
Juniper ScreenOS traffic profiling with fprofile

In this tutorial I will show you, with short command examples, how to obtain a packet footprint of all traffic flowing through your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is available starting with 6.0.

Profiling is only available from the CLI, so you need to know how to reach it through a serial-attached terminal emulator, Telnet, or SSH. That is not covered here.

General CLI tip
At any time, you can abbreviate commands to their unique leading parts:
 
set fpro pac stop


and if you can't remember the syntax, just put a question mark after your command to get further help:
 
get fpro pac ?


or press [Tab] for auto-completion and help.

How to

1. Preparation of profiling


The preparation can be done at any time and does not need to be changed once set up.
 
unset fprofile packet wrap
set fprofile packet enable
set fprofile packet count 16


The count is measured in kilo-packets; allowed values are 1-256.
 

2. Start and stop profiling

 

clear fprofile
set fprofile packet start


If you disabled wrap mode (as above), profiling ends automatically as soon as the packet count is reached. If you set wrap mode, the buffer is overwritten continuously until you issue:
 
set fprofile packet stop


I've seen no CPU effect if you leave fprofile enabled (but stopped); however, you can disable it to be safe:
 
unset fprofile packet enable


After disabling fprofile, the collected profile data is no longer available, even after re-enabling.
If you want to check the current state of the profiling engine:
 
get fprofile


This shows the state of fprofile: enabled, and start or stop.
 

3. Viewing the profile


After profiling, you want to evaluate the collected data, of course.
 
get fprofile packet			shows the complete profile with packet type, protocol, src/dst IP, src/dst port, time and percentage
get fprofile packet ip dst-ip		shows the top 10 destination IPs, summed up regardless of source info and destination ports
get fprofile packet ip dst-ip all	shows all destination IPs, ...
get fprofile packet ip dst-ip top 5	shows the top 5 ...


Similar aggregation is available for protocols, ports, and IPs; see the complete syntax below.


Complete syntax variants

clear fprofile
 
get fprofile packet ip proto top <NUMBER>
get fprofile packet ip proto all
get fprofile packet ip proto
get fprofile packet ip src-ip top <NUMBER>
get fprofile packet ip src-ip all
get fprofile packet ip src-ip
get fprofile packet ip dst-ip top <NUMBER>
get fprofile packet ip dst-ip all
get fprofile packet ip dst-ip
get fprofile packet ip sport top <NUMBER>
get fprofile packet ip sport all
get fprofile packet ip sport
get fprofile packet ip dport top <NUMBER>
get fprofile packet ip dport all
get fprofile packet ip dport
get fprofile packet ip top <NUMBER>
get fprofile packet ip all
get fprofile packet ip
get fprofile packet none-ip proto top <NUMBER>
get fprofile packet none-ip proto all
get fprofile packet none-ip proto
get fprofile packet none-ip src-mac top <NUMBER>
get fprofile packet none-ip src-mac all
get fprofile packet none-ip src-mac
get fprofile packet none-ip dst-mac top <NUMBER>
get fprofile packet none-ip dst-mac all
get fprofile packet none-ip dst-mac
get fprofile packet none-ip top <NUMBER>
get fprofile packet none-ip all
get fprofile packet none-ip
get fprofile packet top <NUMBER>
get fprofile packet all
get fprofile packet
get fprofile
 
set fprofile packet enable
set fprofile packet count <NUMBER>
set fprofile packet wrap
set fprofile packet start
set fprofile packet stop


Author: Qlemo