
Re: Monitor Socket Connection Attempts?

Jim Turner
HPE Pro

Monitor Socket Connection Attempts?

Greetings!

Here's the situation: I'm working with an outside vendor that connects to us via MQ Series through a firewall to a server in our environment. The vendor says he's making a connection attempt. The LAN guys say they see the connection attempt at the firewall and that it must be a problem on "our end" not accepting the connection. However, I never see a socket connection from the vendor with netstat. Further, it is our contention that the connection request is never making it to our box.

Is there a good way to reliably monitor/log all TCP connection attempts (successful and unsuccessful) that my HP-UX box gets?

Thanks!
Jim

[Cross-posted to dutchworks]
Jim Turner
HPE Pro

Re: Monitor Socket Connection Attempts?

I should add that we can connect to the queue in question from a local server with no problem at all.
James R. Ferguson
Acclaimed Contributor
Solution

Re: Monitor Socket Connection Attempts?

Hi Jim!

Restart 'inetd' with logging enabled:

# /usr/sbin/inetd -l

From the man pages for 'inetd(1M)', "If no inetd is running, the -l option causes the inetd to start with connection logging enabled. Otherwise the -l option causes inetd to send the signal SIGQUIT to the inetd that is already running, which causes it to toggle the state of connection logging."

Regards!

...JRF...
Bill Douglass
Esteemed Contributor

Re: Monitor Socket Connection Attempts?

You can monitor connections using a packet-capture tool like tcpdump:

http://hpux.cs.utah.edu/hppd/hpux/Networking/Admin/tcpdump-3.7.2/

Also requires that you install libpcap:

http://hpux.cs.utah.edu/hppd/hpux/Networking/Admin/libpcap-0.7.2/


You can also use nettl, which is likely on your system now. Check the nettl manpage.

Filter on the IP address or port of interest, and you should be able to tell if the SYN packets are ever reaching your host. You should also see if a response is being sent from your host.
Michael Steele_2
Honored Contributor

Re: Monitor Socket Connection Attempts?

Absolutely, tcpdump:

http://hpux.cs.utah.edu/hppd/hpux/Networking/Admin/tcpdump-3.7.2/

The best.

Also try lsof:

lsof -i tcp:23
lsof -i udp:23
Support Fatherhood - Stop Family Law
Jim Keeble
Trusted Contributor

Re: Monitor Socket Connection Attempts?


As root:

cat >filter
filter tcp_sport
filter tcp_dport
^D

nettl -tn pduin pduout -e ns_ls_ip -s 1024 | netfmt -N1nT -c filter -F

The -F will cause the netfmt to "follow" the input pipe until you interrupt it with ^C. The filter will sort out only the traffic for the one application.

Try a connection from a client that works so you can see what it should look like. (If there's a lot of traffic, you might get 1000's of lines of output). Then try a connection from the client outside the firewall. If you don't see the packets from that host in the trace, it never got to you.

The inetd logging is only valid if your app uses inetd to accept connections. If it has its own listener (like oracle, for example), inetd logging won't do any good, but nettl will capture ANY traffic.
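
Added example, not part of any post in this thread: a small Python classifier for `tcpdump -n` text output that applies the check described in the two replies above (did the SYN reach the host, and did the host answer). The addresses, the listener port 1414 and the capture lines are constructed sample values; both the older and the newer tcpdump line formats are handled.

```python
import re
from collections import defaultdict

# tcpdump -n lines: old style ("a.p > b.p: S 1:1(0)") and new ("IP a.p > b.p: Flags [S.]").
LINE = re.compile(
    r"^\S+ (?:IP )?(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<new>[^\]]+)\]|(?P<old>[SFPRW.]+) )"
)

def classify(lines, server_ip, server_port):
    """Map each client (ip, port) that sent a SYN to the listener to a verdict."""
    server = (server_ip, server_port)
    events = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        flags = m.group("new") or m.group("old")
        src = (m.group("src"), int(m.group("sport")))
        dst = (m.group("dst"), int(m.group("dport")))
        if dst == server and "S" in flags:
            events[src].add("syn")
        elif src == server and "S" in flags:
            events[dst].add("synack")  # SYN from the listener side is a SYN-ACK
        elif src == server and "R" in flags:
            events[dst].add("rst")
    verdicts = {}
    for client, ev in events.items():
        if "syn" not in ev:
            continue  # reply with no captured SYN: capture started mid-connection
        if "synack" in ev:
            verdicts[client] = "accepted"
        elif "rst" in ev:
            verdicts[client] = "refused by host"
        else:
            verdicts[client] = "SYN arrived, host sent no reply"
    return verdicts

# Constructed sample capture; addresses and port 1414 are assumed values.
SAMPLE = [
    "12:00:01.000001 192.0.2.20.40000 > 192.0.2.10.1414: S 100:100(0) win 32768",
    "12:00:01.000150 192.0.2.10.1414 > 192.0.2.20.40000: S 900:900(0) ack 101 win 32768",
    "12:00:01.000300 192.0.2.20.40000 > 192.0.2.10.1414: . ack 1 win 32768",
    "12:00:05.000001 IP 198.51.100.9.40001 > 192.0.2.10.1414: Flags [S], seq 5, win 65535, length 0",
    "12:00:05.000090 IP 192.0.2.10.1414 > 198.51.100.9.40001: Flags [R.], seq 0, ack 6, win 0, length 0",
    "12:00:09.000001 IP 198.51.100.9.40002 > 192.0.2.10.1414: Flags [S], seq 7, win 65535, length 0",
]
if __name__ == "__main__":
    print(classify(SAMPLE, "192.0.2.10", 1414))
```

A client address that is missing from the result sent no SYN that the capture saw, which is the "it never got to you" case.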

Jim Turner
HPE Pro

Re: Monitor Socket Connection Attempts?

Thanks all for the excellent advice. It turned out to be simplest to use inetd's logging to prove what we already knew. Someone mucked-up a firewall ACL which jammed the traffic before it got to us.

Regards,
Jim