What command can I use to debug network-layer communication?

e.g. the command diagnose debug application......

How do I debug the network-layer routing side of a communication, or how do I confirm whether a packet has actually been sent out from the device?

滕寄坤 - former Fortinet reseller engineer

Upvoted by: jony

The attachment has the sniffer capture commands; that only shows you the packets. To see how a packet is processed, use debug flow; the commands are as follows:
FGT# diag debug enable
FGT# diag debug flow show console enable
FGT# diag debug flow filter add 10.160.0.10
FGT# diag debug flow trace start 100

jony - XDF_ShiJie

Thank you very much

jony - XDF_ShiJie

Everything I capture is in the outbound direction, with no packets coming back. Is my filter set up wrong, or is the remote end really not replying at all?

FW-2 # diag debug enable

FW-2 # diag debug flow show console enable
show trace messages on console

FW-2 # diag debug flow filter add 110.0.130.254

FW-2 # diag debug flow trace start 10

FW-2 #
FW-2 # id=0 trace_id=21 msg="vd-root received a packet(proto=1, 101.0.130.1:9984->110.0.130.254:8) from local."
id=0 trace_id=21 msg="allocate a new session-00071951"
id=0 trace_id=21 msg="enter IPsec interface-to-srx"
id=0 trace_id=21 msg="send to 60.0.130.50 via intf-port1"
id=0 trace_id=22 msg="vd-root received a packet(proto=1, 101.0.130.1:9984->110.0.130.254:8) from local."
id=0 trace_id=22 msg="Find an existing session, id-00071951, original direction"
id=0 trace_id=22 msg="enter IPsec interface-to-srx"
id=0 trace_id=22 msg="send to 60.0.130.50 via intf-port1"
id=0 trace_id=23 msg="vd-root received a packet(proto=1, 101.0.130.1:9984->110.0.130.254:8) from local."
id=0 trace_id=23 msg="Find an existing session, id-00071951, original direction"
id=0 trace_id=23 msg="enter IPsec interface-to-srx"
id=0 trace_id=23 msg="send to 60.0.130.50 via intf-port1"
id=0 trace_id=24 msg="vd-root received a packet(proto=1, 101.0.130.1:9984->110.0.130.254:8) from local."
id=0 trace_id=24 msg="Find an existing session, id-00071951, original direction"
id=0 trace_id=24 msg="enter IPsec interface-to-srx"
id=0 trace_id=24 msg="send to 60.0.130.50 via intf-port1"
id=0 trace_id=25 msg="vd-root received a packet(proto=1, 101.0.130.1:9984->110.0.130.254:8) from local."
id=0 trace_id=25 msg="Find an existing session, id-00071951, original direction"
id=0 trace_id=25 msg="enter IPsec interface-to-srx"
id=0 trace_id=25 msg="send to 60.0.130.50 via intf-port1"
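As an added example (not code from the answer above, from jony, or from Fortinet), here is a short Python script that reads `diag debug flow` output like the trace above and answers the question per session: how many original-direction packets went out and where to, whether any reply-direction packets came back, and whether the FortiGate itself dropped anything. The sample input repeats the trace from the post plus two constructed entries, a reply-direction packet and a forward-policy drop, so all three outcomes appear; those two sessions, their addresses and interface names are made up for illustration.

```python
"""Summarise FortiGate `diag debug flow` trace output by session.

Added example. The trace entries for session 00071951 are the ones from the
post above; sessions 00071960 and 00071970 are constructed to show a healthy
two-way flow and a local policy drop.
"""
import re
from collections import OrderedDict

TRACE_RE = re.compile(r'trace_id=(\d+)\s+msg="(.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')
NEW_SESSION_RE = re.compile(r'allocate a new session-(\d+)')
EXISTING_SESSION_RE = re.compile(r'Find an existing session, id-(\d+), (original|reply) direction')
SEND_RE = re.compile(r'send to (\S+) via (\S+)')
DROP_RE = re.compile(r'Denied by|drop', re.IGNORECASE)


def parse_packets(text):
    """One record per trace_id (one packet): what it was and what happened to it."""
    packets = OrderedDict()
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue  # prompts, comments, blank lines
        tid, msg = m.groups()
        pkt = packets.setdefault(tid, {"flow": None, "session": None, "direction": None,
                                       "sent_via": None, "dropped": None})
        if (p := PKT_RE.search(msg)):
            pkt["flow"] = (int(p.group(1)), p.group(2), p.group(3), p.group(4))
        elif (s := NEW_SESSION_RE.search(msg)):
            pkt["session"], pkt["direction"] = s.group(1), "original"
        elif (s := EXISTING_SESSION_RE.search(msg)):
            pkt["session"], pkt["direction"] = s.group(1), s.group(2)
        elif (s := SEND_RE.search(msg)):
            pkt["sent_via"] = (s.group(1), s.group(2))  # next hop, egress interface
        elif DROP_RE.search(msg):
            pkt["dropped"] = msg
    return packets


def summarise_sessions(packets):
    """Fold per-packet records into per-session counters."""
    sessions = OrderedDict()
    for pkt in packets.values():
        sid = pkt["session"] or "no-session"  # dropped before a session was allocated
        s = sessions.setdefault(sid, {"original": 0, "reply": 0, "dropped": 0, "egress": set()})
        if pkt["direction"]:
            s[pkt["direction"]] += 1
        if pkt["dropped"]:
            s["dropped"] += 1
        if pkt["sent_via"]:
            s["egress"].add(pkt["sent_via"])
    return sessions


def verdict(sid, s):
    """Plain-language reading of one session's counters."""
    if s["dropped"] and not s["egress"]:
        return f"session {sid}: {s['dropped']} packet(s) dropped locally; fix policy/route on this box"
    if s["original"] and not s["reply"]:
        via = ", ".join(f"{nh} via {intf}" for nh, intf in sorted(s["egress"]))
        return (f"session {sid}: {s['original']} original-direction packet(s) sent ({via}), "
                "no reply-direction packet seen; the far end or the path is not answering")
    return f"session {sid}: {s['original']} original / {s['reply']} reply packet(s); two-way traffic OK"


SAMPLE = """\
id=0 trace_id=21 msg="vd-root received a packet(proto=1, 101.0.130.1:9984->110.0.130.254:8) from local."
id=0 trace_id=21 msg="allocate a new session-00071951"
id=0 trace_id=21 msg="enter IPsec interface-to-srx"
id=0 trace_id=21 msg="send to 60.0.130.50 via intf-port1"
id=0 trace_id=22 msg="vd-root received a packet(proto=1, 101.0.130.1:9984->110.0.130.254:8) from local."
id=0 trace_id=22 msg="Find an existing session, id-00071951, original direction"
id=0 trace_id=22 msg="enter IPsec interface-to-srx"
id=0 trace_id=22 msg="send to 60.0.130.50 via intf-port1"
# constructed: a session whose reply came back through the tunnel
id=0 trace_id=30 msg="vd-root received a packet(proto=1, 101.0.130.1:1234->110.0.130.254:8) from local."
id=0 trace_id=30 msg="allocate a new session-00071960"
id=0 trace_id=30 msg="send to 60.0.130.50 via intf-port1"
id=0 trace_id=31 msg="vd-root received a packet(proto=1, 110.0.130.254:1234->101.0.130.1:0) from interface-to-srx."
id=0 trace_id=31 msg="Find an existing session, id-00071960, reply direction"
id=0 trace_id=31 msg="send to 101.0.130.1 via port2"
# constructed: a packet the FortiGate itself refused
id=0 trace_id=40 msg="vd-root received a packet(proto=1, 192.0.2.10:5555->110.0.130.254:8) from port2."
id=0 trace_id=40 msg="allocate a new session-00071970"
id=0 trace_id=40 msg="Denied by forward policy check (policy 0)"
"""

if __name__ == "__main__":
    for sid, s in summarise_sessions(parse_packets(SAMPLE)).items():
        print(verdict(sid, s))
```

Read against the trace in the post: session 00071951 has only original-direction packets, each handed to 60.0.130.50 via intf-port1, so the FortiGate did its part and the filter is fine; the missing replies have to be looked for on the path or the far end, which is exactly what capturing on the SRX later confirmed. To prove the packet reached the wire as well, run the sniffer on the egress side in parallel, e.g. `diag sniffer packet any 'host 110.0.130.254 and icmp' 4`.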

jony - XDF_ShiJie

Found the cause. Debugging and capturing on the remote SRX firewall showed that the remote untrust-to-trust policy is deny, so the ICMP packets from the FortiGate to the remote end were being dropped. After adjusting the policy, ping from the FortiGate to the remote end works.

For the ping test from the FortiGate to the SRX, the packets can be captured on the SRX; the policy is deny and the packets are dropped. Because the firewall is session-based, this is a new session, so a new session is created, then the policy lookup finds that untrust to trust is deny, so the ping initiated from the remote end towards the SRX is rejected.

The ping from the SRX to the FortiGate passes because trust to untrust is permit; when the return packet from the remote end arrives at the SRX, it first matches the session, so the ICMP exchange can complete.


Aug 13 11:09:23 11:09:23.157458:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone trust (0x0,0x2800,0x2800)
Aug 13 11:09:23 11:09:23.157458:CID-0:RT:Policy lkup: vsys 0 zone(7:untrust) -> zone(6:trust) scope:0
Aug 13 11:09:23 11:09:23.157458:CID-0:RT: 101.0.130.1/2048 -> 110.0.130.254/35687 proto 1
Aug 13 11:09:23 11:09:23.157458:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Aug 13 11:09:23 11:09:23.157458:CID-0:RT: packet dropped, denied by policy
Aug 13 11:09:23 11:09:23.157458:CID-0:RT: denied by policy default-deny(6), dropping pkt
Aug 13 11:09:23 11:09:23.157458:CID-0:RT: packet dropped, policy deny.
Aug 13 11:09:23 11:09:23.157458:CID-0:RT: flow find session returns error.
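The asymmetry jony describes (ping works from the SRX side but not from the FortiGate side, with the same untrust-to-trust deny in place) is a property of session-based inspection, and a few lines of Python make it concrete. This is an added example, not Junos code or anything from the post: it models only two rules, that the first packet of a flow goes through a zone-pair policy lookup that defaults to deny, and that a later packet matching an existing session in either direction is forwarded without consulting policy. The zone names, the two /24 prefixes and the policy tables are assumptions chosen to line up with the SRX trace above.

```python
"""Toy stateful firewall: why ping succeeds trust->untrust but fails
untrust->trust when only the trust->untrust policy permits.

Added example, not Junos code. Zones, prefixes and policies are assumed
to match the trace in the post (101.0.130.1 in untrust, 110.0.130.254 in trust).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


class StatefulFirewall:
    """First packet of a flow: zone-pair policy lookup, default-deny.
    Packets matching an existing session (either direction) skip the lookup."""

    def __init__(self, zones, policies):
        self.zones = zones          # zone name -> ip_network
        self.policies = policies    # (from_zone, to_zone) -> "permit" | "deny"
        self.sessions = {}          # (src, dst, proto) -> session id
        self.trace = []             # decisions, in the spirit of the RT lines above

    def zone_of(self, ip):
        addr = ip_address(ip)
        for name, net in self.zones.items():
            if addr in net:
                return name
        return "unknown"

    def process(self, pkt):
        key = (pkt.src, pkt.dst, pkt.proto)
        rev = (pkt.dst, pkt.src, pkt.proto)
        if key in self.sessions:
            self.trace.append(f"session {self.sessions[key]} original direction: forward")
            return "forward"
        if rev in self.sessions:
            # reply direction: the session match decides, policy is not consulted
            self.trace.append(f"session {self.sessions[rev]} reply direction: forward")
            return "forward"
        pair = (self.zone_of(pkt.src), self.zone_of(pkt.dst))
        action = self.policies.get(pair, "deny")  # no matching policy -> default-deny
        self.trace.append(f"policy search {pair[0]}->{pair[1]}: {action}")
        if action != "permit":
            return "drop"
        self.sessions[key] = len(self.sessions) + 1
        return "forward"


def ping(fw, src, dst):
    """ICMP echo one way and the echo reply back; True only if both are forwarded."""
    if fw.process(Packet(src, dst, 1)) != "forward":
        return False
    return fw.process(Packet(dst, src, 1)) == "forward"


# Assumed topology: the FortiGate side is the SRX's untrust zone, the SRX side is trust.
ZONES = {"untrust": ip_network("101.0.130.0/24"), "trust": ip_network("110.0.130.0/24")}
POLICIES_BEFORE = {("trust", "untrust"): "permit"}                    # untrust->trust absent
POLICIES_AFTER = {**POLICIES_BEFORE, ("untrust", "trust"): "permit"}  # the fix jony applied


def run_ping(policies, src, dst):
    """Fresh firewall (empty session table) per scenario so one scenario's
    session cannot carry another; returns (ping_ok, decision trace)."""
    fw = StatefulFirewall(ZONES, policies)
    return ping(fw, src, dst), fw.trace


if __name__ == "__main__":
    for label, pol, src, dst in [
        ("FGT -> SRX before fix", POLICIES_BEFORE, "101.0.130.1", "110.0.130.254"),
        ("SRX -> FGT before fix", POLICIES_BEFORE, "110.0.130.254", "101.0.130.1"),
        ("FGT -> SRX after fix", POLICIES_AFTER, "101.0.130.1", "110.0.130.254"),
    ]:
        ok, trace = run_ping(pol, src, dst)
        print(f"{label}: {'ping OK' if ok else 'ping FAILS'}; " + "; ".join(trace))
```

One practical consequence of the session rule: while a session opened from the trust side is still alive (the trace shows a 60 s ageout), an echo from the untrust side that matches it in reverse will be forwarded too, so an untrust-to-trust ping can appear to work briefly right after a trust-to-untrust ping. Test each direction with an empty session table, or wait out the ageout, before concluding a policy permits it.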
