Re: SRX Session Analyzer based on Perl


Can you please email me the script at pparikh@juniper.net?


BugHunter wrote:

The following Perl code is free to modify and use to analyze an SRX session dump, which can be collected by "show security flow session". It works on Windows and Linux.

How to use it?

Download the attached file ("jsa.txt"), rename it to "jsa.pl", then run it on Windows or Linux. I have tested it on a 112 MB session dump, and it works well.

For example,

c:\> jsa.pl


*** Tom's SRX Session Dump Analyzer 0.3 ***

Enter the file name of session dump: session.txt
How many Top Talkers do you want to see (e.g., type 10)? 10

Nov 17 13:36:31  Extract the Session ID and Session wing0 for each session
Nov 17 13:36:35  ...Done
Nov 17 13:36:35  Extract src-ip, src-port, dst-ip, dst-port, policy name, incoming interface and timeout
Nov 17 13:36:38  ...Done
Nov 17 13:36:38  Create hash tables and sort these
Nov 17 13:36:40  ...Done
Nov 17 13:36:40  Sort Top 10 Talkers
Nov 17 13:36:41  ...Done


Check out "Top10-Talkers.log" file ...

 

 

Contents of "Top10-Talkers.log" file

--------------------------------------------------------------------------------
Top 10 src-ip, src-port, dst-ip, dst-port and protocol
--------------------------------------------------------------------------------
192.168.1.33/55490 --> 10.10.219.16/20000 tcp  1
192.168.2.45/39963 --> 10.10.219.16/10000 tcp  1
10.10.10.187/34309 --> 10.10.229.17/9093 tcp  1
192.168.1.33/52626 --> 10.10.115.19/50000 tcp  1
10.10.10.12/27545 --> 10.10.229.20/9093 tcp  1
192.168.3.102/41217 --> 10.10.229.16/8098 tcp  1
192.168.4.25/48879 --> 10.10.115.220/50000 tcp  1
192.168.5.132/56143 --> 10.10.216.16/9001 tcp  1
10.10.40.234/61513 --> 10.10.229.16/9093 tcp  1
10.10.41.113/54678 --> 10.10.111.160/80 tcp  1


-----------------------------------
Top 10 src-ip
-----------------------------------
10.10.229.164  6967
10.10.229.16  2800
10.10.110.134  2745
10.10.230.61  2585
192.168.1.33  2546
10.10.230.22  2542
10.10.230.60  2486
10.10.230.24  2473
10.10.230.32  2441
10.10.231.23  2434


-----------------------------------
Top 10 dst-ip
-----------------------------------
10.10.229.16  13414
10.10.11.16  9482
10.10.216.16  7369
10.20.229.27  5567
10.20.229.24  3822
10.10.115.16  3541
10.10.219.16  3219
10.21.98.97  2514
10.21.198.200  2471
10.22.27.100  2380


-----------------------------------
Top 10 src-port
-----------------------------------
9093  415
8083  301
32769  146
32771  105
32770  101
32773  89
32772  65
8082  64
32775  63
32779  53


-----------------------------------
Top 10 dst-port
-----------------------------------
80  27057
9093  14747
9001  7374
25  6266
20000  4183
8082  3707
110  3459
50000  3452
13000  2514
9090  2179


-----------------------------------
Top 10 protocol
-----------------------------------
tcp  92963
ipv6  8
udp  3


-----------------------------------
Top 10 Policy name
-----------------------------------
2  52230
55  13257
1494  7369
6075  5548
6063  1433
1562  1346
67  1267
6035  1171
6181  1039
578  955


-----------------------------------
Top 10 Incoming interface
-----------------------------------
reth1.0  52250
reth0.0  40724


-----------------------------------
Top 10 Session Timout
-----------------------------------
9752  86
9832  76
9934  76
9798  75
9734  75
9702  74
9662  74
9634  74
9636  72
9668  72
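
The counting steps shown in the run above, as an added example that is not the jsa.pl script from the post: a Python parser that tallies top talkers from the In: wing of each session. The sample dump is constructed and follows the usual "show security flow session" layout, which is an assumption here; the field names in `FIELDS` are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the usual "show security flow session" layout
# (assumed; exact fields can differ between Junos releases).
SAMPLE = """\
Session ID: 101, Policy name: web-in/55, Timeout: 1798, Valid
  In: 192.168.1.33/55490 --> 10.10.219.16/80;tcp, If: reth1.0, Pkts: 12, Bytes: 900
  Out: 10.10.219.16/80 --> 192.168.1.33/55490;tcp, If: reth0.0, Pkts: 10, Bytes: 4000
Session ID: 102, Policy name: web-in/55, Timeout: 1790, Valid
  In: 192.168.1.33/55491 --> 10.10.219.16/80;tcp, If: reth1.0, Pkts: 3, Bytes: 180
  Out: 10.10.219.16/80 --> 192.168.1.33/55491;tcp, If: reth0.0, Pkts: 2, Bytes: 120
Session ID: 103, Policy name: dns-out/2, Timeout: 58, Valid
  In: 10.10.10.12/27545 --> 10.10.229.20/53;udp, If: reth0.0, Pkts: 1, Bytes: 70
  Out: 10.10.229.20/53 --> 10.10.10.12/27545;udp, If: reth1.0, Pkts: 1, Bytes: 90
Total sessions: 3
"""

HEADER = re.compile(r"^Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+)")
# Tolerates extra fields between the protocol and "If:".
WING_IN = re.compile(r"^\s*In: (\S+)/(\d+) --> (\S+)/(\d+);([\w-]+),.*? If: ([^,\s]+)")

FIELDS = ("src-ip", "src-port", "dst-ip", "dst-port", "protocol", "policy", "interface")

def analyze(lines):
    """Count sessions per field, using only the In: wing of each session."""
    stats = {name: Counter() for name in FIELDS}
    policy = None
    for line in lines:
        m = HEADER.match(line)
        if m:
            policy = m.group(2)      # kept as "name/index", as printed
            continue
        m = WING_IN.match(line)
        if m and policy is not None:
            src, sport, dst, dport, proto, ifname = m.groups()
            for key, val in zip(FIELDS, (src, sport, dst, dport, proto, policy, ifname)):
                stats[key][val] += 1
            policy = None            # one In: wing per session; skip strays
    return stats

def top(stats, field, n=10):
    return stats[field].most_common(n)

if __name__ == "__main__":
    result = analyze(SAMPLE.splitlines())
    for field in FIELDS:
        print(f"Top 10 {field}")
        for value, count in top(result, field):
            print(f"{value}  {count}")
```

A single source or destination holding a large share of the session table is the pattern to look for when the table is near exhaustion. For a real dump, pass an open file handle to `analyze()` so the file is read line by line.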