抓包数据分析,tcp及udp状态分析

ICMP (proto 1).

Note: There are no states for ICMP. It always shows proto_state=00.

TCP (proto 6)

UDP (proto 17)

SCTP (proto 132)

State

bash 复制代码
To display the session table:
diagnose sys session list
To set up a session filter:
diagnose sys session filter <options>
clear       clear session filter
dport       dest port
dst         dest ip address
duration    duration
expire      expire
negate      inverse filter
policy      policy id
proto       protocol number
sport       source port
src         source ip address
vd          index of virtual domain. -1 matches all
Starting with FortiOS versions 7.2.x and above, more filters will be visible:
di sys session filter ?    <- Use '?' after 'filter' in this command to list all filter options.
vd               Index of virtual domain. -1 matches all.
vd-name          Name of virtual domain. -1 or "any" matches all.
sintf            Source interface.
dintf            Destination interface.
src              Source IP address.
nsrc             NAT'd source ip address
dst              Destination IP address.
proto            Protocol number.
sport            Source port.
nport            NAT'd source port
dport            Destination port.
policy           Policy ID.
expire           expire
duration         duration
proto-state      Protocol state.
session-state1   Session state1.
session-state2   Session state2.
ext-src          Add a source address to the extended match list.
ext-dst          Add a destination address to the extended match list.
ext-src-negate   Add a source address to the negated extended match list.
ext-dst-negate   Add a destination address to the negated extended match list.
clear            Clear session filter.
negate           Inverse filter.

TCP,状态ESTABLISHED

bash 复制代码
Example of session table entry:

session info: proto=6 proto_state=01 duration=142250 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=rsh vlan_cos=255/255
state=local
statistic(bytes/packets/allow_err): org=9376719/61304/1 reply=3930213/32743/1 tuples=2
tx speed(Bps/kbps): 65/0 rx speed(Bps/kbps): 27/0
orgin->sink: org out->post, reply pre->in dev=13->0/0->13 gwy=0.0.0.0/10.5.27.238
hook=out dir=org act=noop 10.5.27.238:16844->173.243.132.165:514(0.0.0.0:0)
hook=in dir=reply act=noop 173.243.132.165:514->10.5.27.238:16844(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=0161f3cf tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0

 

proto: protocol number
proto_state: state of the session (depending on protocol)
bash 复制代码
                                                                                                                                    

dev: an interface index can be obtained via 'diagnose netlink interface list':

 

if=port1 family=00 type=1 index=3 mtu=1500 link=0 master=0

 

NAT information:


hook=out dir=org act=noop 10.5.27.238:16844->173.243.132.165:514(20.30.40.50:20000)
hook=in dir=reply act=noop 173.243.132.165:514->20.30.40.50:20000(10.5.27.238:16844)

 

LEGEND: <source_IP>:<source_port>-><destination_IP>:<destination_port>(<NAT_IP>:<NAT_port>).

 

When applying SNAT, NAT information overwrites the <source_IP>:<source_port>.
When applying DNAT, NAT information overwrites the <destination_IP>:<destination_port>.
 

policy_id: policy ID, which is utilized for the traffic.
auth_info: indicates if the session holds any authentication data (1) or not (0).

vd: VDOM index can be obtained via 'diagnose sys vd list':

 

name=root/root index=0 enabled use=237 rt_num=144 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0

 

serial: unique session identifier.

tos:

The policy has tos/dscp configured to override this value on a packet.
A proxy-based feature is enabled and it is necessary to preserve the tos/dscp on packets in the flow by caching the tos/dscp on the kernel session from the original packet and then setting it on any subsequent packets that are generated by the proxy.
 

app: application ID.

url_cat: See the following table:
相关推荐
软件技术NINI1 小时前
webkit简介及工作流程
开发语言·前端·javascript·udp·ecmascript·webkit·yarn
金色光环2 小时前
FreeModbus释放底层的 TCP 监听端口
服务器·网络·tcp/ip
2401_873479406 小时前
企业安全团队如何配合公安协查?IP查询在电子取证中的技术实践
tcp/ip·安全·网络安全·php
乌托邦的逃亡者6 小时前
Linux中如何检测IP冲突
linux·运维·tcp/ip
乌托邦的逃亡者7 小时前
CentOS/Openeuler主机中,为一个网卡设置多个IP地址
linux·运维·网络·tcp/ip·centos
@CLoudbays_Martin117 小时前
UniApp是否能够接入SDK游戏盾呢?
服务器·网络·网络协议·tcp/ip·安全
AIwenIPgeolocation8 小时前
IP地址数据服务:驱动电子商务精细化运营与智能风控
大数据·网络协议·tcp/ip
tang777898 小时前
代理IP质量检测实战:Python实现IP可用性、延迟、匿名度自动测试脚本
大数据·爬虫·python·网络协议·tcp/ip
科技牛牛8 小时前
街道级IP定位能解决什么问题?哪些团队更适合用
网络·网络协议·tcp/ip·街道级ip定位
程序员JerrySUN9 小时前
Jetson边缘嵌入式实战课程第二讲:JetPack 和 SDK Manager 是什么
c语言·开发语言·网络·udp·音视频