
Port monitoring software for hpux 11.11

 
wvsa
Regular Advisor

Port monitoring software for hpux 11.11

Fellow Admins;

Need a tool to monitor traffic coming through our ftp port(s). Does anyone know of a port monitoring software that will allow us to identify the source (ip address would be great) of network traffic coming through a specific port.

Thank you for your responses.

Norm
James R. Ferguson
Acclaimed Contributor

Re: Port monitoring software for hpux 11.11

Hi Norm:

You might be able to use a repetitive 'lsof' to collect your information into a file that could be analyzed.

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/lsof-4.78/

Regards!

...JRF...
wvsa
Regular Advisor

Re: Port monitoring software for hpux 11.11

Hello James

Like your idea, regarding a repetitive lsof what did you have in mind, cron or ? If I run lsof with no options we should be able to find the process trying to log in via ftp (port12).

Thanks again.

Norm
James R. Ferguson
Acclaimed Contributor
Solution

Re: Port monitoring software for hpux 11.11

Hi (again) Norm:

> Like your idea, regarding a repetitive lsof what did you have in mind, cron or ?

Frankly, I was thinking of launching a 'lsof' using its repeat mode ('-r ') and requesting formatted output suitable for later parsing ('-F'). The manpages for 'lsof' detail this, or see:

http://www.netadmintools.com/html/lsof.man.html

You might find this useful, too:

http://www.opensource.apple.com/darwinsource/10.3/lsof-12/lsof/00QUICKSTART

Regards!

...JRF...
Bill Hassell
Honored Contributor

Re: Port monitoring software for hpux 11.11

Are you looking for just a list of connections, or a list of the ftp commands, a list of all input and/or output files, or every packet that used the ftp ports (more than one)?

1. connections: ftpd -l
2. ftp commands: ftpd -l -L
3. input/output files: ftpd -l -L -i -o
4. every packet: use nettl (built-in) or wireshark (download)

The ftpd options are listed in the ftpd man page and must be changed in /etc/inetd.conf. The default location for these log entries is syslog.log and the facility used for ftpd is local5. Alternatively, you can use the /etc/ftpd/ftpaccess file to control logging options. Note that for option 4, the logs will be massive in size for a lot of ftp traffic.


Bill Hassell, sysadmin
wvsa
Regular Advisor

Re: Port monitoring software for hpux 11.11

James;

The lsof -i option did the job. Put lsof into cron and was able to find the ip address of the server submitting the ftp requests.

Norm
wvsa
Regular Advisor

Re: Port monitoring software for hpux 11.11

Bill;

Thanks for the ftpd options. Looks like wireshark has numerous pre-reqs. Will look into downloading and installing wireshark, it may be useful in the future.


Norm
Matti_Kurkela
Honored Contributor

Re: Port monitoring software for hpux 11.11

Just a few comments:

- Wireshark is available for Windows too, and it can read dumps created by tcpdump or HP-UX's native nettl tools.

Both tcpdump and wireshark are available in the free Internet Express software package from software.hp.com.

It might be more convenient to install Wireshark on your local workstation instead of the HP-UX server.

- There is no need to waste CPU power on a separate monitoring program: ftpd is invoked through inetd, and inetd can log the source hostname and IP address of all incoming connection attempts. The connection attempt is logged before the FTP login prompt is sent, so it will get failed FTP logins too.

Just start inetd with option "-l" (NOTE: lowercase L, not number 1)... or send a "kill -QUIT" to a running inetd to toggle the connection logging on. The log messages will be stored to syslog, and they should be of the form

ftp/tcp: Connection from remote_host (IP_address)

How to get network traffic dump using HP-UX native tools:
http://www.compute-aid.com/nettl.html
(just use wireshark to view the dump instead of netfmt)

Wireshark:
http://www.wireshark.org

MK
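An added example, not part of the original thread: a shell function that tallies FTP connection sources from the inetd connection-log lines described in the last reply. The syslog prefix (timestamp, host name, `inetd[pid]`), the function names and the sample lines are assumptions constructed for illustration; only the `ftp/tcp: Connection from remote_host (IP_address)` form comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): count FTP connection attempts per source
# using the lines inetd writes to syslog when connection logging is on.
# Assumed line form: "<syslog prefix> ftp/tcp: Connection from <host> (<ip>)".

# ftp_sources [FILE...]: print "count ip host" per source, busiest first.
# Reads stdin when no file is given (e.g. the syslog file on the server).
ftp_sources() {
    awk '
        {
            marker = "ftp/tcp: Connection from "
            i = index($0, marker)
            if (i == 0) next                      # not an inetd ftp line
            rest = substr($0, i + length(marker)) # "host (ip) ..."
            if (split(rest, f, " ") < 2) next     # truncated line
            if (f[2] !~ /^[(][0-9.]+[)]$/) next   # keep well-formed IPv4 only
            ip = substr(f[2], 2, length(f[2]) - 2)
            count[ip]++
            name[ip] = f[1]                       # last host name seen for ip
        }
        END {
            for (ip in count) printf "%d %s %s\n", count[ip], ip, name[ip]
        }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample log lines (documentation addresses, hypothetical hosts).
sample_log() {
    cat <<'EOF'
Mar  3 10:15:02 hpsrv inetd[1234]: ftp/tcp: Connection from client1.example.com (192.0.2.10)
Mar  3 10:15:09 hpsrv inetd[1234]: telnet/tcp: Connection from client2.example.com (192.0.2.20)
Mar  3 10:16:44 hpsrv inetd[1234]: ftp/tcp: Connection from client1.example.com (192.0.2.10)
Mar  3 10:17:01 hpsrv inetd[1234]: ftp/tcp: Connection from batch.example.com (198.51.100.7)
Mar  3 10:17:30 hpsrv ftpd[1300]: unrelated ftpd message (constructed)
Mar  3 10:18:00 hpsrv inetd[1234]: ftp/tcp: Connection from
EOF
}

sample_log | ftp_sources
```

Because inetd logs the connection before the login prompt is sent, the counts include sources whose FTP logins later fail.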