Debugging ScreenOS on Juniper Netscreen get debug - to check if there are any debugs currently running.

get debug flow : basic This tells that there is a scape key. flow basic debug already running. To turn it off press e

All debug off clear dbuf - Which clears the buffer of debug information. set ff src-ip 192.168.1.10 get ff Flow filter based on: id:0 src ip 195.232.226.225 id:1 src ip 195.232.226.226 id:2 src ip 192.168.1.10 You can see that a get ff will display for the flow filter you have created. Note that you have many entries in the flow filter. netscreen(M)-> set ff ? dst-ip flow filter dst ip dst-port flow filter dst port ip-proto flow filter ip proto src-ip flow filter src ip src-port flow filter src port If you need to the clear the filter .. netscreen(M)-> unset ff netscreen(M)-> get ff Flow filter based on: id:0 src ip 195.232.226.226 id:1 src ip 192.168.1.10 netscreen(M)-> unset ff netscreen(M)-> get ff Flow filter based on: id:0 src ip 192.168.1.10 netscreen(M)-> debug flow basic netscreen(M)-> get debug flow: basic netscreen(M)-> get db str 76:192.168.1.2/8411->192.168.200.25/1c36,6,40 ****** 93412.0: packet received [40]****** ipid = 50294(c476), @e00c6918 packet passed sanity check. flow packet already have session. flow session id 286622 vsd 0 is active flow_tcp_fin_vector() post addr xlation: 10.33.248.81->10.102.151.20. update policy out counter info. packet send out to 00000c07ac1f through ethernet 2/1

**st: e00fd118: c477:192.168.1.2/8417->192.168.200.25/1c36,6,40 ****** 93412.0: packet received [40]****** ipid = 50295(c477), @e00fd118 packet passed sanity check. flow packet already have session. flow session id 286652 vsd 0 is active Got ack, 192.168.1.2(33815)->192.168.200.25(7222), natpflag 0200400, nspflag 01801 , 01800, timeout=900 transfer packet to hardware. **st: e00cd118: c49a:192.168.1.2/8417->192.168.200.25/1c36,6,40 ****** 93412.0: packet received [40]****** ipid = 50330(c49a), @e00cd118 packet passed sanity check. flow packet already have session. flow session id 286652 vsd 0 is active flow_tcp_fin_vector() post addr xlation: 10.33.248.81->10.102.151.20. update policy out counter info. packet send out to 00000c07ac1f through ethernet 2/1 **st: e009f918: c49d:192.168.1.2/8417->192.168.200.25/1c36,6,40 Understanding ff (Flow Filter) statements ordering

The following set of flow filters are applied as any. That is, if ANY packet mat ches ANY of of the flow filters then that packet will be matched. netscreen(M)-> get ff Flow filter based on: id:0 src ip 192.168.100.1 id:1 src ip 192.168.100.2 id:2 src ip 192.168.1.10 netscreen(M)-> So this ruleset will match any IP packets with a source address of 192.168.100.1 , 192.168.100.2 and 192.168.1. This is mostly a problem when you make the mistak e of netscreen(M)-> set ff dst-ip 192.168.1.10 filter added netscreen(M)-> set ff dst-port 80 filter added netscreen(M)-> get ff Flow filter based on: id:0 dst ip 192.168.1.10 id:1 dst port 80 netscreen(M)-> this will show you every packet, from any IP on port 80 PLUS any packets 192.168 .1.10. The correct method netscreen(M)-> set ff dst-ip 192.168.1.10 ? dst-port flow filter dst port ip-proto flow filter ip proto src-port flow filter src port netscreen(M)-> set ff dst-ip 192.168.1.10 dst-port 80 filter added netscreen(M)-> This will correctly match packets with a destination of 192.168.1.10 on port 80. Virtual Systems Remember that you cannot do debugging from within a virtual system. You must be in the root vsys to be able to run a debug commands.