Stefan Schulz
Honored Contributor

Question on ethereal

I installed and used ethereal to track down a problem with ARP packets. After some more experiments I found that ethereal captures only broadcasts and traffic to and from my own workstation. It doesn't get the whole network traffic.

I would like to use ethereal to get some more information about the traffic in the network. Also I would like to capture the traffic between some of our servers. But if I set the capture filter to "host server1 and host server2" I get nothing except for broadcasts.

Is this a problem with ethereal, the configuration of ethereal, my hardware, or some drivers?

I use an (old) C100 with an internal 10 MBit Ethernet card and HP-UX 10.20. The latest patches have been installed with the Y2K jumbo patch.

Any hints?
No Mouse found. System halted. Press Mousebutton to continue.
John Palmer
Honored Contributor

Re: Question on ethereal

Stefan,

The only thing that I can think of is that you have to switch your network card into 'promiscuous mode'. This means that it will read rather than discard network packets that are not addressed to it.

Unfortunately, I don't remember how to do this but it's a hint anyway.

Regards,
John
Steve Sauve
Frequent Advisor

Re: Question on ethereal

Just a thought, but if you guys use switches instead of flat hubs I believe they will keep you from seeing the traffic. Also a router between you and your server could keep you from seeing much. Check the network between yourself and the machines you're trying to check.

Hope this helps,
Steve
Stefan Schulz
Honored Contributor

Re: Question on ethereal

John:

I found some parameters in the kernel pointing towards this promiscuous mode:

# nm /stand/vmunix | grep -i promisc
hp_dlpi_promisc_list| 4279208|extern|data |$BSS$
hp_promisc_list | 4315464|extern|data |$BSS$
lan_promisc_initialized| 4256160|extern|data |$SHORTDATA$

But unfortunately I have no experience of what to do with this info. I heard something about using a program 'adb' to modify those parameters. But how, and what can I set those parameters to?

Steve:

We do use some switches, but I should be able to see at least the traffic in the same segment. AFAIK our network is not totally switched. Only the main part is done with switches, which go to hubs to the workstations. (Uhh, sounds like bad English)

So can anybody help me to set my NIC to this 'promiscuous mode'? I don't have the necessary knowledge and can't find any helpful documentation.

Thanks for your help.
No Mouse found. System halted. Press Mousebutton to continue.
Anthony Goonetilleke
Esteemed Contributor

Re: Question on ethereal

Why don't you use nettl? I use it to capture all network traffic and it works quite well in debugging things.

TRACING - trace all packets seen by the device driver on the HP nodes, except diskless packets. These packets are those packets sent by the node, or addressed to the node.

1. Start Trace - put data into 1MB trace file. The data will be stored in /tmp/raw.TRC0 and /tmp/raw.TRC1
The most recent data will always be in TRC0, when it fills up, TRC0 is renamed TRC1, and new logging continues in the TRC0 file. They fill up quickly!

/etc/nettl -tn pduin pduout -e all -f /tmp/raw

If needing to trace the LOOPBACK interface as well, consider:

/etc/nettl -tn pduin pduout loopback -e all -f /tmp/trace

2. Stop trace as soon as an event occurs!

/etc/nettl -tf -e all

3. Format trace into a print file:
/etc/netfmt -N -n -l -f /tmp/raw.TRC0 [ -c /tmp/filter ] > /tmp/fmt0
/etc/netfmt -N -n -l -f /tmp/raw.TRC1 [ -c /tmp/filter ] > /tmp/fmt1

-N - print in "nice" format (e.g. interpret)
-n - print IP addresses, not hostnames
-l - do not highlight fields (for hpterm)
-f - optional, use a filter file (see "filtering", below)

NOTE - netfmt takes a while to run!
There will be plenty of info in the trace file -
Interpretation may be necessary!

3a. Filtering. Create a filter file to tell netfmt what packets you
are interested in seeing.

E.g. only display packets to/from IP address 192.10.10.1:
filter ip_saddr 192.10.10.1
filter ip_daddr 192.10.10.1

Filter out all but NFS packets (to/from UDP port 2049)
filter udp_sport 2049
filter udp_dport 2049

Filter out all but TCP packets to/from port 25 (sendmail)
filter tcp_sport 25
filter tcp_dport 25

Filter on ethernet addresses:
filter dest 08-00-09-49-91-4a
filter source 08-00-09-49-91-4a

You can put these together (e.g. filter all NFS packets to/from IP addr)
filter ip_saddr 192.10.10.1
filter ip_daddr 192.10.10.1
filter udp_sport 2049
filter udp_dport 2049
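The nettl/netfmt procedure above (start trace, stop trace, format through a filter file) as an added shell wrapper. This is my own example, not from the thread or from HP; it assumes the /etc/nettl and /etc/netfmt paths used in the post, and the helper names mk_filter and nettl_capture are mine.

```sh
#!/bin/sh
# Added example: wrap the nettl trace procedure described in the thread.
# Assumes HP-UX /etc/nettl and /etc/netfmt; helper names are hypothetical.

# mk_filter HOST [PROTO PORT]
# Print a netfmt filter file selecting traffic to/from HOST and, if given,
# to/from PROTO (tcp|udp) port PORT. Lines follow the syntax shown above.
mk_filter() {
    host=$1; proto=$2; port=$3
    [ -n "$host" ] || { echo "mk_filter: host required" >&2; return 1; }
    printf 'filter ip_saddr %s\nfilter ip_daddr %s\n' "$host" "$host"
    if [ -n "$proto" ] && [ -n "$port" ]; then
        case $proto in
            tcp|udp) ;;
            *) echo "mk_filter: proto must be tcp or udp" >&2; return 1 ;;
        esac
        printf 'filter %s_sport %s\nfilter %s_dport %s\n' \
            "$proto" "$port" "$proto" "$port"
    fi
}

# nettl_capture SECONDS PREFIX FILTERFILE
# Step 1: start tracing into PREFIX.TRC0/TRC1; wait SECONDS for the event.
# Step 2: stop the trace.  Step 3: format each trace file through FILTERFILE
# (-N nice, -n numeric addresses, -l no highlighting) into PREFIX.fmtN.
nettl_capture() {
    secs=$1; prefix=$2; filt=$3
    [ -r "$filt" ] || { echo "nettl_capture: no filter file $filt" >&2; return 1; }
    /etc/nettl -tn pduin pduout -e all -f "$prefix" || return 1
    sleep "$secs"
    /etc/nettl -tf -e all
    for n in 0 1; do
        [ -f "$prefix.TRC$n" ] || continue
        /etc/netfmt -N -n -l -f "$prefix.TRC$n" -c "$filt" > "$prefix.fmt$n"
    done
}

# Usage (on the HP-UX host): capture 60 s of NFS traffic to/from one address.
# mk_filter 192.10.10.1 udp 2049 > /tmp/filter
# nettl_capture 60 /tmp/raw /tmp/filter
```

Remember that, as the thread notes, nettl only sees frames the driver receives, so on a switched segment the filter still only yields this host's own traffic and broadcasts.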


HP-UX 10.20 and 11.X can use tcpdump/libpcap as found at ftp://ftp.ee.lbl.gov./ To select the interface to trace, one uses the -i option and gives the interface name as "/dev/dlpiN" where N is the PPA of the device. One uses lanscan to find PPAs. On 10.20, the PPA happens to be the same as the Network Management ID (NMID) and is not the same as the N in "lanN." On 11.X, the PPA happens to be the same as the Card Instance number and happens to be the same as the N in "lanN." The /dev/dlpiN specified to tcpdump/libpcap is not the same as the device file /dev/dlpiM. What actually happens is tcpdump/libpcap opens /dev/dlpi and binds to PPA N. The /dev/dlpiM device files are for other uses.

(this is from an ITRC doc but I forgot the ID of it)



Minimum effort maximum output!
Stefan Schulz
Honored Contributor

Re: Question on ethereal

Like ethereal, nettl only captures packets to and from my workstation and broadcasts. The same with tcpdump.

I think the problem has something to do with this 'promiscuous mode'. If this is not the problem, then our network hardware labeled 'hub' is really a switch and I won't see anything.

Still I would like to give it a try. Can somebody help me to set my NIC to this 'promiscuous mode'?
No Mouse found. System halted. Press Mousebutton to continue.