How do I configure the Berkeley Packet Filter and capture tcpdump traces?
1) Installing packet filter support
tcpdump relies on a kernel option that ordinarily isn't enabled. You can fix
this either by adding "options PACKETFILTER" to the system's configuration
file and rebuilding (via doconfig -c) or by:
# doconfig
*** KERNEL CONFIGURATION AND BUILD PROCEDURE ***
Enter a name for the kernel configuration file. [ALINGO]: FILTER
You want to name the configuration file 'FILTER'
Is that correct? (y/n) [y]: y
*** KERNEL OPTION SELECTION ***
Selection Kernel Option
---------------------------------------------------------------
1 System V Devices
2 Logical Volume Manager (LVM)
3 Kernel Breakpoint Debugger (KDEBUG)
4 Packetfilter driver (PACKETFILTER)
5 STREAMS pckt module (PCKT)
6 Data Link Bridge (DLPI V2.0 Service Class 1)
7 X/Open Transport Interface (XTISO, TIMOD, TIRDWR)
8 File on File File System (FFM)
9 ISO 9660 Compact Disc File System (CDFS)
10 Audit Subsystem
11 Local Area Transport Support
12 All of the above
13 None of the above
---------------------------------------------------------------
Enter the selection number for each kernel option you want.
For example, 1 3 : 4
You selected the following kernel options:
Packetfilter driver (PACKETFILTER)
Is that correct? (y/n) [y]:
...
Rebuild and boot the new kernel.
2) Create the packetfilter devices:
# cd /dev
# ./MAKEDEV pfilt
MAKEDEV: special file(s) for pfilt:
pfilt0 pfilt1 pfilt2 pfilt3 pfilt4 pfilt5 pfilt6 ... pfilt63
3) Get a better tcpdump (pre V4.0 systems only)
Email me for a compressed, uuencoded file of a tcpdump that decodes NFS V3
and several other Sun RPC protocols (MOUNT, NIS, NLM, PORTMAP, and STATMON).
4) Enable local copy promiscuous mode
# pfconfig +p +c ln0 (or tu0 or whatever)
5) Run tcpdump
Please read the man pages before doing serious monitoring! To look at some
NFS traffic, try:
# tcpdump -s300 -c100 -Nt udp port 2049 [to look at all NFS traffic]
# tcpdump -s300 -c100 -Nt host foo [to look at all to/from foo]
-s300 "snaps" up the first 300 bytes of each message, generally enough to
get the lower level headers, the RPC header, and enough of the NFS protocol to
make sense of the requests. -c100 says to capture 100 messages and exit. -N
says to suppress the domain name (e.g. .zk3.dec.com) in hostnames. -t says to
suppress printing timestamps. The result is usually still too long for an
80-column screen; I keep a wide xterm lying around for most of my tcpdump
monitoring. The -m option splits some messages over multiple lines.
If you send people traces, I generally recommend that you capture data to
a binary file and send that. If the recipient needs to, he can run
tcpdump with extra filtering or -x (hex dump) to really dig into problems.
Do something like:
# tcpdump -w /usr/tmp/foo.dmp -s300 udp port 2049
tcpdump: listening on ln0
Using kernel BPF filter
^C
1040 packets
# compress foo.dmp
# uuencode foo.dmp.Z foo.uu
Capturing to a file bypasses all the decoding code, which can be very slow
and can generate its own IP traffic (e.g. resolving host names).
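To make concrete what the kernel BPF filters "udp port 2049" and "host foo" above actually match, and what -s300 leaves for the decoder, here is an added Python example that is not part of the original FAQ: it applies the same tests in user space to constructed Ethernet/IPv4/UDP frames. The addresses, ports and payloads are constructed sample values.

```python
import struct
import ipaddress

# Added example: a pure-Python version of the match performed by the kernel
# BPF filters "udp port <port>" and "host <addr>" over a raw Ethernet frame.
ETH_P_IP = 0x0800
IPPROTO_UDP = 17

def parse_frame(frame):
    """Return (src_ip, dst_ip, proto, src_port, dst_port), or None if not IPv4."""
    if len(frame) < 34:                       # Ethernet (14) + minimal IPv4 (20)
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_IP:                 # ARP, IPv6, ... never match
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                  # IHL field: header length in bytes
    proto = ip[9]
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    sport = dport = None
    if proto == IPPROTO_UDP and len(ip) >= ihl + 8:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, proto, sport, dport

def udp_port(frame, port):
    """Equivalent of the tcpdump expression 'udp port <port>' (either direction)."""
    p = parse_frame(frame)
    return p is not None and p[2] == IPPROTO_UDP and port in (p[3], p[4])

def host(frame, addr):
    """Equivalent of 'host <addr>': matches traffic to or from the address."""
    p = parse_frame(frame)
    return p is not None and addr in (p[0], p[1])

def snapped(frame, snaplen=300):
    """What -s<snaplen> hands to the decoder: only the first snaplen bytes."""
    return frame[:snaplen]

def build_udp_frame(src, dst, sport, dport, payload):
    """Constructed sample frame: Ethernet II + IPv4 (no options) + UDP."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     IPPROTO_UDP, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + payload

# Constructed samples: an NFS request to port 2049 and an unrelated DNS query.
NFS_FRAME = build_udp_frame("10.0.0.5", "10.0.0.9", 1023, 2049, b"\x00" * 120)
DNS_FRAME = build_udp_frame("10.0.0.5", "10.0.0.2", 1024, 53, b"\x00" * 40)
```

A large NFS reply snapped at 300 bytes still matches, because the Ethernet, IP and UDP headers all sit within the first 42 bytes.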