Author Topic: Netscreen Session Analyzer  (Read 56634 times)

Tim Eberhard

Netscreen Session Analyzer
« on: November 06, 2006, 06:08:59 pm »
Hey guys,

I wanted to allow some of you the opportunity to test a program I created I call NSSA (Netscreen Session Analyzer)

I wrote NSSA because at the time all I had to analyze my session tables were JTAC's perl scripts. While useful, they tend to be slow and a bit of a hassle. I designed this program to be fast and portable. It is written completely in python and requires nothing other than what is in the .rar file.

Please try it out and let me know what you think. This is early beta but all core functions work just fine. NSSA does everything Juniper's scripts do & more.

This file is clean, there are no trojans or anything of the sort. NSSA requires no connection to the internet.

To download the file please click here: http://performanceclassifieds.net/NSSA.zip


Again, please let me know what you think. I appreciate your input. Source available upon request (as long as you don't rip off my code)

Tim
« Last Edit: November 30, 2006, 11:32:19 pm by Tim Eberhard »
JNCIS-FWV, JNCIS-M, C|EH, CCSP
Author of Netscreen Session Analyzer:
http://performanceclassifieds.net/NSSA.zip
TPCAT

technoplague

Re: Netscreen Session Analyzer
« Reply #1 on: November 06, 2006, 11:45:34 pm »
Great tool!

Thank you. It seems much better than Juniper's web tool.
Extremely handy for a policy planning phase to determine the most used services.
« Last Edit: November 07, 2006, 03:20:08 am by technoplague »

oldo

Re: Netscreen Session Analyzer
« Reply #2 on: November 07, 2006, 01:48:55 am »
really good work, great tool!
JNCIA-FW, JNCIA-AC, JNCIS-SSL, Ironport ICSP, xSeries Specialist,

TuomasK

Re: Netscreen Session Analyzer
« Reply #3 on: November 07, 2006, 03:36:31 am »
Umm.. silly me.

I don't see tftp option in get sessions, on command line.

Using NS25 with 5.3.0r5.0.

Tuomas

technoplague

Re: Netscreen Session Analyzer
« Reply #4 on: November 07, 2006, 03:46:57 am »
Hey, TuomasK!

It definitely should be there!
It is implemented through the redirecting ( ">" )

e.g. get sess > tftp host file.nss

TuomasK

Re: Netscreen Session Analyzer
« Reply #5 on: November 07, 2006, 04:34:44 am »
hi technoplague.

I forgot to use the magical > switch.. :)

Thanks.

Tim Eberhard

Re: Netscreen Session Analyzer
« Reply #6 on: November 30, 2006, 11:31:29 pm »
#######################Change log##################################
#
#11/28/06- Added protocol name lookup to the protocol filter to make it easier to read.
###############################################################

Tim Eberhard

Re: Netscreen Session Analyzer
« Reply #7 on: January 10, 2007, 12:01:49 am »
New features in NSSA.

You can now input IP/Port/custom filters. Added per the request of some Juniper employees.

Please let me know if you think of any features that you think would be worthwhile or if you encounter a bug.

#######################Change log##################################
#
#01/09/07- Version 1.4 Added Port number guessing. Also adjusted some math on reports to fix some miscalculations.
#01/08/07- Version 1.3 Simple IP, port and custom filters are now working. Top 5 results are shown. Cleaned up UI a bit more.
#01/05/07- Version 1.2 Adjusted some buttons. Started work on single IP and single port filters. Cleaned up the UI a bit.
###############################################################

Tim
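
A minimal sketch of the kind of session-table summary discussed in this thread (top source IPs, services with protocol name lookup, and policies by session count), added here as an illustration; it is not NSSA's code. The sample input is constructed, and the `get session` line layout the regexes expect is an assumption.

```python
import re
from collections import Counter

# Constructed sample shaped like ScreenOS "get session" output (assumed
# layout; it can differ between releases). The pager line must be skipped.
SAMPLE = """\
alloc 3/max 4064, alloc failed 0, mcast alloc 0, di alloc failed 0
id 101/s**,vsys 0,flag 00000040/0000/0001,policy 5,time 180, dip 0 module 0
 if 0(nspflag 800801):10.1.1.5/1044->192.0.2.10/80,6,0010db5a3f10,sess token 3,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 800800):10.1.1.5/1044<-192.0.2.10/80,6,000000000000,sess token 4,vlan 0,tun 0,vsd 0,route 0
id 102/s**,vsys 0,flag 00000040/0000/0001,policy 5,time 178, dip 0 module 0
 if 0(nspflag 800801):10.1.1.5/1045->192.0.2.10/80,6,0010db5a3f10,sess token 3,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 800800):10.1.1.5/1045<-192.0.2.10/80,6,000000000000,sess token 4,vlan 0,tun 0,vsd 0,route 0
--- more ---
id 103/s**,vsys 0,flag 00000040/0000/0001,policy 7,time 6, dip 0 module 0
 if 0(nspflag 800801):10.1.1.9/53211->192.0.2.53/53,17,0010db5a3f11,sess token 3,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 800800):10.1.1.9/53211<-192.0.2.53/53,17,000000000000,sess token 4,vlan 0,tun 0,vsd 0,route 0
"""

ID_RE = re.compile(r"^id \d+/[^,]*,vsys \d+,flag [^,]+,policy (\d+),")
# Forward flow only: src/sport->dst/dport,proto (the reverse line uses "<-").
FLOW_RE = re.compile(r":([\d.]+)/(\d+)->([\d.]+)/(\d+),(\d+),")
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}  # protocol name lookup

def parse_sessions(text):
    """Yield one record per session from its 'id' line and forward flow line."""
    policy = None
    for line in text.splitlines():
        m = ID_RE.match(line)
        if m:
            policy = int(m.group(1))
            continue
        m = FLOW_RE.search(line)
        if m and policy is not None:
            src, _sport, dst, dport, proto = m.groups()
            yield {"policy": policy, "src": src, "dst": dst,
                   "service": (PROTO.get(int(proto), proto), int(dport))}
            policy = None  # one record per session; wait for the next 'id'

def report(text, n=5):
    """Top-n source IPs, services and policies by session count."""
    sessions = list(parse_sessions(text))
    top = lambda field: Counter(s[field] for s in sessions).most_common(n)
    return {"sessions": len(sessions), "top_src": top("src"),
            "top_service": top("service"), "top_policy": top("policy")}

if __name__ == "__main__":
    print(report(SAMPLE))
```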

thextreme

Re: Netscreen Session Analyzer
« Reply #8 on: February 13, 2007, 12:03:53 pm »
Hi Tim

Thanks for a fantastic app, it has helped us to easily solve a cpu/session problem.

Many thanks
Ian

Tim Eberhard

Re: Netscreen Session Analyzer
« Reply #9 on: February 13, 2007, 01:46:54 pm »
Thanks Ian I appreciate the words of encouragement.

As a sneak peek to everyone here, I am currently working on a few addons to NSSA. In the works:

OS Task Reader- This will tell you what processes (and what they do) are taking up the most CPU.

Debug Tag info reader- This will read the debug tag info (debug tag info shows packets that are being processed by the firewall's CPU)

I am currently working on both, in addition to a few other features for NSSA. More to come :)

Tim Eberhard
« Last Edit: February 13, 2007, 01:50:38 pm by Tim Eberhard »

Tim Eberhard

Re: Netscreen Session Analyzer
« Reply #10 on: February 20, 2007, 10:33:26 pm »
Announcing NSSA Version 1.5. Now with Debug Tag info Reader and OS Task reader.

To download the file please click here: http://performanceclassifieds.net/NSSA.zip

Also some minor bug fixes and base features added. The port guess list is now external and can be edited by users. Feel free to submit some adjustments if you find anything.

As always your input is welcome. I couldn't have done this much without the input from the Netscreen user community.

From the Readme file:
------------------------------------------------------------------------
   Debug Tag Info Reader:
In the event of a high flow CPU it's worthwhile to see what exactly is going to the flow CPU. To do this you enter "debug tag info" into the firewall. It is critical that you do this from the console. After a few seconds press the ESC button. Note: This WILL be impacting to the firewall traffic; the firewall CPU will spike up to 100% for a few seconds. Once that is done you can either grab the output directly from the screen or tftp it off.
Load the data into the Analyzer and it will read the traffic for you. This has been a critical role in troubleshooting high flow CPU to us.

   OS Task Analyzer:
OS Task Analyzer is useful when troubleshooting high task CPU. Log into the firewall and enter "get os task", then wait a few seconds/minutes and enter it again.
Paste both results into the two fields and it will list the tasks with the highest task CPU usage.


Comments? Bugs? Questions?
Send them my way, timothy.l.eberhard@sprint.com or xmin0s@gmail.com
#######################Change log##################################
#
#02/19/07- Version 1.5 OS Task Reader & Debug Tag info Reader completed and working. You can find it in the Plugins drop down menu
###############################################################

mwdmeyer

Re: Netscreen Session Analyzer
« Reply #11 on: February 21, 2007, 12:13:22 am »
Hey. Just tried to download it; I'm getting a 404.

Tim Eberhard

Re: Netscreen Session Analyzer
« Reply #12 on: February 21, 2007, 07:13:51 am »
Hrmm, perhaps some kind of maintenance was going on. Appears to be working just fine now.

Alternatively I put a .rar up there as well (it's much smaller.. god I love rar compression).
http://performanceclassifieds.net/NSSA.rar

mwdmeyer

Re: Netscreen Session Analyzer
« Reply #13 on: February 22, 2007, 11:51:23 pm »
Hey Tim,

I'm unable to get the os task plugin to work.

I've cut and pasted the results of 2 os tasks (about 30 seconds apart) yet I am just getting:

-OS Task Report-

Any ideas?

Tim Eberhard

Re: Netscreen Session Analyzer
« Reply #14 on: February 22, 2007, 11:57:16 pm »
Hrmm..

I just re-tested the OS task reader from the release I posted and I got it to work fine.

Mind sharing with me exactly what you're inputting? Email it over to me if possible and I'll take a look at the back end to see what OTA is doing with it exactly..

xmin0s@gmail.com

Thanks for your help! Hopefully I'll find out exactly what the issue is.
Tim Eberhard

Tim Eberhard

Re: Netscreen Session Analyzer
« Reply #15 on: February 23, 2007, 12:44:31 am »
A big thanks to Mike for finding a bug. It appears that Juniper's output was slightly different from various code trains. Everything is fixed and I'll upload the new code here shortly.

joezhou

Re: Netscreen Session Analyzer
« Reply #16 on: March 05, 2007, 03:17:23 am »
Hi Tim,

May I know how to use debug tag info? After I key them into the console, nothing happens. Any detailed explanation of how to get input for Debug Tag Info Reader?

Joe

Tim Eberhard

Re: Netscreen Session Analyzer
« Reply #17 on: March 05, 2007, 12:57:19 pm »
Joe,

I believe there is a minor issue when choosing the "Load from a file" option in debug tag info. Depending on the version of Windows being used sometimes it works, sometimes it doesn't. It, in addition to some adjustments to the OS task reader, is on my to-do list to get fixed when I get time.

Until then I would suggest copying & pasting within the window. That *should* work without issues. If you were using this method then please shoot me over an email to troubleshoot this with me. xmin0s a-t gmail d-o-t com

Tim Eberhard

Re: Netscreen Session Analyzer
« Reply #18 on: March 12, 2007, 03:10:48 pm »
I have uploaded (last week) a new version of NSSA. This is a minor update to get the OS task piece working across all known code trains. This should work on 5.4 no problem.


Tim Eberhard

Re: Netscreen Session Analyzer
« Reply #19 on: July 12, 2007, 03:29:06 pm »
I have uploaded a new version. Sorry for the delay. Fixed some pretty big bugs since the last public beta release.

#######################To do####################################
#   
#A tool to analyze saturn traffic perhaps?
#Debug flow Drop reader
#Debug Flow basic top 10
#Percentage of usage in that portion of the session table
#Add protocols to port list if possible
###############################################################

##################Known Issues##################################
#Os Task Analyzer- If two tasks have the same run time, their names are removed and no information is provided
#
#
#
##############################################################

#######################Change log##################################
#07/12/05- Version 1.5.5.07.12 Fixed issue with OS Task Reader and "--- mores ---"
#03/29/07- Version 1.5.4.03.28 Minor adjustments to naming and such.
#03/23/07- Version 1.5.03.22 Created the Sprint Internal Fork due to some confidential information
#03/22/07- Version 1.5.3 Added Debug flow basic analyzer. Changed the way the Debug files are loaded. The only option is now to load from a file,
#        -the clipboard method wasn't stable due to various python issues.
#03/07/07- Version 1.5.2 Resolved issues with os task analyzer and 5.4 code train. OTA Can now read all known code train variations.
#03/01/07- Version 1.5.1 Fixed OS Task Analyzer to work on more code trains(Juniper appears to change the output often), also added demux menu
#02/19/07- Version 1.5 OS Task Reader & Debug Tag info Reader completed and working. You can find it in the Plugins drop down menu
#02/18/07- Version 1.4.7 UI finished. Got the data loading and parsing properly. Just a few bugs to iron out left.
#02/17/07- Version 1.4.6 Finished writing code for os-task/debug-tag-info back end. Code added.
#02/15/07- Version 1.4.5 Added OS-Task window, Debug Tag Info, Debug Flow Basic all under the new plugin menu.
#01/22/07- Version 1.4.1 Edit > Copy to Clipboard  now works. File>Save also works.
#01/09/07- Version 1.4 Added Port number guessing. Also adjusted some math on reports to fix some miscalculations.
#01/08/07- Version 1.3 Simple IP, port and custom filters are now working. Top 5 results are shown. Cleaned up UI a bit more.
#01/05/07- Version 1.2 Adjusted some buttons. Started work on single IP and single port filters. Cleaned up the UI a bit.
#11/28/06- Version 1.1 Added protocol name lookup to the protocol filter to make it easier to read.
#10/08/06- Version 1.0 Official beta release. All base filters work and some "quick" buttons. Ready for internal use.
###############################################################