Netscreen Session Analyzer


  • Engineer

    Hey guys,

    I wanted to allow some of you the opportunity to test a program I created I call NSSA (Netscreen Session Analyzer)

    I wrote NSSA because at the time all I had to analyze my session tables were JTAC’s perl scripts. While useful, they tend to be slow and a bit of a hassle. I designed this program to be fast and portable. It is written completely in python and requires nothing other than what is in the .rar file.

    Please try it out and let me know what you think. This is early beta but all core functions work just fine. NSSA does everything Juniper’s scripts do & more.

    This file is clean, there are no trojans or anything of the sort. NSSA requires no connection to the internet.

    To download the file please click here: http://performanceclassifieds.net/NSSA.zip

    Again, please let me know what you think. I appreciate your input. Source available upon request (as long as you don’t rip off my code)

    Tim



  • it is really helpful for us to analyse the session of firewall.



  • Hi Tim,

    I am a bit curious, does the tool work properly on old ScreenOS like 5.0.0r9? I’ve been trying to use the os task but the output was always blank; the session analyser works well though. Not sure if the os task I got is the same as with newer ScreenOS versions. I currently have encountered high CPU with low session usage. Thanks a lot.

    the os task sample:
    Interrupt: 775119040/413277608
    ID     Task Name     State               Stack            Scheduled     Run Time
    1  100ms timer     BLOCK (Suspend)      40001fb0/02000  453474377   63352.933
    2  1s timer        BLOCK (Suspend)      40021fb0/02000   48475752   19419.443
    3  10s timer       BLOCK (Suspend)      40041fb0/02000    5021265     350.106
    4  1s stimer       BLOCK (Semaphore)    40061fa8/02000   95151122   86200.918
    5  10s stimer      BLOCK (Mail)         40081fb8/02000    4761310     282.561
    6  min stimer      BLOCK (Mail)         400a1fb8/02000     793552    1937.418


  • Engineer

    @bongo:

    Hi Tim,

    Very useful. Thank you very much!

    BR

    Thanks for the words of encouragement! I appreciate it



  • Hi Tim,

    Very useful. Thank you very much!

    BR


  • Engineer

    @jhrbek:

    Tim,

    Any chance you could make the source available?  This is a great application you’ve created.

    -j

    I have given out the source when requested if someone wants to make improvements or fix bugs. I’m hesitant to post it publicly though. Feel free to email me requesting it, xmin0s <(at)> gmail <(Dot)> com



  • Tim,

    Any chance you could make the source available?  This is a great application you’ve created.

    -j



  • I like…  :evil:


  • Engineer

    I’ve updated NSSA with the Windows 7 bug fix. I’ve also included a sneak peek, semi-working new plugin.

    I incorporated my counter analyzer (that I’ve been working on lately) into NSSA. It’s via the plugins drop down menu. It’s worth mentioning that at the moment this doesn’t appear to work on lower end firewalls (NS50-208).

    This will take the output of two get clocks and the counters and do a bit of math on them, telling you how many packets per second passed through the firewall or megabits per second (depending on the counter type).

    This would hopefully help us better understand WHERE the traffic is coming from as well as more details on what kind of traffic it is when it’s at abnormal levels real time. It will also tell you if say we receive a large number of errors, over/under runs, etc…

    Give it a try, let me know if you encounter any bugs/issues. Thanks guys!

    Here is the format that it needs to be collected:

    set console page 0
    get clock
    get counter stat
    get counter flow
    get clock
    get counter stat
    get counter flow
    unset console page

    Note: it will work without doing a set console page 0, but then the time/math may be slightly off as you have to type them in manually.

    Here is a chopped down example to show you what kind of data is gathered:

    -Hardware Stat/Flow Report-

    STAT HARDWARE COUNTERS:

      ethernet4/1 in bytes  39799350 (17.69/Megs Sec)
      ethernet4/1 out bytes  41303290 (18.36/Megs Sec)
      ethernet4/1 in packets  535963 (29775.72/Sec)
      ethernet4/1 out packets  554120 (30784.44/Sec)
      ethernet4/2 in bytes  73759600 (32.78/Megs Sec)
      ethernet4/2 in packets  568698 (31594.33/Sec)
      ethernet4/3 in bytes  720 (0.0/Megs Sec)
      ethernet4/3 in packets  10 (0.56/Sec)

    STAT FLOW COUNTERS: 
      ethernet4/1 in bytes  571133 (0.25/Megs Sec)
      ethernet4/1 out bytes  147431 (0.07/Megs Sec)
      ethernet4/1 in vlan  4856 (269.78/Sec)
      ethernet4/1 out vlan  1230 (68.33/Sec)
      ethernet4/1 in permit  236069 (13114.94/Sec)
      ethernet4/1 out permit  179312 (9961.78/Sec)
      ethernet4/1 in icmp  2256 (125.33/Sec)
      ethernet4/1 connections  690 (38.33/Sec)
      ethernet4/1 unknown pak  9 (0.5/Sec)
      ethernet4/2 in bytes  71069977 (31.59/Megs Sec)
      ethernet4/2 in vlan  568757 (31597.61/Sec)
      ethernet4/2 unknown pak  9 (0.5/Sec)
      ethernet4/3 in vlan  10 (0.56/Sec)
      ethernet4/3 unknown pak  10 (0.56/Sec)

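    The math the plugin describes, as an added illustration that is not NSSA’s own code: two captures taken some seconds apart, the cumulative counters differenced, bytes turned into megabits per second and packets into packets per second. The capture text below is constructed sample data in a simplified format, not the exact ScreenOS “get clock”/“get counter stat” layout; the parse_snapshot and counter_rates functions are assumed names.

```python
import re
from datetime import datetime

# Constructed sample captures, 18 seconds apart, in a simplified format
# (not the exact ScreenOS "get clock"/"get counter stat" layout). Firewall
# counters are cumulative, so the second capture holds larger values.
SNAPSHOT_A = """Date 12/01/2009 10:15:00
ethernet4/1 in bytes 1000000
ethernet4/1 in packets 5000
ethernet4/1 out bytes 2000000"""
SNAPSHOT_B = """Date 12/01/2009 10:15:18
ethernet4/1 in bytes 40799350
ethernet4/1 in packets 540963
ethernet4/1 out bytes 43303290"""

CLOCK_RE = re.compile(r"^Date (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)")
COUNTER_RE = re.compile(r"^(\S+) (in|out) (bytes|packets) (\d+)$")


def parse_snapshot(text):
    """Return (timestamp, {(iface, direction, kind): value}) for one capture."""
    ts, counters = None, {}
    for line in text.splitlines():
        line = line.strip()
        if m := CLOCK_RE.match(line):
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        elif m := COUNTER_RE.match(line):
            iface, direction, kind, value = m.groups()
            counters[(iface, direction, kind)] = int(value)
    if ts is None:
        raise ValueError("capture has no clock line")
    return ts, counters


def counter_rates(first, second):
    """Per-key (delta, rate, unit): bytes as megabits/sec, packets as packets/sec."""
    t0, c0 = parse_snapshot(first)
    t1, c1 = parse_snapshot(second)
    seconds = (t1 - t0).total_seconds()
    if seconds <= 0:
        raise ValueError("second capture must be later than the first")
    rates = {}
    for key, after in c1.items():
        before = c0.get(key)
        if before is None or after < before:  # absent, or counter reset/wrapped
            continue
        delta = after - before
        mbit = key[2] == "bytes"
        rate = delta * 8 / 1_000_000 / seconds if mbit else delta / seconds
        rates[key] = (delta, round(rate, 2), "Megs Sec" if mbit else "Sec")
    return rates
```

    With these constructed inputs the deltas and rates reproduce the ethernet4/1 lines of the report above (39799350 bytes at 17.69 Megs/Sec, 535963 packets at 29775.72/Sec).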

  • Engineer

    Just out of curiosity, do you have an open source version of this?  My guess is probably not, but I just thought I’d ask.


  • Engineer

    @rudolf.achter:

    Hello Mister Eberhard,

    I am an enthusiastic user of your Netscreen Session Analyzer Tool. It is a very fast and handy analyzing tool for Netscreen Session Dumps. Unfortunately the program crashes during startup on Windows 7. Is there any Windows 7 compatible version, or can I get the Python source code to get it running under Windows 7 myself?

    Rudolf,

    Thanks again for your help in troubleshooting this.

    For all you windows 7 users Rudolf has helped me resolve the issue that kept NSSA from running on windows 7. The fix for your existing installation is to download the following DLL and install it in the NSSA directory.

    http://www.dll-files.com/dllindex/dll-files.shtml?msvcp71

    I will update the package in the next few days to include this DLL by default so no one else runs into this issue.

    Thanks all,
    -Tim Eberhard



  • Hello Mister Eberhard,

    I am an enthusiastic user of your Netscreen Session Analyzer Tool. It is a very fast and handy analyzing tool for Netscreen Session Dumps. Unfortunately the program crashes during startup on Windows 7. Is there any Windows 7 compatible version, or can I get the Python source code to get it running under Windows 7 myself?



  • Hey Joeff thanks for the reply this looks like a nice application!



    Thanks Tim. I’ve found a great tool called fwanalyzer. You probably already know about it, but it was completely new to me. Excellent to graphically analyze all the traffic that’s going through the Netscreens.

    But back on topic… I will definitely keep Session analyzer handy!


  • Engineer

    So policy counters and or interface counters may help…

    Honestly to view who is hogging the bandwidth (without a sniffer/netflow device in path) I would simply dump the session table and watch for people using P2P or other bandwidth hogging apps. In some cases http (youtube, myspace…etc)

    There is a good program out there if you have a server you can put in line called Ntop. Again…all of these are second to a good sniffer to find out who is really misusing the network.

    Good luck on your problems Jeoff, you’ll track them down 🙂

    Tim Eberhard



  • Thanks for this tool. It’s already helping us out here. But do I understand it right if there’s not really a tool out there yet that can give me an easy report of the basic flow of a netscreen?

    We need to find out which IP is hogging our bandwidth, and it’s hard to figure that out by manually browsing the basic flow. I think we can’t really tell by whoever has the most sessions, because that doesn’t tell us who is using all the bandwidth.

    Can this be done using another reporting tool?



  • Debug tag info only applies to NetScreen platforms with ASICs. That means the NS5000 series and ISGs only. Basically the debug shows what packets are being sent to CPU and is useful for high CPU troubleshooting on ASIC platforms.

    So on a non-asic platform, debug tag info is useless since ALL traffic goes to CPU anyway.


  • Engineer

    to view the output of debug tag info you will need to issue the following command:

    “get db stream”



    I called up Juniper and they didn’t even know what “Debug Tag Info” does, so I had to escalate the case. When I try typing the command I let it run for a minute or two and nothing even shows up. What should I expect after typing the command?



    I don’t have console access to the firewall, it’s remote. Will I run into issues if I try “Debug Info Tag” with SSH instead of console?

