Operating System - HP-UX

Greg Fraser_1
Honored Contributor

How to Snoop or Trace on HPUX system

I need to know how I can capture packets coming into my HPUX server. The problem is, every 24 hours something is doing an snmp query on my server, and failing. I need to capture the raw packets to determine where this snmp request is coming from. Is there an HPUX equivalent of the Solaris snoop tool ? Is there an HPUX tool that will allow me to capture the packets to a file and then view and search the contents of this file ?

Any suggestions are appreciated.

Thanks

GP
**Any opinions expressed in this forum are my own personal opinion and should not be interpreted as an official statement on behalf of Hewlett Packard Enterprise**
Sridhar Bhaskarla
Honored Contributor

Re: How to Snoop or Trace on HPUX system

Hi Greg,

There are a number of ways. You can use nettl to capture the packets and then use netfmt to format the contents. Check nettl and netfmt man pages.

There is another piece of software that works like snoop. You can get it from HP's free software site.

http://hpux.ee.ualberta.ca/hppd/hpux/Networking/Admin/snort-1.8.1/

What I like is ethereal, but it has a lot of dependencies. It is a very nice graphical tool.

http://hpux.ee.ualberta.ca/hppd/hpux/Gtk/Applications/ethereal-0.8.20/

Unfortunately all these tools consume a lot of disk space. So, if you know the precise time of this attack, it will be helpful. Do not run them for more than 5 mins.

Enable logging with snmp by invoking it with the -l option.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
James R. Ferguson
Acclaimed Contributor

Re: How to Snoop or Trace on HPUX system

Hi Greg:

Have a look at 'nettl' (see 'man 1M nettl').

Regards!

...JRF...
A. Clay Stephenson
Acclaimed Contributor

Re: How to Snoop or Trace on HPUX system

Hi Greg:

One very good tool that is available for free is ethereal. It includes a very nice GUI interface but you will need to download and compile/link the source.

http://hpux.cs.utah.edu/hppd/hpux/Gtk/Applications/ethereal-0.8.20/



If it ain't broke, I can fix that.
Sridhar Bhaskarla
Honored Contributor

Re: How to Snoop or Trace on HPUX system

Hi (again) Greg,

If you want to know only the server that is doing snmp queries, you can invoke the snmpd server with the -m option. Check the man page for the snmpdm server. However, this will not daemonize the server. So, you need to manually kill snmpdm and start it later after the tracing is done. To do it:

1. Kill the snmpdm process (use /sbin script)
2. Run manually with tracing

snmpdm -m 8388608 (check the man page)

3. Once the attack is over, look at the /var/adm/snmpd.log file to find out the source address. Kill this process and start it through the sbin scripts as usual.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
Steven Sim Kok Leong
Honored Contributor

Re: How to Snoop or Trace on HPUX system

Hi,

One way is to make use of netstat to trace the connecting source. This requires constant polling.

$ netstat -a | grep udp | grep snmp
udp 0 0 *.snmp *.*

To avoid constant polling and monitoring, another way is to run your legitimate snmpd on udp port 163 while, on the original udp port 161, you run a udp daemon program to trap the originating source.

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
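The "udp daemon program to trap the originating source" that Steven describes, written out as an added example (this is not code from the thread, from HP or from HP-UX; it is a stand-alone Python listener). It binds udp/161, and for every datagram logs the source address and port, the SNMP version, the community string, the PDU type and the request-id, decoded by a small BER TLV walker, and never replies, so the unknown querier still sees the same timeout it saw before. Assumptions, also marked in the code: the log path /var/adm/snmp_decoy.log is hypothetical, and the sample datagram at the bottom is constructed by hand for self-testing, not captured from a real host. Moving the real snmpd to port 163 is not covered here; while the decoy runs, legitimate managers polling 161 get no answer either.

```python
"""UDP decoy on port 161: record who is sending SNMP and what they ask for.

Added example, not code from the original thread. Assumptions are labelled:
the log path, that the decoy never answers, and the constructed sample
datagram used for self-testing.
"""
import datetime
import os
import socket

SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}


def ber_tlv(buf, pos):
    """Decode one BER tag/length/value at buf[pos:] -> (tag, value, next_pos).

    Handles short-form and long-form (up to 4 length bytes) lengths and raises
    ValueError on anything truncated, so a malformed datagram is logged as an
    error instead of crashing the decoy.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of datagram")
    return tag, buf[pos:end], end


def parse_snmp(datagram):
    """Return version, community, PDU type and request-id of an SNMP message.

    SNMPv1/v2c layout: SEQUENCE { INTEGER version, OCTET STRING community, PDU }.
    SNMPv3 carries msgGlobalData instead of a community; only the version is
    reported for it, which is still enough to fingerprint the sender.
    """
    tag, body, _ = ber_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, ver, pos = ber_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(ver, "big")
    info = {"version": SNMP_VERSIONS.get(version, "unknown(%d)" % version)}
    if version == 3:
        return info
    tag, community, pos = ber_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    info["community"] = community.decode("latin-1")
    tag, pdu, _ = ber_tlv(body, pos)
    info["pdu"] = PDU_TYPES.get(tag, "0x%02x" % tag)
    if tag != 0xA4:                         # every PDU except the v1 Trap starts with request-id
        rtag, rid, _ = ber_tlv(pdu, 0)
        if rtag == 0x02:
            info["request_id"] = int.from_bytes(rid, "big", signed=True)
    return info


def describe(src, sport, datagram, when=None):
    """Build one log line per datagram; parse failures are recorded, not raised."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    try:
        fields = parse_snmp(datagram)
    except ValueError as exc:
        fields = {"error": str(exc)}
    return "%s %s:%d %dB %s" % (when.isoformat(), src, sport, len(datagram), fields)


def run_decoy(bind_addr="0.0.0.0", port=161, logfile="/var/adm/snmp_decoy.log"):
    """Bind the real SNMP port, log every datagram, never reply.

    Needs root to bind 161. The log path is an assumption. The log holds
    community strings (credentials), so it is created mode 0600.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    fd = os.open(logfile, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a") as log:
        while True:
            data, (src, sport) = sock.recvfrom(65535)
            log.write(describe(src, sport, data) + "\n")
            log.flush()


# Constructed sample, not a real capture: SNMPv1 GetRequest, community
# "public", request-id 42, one varbind for sysDescr.0 (1.3.6.1.2.1.1.1.0).
SAMPLE_V1_GET = bytes.fromhex(
    "3026" "020100" "0406" "7075626c6963"
    "a019" "02012a" "020100" "020100"
    "300e" "300c" "06082b06010201010100" "0500")

if __name__ == "__main__":
    run_decoy()
```

Run it as root during the window in which the query is expected and read the log afterwards; the source address is the answer to the original question, and the community string tells you whether the querier is using a string that should still be valid on this host. Because the decoy only reads, an oversized or malformed datagram ends up as an "error" line rather than a crash.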
Steven Gillard_2
Honored Contributor

Re: How to Snoop or Trace on HPUX system

Here's how to do it with nettl:

1. Create a file called filter with the following line:

filter udp_dport 161

2. Then run the following command:

# nettl -tn pduin -e ns_ls_ip -s 1024 | netfmt -lnN -c filter > /tmp/nettl.out

You can stop the trace with:

# nettl -tf -e all

The file /tmp/nettl.out will contain the formatted trace output.

Regards,
Steve