
[Archive] [ScreenOS] How to interpret the output of 'debug ip ip'


Article ID: KB31758
KB Last Updated: 25 Sep 2020
Version: 2.0

Summary:

This article explains the meaning of the output from 'debug ip ip'.

Solution:

This debug covers self traffic only, that is, IP packets destined to the device or originated from an IP address owned by the device. It is helpful in cases where requests come in to the firewall but no response is being generated, or when the responses received are not being processed by the device or are silently discarded.

Example output for an Internet Control Message Protocol (ICMP) packet initiated from the Secure Services Gateway (SSG):

## 2017-05-14 14:17:11 : out_if is not set in the packet
## 2017-05-14 14:17:11 : out_ifp ethernet0/0 and src_ifp ethernet0/0 src-ip 0.0.0.0, gateway 10.219.29.193 flag 0x00200080
## 2017-05-14 14:17:11 : Decide src ip ethernet0/0 src_addr 0.0.0.0 dst_addr 10.222.0.77 pak 2b06508
## 2017-05-14 14:17:11 : src ip 10.219.29.206 address for interface ethernet0/0
## 2017-05-14 14:17:11 : found a route via 10.219.29.193 through interface ethernet0/0

The above debug output shows how the device decides on the out interface pointer and the source interface pointer. Based on the source interface pointer and the route lookup, the IP addresses are added to the packet and the IP header is built.

## 2017-05-14 14:17:11 : ip out(-1/0):10.219.29.206->10.222.0.77/1,08000a62/04004dd0,128

The response packet then follows in the output:

## 2017-05-14 14:17:11 : ip in(0/3):10.222.0.77->10.219.29.206/1,00001262/04004dd0,128
## 2017-05-14 14:17:11 : ip up(0/3):10.222.0.77->10.219.29.206/1,00001262/04004dd0,128
## 2017-05-14 14:17:11 : calling registered client on sock 1 10.222.0.77->10.219.29.206, protocol 1

Other than the source IP (10.219.29.206), destination IP (10.222.0.77) and the protocol number (1) for ICMP, there are 3 fields at the end of the string, such as 08000a62/04004dd0,128. The first field, 08000a62, can be interpreted as follows:

  • The first two digits represent the ICMP type: 08
  • The next two digits represent the ICMP code: 00
  • The remaining digits are the checksum: 0a62

04004dd0 consists of:

  • 0400: ICMP identifier
  • 4dd0: ICMP sequence

The values are in hex and need to be converted to decimal before comparing them with the actual packet.

128: Total length in IP header, in decimal.

For an ICMP packet received by the device, the order of the debug output changes slightly:

## 2017-05-14 14:03:53 : ip in(0/3):10.222.0.77->10.219.29.206/1,08004cef/0001006c,60
## 2017-05-14 14:03:53 : ip up(0/3):10.222.0.77->10.219.29.206/1,08004cef/0001006c,60
## 2017-05-14 14:03:53 : calling registered client on sock 1 10.222.0.77->10.219.29.206, protocol 1

Thus, the incoming ICMP is recorded. This is then followed by selecting the interfaces and building the IP header of the response packet as below:

## 2017-05-14 14:03:53 : out_if is set in the packet as ethernet0/0
## 2017-05-14 14:03:53 : out_ifp ethernet0/0 and src_ifp ethernet0/0 src-ip 10.219.29.206, gateway 10.219.29.193 flag 0x00000000
## 2017-05-14 14:03:53 : Decide src ip ethernet0/0 src_addr 10.219.29.206 dst_addr 10.222.0.77 pak 2b06508
## 2017-05-14 14:03:53 : src ip 10.219.29.206 address for interface ethernet0/0
## 2017-05-14 14:03:53 : found a route via 10.219.29.193 through interface ethernet0/0
## 2017-05-14 14:03:53 : ip out(-1/0):10.219.29.206->10.222.0.77/1,000054ef/0001006c,60

Example of TCP packet initiated by the device:

## 2017-05-14 14:25:37 : out_if is not set in the packet
## 2017-05-14 14:25:37 : out_ifp ethernet0/0 and src_ifp ethernet0/0 src-ip 0.0.0.0, gateway 10.219.29.200 flag 0x00000000
## 2017-05-14 14:25:37 : Decide src ip ethernet0/0 src_addr 0.0.0.0 dst_addr 10.219.29.200 pak 2b065c0
## 2017-05-14 14:25:37 : src ip 10.219.29.206 address for interface ethernet0/0
## 2017-05-14 14:25:37 : found a route via 10.219.29.200 through interface ethernet0/0

Thus, the debug output remains the same. It consists of determining the source and the destination IP in the IP header based on the interface and route lookup.

Once the packet is built, it appears in the debugs as follows:

## 2017-05-14 14:25:37 : ip out(-1/0):10.219.29.206->10.219.29.200/6,6ef30017/75aefbe5,44

The response is recorded as below:

## 2017-05-14 14:25:37 : ip in(0/3):10.219.29.200->10.219.29.206/6,00176ef3/201158a4,44
## 2017-05-14 14:25:37 : ip up(0/3):10.219.29.200->10.219.29.206/6,00176ef3/201158a4,44

 

  • 6ef30017: Comprises the source port (6ef3) and the destination port (0017).
  • 75aefbe5: Indicates the sequence number in the packet.

The values are in hex and must be converted to decimal before comparing them with the actual packet.

44: Shows the value of total length field in the IP header. This is a decimal value.
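The ICMP and TCP field layouts described above can be decoded programmatically. The following Python sketch is an added example, not Juniper code: it parses 'ip in/out/up' lines into decimal fields and lists echo requests that arrived without a matching echo reply, the "request comes in but no response is generated" case. The function names and the last sample line are assumptions made for this example.

```python
import re

# Packet summary lines look like:
#   ip in(0/3):SRC->DST/PROTO,FIELD1/FIELD2,LENGTH
PACKET_RE = re.compile(
    r"ip (?P<dir>in|out|up)\([^)]*\):(?P<src>[\d.]+)->(?P<dst>[\d.]+)"
    r"/(?P<proto>\d+),(?P<f1>[0-9a-f]{8})/(?P<f2>[0-9a-f]{8}),(?P<len>\d+)")

def parse_line(line):
    """Decode one 'ip in/out/up' line; return None for any other line."""
    m = PACKET_RE.search(line)
    if not m:
        return None  # interface and route selection lines carry no packet fields
    f1, f2 = m["f1"], m["f2"]
    rec = {"dir": m["dir"], "src": m["src"], "dst": m["dst"],
           "proto": int(m["proto"]), "ip_len": int(m["len"])}
    if rec["proto"] == 1:    # ICMP: type, code, checksum / identifier, sequence
        rec.update(type=int(f1[:2], 16), code=int(f1[2:4], 16),
                   checksum=int(f1[4:], 16),
                   ident=int(f2[:4], 16), seq=int(f2[4:], 16))
    elif rec["proto"] == 6:  # TCP: source port, destination port / sequence number
        rec.update(sport=int(f1[:4], 16), dport=int(f1[4:], 16), seq=int(f2, 16))
    return rec

def unanswered_echo_requests(lines):
    """Echo requests seen on 'ip in' with no matching echo reply on 'ip out'."""
    icmp = [r for r in map(parse_line, lines) if r and r["proto"] == 1]
    # A reply matches when addresses are swapped and identifier/sequence agree.
    replies = {(r["src"], r["dst"], r["ident"], r["seq"])
               for r in icmp if r["dir"] == "out" and r["type"] == 0}
    return [r for r in icmp if r["dir"] == "in" and r["type"] == 8
            and (r["dst"], r["src"], r["ident"], r["seq"]) not in replies]

# The first four lines are from the article; the last one is constructed.
SAMPLE = [
    "## 2017-05-14 14:03:53 : ip in(0/3):10.222.0.77->10.219.29.206/1,08004cef/0001006c,60",
    "## 2017-05-14 14:03:53 : out_if is set in the packet as ethernet0/0",
    "## 2017-05-14 14:03:53 : ip out(-1/0):10.219.29.206->10.222.0.77/1,000054ef/0001006c,60",
    "## 2017-05-14 14:25:37 : ip out(-1/0):10.219.29.206->10.219.29.200/6,6ef30017/75aefbe5,44",
    "## 2017-05-14 14:03:54 : ip in(0/3):10.222.0.77->10.219.29.206/1,08004cee/0001006d,60",
]

if __name__ == "__main__":
    for rec in unanswered_echo_requests(SAMPLE):
        print("no reply for", rec["src"], "id", rec["ident"], "seq", rec["seq"])
```
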
