Quickly locating abnormal traffic

In a FortiLink deployment, if there is a large volume of abnormal traffic on the network (for example, large amounts of broadcast or unknown multicast that affect normal operation), the following steps can be used to find the source of the abnormal traffic.

Troubleshooting example

  1. Capture packets on the FortiGate with sniffer verbosity 4. A large volume of ARP broadcast traffic is seen on the network. (Specify a packet count when capturing, so that you can see which packets appear most often within a given period.)

    FortiGate # diagnose sniffer packet any "" 4 100 l
    interfaces=[any]
    filters=[]
    2023-05-30 09:16:42.833594 port6 in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833594 port6 in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833595 fortilink in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833595 fortilink in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833596 default in arp who-has 183.230.156.254 tell 183.230.156.148
    2023-05-30 09:16:42.833596 default in arp who-has 183.230.20.126 tell 183.230.20.89
    2023-05-30 09:16:42.833597 port6 in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833597 port6 in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833598 fortilink in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833598 fortilink in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833598 default in arp who-has 183.230.156.254 tell 183.230.156.148
    2023-05-30 09:16:42.833598 default in arp who-has 58.254.217.97 tell 58.254.217.99
    2023-05-30 09:16:42.833600 port6 in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833601 port6 in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833601 fortilink in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833602 fortilink in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833602 default in arp who-has 192.168.100.118 tell 192.168.100.99
    2023-05-30 09:16:42.833602 default in arp who-has 183.230.156.254 tell 183.230.156.148
    2023-05-30 09:16:42.833604 port6 in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833604 fortilink in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833605 default in arp who-has 113.204.198.1 tell 113.204.198.2
    2023-05-30 09:16:42.833607 port6 in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833608 fortilink in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833608 default in arp who-has 183.230.156.254 tell 183.230.156.148
    2023-05-30 09:16:42.833611 port6 in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833612 fortilink in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833612 default in arp who-has 192.168.110.99 tell 192.168.110.7
    2023-05-30 09:16:42.833618 port6 in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833618 fortilink in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833619 port6 in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833619 default in arp who-has 183.230.156.254 tell 183.230.156.148
    2023-05-30 09:16:42.833619 fortilink in 802.1Q vlan#1 P0 
    2023-05-30 09:16:42.833620 default in arp who-has 183.230.20.126 tell 183.230.20.89
    
  2. Capture ARP packets on the FortiGate with sniffer verbosity 6 to confirm the source MAC of the abnormal ARP broadcasts. The source MAC can be read directly from the verbosity-6 output: it is groups 4 to 6 of the "0x0000" line, as shown below ("ac71 2ed2 35f2" and "0009 0f09 3c0e").

    FortiGate # diagnose sniffer packet any "arp" 6 100 l
    interfaces=[any]
    filters=[arp]
    2023-05-30 09:16:50.423541 default in arp who-has 58.254.217.97 tell 58.254.217.99
    0x0000   ffff ffff ffff ac71 2ed2 35f2 0806 0001        .......q..5.....
    0x0010   0800 0604 0001 ac71 2ed2 35f2 3afe d963        .......q..5.:..c
    0x0020   0000 0000 0000 3afe d961 0000 0000 0000        ......:..a......
    0x0030   0000 0000 0000 0000 0000 0000                  ............
    
    2023-05-30 09:16:50.423554 default in arp who-has 222.178.231.33 tell 222.178.231.34
    0x0000   ffff ffff ffff 0009 0f09 3c0e 0806 0001        ..........<.....
    0x0010   0800 0604 0001 0009 0f09 3c0e deb2 e722        ..........<...."
    0x0020   0000 0000 0000 deb2 e721 0000 0000 0000        .........!......
    0x0030   0000 0000 0000 0000 0000 0000                  ............
    
    2023-05-30 09:16:50.423556 default in arp who-has 222.178.231.33 tell 222.178.231.34
    0x0000   ffff ffff ffff 0009 0f09 3c0e 0806 0001        ..........<.....
    0x0010   0800 0604 0001 0009 0f09 3c0e deb2 e722        ..........<...."
    0x0020   0000 0000 0000 deb2 e721 0000 0000 0000        .........!......
    0x0030   0000 0000 0000 0000 0000 0000                  ............
    
    2023-05-30 09:16:50.423560 default in arp who-has 58.254.217.97 tell 58.254.217.99
    0x0000   ffff ffff ffff ac71 2ed2 35f2 0806 0001        .......q..5.....
    0x0010   0800 0604 0001 ac71 2ed2 35f2 3afe d963        .......q..5.:..c
    0x0020   0000 0000 0000 3afe d961 0000 0000 0000        ......:..a......
    0x0030   0000 0000 0000 0000 0000 0000                  ............
    
    2023-05-30 09:16:50.423563 default in arp who-has 58.254.217.97 tell 58.254.217.99
    0x0000   ffff ffff ffff ac71 2ed2 35f2 0806 0001        .......q..5.....
    0x0010   0800 0604 0001 ac71 2ed2 35f2 3afe d963        .......q..5.:..c
    0x0020   0000 0000 0000 3afe d961 0000 0000 0000        ......:..a......
    0x0030   0000 0000 0000 0000 0000 0000                  ............
    
    2023-05-30 09:16:50.423574 default in arp who-has 58.254.217.97 tell 58.254.217.99
    0x0000   ffff ffff ffff ac71 2ed2 35f2 0806 0001        .......q..5.....
    0x0010   0800 0604 0001 ac71 2ed2 35f2 3afe d963        .......q..5.:..c
    0x0020   0000 0000 0000 3afe d961 0000 0000 0000        ......:..a......
    0x0030   0000 0000 0000 0000 0000 0000                  ............
    
    2023-05-30 09:16:50.423584 default in arp who-has 58.254.217.97 tell 58.254.217.99
    0x0000   ffff ffff ffff ac71 2ed2 35f2 0806 0001        .......q..5.....
    0x0010   0800 0604 0001 ac71 2ed2 35f2 3afe d963        .......q..5.:..c
    0x0020   0000 0000 0000 3afe d961 0000 0000 0000        ......:..a......
    0x0030   0000 0000 0000 0000 0000 0000                  ............
    
  3. Check which port of which switch the MAC address "0009 0f09 3c0e" is attached to. The output shows that this source MAC was learned on port34 of switch S548DN4K16000312.

    FortiGate # diagnose switch-controller mac-cache show | grep 00:09:0f:09:3c:0e -B 50
    ...............................................                
    managed-switch: S548DN4K16000312 vfid:   0
    running-clients:
    VLANID   PORTID   ACCESS   MAC                LAST-SEEN(secs ago) INTF-NAME
    1        34       accept   00:09:0f:09:3c:0a  52                 port34
    
  4. Check the traffic on FortiLink member switch S548DN4K16000312. The traffic on port34 and port35 of this switch is abnormal.

    S548DN4K16000312 # diagnose switch physical-ports linerate up
    


  5. Identify the device that is the source of the abnormal traffic. LLDP shows the information of the connected devices, which identifies the source device of the abnormal traffic.

    S548DN4K16000312 # get switch lldp neighbors-summary
    ......
      port34      Up       FortiGate-601F-down-Test  120   BR          -         port13
      port35      Up       FortiGate-601F-down-Test  120   BR          -         port14
    ......
    

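As an added example (not part of this page or of Fortinet's tooling), the following Python script parses verbosity-6 sniffer output in the format shown in step 2, counts broadcast ARP requests per Ethernet source MAC and sender IP, and flags frames whose ARP sender hardware address differs from the Ethernet source address. The sample capture embedded in the script is copied from the frames above; the field offsets follow the standard Ethernet and ARP headers, which is why the source MAC sits in groups 4 to 6 of the "0x0000" line.

```python
"""Summarise broadcast ARP sources from 'diagnose sniffer packet ... 6' output.

Added example for this page, not Fortinet code: it only parses verbosity-6
text in the format shown above and does not talk to any device.
"""
import re
from collections import Counter

# Constructed sample: three frames copied from the verbosity-6 capture on this page.
SAMPLE_CAPTURE = """\
2023-05-30 09:16:50.423541 default in arp who-has 58.254.217.97 tell 58.254.217.99
0x0000   ffff ffff ffff ac71 2ed2 35f2 0806 0001        .......q..5.....
0x0010   0800 0604 0001 ac71 2ed2 35f2 3afe d963        .......q..5.:..c
0x0020   0000 0000 0000 3afe d961 0000 0000 0000        ......:..a......
0x0030   0000 0000 0000 0000 0000 0000                  ............

2023-05-30 09:16:50.423554 default in arp who-has 222.178.231.33 tell 222.178.231.34
0x0000   ffff ffff ffff 0009 0f09 3c0e 0806 0001        ..........<.....
0x0010   0800 0604 0001 0009 0f09 3c0e deb2 e722        ..........<...."
0x0020   0000 0000 0000 deb2 e721 0000 0000 0000        .........!......
0x0030   0000 0000 0000 0000 0000 0000                  ............

2023-05-30 09:16:50.423560 default in arp who-has 58.254.217.97 tell 58.254.217.99
0x0000   ffff ffff ffff ac71 2ed2 35f2 0806 0001        .......q..5.....
0x0010   0800 0604 0001 ac71 2ed2 35f2 3afe d963        .......q..5.:..c
0x0020   0000 0000 0000 3afe d961 0000 0000 0000        ......:..a......
0x0030   0000 0000 0000 0000 0000 0000                  ............
"""

# Header line of a frame: timestamp, interface, direction, free-text summary.
HEADER_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ (\S+) (in|out) (.*)$")
# The hex column: groups of four hex digits separated by single spaces.
HEX_GROUPS_RE = re.compile(r"^[0-9a-f]{4}( [0-9a-f]{4})*$")

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = b"\x08\x06"
ARP_REQUEST = 1


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def hex_payload(line: str):
    """Return the hex groups of a dump line ('0x0010   0800 0604 ...   ascii'), else None."""
    if not line.startswith("0x"):
        return None
    cols = re.split(r"\s{2,}", line.strip())  # [offset, hex groups, ascii column]
    if len(cols) < 2 or not HEX_GROUPS_RE.match(cols[1]):
        return None
    return cols[1].replace(" ", "")


def parse_frames(text: str):
    """Yield (interface, raw_frame_bytes) for each frame in verbosity-6 output."""
    iface, chunks = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if iface is not None and chunks:
                yield iface, bytes.fromhex("".join(chunks))
            iface, chunks = m.group(1), []
            continue
        h = hex_payload(line)
        if h is not None and iface is not None:
            chunks.append(h)
    if iface is not None and chunks:
        yield iface, bytes.fromhex("".join(chunks))


def summarize_arp(text: str):
    """Count broadcast ARP requests per (Ethernet source MAC, sender IP).

    Also returns frames whose ARP sender hardware address differs from the
    Ethernet source MAC, which is worth a second look during triage.
    """
    by_source = Counter()
    mismatches = []
    for iface, frame in parse_frames(text):
        # 14-byte Ethernet header followed by a 28-byte ARP body.
        if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
            continue
        dst, src = frame[0:6], frame[6:12]
        oper = int.from_bytes(frame[20:22], "big")
        sha, spa = frame[22:28], frame[28:32]
        if oper == ARP_REQUEST and dst == BROADCAST:
            by_source[(mac_str(src), ip_str(spa))] += 1
        if sha != src:
            mismatches.append((iface, mac_str(src), mac_str(sha)))
    return by_source, mismatches


if __name__ == "__main__":
    counts, odd = summarize_arp(SAMPLE_CAPTURE)
    for (mac, ip), n in counts.most_common():
        print(f"{n:4d}  {mac}  {ip}")
    for iface, src, sha in odd:
        print(f"mismatch on {iface}: eth src {src} vs arp sender {sha}")
```

The MAC addresses come out in the colon-separated form that the `diagnose switch-controller mac-cache show | grep` command in step 3 expects, so the top entry of the counter can be used directly in the next step. Paste a longer verbosity-6 capture into the script in place of the sample to rank the real talkers.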
Copyright © 2023 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was last revised: 2023-09-18 16:28:10
