https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930624#M558446 You can also install tcpdump from the HP Internet Express bundle (software.hp.com) and say:<BR /><BR />tcpdump -i <INTERFACENAME> -w <TRACEFILE> port <PORTNUMBER><BR /><BR />and later post-process the file via:<BR /><BR />tcpdump -r <TRACEFILE><BR /><BR />and/or use any of the tools that know how to read a tcpdump trace.<BR /><BR />Another consideration, albeit with at least as much overhead if not possibly more, is to use tusc to system call trace the specific application - that will of course not give you the TCP/IP/Ethernet headers, but you can still see the application data, and get some idea of what the application does with the data.</TRACEFILE></PORTNUMBER></TRACEFILE></INTERFACENAME> Mon, 03 Oct 2005 11:41:42 GMT rick jones 2005-10-03T11:41:42Z https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930622#M558444 I have a request to collect/report on data transmitted across port 26204, which is used to transmit information for a particular application. How would I configure nettladm to filter information at this level? Or is there a better tool to use? Fri, 30 Sep 2005 17:42:58 GMT https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930622#M558444 Ted Ellis_2 2005-09-30T17:42:58Z https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930623#M558445 Hi Ted,<BR /><BR />to collect data transmitted across specific port, you need to start tracing on data across that port. to do so :<BR /><BR />first: start the nettladm, then choose traceing subsystem from the list menu.<BR /><BR />select the appropriate subsystem (NS_LS_TCP or NS_LS_UDP)from the subsystems listed. from the action menu choose modify tracing.<BR /><BR />in the modify tracing set the "Include in Tracing" to "yes", check the "Incomming Protocol Data Unit" and "Outgoing Protocol Data Unit" as appropriate.<BR /><BR />in the "Specify Filter (Optional)" specify your source/destination ip/port. then click on "ok"<BR /><BR />After that you have to start the configured tracing from the Action menu.<BR /><BR />Note: * You can control the trace file size &amp; location from "Modify Startup Parameters" in the Action Menu.<BR /> ** To create a report from the collected data use Create report from File menu.<BR /> *** to stop tracing, choose stop tracing from Action menu. and toggle the "Include in Trace" to No in "Modify tracing"<BR /><BR />Regards<BR /><BR /><BR /> Sat, 01 Oct 2005 03:45:48 GMT https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930623#M558445 Nemer_1 2005-10-01T03:45:48Z https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930624#M558446 You can also install tcpdump from the HP Internet Express bundle (software.hp.com) and say:<BR /><BR />tcpdump -i <INTERFACENAME> -w <TRACEFILE> port <PORTNUMBER><BR /><BR />and later post-process the file via:<BR /><BR />tcpdump -r <TRACEFILE><BR /><BR />and/or use any of the tools that know how to read a tcpdump trace.<BR /><BR />Another consideration, albeit with at least as much overhead if not possibly more, is to use tusc to system call trace the specific application - that will of course not give you the TCP/IP/Ethernet headers, but you can still see the application data, and get some idea of what the application does with the data.</TRACEFILE></PORTNUMBER></TRACEFILE></INTERFACENAME> Mon, 03 Oct 2005 11:41:42 GMT https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930624#M558446 rick jones 2005-10-03T11:41:42Z https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930625#M558447 Ted,<BR />I have just started using Snort on HP-UX and find it to be a great and easy tool to use. You can get Snort (and also download pcre-6.2) from the HP-UX porting and archiving center. You will also need libpcap. The install takes less than a minute for all 3. Then you can simply do:<BR />snort -vde port 26204<BR />You can also pipe that into a file. Snort has many powerful features that you might find useful. Here are the links to the 3 downloads:<BR />snort:<BR /><A href="http://hpux.cs.utah.edu/hppd/hpux/Networking/Admin/snort-2.3.3/" target="_blank">http://hpux.cs.utah.edu/hppd/hpux/Networking/Admin/snort-2.3.3/</A><BR />pcre:<BR /><A href="http://hpux.cs.utah.edu/hppd/hpux/Languages/pcre-6.2/" target="_blank">http://hpux.cs.utah.edu/hppd/hpux/Languages/pcre-6.2/</A><BR />libpcap:<BR /><A href="http://hpux.cs.utah.edu/hppd/hpux/Networking/Admin/libpcap-0.9.3/" target="_blank">http://hpux.cs.utah.edu/hppd/hpux/Networking/Admin/libpcap-0.9.3/</A><BR /><BR />HTH<BR />-Hazem Mon, 03 Oct 2005 12:12:15 GMT https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930625#M558447 Hazem Mahmoud_3 2005-10-03T12:12:15Z https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930626#M558448 this system is HPUX 11.0. I would like to grab a pre-compiled version or depot for installation. the sites listed here only have packages for 11.11. Anyone know where to locate 11.0 ones? Tue, 04 Oct 2005 14:48:34 GMT https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930626#M558448 Ted Ellis_2 2005-10-04T14:48:34Z https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930627#M558449 tcpdump and libpcap sources from <A href="http://www.isc.org" target="_blank">www.isc.org</A> will likely compile and run just fine on 11.0 - I used to build them on 11.0 with the HP compilers.<BR /><BR />If you haven't done so already, getting started on an OS upgrade might not be a bad idea. If you can jump all the way up to 11.23 (11iv2) that would be best, but going to 11.11 (11iv1) would be better than nothing. Tue, 04 Oct 2005 14:51:03 GMT https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930627#M558449 rick jones 2005-10-04T14:51:03Z https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930628#M558450 You can use TCPDUMP, Ethereal for capturing and analysis. For 11.0, you need to download source code and compile yourself. <BR /><BR /><A href="http://www.tcpdump.org" target="_blank">www.tcpdump.org</A><BR /><A href="http://www.ethereal.com" target="_blank">www.ethereal.com</A><BR /><BR />-Arun Tue, 04 Oct 2005 22:36:53 GMT https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930628#M558450 Arunvijai_4 2005-10-04T22:36:53Z https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930629#M558451 Ofcourse, another option would be to use <BR />HP-UX IPFilter. Takes 10 seconds to configure<BR />it for the logging you want. If you are using<BR />HP-UX 11i v2, it would be already installed<BR />on your system.<BR /><BR />- Biswajit<BR /> Wed, 05 Oct 2005 01:05:49 GMT https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930629#M558451 Biswajit Tripathy 2005-10-05T01:05:49Z https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930630#M558452 thanks all... I have compiled tcpdump successfully. No more replies required Wed, 05 Oct 2005 15:10:25 GMT https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930630#M558452 Ted Ellis_2 2005-10-05T15:10:25Z https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930631#M558455 solution in hand Wed, 05 Oct 2005 15:13:39 GMT https://community.hpe.com/t5/operating-system-hp-ux/nettladm-to-capture-data-on-single-port/m-p/4930631#M558455 Ted Ellis_2 2005-10-05T15:13:39Z