How To – Monitor Packet Flow In Cyberoam
Applicable Version: 10.00 onwards

Overview

You can monitor packet flow from the Cyberoam CLI using the tcpdump command. tcpdump is a packet capture tool that intercepts and captures packets passing through a network interface, which makes it useful for understanding and troubleshooting network-layer problems. It shows the packets arriving on an interface, the response to each packet, packet drops, and ARP information. tcpdump prints the headers of those packets on a network interface that match a Boolean filter expression.

Note: Because tcpdump shows packet headers rather than application behaviour, it is of little help in identifying and troubleshooting application-level problems.

Command Description

Use tcpdump from the Cyberoam Telnet Console or from the Cyberoam CLI. The filter expression is given in single quotes; the Syntax column shows the general form and the Example column a concrete filter.

To view traffic of                           Syntax                                        Example
specific host                                tcpdump 'host <IP>'                           tcpdump 'host 10.10.10.1'
specific source host                         tcpdump 'src host <IP>'                       tcpdump 'src host 10.10.10.1'
specific destination host                    tcpdump 'dst host <IP>'                       tcpdump 'dst host 10.10.10.1'
specific network                             tcpdump 'net <network>'                       tcpdump 'net 10.10.10'
specific source network                      tcpdump 'src net <network>'                   tcpdump 'src net 10.10.10'
specific destination network                 tcpdump 'dst net <network>'                   tcpdump 'dst net 10.10.10'
specific port                                tcpdump 'port <port>'                         tcpdump 'port 21'
specific source port                         tcpdump 'src port <port>'                     tcpdump 'src port 21'
specific destination port                    tcpdump 'dst port <port>'                     tcpdump 'dst port 21'
specific host and particular port            tcpdump 'host <IP> and port <port>'           tcpdump 'host 10.10.10.1 and port 21'
specific host, all ports except SSH          tcpdump 'host <IP> and port not <port>'       tcpdump 'host 10.10.10.1 and port not 22'
specific protocol                            tcpdump 'proto <protocol>'                    tcpdump 'proto ICMP'
                                                                                           tcpdump 'proto UDP'
                                                                                           tcpdump 'proto TCP'
                                                                                           tcpdump 'arp'
particular interface                         tcpdump interface <interface>                 tcpdump interface PortB
specific port on a particular interface      tcpdump interface <interface> 'port <port>'   tcpdump interface PortB 'port 21'

Note: Expressions can be combined using the logical operators and, or and not. Enclose the whole combined expression in a single pair of single quotes.
Analyzing TCPDUMP Output

console> tcpdump 'port 21'
tcpdump: Starting Packet Dump
 1. 13:27:14.453378 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [S], seq 3632672926, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
 2. 13:27:14.453983 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [S], seq 3632672926, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
 3. 13:27:14.685967 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [S.], seq 1058429879, ack 3632672927, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 8], length 0
 4. 13:27:14.686378 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [S.], seq 1058429879, ack 3632672927, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 8], length 0
 5. 13:27:14.686903 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [.], ack 1, win 2048, length 0
 6. 13:27:14.687140 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [.], ack 1, win 2048, length 0
 7. 13:27:14.921018 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [P.], ack 1, win 23, length 20
 8. 13:27:14.921397 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [P.], ack 1, win 23, length 20
 9. 13:27:15.121914 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [.], ack 21, win 2043, length 0
10. 13:27:15.122249 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [.], ack 21, win 2043, length 0
11. 13:27:18.781053 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [P.], ack 21, win 2043, length 19
12. 13:27:18.781424 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [P.], ack 21, win 2043, length 19
13. 13:27:19.013605 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [.], ack 20, win 23, length 0
14. 13:27:19.013629 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [P.], ack 20, win 23, length 34
15. 13:27:19.014028 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [.], ack 20, win 23, length 0
16. 13:27:19.014257 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [P.], ack 20, win 23, length 34
17. 13:27:19.213374 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [.], ack 55, win 2034, length 0
18. 13:27:19.213734 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [.], ack 55, win 2034, length 0
19. 13:27:21.429606 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [P.], ack 55, win 2034, length 22
20. 13:27:21.430018 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [P.], ack 55, win 2034, length 22
21. 13:27:21.701511 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [.], ack 42, win 23, length 0
22. 13:27:21.701820 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [.], ack 42, win 23, length 0
23. 13:27:21.970660 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [P.], ack 42, win 23, length 23
24. 13:27:21.971040 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [P.], ack 42, win 23, length 23
25. 13:27:22.173594 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [.], ack 78, win 2028, length 0
26. 13:27:22.173909 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [.], ack 78, win 2028, length 0
27. 13:27:23.188769 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [P.], ack 78, win 2028, length 6
28. 13:27:23.189153 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [P.], ack 78, win 2028, length 6
29. 13:27:23.421626 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [.], ack 48, win 23, length 0
30. 13:27:23.421651 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [P.], ack 48, win 23, length 14
31. 13:27:23.422035 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [.], ack 48, win 23, length 0
32. 13:27:23.422266 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [P.], ack 48, win 23, length 14
33. 13:27:23.423114 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [F.], seq 92, ack 48, win 23, length 0
34. 13:27:23.423299 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [F.], seq 92, ack 48, win 23, length 0
35. 13:27:23.424184 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [.], ack 93, win 2025, length 0
36. 13:27:23.424419 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [.], ack 93, win 2025, length 0
37. 13:27:23.426540 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [F.], seq 48, ack 93, win 2025, length 0
38. 13:27:23.426760 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [F.], seq 48, ack 93, win 2025, length 0
39. 13:27:24.135438 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [.], ack 49, win 23, length 0
40. 13:27:24.135726 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [.], ack 49, win 23, length 0

Fields of the 1st line (the original document distinguishes them by colour):

13:27:14.453378  timestamp of the packet
PortA            interface on which the packet was seen
IN               direction of packet flow, IN (received on that interface) or OUT (sent from it)
10.120.16.100    source address that originated the request
59349            port used by the source address
192.168.1.39     destination IP address
21               destination port
[S]              TCP flags set on this packet

1st line: A new connection originated by 10.120.16.100 and destined for 192.168.1.39 to access the FTP service (port 21). This is the first packet, so the flag is S (SYN).

2nd line: Cyberoam NATs the private IP 10.120.16.100 and sends the SYN to 192.168.1.39 on its behalf, using its own public IP 10.103.4.247 as the source. The source port, sequence number and options are unchanged; only the source address differs.

3rd line: This packet is the response coming back from the server to Cyberoam, acknowledging the SYN. This is the SYN-ACK packet, with the flags shown as S. (SYN plus ACK).

4th line: Cyberoam forwards the SYN-ACK packet to the private IP, translating the destination address back to 10.120.16.100.
5th line: To complete the three-way handshake, the private IP sends an ACK packet to Cyberoam. The flag is shown as '.' (ACK only).

6th line: Cyberoam forwards the ACK packet to the FTP server.

For any TCP connection the first few lines represent the three-way handshake:

1. Source to Destination: SYN
2. Destination to Source: SYN-ACK
3. Source to Destination: ACK

Every forwarded packet appears twice in the capture: once as IN on the interface where Cyberoam received it and once as OUT on the interface it left from, with the source or destination address rewritten where NAT applies. A packet that appears as IN but never as OUT was not forwarded: either the firewall dropped it (for example, because no firewall rule allows it) or it was addressed to Cyberoam itself. Looking for IN lines without a matching OUT line is the quickest way to spot a packet drop in the output.

7th to 32nd lines: Data transfer. Lines with the flag P. are push packets carrying data (the length field gives the number of payload bytes); lines with the flag . carry no data and only acknowledge what was received.

33rd and 34th lines: Termination of the FTP connection. The FTP server sends a FIN packet to Cyberoam, which forwards it to the private IP.

35th and 36th lines: The private IP sends an ACK packet to Cyberoam, which forwards it to the FTP server.

37th and 38th lines: The private IP sends its own FIN packet to Cyberoam, which forwards it to the FTP server.

39th and 40th lines: The server sends an ACK packet to Cyberoam, which forwards it to the private IP.

Flag Information:

S   SYN packet opening a new connection
S.  SYN packet with ACK (SYN-ACK)
P.  PUSH packet carrying data
.   no data, only an ACK
F.  FIN packet signalling termination of the connection
R   RST packet: the sending end has refused or torn down the connection, for example because nothing is listening on the port, or because a firewall rule rejects the connection. A packet that the firewall silently drops produces no RST; it simply never appears as OUT.

Advanced Usage

- To view packet contents in hexadecimal notation, execute the following command:

console> tcpdump hex "port 23"
tcpdump: Starting Packet Dump
13:40:40.737451 PortA, OUT: IP 10.120.16.1.23 > 10.120.16.100.59384: Flags [S.], seq 279170894, ack 2807241456, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
    0x0000:  4500 0034 0000 4000 4006 0570 0a78 1001
    0x0010:  0a78 1064 0017 e7f8 10a3 cf4e a753 1af0
    0x0020:  8012 16d0 9898 0000 0204 05b4 0101 0402
    0x0030:  0103 0306
13:40:40.738181 PortA, IN: IP 10.120.16.100.59384 > 10.120.16.1.23: Flags [.], ack 1, win 4096, length 0
    0x0000:  4500 0028 535b 4000 4006 b220 0a78 1064
    0x0010:  0a78 1001 e7f8 0017 a753 1af0 10a3 cf4f
    0x0020:  5010 1000 e039 0000 0000 0000 0000
13:40:40.760134 PortA, IN: IP 10.120.16.100.59384 > 10.120.16.1.23: Flags [P.], ack 1, win 4096, length 3
    0x0000:  4500 002b 535d 4000 4006 b21b 0a78 1064
    0x0010:  0a78 1001 e7f8 0017 a753 1af0 10a3 cf4f
    0x0020:  5018 1000 dd30 0000 fffd 0300 0000
13:40:40.760187 PortA, OUT: IP 10.120.16.1.23 > 10.120.16.100.59384: Flags [.], ack 4, win 92, length 0
    0x0000:  4500 0028 fda1 4000 4006 07da 0a78 1001
    0x0010:  0a78 1064 0017 e7f8 10a3 cf4f a753 1af3
    0x0020:  5010 005c efda 0000
13:40:40.773653 PortA, OUT: IP 10.120.16.1.23 > 10.120.16.100.59384: Flags [P.], ack 4, win 92, length 15
    0x0000:  4500 0037 fda2 4000 4006 07ca 0a78 1001
    0x0010:  0a78 1064 0017 e7f8 10a3 cf4f a753 1af3
    0x0020:  5018 005c 357e 0000 fffd 01ff fd1f fffd
    0x0030:  21ff fb01 fffb 03
13:40:40.774271 PortA, IN: IP 10.120.16.100.59384 > 10.120.16.1.23: Flags [P.], ack 16, win 4092, length 21
    0x0000:  4500 003d 535f 4000 4006 b207 0a78 1064
    0x0010:  0a78 1001 e7f8 0017 a753 1af3 10a3 cf5e
    0x0020:  5018 0ffc 24d8 0000 fffc 01ff fb1f fffa
    0x0030:  1f00 8400 2dff f0ff fb21 fffd 01

Reading the dump: the first 20 bytes of each packet are the IPv4 header (4500 is version 4 with a 20-byte header, the byte 06 at offset 9 is the TCP protocol number, and the words 0a78 1001 and 0a78 1064 are the addresses 10.120.16.1 and 10.120.16.100). The TCP header follows, beginning with the two ports (0017 is 23, e7f8 is 59384). The trailing 0000 words on the short packets are Ethernet minimum-frame padding, not data; the IP total length (second word, e.g. 0028 = 40 bytes) tells you where the packet really ends. The 3-byte payload ff fd 03 in the third packet is Telnet option negotiation (IAC DO SUPPRESS-GO-AHEAD), which is what the hex view is for: seeing the bytes the application actually exchanged.

- To view packet contents with Ethernet or other layer-2 header information:

console> tcpdump llh 'host 10.120.16.1'
tcpdump: Starting Packet Dump
13:37:58.229889 PortA, OUT: Out 00:0d:48:32:a4:cb ethertype IPv4 (0x0800), length 815: 10.120.16.1.40772 > 10.120.16.250.514: SYSLOG daemon.info, length: 771
13:37:58.269046 PortA, OUT: Out 00:0d:48:32:a4:cb ethertype IPv4 (0x0800), length 812: 10.120.16.1.40772 > 10.120.16.250.514: SYSLOG daemon.info, length: 768
13:37:58.679279 PortA, OUT: Out 00:0d:48:32:a4:cb ethertype IPv4 (0x0800), length 812: 10.120.16.1.40772 > 10.120.16.250.514: SYSLOG daemon.info, length: 768
13:37:58.746161 PortA, OUT: Out 00:0d:48:32:a4:cb ethertype IPv4 (0x0800), length 837: 10.120.16.1.40772 > 10.120.16.250.514: SYSLOG daemon.info, length: 793
13:37:58.763740 PortA, OUT: Out 00:0d:48:32:a4:cb ethertype IPv4 (0x0800), length 763: 10.120.16.1.40772 > 10.120.16.250.514: SYSLOG daemon.info, length: 719
13:37:58.781331 PortA, OUT: Out 00:0d:48:32:a4:cb ethertype IPv4 (0x0800), length 824: 10.120.16.1.40772 > 10.120.16.250.514: SYSLOG daemon.info, length: 780
13:37:58.825464 PortA, OUT: Out 00:0d:48:32:a4:cb ethertype IPv4 (0x0800), length 667: 10.120.16.1.40772 > 10.120.16.250.514: SYSLOG daemon.info, length: 623
13:37:59.077341 PortA, OUT: Out 00:0d:48:32:a4:cb ethertype IPv4 (0x0800), length 825: 10.120.16.1.40772 > 10.120.16.250.514: SYSLOG daemon.info, length: 781

The llh output adds the MAC address and ethertype of each frame, which is what you need when the problem is below IP: a duplicate IP address, traffic arriving from an unexpected gateway MAC, or a host that answers ARP but nothing else.

Generate binary file of traffic log generated with custom parameters

Cyberoam can also save the tcpdump output to a binary file that you download from the Telnet Console. The file contains the captured traffic in a form that can be analysed with an advanced tool such as Wireshark (formerly Ethereal) and that the Cyberoam Support team can work with.

To save the output in a downloadable file, log on to the Telnet Console:

1. Go to Option 4 Cyberoam Console.
2. At the command prompt, issue the command: tcpdump filedump

Cyberoam saves this file under the name tcpdump.pcap. Download it from http:///documents/tcpdump.pcap on the appliance and email the file to the Cyberoam Support team at [email protected].

Monitoring VPN traffic

Cyberoam automatically configures a VPN IPSec interface for each WAN port configured. For example, if Port B and Port C are configured as WAN ports, Cyberoam configures ipsec0 and ipsec1 for Port B and Port C respectively. Use these ipsec interfaces to monitor VPN traffic, e.g. tcpdump "-i ipsec0"

Document Version: 3.0 - 27/09/2012
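The IN/OUT pairing described in the Analyzing TCPDUMP Output section, as an added example that is not part of the original document and not Cyberoam's own code: a Python script that pairs each IN line of the text output with the OUT line the firewall sent on the other interface, reports the NAT translation, and lists the IN packets that never left the appliance. The first six log lines are copied from the FTP capture above; the last line is constructed for this example and shows a SYN to port 23 that the firewall does not forward. The matching rule (same ports, flags, seq/ack and length on a different interface, with IP addresses ignored because NAT rewrites them) is my own assumption about the output format shown on this page.

```python
"""Pair IN and OUT lines of Cyberoam's tcpdump text output so that NAT
translations and packets that were never forwarded stand out.

Added example for this page; not Cyberoam's own code.
"""
import re
from typing import Dict, List, Optional, Tuple

# Lines 1-6 of the FTP capture on this page, plus one constructed line:
# a SYN to port 23 that never reappears as OUT (dropped or consumed).
SAMPLE_CAPTURE = """
13:27:14.453378 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [S], seq 3632672926, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
13:27:14.453983 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [S], seq 3632672926, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
13:27:14.685967 PortB, IN: IP 192.168.1.39.21 > 10.103.4.247.59349: Flags [S.], seq 1058429879, ack 3632672927, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 8], length 0
13:27:14.686378 PortA, OUT: IP 192.168.1.39.21 > 10.120.16.100.59349: Flags [S.], seq 1058429879, ack 3632672927, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 8], length 0
13:27:14.686903 PortA, IN: IP 10.120.16.100.59349 > 192.168.1.39.21: Flags [.], ack 1, win 2048, length 0
13:27:14.687140 PortB, OUT: IP 10.103.4.247.59349 > 192.168.1.39.21: Flags [.], ack 1, win 2048, length 0
13:27:30.000000 PortA, IN: IP 10.120.16.100.59400 > 192.168.1.39.23: Flags [S], seq 1000, win 8192, length 0
"""

# Shape of one summary line as printed by the Cyberoam tcpdump wrapper.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?"
    r".*?, length (?P<length>\d+)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Turn one summary line into a dict; None for non-packet lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p: Dict[str, object] = dict(m.groupdict())
    for key in ("sport", "dport", "length"):
        p[key] = int(str(p[key]))
    return p


def flow_key(p: Dict[str, object]) -> Tuple[object, ...]:
    """What survives the trip through the firewall: ports, flags, seq/ack
    and length. Addresses are left out because NAT rewrites them."""
    return (p["sport"], p["dport"], p["flags"], p["seq"], p["ack"], p["length"])


def pair_in_out(capture: str):
    """Return (forwarded, not_forwarded). forwarded holds (IN, OUT) pairs;
    not_forwarded holds IN packets that never left on another interface."""
    pending: List[Dict[str, object]] = []
    forwarded: List[Tuple[Dict[str, object], Dict[str, object]]] = []
    for line in capture.strip().splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p["dir"] == "IN":
            pending.append(p)
            continue
        # An OUT line is the forwarded copy of the oldest matching IN line
        # that was received on a different interface.
        for i, q in enumerate(pending):
            if q["iface"] != p["iface"] and flow_key(q) == flow_key(p):
                forwarded.append((q, p))
                del pending[i]
                break
    return forwarded, pending


def describe(pair: Tuple[Dict[str, object], Dict[str, object]]) -> str:
    """One line per forwarded packet, naming the NAT translation if any."""
    q, p = pair
    nat = ""
    if q["src"] != p["src"]:
        nat = ", SNAT %s -> %s" % (q["src"], p["src"])
    elif q["dst"] != p["dst"]:
        nat = ", DNAT %s -> %s" % (q["dst"], p["dst"])
    return "%s [%s] %s -> %s%s" % (q["ts"], q["flags"], q["iface"], p["iface"], nat)


if __name__ == "__main__":
    fwd, dropped = pair_in_out(SAMPLE_CAPTURE)
    for pair in fwd:
        print("forwarded:    ", describe(pair))
    for q in dropped:
        print("NOT forwarded:", q["ts"], q["iface"], "%s:%s > %s:%s [%s]"
              % (q["src"], q["sport"], q["dst"], q["dport"], q["flags"]))
```

Run against a real `tcpdump 'port N'` session, the "NOT forwarded" list is the first thing to look at when a client cannot reach a service: a SYN that is IN on the LAN port and never OUT on the WAN port means the packet died inside the appliance (firewall rule, route, or a service on Cyberoam itself), not on the far side.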
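For the hex output in the Advanced Usage section, as an added example that is not part of the original document and not Cyberoam's own code: a Python decoder that takes the hex dump as the Cyberoam CLI prints it, parses the IPv4 and TCP headers, verifies the IP header checksum and rebuilds tcpdump's summary line so you can check it against what the appliance printed. The three frames are copied from the `tcpdump hex "port 23"` capture above. Sequence and acknowledgement numbers are decoded as absolute values; tcpdump switches to relative numbers after the SYN exchange, which is why the capture shows `ack 1` where the decoder reports the raw value.

```python
"""Decode the IPv4 and TCP headers in a `tcpdump hex` dump and rebuild
tcpdump's summary line. Added example for this page, not Cyberoam's code."""
import struct
from typing import Dict, List

# The first three frames of the `tcpdump hex "port 23"` capture above.
PKT_SYNACK = """
0x0000: 4500 0034 0000 4000 4006 0570 0a78 1001
0x0010: 0a78 1064 0017 e7f8 10a3 cf4e a753 1af0
0x0020: 8012 16d0 9898 0000 0204 05b4 0101 0402
0x0030: 0103 0306
"""
PKT_ACK = """
0x0000: 4500 0028 535b 4000 4006 b220 0a78 1064
0x0010: 0a78 1001 e7f8 0017 a753 1af0 10a3 cf4f
0x0020: 5010 1000 e039 0000 0000 0000 0000
"""
PKT_PSH = """
0x0000: 4500 002b 535d 4000 4006 b21b 0a78 1064
0x0010: 0a78 1001 e7f8 0017 a753 1af0 10a3 cf4f
0x0020: 5018 1000 dd30 0000 fffd 0300 0000
"""


def hex_dump_to_bytes(dump: str) -> bytes:
    """Drop the 0xNNNN: offsets and join the hex words into raw bytes."""
    words: List[str] = []
    for line in dump.strip().splitlines():
        words.extend(line.partition(":")[2].split())
    return bytes.fromhex("".join(words))


def ip_checksum_ok(header: bytes) -> bool:
    """RFC 791: the one's-complement sum of all 16-bit header words,
    checksum field included, is 0xFFFF when the header is intact."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def tcp_flags_str(flags: int) -> str:
    """tcpdump's flag letters, in tcpdump's order ('.' means ACK)."""
    bits = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
            (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]
    return "".join(ch for bit, ch in bits if flags & bit) or "none"


def tcp_options_str(opts: bytes) -> str:
    """Decode the common TCP options in tcpdump's notation."""
    out: List[str] = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            out.append("eol")
            break
        if kind == 1:                       # one-byte no-op padding
            out.append("nop")
            i += 1
            continue
        length = max(opts[i + 1], 2)        # a length of 0/1 would loop forever
        body = opts[i + 2:i + length]
        if kind == 2:
            out.append("mss %d" % struct.unpack("!H", body)[0])
        elif kind == 3:
            out.append("wscale %d" % body[0])
        elif kind == 4:
            out.append("sackOK")
        else:
            out.append("opt-%d" % kind)
        i += length
    return ",".join(out)


def decode_tcp_packet(raw: bytes) -> Dict[str, object]:
    """Parse one IPv4/TCP packet. Lengths come from the headers, so the
    zero words of Ethernet padding at the end of short dumps are ignored."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    tcp = raw[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4
    return {
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "ttl": raw[8], "ip_checksum_ok": ip_checksum_ok(raw[:ihl]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
        "flags": tcp_flags_str(off_flags & 0x01FF),
        "options": tcp_options_str(tcp[20:doff]),
        "payload": tcp[doff:], "length": len(tcp) - doff,
    }


def tcpdump_summary(info: Dict[str, object]) -> str:
    """Summary line in the form used above: seq on SYN/FIN, ack when ACK is set."""
    flags = str(info["flags"])
    s = "IP %s.%d > %s.%d: Flags [%s]" % (
        info["src"], info["sport"], info["dst"], info["dport"], flags)
    if "S" in flags or "F" in flags:
        s += ", seq %d" % info["seq"]
    if "." in flags:
        s += ", ack %d" % info["ack"]
    s += ", win %d" % info["win"]
    if info["options"]:
        s += ", options [%s]" % info["options"]
    return s + ", length %d" % info["length"]


if __name__ == "__main__":
    for dump in (PKT_SYNACK, PKT_ACK, PKT_PSH):
        info = decode_tcp_packet(hex_dump_to_bytes(dump))
        print(tcpdump_summary(info), "| IP checksum ok:", info["ip_checksum_ok"])
```

Running it prints one rebuilt summary per frame; the first matches the SYN-ACK line in the capture word for word. The checksum check is worth keeping: a header that fails it in a capture taken on the appliance points at corruption on the wire or a bad driver, and is one of the few things the text summary cannot tell you.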