This article explains how to analyze the output of get session.
How do I analyze the output of get session?
Output of the get session command:
>get session
alloc 176/max 128000, alloc failed 0, di alloc failed 0
id 25599/s**,vsys 0,flag 00000040/0000/00,policy 1,time 6, dip 0
0(8801):192.168.1.10/4000->192.168.2.10/1024,1,0010db103040,2,vlan 0,tun 0,vsd 0,route 0
6(2800):192.168.1.10/4000<-192.168.2.10/1024,1,000000000000,3,vlan 0,tun 40000001,vsd 0,route 5
id: This field represents the session ID.
vsys: This field identifies the VSYS to which the session applies (0 represents the Root system).
flag: Used by engineering to help determine the status of the session.
policy: This field refers to the policy ID that the session matched. In this example, the session matched the policy ID of 1.
time: This field refers to the session timeout value in ticks (1 tick = 10 seconds). In this example, the session is valid for 60 seconds (6 ticks x 10 seconds = 60 seconds).
If the policy NAT-src via DIPs has been applied to the traffic, you can determine which DIP pool was used by referring to the dip field. In this example, no policy NAT-src was applied.
The beginning of the session line displays the ingress interface and the session token number. In this instance, the first line refers to the Ethernet1/1 interface 0 (8801) and the second line refers to the Ethernet1/3 interface 6 (2800).
The first characters (here 0 and 6) in these lines show the interface number for the source interface of the traffic in that direction. Here 0 represents the interface number for Ethernet 1/1 and 6 represents the interface number for Ethernet 1/3.
The interface numbers for all the interfaces can be viewed with the get sys command. You can confirm the interface number with the get int <interface> command:
> get int e1/1
Interface ethernet1/1:
description ethernet1/1
number 0, if_info 229320, if_index 0, mode nat
link down, phy-link down, admin status up
status change:0
You can then observe the source IP, source port, destination IP, and destination port for the session. The next field displays the IP protocol being used for the session. In this example, it is IP protocol 1 (ICMP).
The next field displays the MAC address of the next-hop router. If a NetScreen device has been configured with Subinterfaces and VLANs, the VLAN ID of the packet is displayed in the vlan field. In this example, the packets have a VLAN ID of 2. The tun field refers to the VPN tunnel being used (if one is used). The vsd field refers to the VSD group in which the interface resides, if the firewall is in an NSRP cluster. Finally, the route field displays the route ID, which was used to route traffic for the session.