抓包数据分析,tcp及udp状态分析

ICMP (proto 1).

Note: There are no states for ICMP. It always shows proto_state=00.

TCP (proto 6)

UDP (proto 17)

SCTP (proto 132)

State

bash 复制代码
To display the session table:
diagnose sys session list
To set up a session filter:
diagnose sys session filter <options>
clear       clear session filter
dport       dest port
dst         dest ip address
duration    duration
expire      expire
negate      inverse filter
policy      policy id
proto       protocol number
sport       source port
src         source ip address
vd          index of virtual domain. -1 matches all
Starting with FortiOS versions 7.2.x and above, more filters will be visible:
di sys session filter ?    <- Use '?' after 'filter' in this command to list all filter options.
vd               Index of virtual domain. -1 matches all.
vd-name          Name of virtual domain. -1 or "any" matches all.
sintf            Source interface.
dintf            Destination interface.
src              Source IP address.
nsrc             NAT'd source ip address
dst              Destination IP address.
proto            Protocol number.
sport            Source port.
nport            NAT'd source port
dport            Destination port.
policy           Policy ID.
expire           expire
duration         duration
proto-state      Protocol state.
session-state1   Session state1.
session-state2   Session state2.
ext-src          Add a source address to the extended match list.
ext-dst          Add a destination address to the extended match list.
ext-src-negate   Add a source address to the negated extended match list.
ext-dst-negate   Add a destination address to the negated extended match list.
clear            Clear session filter.
negate           Inverse filter.

TCP,状态ESTABLISHED

bash 复制代码
Example of session table entry:

session info: proto=6 proto_state=01 duration=142250 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=rsh vlan_cos=255/255
state=local
statistic(bytes/packets/allow_err): org=9376719/61304/1 reply=3930213/32743/1 tuples=2
tx speed(Bps/kbps): 65/0 rx speed(Bps/kbps): 27/0
orgin->sink: org out->post, reply pre->in dev=13->0/0->13 gwy=0.0.0.0/10.5.27.238
hook=out dir=org act=noop 10.5.27.238:16844->173.243.132.165:514(0.0.0.0:0)
hook=in dir=reply act=noop 173.243.132.165:514->10.5.27.238:16844(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=0161f3cf tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0

 

proto: protocol number
proto_state: state of the session (depending on protocol)
bash 复制代码
                                                                                                                                    

dev: an interface index can be obtained via 'diagnose netlink interface list':

 

if=port1 family=00 type=1 index=3 mtu=1500 link=0 master=0

 

NAT information:


hook=out dir=org act=noop 10.5.27.238:16844->173.243.132.165:514(20.30.40.50:20000)
hook=in dir=reply act=noop 173.243.132.165:514->20.30.40.50:20000(10.5.27.238:16844)

 

LEGEND: <source_IP>:<source_port>-><destination_IP>:<destination_port>(<NAT_IP>:<NAT_port>).

 

When applying SNAT, NAT information overwrites the <source_IP>:<source_port>.
When applying DNAT, NAT information overwrites the <destination_IP>:<destination_port>.
 

policy_id: policy ID, which is utilized for the traffic.
auth_info: indicates if the session holds any authentication data (1) or not (0).

vd: VDOM index can be obtained via 'diagnose sys vd list':

 

name=root/root index=0 enabled use=237 rt_num=144 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0

 

serial: unique session identifier.

tos:

The policy has tos/dscp configured to override this value on a packet.
A proxy-based feature is enabled and it is necessary to preserve the tos/dscp on packets in the flow by caching the tos/dscp on the kernel session from the original packet and then setting it on any subsequent packets that are generated by the proxy.
 

app: application ID.

url_cat: See the following table:
相关推荐
Databend14 小时前
2KB histogram 背后:Databend 如何低成本追踪长尾延迟
大数据·数据分析·agent
Aloudata技术团队17 小时前
正当红的 Context Layer 到底是什么?
数据分析
MrSYJ6 天前
TCP协议理解
后端·tcp/ip
饼干哥哥8 天前
开源Skills|搭建亚马逊动态关键词库系统,每天抓SSS级机会词
人工智能·深度学习·数据分析
倔强的石头_9 天前
企业工商数据源站点:无验证无拦截,批量获取工商数据完整方案
数据分析
hboot15 天前
AI工程师第二课 - 数据处理
人工智能·python·数据分析
王小王-12317 天前
基于 Hive 的网易云音乐数据分析及可视化系统
hive·hadoop·数据分析·音乐数据分析·网易云音乐分析·hive音乐分析·hadoop网易云
treesforest17 天前
AI安全系统如何识别异常访问?IP风险识别正在成为关键能力
网络·人工智能·tcp/ip·安全·web安全
Database_Cool_17 天前
大规模数据分析降本指南:AnalyticDB Serverless 弹性架构实战
数据仓库·阿里云·架构·数据分析·serverless
YangYang9YangYan17 天前
2026初入职场学习数据分析的价值
学习·数据挖掘·数据分析