How can I track network packets?

TRACING - Trace all packets seen by the device driver on the HP nodes,
except diskless packets. Trace packets sent by the node, or
addressed to the node.

Network tracing can be done with nettl(1M). nettl can only be used by the
superuser, so su to root before proceeding.

1. Start Trace - put data into 1MB trace file. The data
will be stored in /tmp/raw.TRC0 and /tmp/raw.TRC1
The most recent data will always be in TRC0, when
it fills up, TRC0 is renamed TRC1, and new logging
continues in the TRC0 file. They fill up quickly!

nettl -tn all -e ns_ls_ip -size 1024 -tracemax 99999 -f /tmp/raw

This will trace packets in, packets out, and loopback packets at the IP
layer (ns_ls_ip). If you need link-specific packet tracing you must
specify the appropriate network driver or "-e all".

2. Stop trace as soon as an event occurs!

nettl -tf -e all

3. Format trace into a print file:

netfmt -N -n -l -f /tmp/raw.TRC0 [ -c /tmp/filter ] > /tmp/fmt0
netfmt -N -n -l -f /tmp/raw.TRC1 [ -c /tmp/filter ] > /tmp/fmt1

-N - print in "nice" format (e.g. interpret)
-n - print IP addresses, not hostnames
-l - do not highlight fields (for hpterm)
-f - input file (nettl-generated trace data)
-c - optional, use a filter file (see "filtering", below)

NOTE: netfmt takes a while to run! There will be plenty of info in
the trace file - interpretation may be necessary!

3a. Filtering. Create a filter file to tell netfmt what packets you
are interested in seeing.

E.g. only display packets to/from IP address 192.10.11.1:
filter ip_saddr 192.10.11.1
filter ip_daddr 192.10.11.1

Filter out all but NFS packets (to/from UDP port 2049):
filter udp_sport 2049
filter udp_dport 2049

Filter out all but TCP packets to/from port 25 (sendmail):
filter tcp_sport 25
filter tcp_dport 25

Filter on ethernet addresses:
filter dest 08-00-09-49-91-4a
filter source 08-00-09-49-91-4a

You can put these together (e.g. filter all NFS packets to/from IP
addr):
filter ip_saddr 192.10.11.1
filter ip_daddr 192.10.11.1
filter udp_sport 2049
filter udp_dport 2049

3b. To create timestamped 1-liner trace analysis file of all packets in
capture file:

# netfmt -N -n -l -1 -T -f /tmp/raw.TRC0 >/tmp/fmt0-1

...take note, that there is a -l (ell) and a -1 (number one)
specified!

To create a timestamped 1-liner trace analysis file using a packet
filter, first see information in Step #3a on creating a filter file,
then:

# netfmt -N -n -l -1 -T -c /tmp/filterfile -f /tmp/raw.TRC0 \
>/tmp/fmt0-1f

...take note, that there is a -l (ell) and a -1 (number one)
specified!
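The filter syntax from step 3a and the one-liner command from step 3b, wrapped in a small POSIX sh helper. This is an added example, not part of the original FAQ: mkfilter emits both directions of each selector (source and destination) so traffic to and from the endpoint is kept, and format_trace only invokes netfmt when it is actually installed, so the filter file can be generated and inspected on any system. The selector names (ip=, udp=, tcp=, mac=) are this example's own convention.

```shell
#!/bin/sh
# mkfilter: write netfmt filter lines from key=value selectors.
# Only the filter keywords shown in step 3a are used:
#   ip_saddr/ip_daddr, udp_sport/udp_dport, tcp_sport/tcp_dport, source/dest
# usage: mkfilter ip=192.10.11.1 udp=2049 tcp=25 mac=08-00-09-49-91-4a
mkfilter() {
    for sel in "$@"; do
        key=${sel%%=*}
        val=${sel#*=}
        case "$key" in
            ip)  printf 'filter ip_saddr %s\nfilter ip_daddr %s\n' "$val" "$val" ;;
            udp) printf 'filter udp_sport %s\nfilter udp_dport %s\n' "$val" "$val" ;;
            tcp) printf 'filter tcp_sport %s\nfilter tcp_dport %s\n' "$val" "$val" ;;
            mac) printf 'filter source %s\nfilter dest %s\n' "$val" "$val" ;;
            *)   echo "mkfilter: unknown selector '$key' (use ip=, udp=, tcp=, mac=)" >&2
                 return 1 ;;
        esac
    done
}

# format_trace FILTERFILE SELECTOR...
# Writes the filter file, then produces the timestamped one-line-per-packet
# listing of /tmp/raw.TRC0 exactly as in step 3b (note -l is ell, -1 is one).
# netfmt exists only on HP-UX; elsewhere just the filter file is produced.
format_trace() {
    filterfile=$1; shift
    mkfilter "$@" > "$filterfile" || return 1
    if command -v netfmt >/dev/null 2>&1; then
        netfmt -N -n -l -1 -T -c "$filterfile" -f /tmp/raw.TRC0
    else
        echo "netfmt not found; filter written to $filterfile" >&2
    fi
}
```

For the "NFS to/from one host" case from step 3a, `format_trace /tmp/filter ip=192.10.11.1 udp=2049 > /tmp/fmt0-1f` reproduces the four-line filter file and the filtered one-liner output.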

HP-UX 10.20 and 11.X can use tcpdump/libpcap as found at
<ftp://ftp.ee.lbl.gov/>. To select the interface to trace, one uses the -i
option and gives the interface name as "/dev/dlpiN" where N is the PPA
of the device. One uses lanscan to find PPAs. On 10.20, the PPA happens
to be the same as the Network Management ID (NMID) and is not the same
as the N in "lanN." On 11.X, the PPA happens to be the same as the Card
Instance number and happens to be the same as the N in "lanN." The
/dev/dlpiN specified to tcpdump/libpcap is not the same as the device
file /dev/dlpiM. What actually happens is that tcpdump/libpcap opens /dev/dlpi
and binds to PPA N. The /dev/dlpiM device files are for other uses.
