Quickly locating abnormal traffic
In a FortiLink deployment, if a large volume of abnormal traffic appears on the network (for example, heavy broadcast or unknown multicast traffic that disrupts normal operation), the following steps can be used to locate its source.
Troubleshooting example
Capture packets on the FortiGate (sniffer verbosity 4). Here a large amount of ARP broadcast traffic is seen on the network (specify a packet count when capturing; this shows which packets appear most often within a given period).
FortiGate # diagnose sniffer packet any "" 4 100 l
interfaces=[any]
filters=[]
2023-05-30 09:16:42.833594 port6 in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833594 port6 in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833595 fortilink in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833595 fortilink in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833596 default in arp who-has 183.230.156.254 tell 183.230.156.148
2023-05-30 09:16:42.833596 default in arp who-has 183.230.20.126 tell 183.230.20.89
2023-05-30 09:16:42.833597 port6 in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833597 port6 in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833598 fortilink in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833598 fortilink in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833598 default in arp who-has 183.230.156.254 tell 183.230.156.148
2023-05-30 09:16:42.833598 default in arp who-has 58.254.217.97 tell 58.254.217.99
2023-05-30 09:16:42.833600 port6 in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833601 port6 in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833601 fortilink in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833602 fortilink in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833602 default in arp who-has 192.168.100.118 tell 192.168.100.99
2023-05-30 09:16:42.833602 default in arp who-has 183.230.156.254 tell 183.230.156.148
2023-05-30 09:16:42.833604 port6 in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833604 fortilink in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833605 default in arp who-has 113.204.198.1 tell 113.204.198.2
2023-05-30 09:16:42.833607 port6 in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833608 fortilink in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833608 default in arp who-has 183.230.156.254 tell 183.230.156.148
2023-05-30 09:16:42.833611 port6 in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833612 fortilink in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833612 default in arp who-has 192.168.110.99 tell 192.168.110.7
2023-05-30 09:16:42.833618 port6 in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833618 fortilink in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833619 port6 in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833619 default in arp who-has 183.230.156.254 tell 183.230.156.148
2023-05-30 09:16:42.833619 fortilink in 802.1Q vlan#1 P0
2023-05-30 09:16:42.833620 default in arp who-has 183.230.20.126 tell 183.230.20.89
Use sniffer verbosity 6 on the FortiGate to capture ARP packets and confirm the source MAC of the abnormal ARP broadcasts. The source MAC can be read directly from the verbosity 6 output: it is the 4th to 6th fields of the "0x0000" line (the 6 bytes after the all-ff destination MAC), as shown below: "ac71 2ed2 35f2" and "0009 0f09 3c0e".
FortiGate # diagnose sniffer packet any "arp" 6 100 l
interfaces=[any]
filters=[arp]
2023-05-30 09:16:50.423541 default in arp who-has 58.254.217.97 tell 58.254.217.99
0x0000   ffff ffff ffff **→ac71 2ed2 35f2←** 0806 0001   .......q..5.....
0x0010   0800 0604 0001 ac71 2ed2 35f2 3afe d963   .......q..5.:..c
0x0020   0000 0000 0000 3afe d961 0000 0000 0000   ......:..a......
0x0030   0000 0000 0000 0000 0000 0000             ............
2023-05-30 09:16:50.423554 default in arp who-has 222.178.231.33 tell 222.178.231.34
0x0000   ffff ffff ffff **→0009 0f09 3c0e←** 0806 0001   ..........<.....
0x0010   0800 0604 0001 0009 0f09 3c0e deb2 e722   ..........<...."
0x0020   0000 0000 0000 deb2 e721 0000 0000 0000   .........!......
0x0030   0000 0000 0000 0000 0000 0000             ............
2023-05-30 09:16:50.423556 default in arp who-has 222.178.231.33 tell 222.178.231.34
0x0000   ffff ffff ffff 0009 0f09 3c0e 0806 0001   ..........<.....
0x0010   0800 0604 0001 0009 0f09 3c0e deb2 e722   ..........<...."
0x0020   0000 0000 0000 deb2 e721 0000 0000 0000   .........!......
0x0030   0000 0000 0000 0000 0000 0000             ............
2023-05-30 09:16:50.423560 default in arp who-has 58.254.217.97 tell 58.254.217.99
0x0000   ffff ffff ffff ac71 2ed2 35f2 0806 0001   .......q..5.....
0x0010   0800 0604 0001 ac71 2ed2 35f2 3afe d963   .......q..5.:..c
0x0020   0000 0000 0000 3afe d961 0000 0000 0000   ......:..a......
0x0030   0000 0000 0000 0000 0000 0000             ............
2023-05-30 09:16:50.423563 default in arp who-has 58.254.217.97 tell 58.254.217.99
0x0000   ffff ffff ffff ac71 2ed2 35f2 0806 0001   .......q..5.....
0x0010   0800 0604 0001 ac71 2ed2 35f2 3afe d963   .......q..5.:..c
0x0020   0000 0000 0000 3afe d961 0000 0000 0000   ......:..a......
0x0030   0000 0000 0000 0000 0000 0000             ............
2023-05-30 09:16:50.423574 default in arp who-has 58.254.217.97 tell 58.254.217.99
0x0000   ffff ffff ffff ac71 2ed2 35f2 0806 0001   .......q..5.....
0x0010   0800 0604 0001 ac71 2ed2 35f2 3afe d963   .......q..5.:..c
0x0020   0000 0000 0000 3afe d961 0000 0000 0000   ......:..a......
0x0030   0000 0000 0000 0000 0000 0000             ............
2023-05-30 09:16:50.423584 default in arp who-has 58.254.217.97 tell 58.254.217.99
0x0000   ffff ffff ffff ac71 2ed2 35f2 0806 0001   .......q..5.....
0x0010   0800 0604 0001 ac71 2ed2 35f2 3afe d963   .......q..5.:..c
0x0020   0000 0000 0000 3afe d961 0000 0000 0000   ......:..a......
0x0030   0000 0000 0000 0000 0000 0000             ............
Check which switch and which port the MAC address "0009 0f09 3c0e" is connected to. The output shows that this source MAC address was learned on port34 of switch S548DN4K16000312.
FortiGate # diagnose switch-controller mac-cache show | grep 00:09:0f:09:3c:0e -B 50
...............................................
managed-switch: S548DN4K16000312
vfid: 0
running-clients:
VLANID PORTID ACCESS MAC LAST-SEEN(secs ago) INTF-NAME
1 34 accept 00:09:0f:09:3c:0a 52 port34
Check the traffic on FortiLink member switch S548DN4K16000312; the traffic on port34 and port35 of this switch is abnormal.
S548DN4K16000312 # diagnose switch physical-ports linerate up
Find the device that is the source of the abnormal traffic. LLDP can be used to look up the information of the connected device and thereby identify the source of the abnormal traffic.
S548DN4K16000312 # get switch lldp neighbors-summary
......
port34 Up **→FortiGate-601F-down-Test←** 120 BR - port13
port35 Up **→FortiGate-601F-down-Test←** 120 BR - port14
......
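The steps above read the source MAC out of the "0x0000" row by eye, count which MACs dominate, and then look the MAC up in the switch-controller MAC cache. When a capture has hundreds of frames it is easier to do that correlation with a script. The following is an added example, not part of the original note and not Fortinet code: it parses saved text in the layout of the `diagnose sniffer packet ... 6` and `diagnose switch-controller mac-cache show` outputs shown above, counts broadcast ARP frames per source MAC, and maps each top talker to the switch and port that learned it. The sample inputs are constructed for this example (the MAC `00:50:56:00:00:01` and the port35 cache row are invented) and the only assumptions are the two output layouts as they appear on this page.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `diagnose sniffer packet any "arp" 6` output:
# one header line per frame, then hex-dump rows. Only the 0x0000 row carries the
# MAC addresses, so the constructed sample keeps just the first two rows per frame.
SNIFFER_OUTPUT = """\
2023-05-30 09:16:50.423541 default in arp who-has 58.254.217.97 tell 58.254.217.99
0x0000   ffff ffff ffff ac71 2ed2 35f2 0806 0001   .......q..5.....
0x0010   0800 0604 0001 ac71 2ed2 35f2 3afe d963   .......q..5.:..c
2023-05-30 09:16:50.423554 default in arp who-has 222.178.231.33 tell 222.178.231.34
0x0000   ffff ffff ffff 0009 0f09 3c0e 0806 0001   ..........<.....
0x0010   0800 0604 0001 0009 0f09 3c0e deb2 e722   ..........<...."
2023-05-30 09:16:50.423560 default in arp who-has 58.254.217.97 tell 58.254.217.99
0x0000   ffff ffff ffff ac71 2ed2 35f2 0806 0001   .......q..5.....
0x0010   0800 0604 0001 ac71 2ed2 35f2 3afe d963   .......q..5.:..c
2023-05-30 09:16:50.423570 default in arp who-has 192.168.1.1 tell 192.168.1.50
0x0000   ffff ffff ffff 0050 5600 0001 0806 0001   ......PV........
0x0010   0800 0604 0001 0050 5600 0001 c0a8 0132   ......PV......2
2023-05-30 09:16:50.423575 default in arp who-has 222.178.231.33 tell 222.178.231.34
0x0000   ffff ffff ffff 0009 0f09 3c0e 0806 0001   ..........<.....
0x0010   0800 0604 0001 0009 0f09 3c0e deb2 e722   ..........<...."
2023-05-30 09:16:50.423584 default in arp who-has 58.254.217.98 tell 58.254.217.99
0x0000   ffff ffff ffff ac71 2ed2 35f2 0806 0001   .......q..5.....
0x0010   0800 0604 0001 ac71 2ed2 35f2 3afe d963   .......q..5.:..c
"""

# Constructed sample in the layout of `diagnose switch-controller mac-cache show`.
MAC_CACHE_OUTPUT = """\
managed-switch: S548DN4K16000312
vfid: 0
running-clients:
VLANID PORTID ACCESS MAC LAST-SEEN(secs ago) INTF-NAME
1 34 accept 00:09:0f:09:3c:0e 52 port34
1 35 accept ac:71:2e:d2:35:f2 10 port35
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"
HEADER_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \S+ (?P<iface>\S+) (?P<dir>in|out) (?P<desc>.+)$")
WHOHAS_RE = re.compile(r"arp who-has (?P<target>\S+) tell (?P<sender>\S+)")
CACHE_ROW_RE = re.compile(
    r"^\s*\d+\s+\d+\s+\S+\s+(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+\d+\s+(?P<intf>\S+)\s*$")


def hex_words_to_mac(words):
    """Turn three 16-bit hex words from the dump ('ac71', '2ed2', '35f2') into aa:bb:cc:dd:ee:ff."""
    raw = "".join(words).lower()
    if len(raw) != 12 or any(c not in "0123456789abcdef" for c in raw):
        raise ValueError(f"not a 6-byte MAC: {words!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def parse_sniffer(text):
    """Return one dict per frame: interface, src/dst MAC from the 0x0000 row, ARP sender/target IP."""
    frames, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"iface": m["iface"], "src_mac": None, "dst_mac": None,
                       "sender_ip": None, "target_ip": None}
            w = WHOHAS_RE.search(m["desc"])
            if w:
                current["sender_ip"], current["target_ip"] = w["sender"], w["target"]
            frames.append(current)
        elif line.startswith("0x0000") and current is not None:
            words = line.split()[1:7]  # words 0-2: destination MAC, words 3-5: source MAC
            if len(words) == 6:
                current["dst_mac"] = hex_words_to_mac(words[:3])
                current["src_mac"] = hex_words_to_mac(words[3:])
    return frames


def parse_mac_cache(text):
    """Map each learned MAC to (managed switch serial, switch port name)."""
    table, switch = {}, None
    for line in text.splitlines():
        if line.startswith("managed-switch:"):
            switch = line.split(":", 1)[1].strip()
            continue
        m = CACHE_ROW_RE.match(line)
        if m and switch:
            table[m["mac"].lower()] = (switch, m["intf"])
    return table


def find_top_talkers(frames, mac_cache, min_frames=2):
    """Count broadcast frames per source MAC and attach the switch/port that learned each MAC."""
    count, senders = defaultdict(int), defaultdict(set)
    for f in frames:
        if f["src_mac"] is None or f["dst_mac"] != BROADCAST:
            continue
        count[f["src_mac"]] += 1
        if f["sender_ip"]:
            senders[f["src_mac"]].add(f["sender_ip"])
    report = []
    for mac, n in sorted(count.items(), key=lambda kv: (-kv[1], kv[0])):
        if n < min_frames:
            continue
        switch, port = mac_cache.get(mac, (None, None))  # None: MAC not learned by any managed switch
        report.append({"mac": mac, "frames": n, "sender_ips": sorted(senders[mac]),
                       "switch": switch, "port": port})
    return report


if __name__ == "__main__":
    cache = parse_mac_cache(MAC_CACHE_OUTPUT)
    for row in find_top_talkers(parse_sniffer(SNIFFER_OUTPUT), cache):
        print(f"{row['mac']}  {row['frames']} broadcasts  senders={row['sender_ips']}  "
              f"learned on {row['switch']} {row['port']}")
```

On a real capture, save the two command outputs to files and feed their contents to `parse_sniffer` and `parse_mac_cache`; raising `min_frames` filters out hosts that only send the occasional ARP request, and a MAC whose `sender_ips` list keeps growing is worth a closer look since a single interface normally announces one address.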