(.P.

0x0030   3fa0 f88f 0000                                 ?.....

0.633263 192.168.118.45.62528 -> 192.168.118.1.22: ack 2277714383

0x0000   0009 0fcd 9f48 0009 0fdf e8e3 0800 4500        .....H........E.

0x0010   0028 2384 4000 7f06 6acc c0a8 762d c0a8        .(#.@...j...v-..

0x0020   7601 f440 0016 16b9 4e62 87c3 29cf 5010        v..@....Nb..).P.

0x0030   3ec0 f88f 0000                                 >.....

Capture packets whose destination MAC address is 00:09:0f:cd:9f:48:

Ruijie # diagnose sniffer packet SE "(ether[0:4]=0x00090fcd) and (ether[4:2]=0x9f48)" 3 3

interfaces=[SE]

filters=[(ether[6:4]=0x00090fdf) and (ether[10:2]=0xe8e3)]

0.632650 192.168.118.45.62528 -> 192.168.118.1.22: ack 2277714159

0x0000   0009 0fcd 9f48 0009 0fdf e8e3 0800 4500        .....H........E.

0x0010   0028 2383 4000 7f06 6acd c0a8 762d c0a8        .(#.@...j...v-..

0x0020   7601 f440 0016 16b9 4e62 87c3 28ef 5010        v..@....Nb..(.P.

0x0030   3fa0 f88f 0000                                 ?.....
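Byte-offset filters such as the ones in 2.4.8, 2.4.9 and 2.4.10 are easy to get wrong by one bit or one byte, and a wrong mask on a firewall simply captures nothing. The Python script below is an added example (not the firewall's filter engine and not code from the page): it evaluates expressions of exactly that form against constructed Ethernet/IPv4 frames, so a mask can be checked offline first. The frames, addresses and port numbers are constructed; the TCP flags byte follows the standard layout in which FIN is 0x01, SYN 0x02, RST 0x04, PSH 0x08 and ACK 0x10, so `tcp[13] & 4` tests the RST bit and `tcp[13] & 1` tests FIN. It goes slightly beyond the page by accepting `or` and parentheses in the same expression.

```python
"""Offline evaluator for the byte-offset filters of sections 2.4.8-2.4.10
(tcp[13]==2, tcp[13] & 4 != 0, ip[9]==0x59, ether[6:4]=0x00090fdf ...).
Added example, not the firewall's filter engine: it models how these expressions
select packets so a mask can be checked offline before it is typed on a device.
Frames are constructed (untagged Ethernet/IPv4); the TCP flags byte uses the
standard layout FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10.
"""
import re
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# layer[off] or layer[off:len], optional "& mask", then ==, = or != value
PRIM = (r"(?P<layer>ether|ip|tcp|udp)\[(?P<off>\d+)(?::(?P<len>\d+))?\]"
        r"\s*(?:&\s*(?P<mask>0x[0-9a-fA-F]+|\d+))?\s*(?P<op>==|=|!=)\s*(?P<val>0x[0-9a-fA-F]+|\d+)")
TOKEN_RE = re.compile(r"\s*(?:(?P<paren>[()])|(?P<kw>and|or)|" + PRIM + r")")

def build_frame(src_mac, dst_mac, proto, tcp_flags=0):
    """Constructed Ethernet/IPv4 frame; for proto 6 a minimal TCP header carrying tcp_flags."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    l4 = b""
    if proto == 6:  # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x2383, 0x4000, 127, proto, 0,
                     bytes([192, 168, 118, 45]), bytes([192, 168, 118, 1]))
    return eth + ip + l4

def layer_offsets(frame):
    """Start offset of each header present in the frame; absent layers are left out."""
    offs = {"ether": 0}
    if frame[12:14] == b"\x08\x00":
        offs["ip"] = 14
        l4 = 14 + (frame[14] & 0x0F) * 4
        name = {6: "tcp", 17: "udp"}.get(frame[14 + 9])
        if name:
            offs[name] = l4
    return offs

def eval_primitive(m, frame):
    """One `layer[off:len] [& mask] op value` term; False when the layer is absent."""
    offs = layer_offsets(frame)
    if m["layer"] not in offs:
        return False
    start = offs[m["layer"]] + int(m["off"])
    length = int(m["len"] or 1)
    if start + length > len(frame):
        return False
    field = int.from_bytes(frame[start:start + length], "big")
    if m["mask"]:
        field &= int(m["mask"], 0)
    value = int(m["val"], 0)
    return field != value if m["op"] == "!=" else field == value

def matches(expr, frame):
    """Evaluate a filter with and / or / parentheses against one frame."""
    expr, tokens, pos = expr.strip(), [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"cannot parse filter near {expr[pos:]!r}")
        pos = m.end()
        tokens.append(m["paren"] or m["kw"] or eval_primitive(m, frame))

    def parse_or(i):
        v, i = parse_and(i)
        while i < len(tokens) and tokens[i] == "or":
            r, i = parse_and(i + 1)
            v = v or r
        return v, i

    def parse_and(i):
        v, i = parse_atom(i)
        while i < len(tokens) and tokens[i] == "and":
            r, i = parse_atom(i + 1)
            v = v and r
        return v, i

    def parse_atom(i):
        t = tokens[i] if i < len(tokens) else None
        if t == "(":
            v, i = parse_or(i + 1)
            if i >= len(tokens) or tokens[i] != ")":
                raise ValueError("missing ')'")
            return v, i + 1
        if isinstance(t, bool):
            return t, i + 1
        raise ValueError(f"unexpected token {t!r}")

    v, i = parse_or(0)
    if i != len(tokens):
        raise ValueError("unexpected trailing tokens")
    return v
```

With `syn = build_frame("00:09:0f:df:e8:e3", "00:09:0f:cd:9f:48", 6, SYN)`, `matches("tcp[13]==2", syn)` is true and `matches("tcp[13]==2", build_frame(..., 6, SYN | ACK))` is false, mirroring the SYN-only behaviour described above; the same frames show that a FIN+ACK segment is not selected by `tcp[13] & 4 != 0` (that mask is RST) but is selected by `tcp[13] & 1 != 0`.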

2.5 Data format conversion

First, packets captured with this command are printed directly to the terminal, so the output has to be collected with a terminal tool such as SecureCRT.

Second, the exported file can be recognized by Wireshark only when the <verbose> level of the capture command is 6.

Third, when a large amount of capture data is needed, SecureCRT should connect to the firewall remotely over TELNET/SSH. Capturing over the host's serial port is very slow for large volumes because of the low serial port rate.

Fourth, the conversion uses a separately provided script. The host must have the Perl interpreter and Wireshark installed beforehand, and the paths in the conversion script must be set to match the installation.

2.5.1 SecureCRT configuration

Install the SecureCRT software normally and log in to the firewall remotely.

1. Configure SecureCRT: File > Log Session, choose the path where the log file is stored; the file format is *.txt

2. Execute the packet capture command on the firewall

Ruijie # diagnose sniffer packet <interface> <'filter'> 6 <count>

Here the verbose level 6 produces capture output that can be converted into a Wireshark format file.

2.5.2 Script program

Download the ruijiet2eth.pl file from the attachment below this page and open it in an editor. The script calls Wireshark's text2pcap.exe to convert the text file into pcap format, so the path to text2pcap.exe, which is the Wireshark installation directory, must be set in the script. Find the following lines and change the path to match your installation. Note that each backslash in the path must be doubled, i.e. "\\".

# Path to the windows text2pcap.exe
# You need to double character '\'
my $text2pcapdirwin = "c:\\Progra~1\\Ethereal";
# Use wireshark text2pcap if installed
$text2pcapdirwin = "D:\\Program Files\\Wireshark" if -e "D:\\Program Files\\Wireshark\\text2pcap.exe";

2.5.3 Conversion operation

1. Install the Perl interpreter

The Perl interpreter must be installed before conversion; download link: Download & Install Perl - ActiveState

2. Prepare the script and the capture file

Assume the capture file is packet.txt. Create a working directory on the C drive, such as c:\pacp, and copy the script ruijiet2eth.pl and the capture file packet.txt into c:\pacp.

3. Conversion

Open a cmd command prompt, change to the directory of the Perl interpreter executable, and run the conversion with the following command:

After the command is entered and Enter is pressed, the file 1.pcap is generated under c:\pacp. 1.pcap is in a format that Wireshark recognizes; open it in Wireshark for detailed analysis. Run perl Ruijiet2eth.pl –help to get help information.
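The conversion above depends on Perl, the ruijiet2eth.pl script and Wireshark's text2pcap.exe being installed and the path edited by hand. As an added example that is not the page's script, the Python program below does the same job in one step: it parses the verbose 3/6 hex dump format shown in section 2.4.10 and writes a classic pcap file that Wireshark opens directly. It assumes each frame is preceded by its summary line (whose leading number is the relative timestamp), that every dump starts at offset 0x0000, and that the frames are untagged Ethernet (pcap link type 1); the output file name capture.pcap is a placeholder, and the sample text is the capture shown on the page.

```python
"""Convert the hex dump printed by `diagnose sniffer packet` at verbose level 3 or 6
into a pcap file that Wireshark opens directly.
Added example; it is not the ruijiet2eth.pl script from the page and needs neither
Perl nor text2pcap. It reads the "0x0000   0009 0fcd ..." dump format shown in
section 2.4.10. Assumptions: each frame is preceded by its summary line (whose leading
number is the relative timestamp), every dump starts at offset 0x0000, and the frames
are untagged Ethernet (pcap link type 1). SAMPLE is the capture shown on the page.
"""
import re
import struct
from typing import List, Tuple

SUMMARY_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s")             # "0.632650 192.168... -> ..."
HEX_RE = re.compile(r"^0x(?P<off>[0-9a-fA-F]{4})\s+(?P<rest>.*)$")
HEX_TOKEN = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")   # "4500" or a trailing "45"

Packet = Tuple[float, bytes]   # (relative timestamp in seconds, raw frame)

def parse_dump(text: str) -> List[Packet]:
    """Group hex-dump lines into frames; the ASCII column on the right is skipped
    from the first token that is not 2 or 4 hex digits."""
    packets: List[Packet] = []
    ts, cur = 0.0, bytearray()

    def flush():
        nonlocal cur
        if cur:
            packets.append((ts, bytes(cur)))
            cur = bytearray()

    for raw in text.splitlines():
        line = raw.strip()
        hm = HEX_RE.match(line)
        if hm:
            if int(hm["off"], 16) == 0:
                flush()                    # offset 0x0000 begins a new frame
            for tok in hm["rest"].split():
                if not HEX_TOKEN.fullmatch(tok):
                    break
                cur += bytes.fromhex(tok)
        elif SUMMARY_RE.match(line):
            flush()                        # summary line: the previous frame is complete
            ts = float(SUMMARY_RE.match(line)["ts"])
    flush()
    return packets

def to_pcap(packets: List[Packet], snaplen: int = 65535) -> bytes:
    """Classic pcap: 24-byte global header (link type 1 = Ethernet), then one record per frame."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)

def read_pcap(data: bytes) -> List[Packet]:
    """Round-trip reader (little-endian classic pcap only), used to verify the writer."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("not a little-endian Ethernet pcap")
    packets, pos = [], 24
    while pos < len(data):
        sec, usec, incl, _ = struct.unpack("<IIII", data[pos:pos + 16])
        packets.append((sec + usec / 1_000_000, data[pos + 16:pos + 16 + incl]))
        pos += 16 + incl
    return packets

# Constructed sample: the two frames captured in section 2.4.10.
SAMPLE = """\
interfaces=[SE]
filters=[(ether[6:4]=0x00090fdf) and (ether[10:2]=0xe8e3)]
0.632650 192.168.118.45.62528 -> 192.168.118.1.22: ack 2277714159
0x0000   0009 0fcd 9f48 0009 0fdf e8e3 0800 4500        .....H........E.
0x0010   0028 2383 4000 7f06 6acd c0a8 762d c0a8        .(#.@...j...v-..
0x0020   7601 f440 0016 16b9 4e62 87c3 28ef 5010        v..@....Nb..(.P.
0x0030   3fa0 f88f 0000                                 ?.....
0.633263 192.168.118.45.62528 -> 192.168.118.1.22: ack 2277714383
0x0000   0009 0fcd 9f48 0009 0fdf e8e3 0800 4500        .....H........E.
0x0010   0028 2384 4000 7f06 6acc c0a8 762d c0a8        .(#.@...j...v-..
0x0020   7601 f440 0016 16b9 4e62 87c3 29cf 5010        v..@....Nb..).P.
0x0030   3ec0 f88f 0000                                 >.....
"""

if __name__ == "__main__":
    frames = parse_dump(SAMPLE)
    with open("capture.pcap", "wb") as fh:   # placeholder output name
        fh.write(to_pcap(frames))
    print(f"wrote {len(frames)} frames to capture.pcap")
```

Because the sniffer prints timestamps relative to the start of the capture, the pcap timestamps are relative as well (they start at 1970-01-01 in Wireshark); the interface-name and direction words that verbose 6 adds to the summary line do not affect the parser, since it only reads the leading number.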


Origin blog.csdn.net/weixin_57099902/article/details/133386620