Fortigate防火墙抓包命令

Fortigate防火墙抓包命令在Fortigate防火墙上Troubleshooting，绝大多数情况下，用好DiagnoseSniffer和Diagnosedebug这两个命令就能解决很多问题。一般来说，Troubleshooting时，先用Sniffer命令查看数据包到底有没有到达防火墙，然后用Debug命令来查看数据包达到防火墙后是怎样的处理流程。Sniffer命令格式：Fortigate#diagnosesnifferpacketinterface-name'filter'举例：抓包IP地址10.2.22.21与202.103.24.68之间所有的DNS通信FG200D3915807028#diagnosesnifferpacketany'port53andhost10.2.22.21and202.103.24.68'输出结果示例：interfaces=[any]filters=[port53andhost10.2.22.21and202.103.24.68]23.01556310.2.22.21.53751-202.103.24.68.53:udp4823.043507202.103.24.68.53-10.2.22.21.53751:udp6423.04474310.2.22.21.53752-202.103.24.68.53:udp48Sniffer命令支持几种不同详尽程度的输出方式，在输入完抓包命令之后打个问号可以显示输出详尽程度的选项FG200D3915807028#diagnosesnifferpacketany'port53andhost10.2.22.21and202.103.24.68'?verbose1:printheaderofpackets2:printheaderanddatafromipofpackets3:printheaderanddatafromethernetofpackets(ifavailable)4:printheaderofpacketswithinterfacename5:printheaderanddatafromipofpacketswithinterfacename6:printheaderanddatafromethernetofpackets(ifavailable)withintfname或者直接在抓包命令后加个“空格+数字1-6，例如FG200D3915807028#diagnosesnifferpacketany'port53andhost10.2.22.21and202.103.24.68'6输出的结果示例如下：interfaces=[any]filters=[port53andhost10.2.22.21and202.103.24.68]21.327456OA-Zonein10.2.22.21.61158-202.103.24.68.53:udp470x000000000000000118c58a1b3cdc08004500.............E.0x0010004b05d000007f1133100a021615ca67.K......3......g0x00201844eee600350037daef000301000001.D...5.7........0x00300000000000000377777704736f687503.......[..@.;...g.D..0x002016150035eee6004782d7000381800001...5...G........0x00300001000000000377777704736f687503.......:udp900x0000000000000000906cac02557908004500.......l..Uy..E.0x00100076000040003b113cb5ca6718440a02.v..@.;...g.D..0x002016150035eee70062f73e000481800001...5...b.......0x00300000000100000377777704736f687503.......命令用于观察防火墙对数据流的处理，可以得知该数据流被处理后的结果，在命令行下输入一下命令，开启对数据流的监控，然后在客户端上模拟产生触发条件的流量，再返回FortiGate终端查看输出结果。Fortigate#diagnosedebugenable#开启Debug功能Fortigate#diagnosedebugflowshowconsoleenableshowtracemessagesonconsole#将Debug信息输出到终端Fortigate#diagnosedebugflowfilterfilter#设置过滤条件Fortigate#diagnosedebugflowtracestart20#抓取数据包的数量举例抓取客户端地址10.2.22.21使用DNS服务器202.103.24.68做DNS解析时防火墙的数据包处理过程：FG200D3915807028#diagnosedebugenableFG200D3915807028#diagnosedebugflowshowconsoleenableshowtracemessagesonconsoleFG200D3915807028#diagnosedebugflowfilterport53FG200D3915807028#diagnosedebugflowfiltersaddr10.2.22.21FG200D3915807028#diagnosedebugflowfilterdaddr202.103.24.68FG200D3915807028#diagnosedebugflowtracestart10模拟产生流量后，输出结果如下：FG200D3915807028#id=20085trace_id=1func=print_pkt_detailline=4378msg=vd-rootreceivedapacket(proto=17,10.2.22.21:65401-202.103.24.68:53)fromOA-Zone.id=20085trace_id=1func=init_ip_session_commonline=4527msg=allocateanewsession-006eacf3id=20085trace_id=1func=vf_ip4_route_inputline=1596msg=findaroute:flags=00000000gw-**.**.**.yx,viawan2id=20085trace_id=1func=fw_forward_handlerline=670msg=AllowedbyPolicy-26:SNATid=20085trace_id=1func=__ip_session_run_tupleline=2523msg=SNAT10.2.22.21-**.**.**.yy:65401id=20085trace_id=1func=__ip_session_run_tupleline=2574msg=runhelper-dns-udp(dir=original)其他常用Troubleshooting命令diagnoseiprtcachelist//调试ip包收发情况showrouterpolicygetrouterinforoutingtableall//查看路由表（生效的路由表）executeping-optionssource192.168.1.1----带源pinggetrouterinfokernel//查看fib表diagipaddresslist//查看ip地址列表diagiparplist//查看ARP表getrouterinfoprotocols//查看协议状况