Troubleshooting guide

Chapter 2 Troubleshooting Tools VPN-1/FireWall-1 Control Commands

Advanced Technical Reference Guide 4.1 • June 2000 10

fw ctl debug

The fw ctl debug command is a powerful debugging tool, which is very helpful when debugging

VPN-1/FireWall-1.

With its many commands it is possible to see nearly everything that happens in the kernel module.

Syntax

balance | chain

To start debug mode;

fw ctl debug [command]

To cancel the debugging;

fw ctl debug 0

Apart from this method of operation there is an option to use the debug commands from a window rather than

from the console (console being the default option).

In most cases, you would need to run the debug as follows:

% fw ctl debug –buf [buffer size] /* direct the information to a buffer */

% fw ctl debug command1 command2 /* generate the required data in that buffer */

% fw ctl kdebug –f > output_file /* Read the kernel buffer and print it to a file */

After all the necessary data is gathered, interrupt the last command using Ctrl-C

Cancel the debugging using fw ctl debug 0

The available fw ctl debug commands

Option Meaning

all All the switches. This option is not recommended. The amount of data massive and it will be

almost impossible to get any useful information. On some platforms it could crash the machine,

as the operating system will try to write massive amounts of data to the console.

Cookie With the cookie switch turned on, all the cookies (the data structure that holds the packets) are

shown. (cookies are used in order to avoid the problems that arise from the ways different

Operating Systems handle packets).

Example:

M_dup(fwcookie.c:2464): 7E492D0

m_dup(fwcookie.c:2464): 7E492D0

Explanation

Those are just pointers to the data. (the actual cookies)

crypt With this option turned on, all the encrypted/decrypted packets are printed in clear text and

cipher text. The algorithms and keys that used are also printed

See “crypt” Example, Output and Explanation, on page 12.