Bob_Zimmerman
Authority

As you discovered, NAT changes the packet so it no longer matches your capture filter. The biggest issue with capture filters in fw monitor is they are evaluated individually at each step. If the traffic no longer matches the filter because something about it has been changed, the capture just won’t record anything further.

A kernel debug on xlate should make this situation more obvious in the future. You can run it with zdebug, since that’s just a macro which sets up the buffer and so forth. It's much more verbose than just debugging on drop, but when troubleshooting a connection which isn't working, it shouldn't be too bad. Here's an example from one of my lab standalone boxes showing the debug command, plus the output generated when I have the standalone send a single ping from itself to a destination which matches a rule to hide the source:

[Expert@DallasSA]# fw ctl zdebug -T -F "10.0.1.253,0,192.168.144.120,0,0" -m fw xlate drop
Defaulting all kernel debugging options
Debug state was reset to default.
PPAK 0: Get before set operation succeeded of simple_debug_filter_off
Initialized kernel debugging buffer to size 1023K
fw ctl set string simple_debug_filter_saddr_1 10.0.1.253 -a
PPAK 0: Get before set operation succeeded of simple_debug_filter_saddr_1
fw ctl set int simple_debug_filter_sport_1 0 -a
PPAK 0: Get before set operation succeeded of simple_debug_filter_sport_1
fw ctl set string simple_debug_filter_daddr_1 192.168.144.120 -a
PPAK 0: Get before set operation succeeded of simple_debug_filter_daddr_1
fw ctl set int simple_debug_filter_dport_1 0 -a
PPAK 0: Get before set operation succeeded of simple_debug_filter_dport_1
fw ctl set int simple_debug_filter_proto_1 0 -a
PPAK 0: Get before set operation succeeded of simple_debug_filter_proto_1
Updated debug variable for module fw
Kernel debugging buffer size: 1023KB
...
HOST:
Module: fw 
Enabled Kernel debugging options: xlate ipv6 drop 
Messaging threshold set to type=Info freq=Common

-----------------------------------------------------
...
Debug filter not set.
-----------------------------------------------------
VPN Simple Debug Filter Not Activated
-----------------------------------------------------
Simple Debug Filter Is Activated
Tuple   Protocol       Source:Port        Destination:Port
(1)      *         10.0.1.253:*       192.168.144.120:*
(2)      NOT DEFINED
(3)      NOT DEFINED
(4)      NOT DEFINED
(5)      NOT DEFINED

Number      IP Address
(1)          NOT DEFINED
(2)          NOT DEFINED
(3)          NOT DEFINED
-----------------------------------------------------
@;1;kiss_debug_report: start
@;1;kiss_debug_report: start
@;73882690;26Oct2024 14:47:28.051001;[cpu_0];[fw4_1];fwx_key_get_client_conn_key: possible security server gw->srv conn before rulebase.;
@;73882690;26Oct2024 14:47:28.051150;[cpu_0];[fw4_1];fwx_key_get_client_conn_key: possible security server gw->srv conn before rulebase.;
@;73882690;26Oct2024 14:47:28.051253;[cpu_0];[fw4_1];fwx_key_get_client_conn_key: possible security server gw->srv conn before rulebase.;
@;73882690;26Oct2024 14:47:28.051350;[cpu_0];[fw4_1];fwx_key_get_client_conn_key: possible security server gw->srv conn before rulebase.;
@;73882690;26Oct2024 14:47:28.051475;[cpu_0];[fw4_1];fw_xlate_new_conn: connection <dir 1, 10.0.1.253:6157 -> 192.168.144.120:0 IPP 1> ifnum=1, dir=1;
@;73882690;26Oct2024 14:47:28.051485;[cpu_0];[fw4_1];fwx_get_xlation: conn = dir 1, 10.0.1.253:6157 -> 192.168.144.120:0 IPP 1, mthd=ffffffff;
@;73882690;26Oct2024 14:47:28.051509;[cpu_0];[fw4_1];fwx_cache_lookup: flags = 0x0;
@;73882690;26Oct2024 14:47:28.051511;[cpu_0];[fw4_1];fwx_cache_lookup: NAT_X_SRC_IS_RANGE_L4: 0;
@;73882690;26Oct2024 14:47:28.051517;[cpu_0];[fw4_1];fw_xlate_match_epilog: There is already NAT on src/sport;
@;73882690;26Oct2024 14:47:28.051521;[cpu_0];[fw4_1];fw_xlate_match: connection matches rule:;
@;73882690;26Oct2024 14:47:28.051524;[cpu_0];[fw4_1];fw_xlate_match: < 7;
@;73882690;26Oct2024 14:47:28.051526;[cpu_0];[fw4_1];xlation type: ff000001,;
@;73882690;26Oct2024 14:47:28.051532;[cpu_0];[fw4_1];10.0.0.0, 10.255.255.255, 10.74.255.1,;
@;73882690;26Oct2024 14:47:28.051534;[cpu_0];[fw4_1];xlation type: ff010202,;
@;73882690;26Oct2024 14:47:28.051540;[cpu_0];[fw4_1];192.168.0.0, 192.168.255.255, 192.168.0.0,;
@;73882690;26Oct2024 14:47:28.051541;[cpu_0];[fw4_1];xlation type: 0,;
@;73882690;26Oct2024 14:47:28.051547;[cpu_0];[fw4_1];0.0.0.0, 0.0.0.0, 0.0.0.0,;
@;73882690;26Oct2024 14:47:28.051548;[cpu_0];[fw4_1];xlation type: 0,;
@;73882690;26Oct2024 14:47:28.051553;[cpu_0];[fw4_1];0.0.0.0, 0.0.0.0, 0.0.0.0>;
@;73882690;26Oct2024 14:47:28.051566;[cpu_0];[fw4_1];fwx_create_xlation: xlconn=dir 1, 10.74.255.1:6157 -> 192.168.144.120:0 IPP 1 mthd=ff000001, flags=100008;
@;73882690;26Oct2024 14:47:28.051569;[cpu_0];[fw4_1];fwx_get_xlation: fwxl->ex_flags = 0x0;
@;73882690;26Oct2024 14:47:28.051585;[cpu_0];[fw4_1];allocate_port_impl_static: using range: 35000 - 59999;
@;73882690;26Oct2024 14:47:28.051595;[cpu_0];[fw4_1];allocate_port_impl_static: hide_src=10.74.255.1, new_dst=192.168.144.120, new dport=0, first=88b8, last=ea5f, start=88c0, old_port=180d, not synchronized;
@;73882690;26Oct2024 14:47:28.051603;[cpu_0];[fw4_1];allocate_port: found a free port <1,10.74.255.1,88c1,192.168.144.120>;
@;73882690;26Oct2024 14:47:28.051610;[cpu_0];[fw4_1];fwx_alloc_get_port_type_and_member: ACTIVE + HIGH;
@;73882690;26Oct2024 14:47:28.051613;[cpu_0];[fw4_1];fwx_alloc_stats_update: called with update amount 1;
@;73882690;26Oct2024 14:47:28.051619;[cpu_0];[fw4_1];fwx_alloc_stats_update: stats_key: <1,10.74.255.1,14,192.168.144.120>;
@;73882690;26Oct2024 14:47:28.051622;[cpu_0];[fw4_1];fwx_alloc_stats_update: entry not found - setting a new entry.;
@;73882690;26Oct2024 14:47:28.051624;[cpu_0];[fw4_1];fwx_alloc_stats_update: updated amount to 1;
@;73882690;26Oct2024 14:47:28.051637;[cpu_0];[fw4_1];fwx_alloc_fill_conn_data: conn: dir 1, 10.0.1.253:6157 -> 192.168.144.120:0 IPP 1;
@;73882690;26Oct2024 14:47:28.051640;[cpu_0];[fw4_1];fwx_alloc_get_port_type_and_member: ACTIVE + HIGH;
@;73882690;26Oct2024 14:47:28.051647;[cpu_0];[fw4_1];fwx_apply_hide: xlation enabled;
@;73882690;26Oct2024 14:47:28.051693;[cpu_0];[fw4_1];fw_xlate_packet: connection <dir 1, 10.0.1.253:6157 -> 192.168.144.120:0 IPP 1>, OUTBOUND(1);

The -T adds timestamps to the output. The -F specifies a simple filter using the same syntax as fw monitor.

My real source is 10.0.1.253, translated source is 10.74.255.1, and the destination (which doesn't change in my rule) is 192.168.144.120. You can see that even though my filter only catches the original source, the debug records that the traffic is being translated. When there's no translation, the xlate debug produces no additional output.

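An added worked example, not code from the post or from Check Point: it parses the `fw ctl zdebug -T` record format shown above (`@;seq;timestamp;[cpu];[instance];function: message;`), pairs the pre-NAT tuple from the `fw_xlate_new_conn` line with the post-NAT tuple from the `fwx_create_xlation` line, reports which fields NAT rewrote, and emits one `-F` simple-filter tuple per side in the `saddr,sport,daddr,dport,proto` syntax the post uses. The sample input is a constructed excerpt of the post's output; the function names and the decision to wildcard ports are this example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample: four records copied from the post's zdebug output. The first
# carries the pre-NAT tuple, the last the post-NAT tuple; the middle two are noise.
SAMPLE_DEBUG = """\
@;73882690;26Oct2024 14:47:28.051475;[cpu_0];[fw4_1];fw_xlate_new_conn: connection <dir 1, 10.0.1.253:6157 -> 192.168.144.120:0 IPP 1> ifnum=1, dir=1;
@;73882690;26Oct2024 14:47:28.051521;[cpu_0];[fw4_1];fw_xlate_match: connection matches rule:;
@;73882690;26Oct2024 14:47:28.051524;[cpu_0];[fw4_1];fw_xlate_match: < 7;
@;73882690;26Oct2024 14:47:28.051566;[cpu_0];[fw4_1];fwx_create_xlation: xlconn=dir 1, 10.74.255.1:6157 -> 192.168.144.120:0 IPP 1 mthd=ff000001, flags=100008;
"""

# "dir 1, 10.0.1.253:6157 -> 192.168.144.120:0 IPP 1" as printed by the xlate debug.
CONN_RE = re.compile(r"dir (\d+), (\S+):(\d+) -> (\S+):(\d+) IPP (\d+)")


@dataclass(frozen=True)
class Conn:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int


def split_debug_line(line):
    """Split one zdebug -T record into (timestamp, function, message).
    Returns None for records without the full field set (e.g. kiss_debug_report)."""
    parts = line.rstrip(";").split(";", 5)
    if len(parts) < 6 or parts[0] != "@":
        return None
    timestamp, body = parts[2], parts[5]
    func, _, msg = body.partition(":")
    return timestamp, func, msg.strip()


def parse_conn(text):
    """Pull the 5-tuple out of a message, or None if the message carries none."""
    m = CONN_RE.search(text)
    if not m:
        return None
    return Conn(m.group(2), int(m.group(3)), m.group(4), int(m.group(5)), int(m.group(6)))


def extract_nat(debug_text):
    """Pair the pre-NAT tuple (fw_xlate_new_conn) with the post-NAT tuple
    (fwx_create_xlation). Returns None when no translation was recorded, which is
    what the post says happens when the connection is not NATed."""
    original = translated = None
    for line in debug_text.splitlines():
        rec = split_debug_line(line)
        if rec is None:
            continue
        _, func, msg = rec
        if func == "fw_xlate_new_conn":
            original = parse_conn(msg)
        elif func == "fwx_create_xlation":
            translated = parse_conn(msg)
    if original is None or translated is None:
        return None
    return {"original": original, "translated": translated}


def changed_fields(before, after):
    """Fields NAT rewrote: exactly the ones that make a pre-NAT capture filter stop matching."""
    return {name: (getattr(before, name), getattr(after, name))
            for name in ("src", "sport", "dst", "dport", "proto")
            if getattr(before, name) != getattr(after, name)}


def capture_filters(*conns):
    """Build -F tuples (saddr,sport,daddr,dport,proto; 0 = any), one per distinct
    address pair. Ports and protocol are wildcarded on purpose: hide NAT may also
    pick a new source port/ICMP id (the allocate_port line in the post shows one
    being chosen), so pinning the port would reintroduce the original problem."""
    filters = []
    for c in conns:
        f = f"{c.src},0,{c.dst},0,0"
        if f not in filters:
            filters.append(f)
    return filters


if __name__ == "__main__":
    nat = extract_nat(SAMPLE_DEBUG)
    if nat is None:
        print("no xlation recorded: one -F filter on the original tuple is enough")
    else:
        print("rewritten by NAT:", changed_fields(nat["original"], nat["translated"]))
        for f in capture_filters(nat["original"], nat["translated"]):
            print("fw monitor -F", repr(f))
```

Feed it the saved output of a zdebug run like the one above and it prints the address pair that the capture filter has to be widened to; the Simple Debug Filter table in the post's output has five tuple slots, so both the original and the translated pair can be given as separate `-F` arguments.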