
Traffic capture

diag sniffer packet port1 'host 10.84.162.9' 4 2


Verbosity levels in detail:
1: print packet header
2: print packet header and IP data
3: print packet header and Ethernet data
4: print packet header with interface name
5: print packet header and IP data with interface name
6: print packet header and Ethernet data with interface name

diag sniffer packet <interface> <'filter'> <verbose> <count>

Interface: the interface on which traffic is captured ('any' captures on all interfaces)
Filter: the capture filter, in quotes, in tcpdump-style syntax ('none' captures everything)
Verbose: level of detail, as described above
Count: number of packets to capture (0 for no limit; stop the capture with Ctrl-C)
Examples

# diag sniffer packet internal none 4 3
internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2859918764 ack 1949135261
internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2859918816 ack 1949135261
internal out 192.168.0.30.1144 -> 192.168.0.1.22: ack 2859918884

# diag sniffer packet internal none 5 1
internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2867817048 ack 1951061933
0x0000  4510 005c 8eb1 4000 4006 2a6b c0a8 0001  E..\..@.@.*k....
0x0010  c0a8 001e 0016 0478 aaef 6a58 744a d7ad  .......x..jXtJ..
0x0020  5018 0b5c 8ab9 0000 9819 880b f465 62a8  P..\.........eb.
0x0030  3eaf 3804 3fee 2555 8deb 24da dd0d c684  >.8.?.%U..$.....
0x0040  08a9 7907 202d 5898 a85c facb 8c0a f9e5  ..y..-X..\......
0x0050  bd9c b649 5318 7fc5 c415 5a59            ...IS.....ZY
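The level-5 dump above is the raw IP packet, so every field the sniffer summarises (and every byte offset the content filters on this page test, such as ip[8] for TTL or tcp[13] for the TCP flags) can be read straight out of it. The following decoder is an added example, not code from the page or from Fortinet: it re-types the dump above as constructed input (assuming two or more spaces separate the hex column from the ASCII column), parses it into bytes, decodes the IPv4 and TCP headers, and rebuilds the one-line summary the sniffer prints at verbosity 1.

```python
import re
import struct
from ipaddress import IPv4Address

# Constructed input: the verbosity-5 dump from the 'diag sniffer packet internal none 5 1'
# example, re-typed. Assumption: the hex column and the ASCII column are separated by at
# least two spaces; the parser keys on that gap.
LEVEL5_DUMP = r"""
0x0000 4510 005c 8eb1 4000 4006 2a6b c0a8 0001  E..\..@.@.*k....
0x0010 c0a8 001e 0016 0478 aaef 6a58 744a d7ad  .......x..jXtJ..
0x0020 5018 0b5c 8ab9 0000 9819 880b f465 62a8  P..\.........eb.
0x0030 3eaf 3804 3fee 2555 8deb 24da dd0d c684  >.8.?.%U..$.....
0x0040 08a9 7907 202d 5898 a85c facb 8c0a f9e5  ..y..-X..\......
0x0050 bd9c b649 5318 7fc5 c415 5a59            ...IS.....ZY
"""

# TCP flag bits as they sit in byte 13 of the TCP header (the byte a tcp[13] filter tests).
TCP_FLAGS = {0x01: "fin", 0x02: "syn", 0x04: "rst", 0x08: "psh",
             0x10: "ack", 0x20: "urg", 0x40: "ece", 0x80: "cwr"}


def parse_hexdump(text: str) -> bytes:
    """Collect the hex column of every '0x....' line, ignoring the ASCII column."""
    out = bytearray()
    for line in text.strip().splitlines():
        hex_part = re.split(r"\s{2,}", line.strip(), maxsplit=1)[0]
        words = hex_part.split()
        if not words or not words[0].startswith("0x"):
            continue
        for word in words[1:]:
            out += bytes.fromhex(word)
    return bytes(out)


def decode_ip_tcp(pkt: bytes, ether: bool = False) -> dict:
    """Decode the IPv4 header and, for protocol 6, the TCP header.

    Level 2 and 5 dumps start at the IP header; pass ether=True for level 3/6 dumps,
    which carry the 14-byte Ethernet header first.
    """
    ip = pkt[14:] if ether else pkt
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    info = {"ttl": ttl, "proto": proto, "total_len": total_len,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst))}
    if proto == 6:
        tcp = ip[ihl:]
        sport, dport, seq, ack, off_flags, _win = struct.unpack("!HHIIHH", tcp[:16])
        data_off = (off_flags >> 12) * 4
        info.update({
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags_byte": tcp[13],
            "flags": [name for bit, name in sorted(TCP_FLAGS.items()) if tcp[13] & bit],
            "payload_len": total_len - ihl - data_off,
        })
    return info


def summary_line(info: dict) -> str:
    """Render the one-line form the sniffer prints at verbosity 1 for a TCP packet."""
    line = f"{info['src']}.{info['sport']} -> {info['dst']}.{info['dport']}:"
    non_ack = [f for f in info["flags"] if f != "ack"]
    if non_ack:
        line += f" {' '.join(non_ack)} {info['seq']}"
    if "ack" in info["flags"]:
        line += f" ack {info['ack']}"
    return line


if __name__ == "__main__":
    decoded = decode_ip_tcp(parse_hexdump(LEVEL5_DUMP))
    print(decoded)
    print(summary_line(decoded))
```

Running it on the dump recovers TTL 64, protocol 6, 192.168.0.1.22 -> 192.168.0.30.1144, flags byte 0x18 (PSH+ACK) and the exact sequence and acknowledgement numbers the sniffer printed in its header line, which is a quick way to confirm what a content filter offset will actually see.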

# diag sniffer packet internal 'src host 192.168.0.130 and dst host 192.168.0.1' 1
192.168.0.130.3426 -> 192.168.0.1.80: syn 1325244087
192.168.0.1.80 -> 192.168.0.130.3426: syn 3483111189 ack 1325244088
192.168.0.130.3426 -> 192.168.0.1.80: ack 3483111190
192.168.0.130.3426 -> 192.168.0.1.80: psh 1325244088 ack 3483111190
192.168.0.1.80 -> 192.168.0.130.3426: ack 1325244686
192.168.0.130.1035 -> 192.168.0.1.53: udp 26
192.168.0.130.1035 -> 192.168.0.1.53: udp 42
192.168.0.130.1035 -> 192.168.0.1.53: udp 42
192.168.0.130 -> 192.168.0.1: icmp: echo request
192.168.0.130.3426 -> 192.168.0.1.80: psh 1325244686 ack 3483111190
192.168.0.1.80 -> 192.168.0.130.3426: ack 1325244735
192.168.0.130 -> 192.168.0.1: icmp: echo request

# diag sniffer packet internal 'src host 192.168.0.130 and dst host 192.168.0.1 and tcp' 1
192.168.0.130.3569 -> 192.168.0.1.23: syn 1802541497
192.168.0.1.23 -> 192.168.0.130.3569: syn 4238146022 ack 1802541498
192.168.0.130.3569 -> 192.168.0.1.23: ack 4238146023

# diag sniffer packet internal 'host 192.168.0.130 and icmp' 1
192.168.0.130 -> 192.168.0.1: icmp: echo request
192.168.0.1 -> 192.168.0.130: icmp: echo reply

# diag sniffer packet internal 'host 192.168.0.130 or 192.168.0.1 and tcp port 80' 1
192.168.0.130.3625 -> 192.168.0.1.80: syn 2057246590
192.168.0.1.80 -> 192.168.0.130.3625: syn 3291168205 ack 2057246591
192.168.0.130.3625 -> 192.168.0.1.80: ack 3291168206
192.168.0.130.3625 -> 192.168.0.1.80: psh 2057246591 ack 3291168206
192.168.0.1.80 -> 192.168.0.130.3625: ack 2057247265

Filters can also match packets on their content, by byte offset within a header, with the value given in hexadecimal. The offsets below assume untagged Ethernet II frames and a 20-byte IP header: ether[26:4] is the IP source address because the 14-byte Ethernet header precedes the IP header, in which the source address sits at offset 12.

Match TTL = 1:

# diagnose sniffer packet port2 "ip[8:1] = 0x01"

Match source IP address = 192.168.1.2:

# diagnose sniffer packet internal "(ether[26:4]=0xc0a80102)"

Match source MAC = 00:09:0f:89:10:ea:

# diagnose sniffer packet internal "(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)"

Match destination MAC = 00:09:0f:89:10:ea:

# diagnose sniffer packet internal "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"

Match ARP packets only:

# diagnose sniffer packet internal "ether proto 0x0806"

TCP flags are tested through byte 13 of the TCP header (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32):

Match packets with the RST flag set:

# diagnose sniffer packet internal "tcp[13] & 4 != 0"

Match packets with the SYN flag set:

# diagnose sniffer packet internal "tcp[13] & 2 != 0"

Match SYN-ACK packets:

# diagnose sniffer packet internal "tcp[13] = 18"

Note that "tcp[13] = 18" matches only when SYN and ACK are the sole flags set; "tcp[13] & 18 = 18" also matches SYN-ACKs that carry ECE or CWR.
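Byte-offset filters are easy to get wrong by one byte, and a wrong offset silently matches nothing. The following evaluator is an added example, not code from the page or from Fortinet: it implements the handful of filter forms shown above (proto[offset:len], an optional & mask, = or !=, clauses joined by and, plus ether proto) and runs them against a constructed, untagged Ethernet II + IPv4 + TCP frame built in the block, so a filter can be sanity-checked offline before it is typed into the unit. Checksums in the constructed frame are left zero, which filters never inspect.

```python
import re
import struct
from ipaddress import IPv4Address

# One clause of the byte-offset syntax: proto[offset[:len]] [& mask] (=|!=) value
CLAUSE = re.compile(r"""^\(?\s*
    (?P<proto>ether|ip|tcp|udp)\[(?P<off>\d+)(?::(?P<len>\d+))?\]
    \s*(?:&\s*(?P<mask>0x[0-9a-fA-F]+|\d+))?
    \s*(?P<op>!=|=)\s*(?P<val>0x[0-9a-fA-F]+|\d+)
    \s*\)?$""", re.X)
ETHER_PROTO = re.compile(r"^ether proto (0x[0-9a-fA-F]+|\d+)$")


def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl, tcp_flags, sport=3625, dport=80):
    """Constructed untagged Ethernet II + IPv4 (no options) + TCP frame for testing filters.
    Checksums are left zero; the filter syntax never looks at them."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, ttl, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | tcp_flags, 8192, 0, 0)
    return eth + ip + tcp


def _base_offset(proto, frame):
    """Frame offset of proto[0], or None when the frame is not that protocol
    (so tcp[13] on a non-TCP packet never matches)."""
    if proto == "ether":
        return 0
    if int.from_bytes(frame[12:14], "big") != 0x0800:   # untagged IPv4 only
        return None
    if proto == "ip":
        return 14
    ihl = (frame[14] & 0x0F) * 4
    wanted = 6 if proto == "tcp" else 17
    return 14 + ihl if frame[23] == wanted else None


def match_clause(clause, frame):
    clause = clause.strip()
    m = ETHER_PROTO.match(clause)
    if m:
        return int.from_bytes(frame[12:14], "big") == int(m.group(1), 0)
    m = CLAUSE.match(clause)
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    base = _base_offset(m["proto"], frame)
    if base is None:
        return False
    off, length = base + int(m["off"]), int(m["len"] or 1)
    field = int.from_bytes(frame[off:off + length], "big")
    if m["mask"]:
        field &= int(m["mask"], 0)
    equal = field == int(m["val"], 0)
    return equal if m["op"] == "=" else not equal


def match_filter(expr, frame):
    """Evaluate a filter made of clauses joined by 'and'."""
    return all(match_clause(c, frame) for c in re.split(r"\s+and\s+", expr.strip()))


def ip_hex(addr):
    """The value to put after ether[26:4]= (source) or ether[30:4]= (destination)."""
    return "0x" + IPv4Address(addr).packed.hex()


if __name__ == "__main__":
    synack = build_frame("00:09:0f:89:10:ea", "00:11:22:33:44:55",
                         "192.168.1.2", "192.168.1.1", ttl=1, tcp_flags=0x12)
    for f in ["ip[8:1] = 0x01", "(ether[26:4]=0xc0a80102)",
              "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)",
              "ether proto 0x0806", "tcp[13] & 2 != 0", "tcp[13] = 18"]:
        print(f"{f!r:55} -> {match_filter(f, synack)}")
```

Feeding the constructed frame a SYN-ACK with ECE set (flags 0x52) shows the difference between "tcp[13] = 18", which then fails, and "tcp[13] & 18 = 18", which still matches; the same harness will also tell you that every ether[...] offset shifts by four on 802.1Q-tagged frames, because the ethertype check in _base_offset stops treating them as IPv4.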

Technical documentation: http://docs.fortinet.com


Show interface parameters:

diagnose hardware deviceinfo nic port1

Show the appliance's general configuration and the status of its modules:

get sys status

myfirewall1 # get sys status
Version: Fortigate-50B v4.0,build0535,120511 (MR3 Patch 7)
Virus-DB: 14.00000(2011-08-24 17:17)
Extended DB: 14.00000(2011-08-24 17:09)
IPS-DB: 3.00150(2012-02-15 23:15)
FortiClient application signature package: 1.529(2012-10-09 10:00)
Serial-Number: FGT50B1234567890
BIOS version: 04000010
Log hard disk: Not available
Hostname: myfirewall1
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 234
Release Version Information: MR3 Patch 7
System time: Thu Nov 15 13:12:30 2012

Show the traffic statistics collected so far:

get system performance firewall statistics

myfirewall1 # get system performance firewall statistics
getting traffic statistics...
Browsing: 544083 packets, 80679942 bytes
DNS: 19333 packets, 2400831 bytes
E-Mail: 52 packets, 3132 bytes
FTP: 0 packets, 0 bytes
Gaming: 0 packets, 0 bytes
IM: 0 packets, 0 bytes
Newsgroups: 0 packets, 0 bytes
P2P: 0 packets, 0 bytes
Streaming: 0 packets, 0 bytes
TFTP: 0 packets, 0 bytes
VoIP: 0 packets, 0 bytes
Generic TCP: 13460 packets, 1301879 bytes
Generic UDP: 7056 packets, 647156 bytes
Generic ICMP: 172 packets, 11804 bytes
Generic IP: 26 packets, 832 bytes

Show CPU state and uptime:

get system performance status

myfirewall1 # get system performance status
CPU states: 0% user 0% system 0% nice 100% idle
CPU0 states: 0% user 0% system 0% nice 100% idle
Memory states: 48% used
Average network usage: 1 kbps in 1 minute, 0 kbps in 10 minutes, 0 kbps in 30 minutes
Average sessions: 0 sessions in 1 minute, 0 sessions in 10 minutes, 0 sessions in 30 minutes
Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 24 days, 11 hours, 25 minutes

Show CPU usage sorted by the heaviest processes:

get system performance top

myfirewall1 # get system performance top
Run Time: 24 days, 11 hours and 26 minutes
0U, 0S, 100I; 249T, 119F, 60KF
initXXXXXXXXXXX 1 S 0.0 4.5
cmdbsvr 23 S 0.0 6.8
zebos_launcher 27 S 0.0 4.7
uploadd 28 S 0.0 4.6
miglogd 29 S 0.0 5.9
miglogd 30 S 0.0 4.6
httpsd 31 S 0.0 7.0
nsm 32 S 0.0 1.1
ripd 33 S 0.0 0.9
ripngd 34 S 0.0 0.9
ospfd 35 S 0.0 0.9
proxyd 36 S 0.0 4.6
wad_diskd 37 S 0.0 4.6
scanunitd 38 S < 0.0 4.9
ospf6d 39 S 0.0 0.9
bgpd 40 S 0.0 1.0
isisd 41 S 0.0 0.9
proxyacceptor 42 S 0.0 0.7
proxyworker 43 S 0.0 1.8
getty 44 S < 0.0 4.6

Show the status of the High Availability module:

get sys ha status

myfirewall1 # get sys ha status
Model: 311
Mode: a-p
Group: 0
Debug: 0
ses_pickup: enable
Master:254 myfirewall1 FG311B1111111111 0
Slave :128 myfirewall2 FG311B1111111112 1
number of vcluster: 1
vcluster 1: work 10.0.0.1
Master:0 FG311B1111111111
Slave :1 FG311B1111111112

Check the firewall session table:

diag sys session full-stat

myfirewall1 # diag sys session full-stat
session table: table_size=65536 max_depth=1 used=2
expect session table: table_size=1024 max_depth=0 used=0
misc info: session_count=1 setup_rate=0 exp_count=0 clash=0
memory_tension_drop=0 ephemeral=0/16368 removeable=0 ha_scan=0
delete=0, flush=0, dev_down=0/0
TCP sessions:
1 in ESTABLISHED state
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000000
tcp reset stat:
syncqf=0 acceptqf=0 no-listener=11025 data=0 ses=0 ips=0
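The status commands above are the ones an operator polls over SSH to catch a unit that is running out of memory or session-table space, or that has started blocking attacks. The following checker is an added example, not code from the page or from Fortinet: it parses the get system performance status and diag sys session full-stat output shown on this page (re-typed here as constructed samples, the error-stat lines trimmed) into dictionaries and reports findings against thresholds. The thresholds (80% memory, 80% session-table fill, 60 no-listener resets per hour of uptime) are assumptions to tune per deployment, not Fortinet-documented limits.

```python
import re

# Constructed samples: the command output shown on this page, re-typed.
PERF_STATUS = """\
CPU states: 0% user 0% system 0% nice 100% idle
CPU0 states: 0% user 0% system 0% nice 100% idle
Memory states: 48% used
Average network usage: 1 kbps in 1 minute, 0 kbps in 10 minutes, 0 kbps in 30 minutes
Average sessions: 0 sessions in 1 minute, 0 sessions in 10 minutes, 0 sessions in 30 minutes
Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 24 days, 11 hours, 25 minutes
"""

SESSION_STAT = """\
session table: table_size=65536 max_depth=1 used=2
expect session table: table_size=1024 max_depth=0 used=0
misc info: session_count=1 setup_rate=0 exp_count=0 clash=0
memory_tension_drop=0 ephemeral=0/16368 removeable=0 ha_scan=0
delete=0, flush=0, dev_down=0/0
TCP sessions:
1 in ESTABLISHED state
tcp reset stat:
syncqf=0 acceptqf=0 no-listener=11025 data=0 ses=0 ips=0
"""


def _num(pattern, text):
    m = re.search(pattern, text, re.M)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return int(m.group(1))


def parse_perf_status(text):
    """Pull the counters worth alerting on out of 'get system performance status'."""
    d, h, m = re.search(r"^Uptime: (\d+) days?, (\d+) hours?, (\d+) minutes?",
                        text, re.M).groups()
    return {
        "cpu_idle_pct": _num(r"^CPU states:.*?(\d+)% idle", text),
        "mem_used_pct": _num(r"^Memory states: (\d+)% used", text),
        "setup_rate_1m": _num(r"^Average session setup rate: (\d+) sessions per second", text),
        "virus_1m": _num(r"^Virus caught: (\d+)", text),
        "ips_1m": _num(r"^IPS attacks blocked: (\d+)", text),
        "uptime_min": int(d) * 1440 + int(h) * 60 + int(m),
    }


def parse_session_stat(text):
    """Flatten every key=value counter of 'diag sys session full-stat'. The expect
    session table line gets an expect_ prefix so its table_size/used do not collide
    with the main table's; a/b values such as ephemeral=0/16368 keep the first number."""
    out = {}
    for line in text.splitlines():
        prefix = "expect_" if line.startswith("expect session table") else ""
        for key, val in re.findall(r"([\w-]+)=(\d+)", line):
            out.setdefault(prefix + key, int(val))
    return out


def health_check(perf, sess, mem_pct_max=80, table_fill_max=0.8,
                 no_listener_per_hour_max=60):
    """Return a list of findings; an empty list means nothing crossed a threshold.
    Thresholds are assumptions, not documented FortiOS limits."""
    findings = []
    if perf["mem_used_pct"] >= mem_pct_max:
        findings.append(f"memory {perf['mem_used_pct']}% used")
    fill = sess["used"] / sess["table_size"]
    if fill >= table_fill_max:
        findings.append(f"session table {fill:.0%} full")
    if sess.get("memory_tension_drop", 0):
        findings.append(f"{sess['memory_tension_drop']} sessions dropped under memory tension")
    if perf["virus_1m"] or perf["ips_1m"]:
        findings.append(f"last minute: {perf['virus_1m']} virus, {perf['ips_1m']} IPS blocks")
    # no-listener is cumulative since boot, so normalise it by uptime before judging it
    per_hour = sess["no-listener"] / max(perf["uptime_min"] / 60, 1)
    if per_hour > no_listener_per_hour_max:
        findings.append(f"no-listener resets {per_hour:.0f}/h since boot")
    return findings


if __name__ == "__main__":
    print(health_check(parse_perf_status(PERF_STATUS), parse_session_stat(SESSION_STAT)))
```

On the page's own output every counter is comfortable and the checker returns an empty list; raising the memory figure to 92% or inflating no-listener produces a finding, which is the point of keeping the thresholds as parameters rather than constants.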