nexmon – Blame information for rev 1
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 1 | office | 1 | For HP-UX 11i (11.11) and later, there are no known issues with |
| 2 | promiscuous mode under HP-UX. If you are using a earlier version of |
||
| 3 | HP-UX and cannot upgrade, please continue reading. |
||
| 4 | |||
| 5 | HP-UX patches to fix packet capture problems |
||
| 6 | |||
| 7 | Note that packet-capture programs such as tcpdump may, on HP-UX, not be |
||
| 8 | able to see packets sent from the machine on which they're running. |
||
| 9 | Some articles on groups.google.com discussing this are: |
||
| 10 | |||
| 11 | http://groups.google.com/groups?selm=82ld3v%2480i%241%40mamenchi.zrz.TU-Berlin.DE |
||
| 12 | |||
| 13 | which says: |
||
| 14 | |||
| 15 | Newsgroups: comp.sys.hp.hpux |
||
| 16 | Subject: Re: Did someone made tcpdump working on 10.20 ? |
||
| 17 | Date: 12/08/1999 |
||
| 18 | From: Lutz Jaenicke <jaenicke@emserv1.ee.TU-Berlin.DE> |
||
| 19 | |||
| 20 | In article <82ks5i$5vc$1@news1.dti.ne.jp>, mtsat <mtsat@iris.dti.ne.jp> |
||
| 21 | wrote: |
||
| 22 | >Hello, |
||
| 23 | > |
||
| 24 | >I downloaded and compiled tcpdump3.4 a couple of week ago. I tried to use |
||
| 25 | >it, but I can only see incoming data, never outgoing. |
||
| 26 | >Someone (raj) explained me that a patch was missing, and that this patch |
||
| 27 | >must me "patched" (poked) in order to see outbound data in promiscuous mode. |
||
| 28 | >Many things to do .... So the question is : did someone has already this |
||
| 29 | >"ready to use" PHNE_**** patch ? |
||
| 30 | |||
| 31 | Two things: |
||
| 32 | 1. You do need a late "LAN products cumulative patch" (e.g. PHNE_18173 |
||
| 33 | for s700/10.20). |
||
| 34 | 2. You must use |
||
| 35 | echo 'lanc_outbound_promisc_flag/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem |
||
| 36 | You can insert this e.g. into /sbin/init.d/lan |
||
| 37 | |||
| 38 | Best regards, |
||
| 39 | Lutz |
||
| 40 | |||
| 41 | and |
||
| 42 | |||
| 43 | http://groups.google.com/groups?selm=88cf4t%24p03%241%40web1.cup.hp.com |
||
| 44 | |||
| 45 | which says: |
||
| 46 | |||
| 47 | Newsgroups: comp.sys.hp.hpux |
||
| 48 | Subject: Re: tcpdump only shows incoming packets |
||
| 49 | Date: 02/15/2000 |
||
| 50 | From: Rick Jones <foo@bar.baz.invalid> |
||
| 51 | |||
| 52 | Harald Skotnes <harald@cc.uit.no> wrote: |
||
| 53 | > I am running HPUX 11.0 on a C200 hanging on a 100Mb switch. I have |
||
| 54 | > compiled libpcap-0.4 an tcpdump-3.4 and it seems to work. But at a |
||
| 55 | > closer look I only get to see the incoming packets not the |
||
| 56 | > outgoing. I have tried tcpflow-0.12 which also uses libpcap and the |
||
| 57 | > same thing happens. Could someone please give me a hint on how to |
||
| 58 | > get this right? |
||
| 59 | |||
| 60 | Search/Read the archives ?-) |
||
| 61 | |||
| 62 | What you are seeing is expected, un-patched, behaviour for an HP-UX |
||
| 63 | system. On 11.00, you need to install the latest lancommon/DLPI |
||
| 64 | patches, and then the latest driver patch for the interface(s) in use. |
||
| 65 | At that point, a miracle happens and you should start seeing outbound |
||
| 66 | traffic. |
||
| 67 | |||
| 68 | [That article also mentions the patch that appears below.] |
||
| 69 | |||
| 70 | and |
||
| 71 | |||
| 72 | http://groups.google.com/groups?selm=38AA973E.96BE7DF7%40cc.uit.no |
||
| 73 | |||
| 74 | which says: |
||
| 75 | |||
| 76 | Newsgroups: comp.sys.hp.hpux |
||
| 77 | Subject: Re: tcpdump only shows incoming packets |
||
| 78 | Date: 02/16/2000 |
||
| 79 | From: Harald Skotnes <harald@cc.uit.no> |
||
| 80 | |||
| 81 | Rick Jones wrote: |
||
| 82 | |||
| 83 | ... |
||
| 84 | |||
| 85 | > What you are seeing is expected, un-patched, behaviour for an HP-UX |
||
| 86 | > system. On 11.00, you need to install the latest lancommon/DLPI |
||
| 87 | > patches, and then the latest driver patch for the interface(s) in |
||
| 88 | > use. At that point, a miracle happens and you should start seeing |
||
| 89 | > outbound traffic. |
||
| 90 | |||
| 91 | Thanks a lot. I have this problem on several machines running HPUX |
||
| 92 | 10.20 and 11.00. The machines where patched up before y2k so did not |
||
| 93 | know what to think. Anyway I have now installed PHNE_19766, |
||
| 94 | PHNE_19826, PHNE_20008, PHNE_20735 on the C200 and now I can see the |
||
| 95 | outbound traffic too. Thanks again. |
||
| 96 | |||
| 97 | (although those patches may not be the ones to install - there may be |
||
| 98 | later patches). |
||
| 99 | |||
| 100 | And another message to tcpdump-workers@tcpdump.org, from Rick Jones: |
||
| 101 | |||
| 102 | Date: Mon, 29 Apr 2002 15:59:55 -0700 |
||
| 103 | From: Rick Jones |
||
| 104 | To: tcpdump-workers@tcpdump.org |
||
| 105 | Subject: Re: [tcpdump-workers] I Can't Capture the Outbound Traffic |
||
| 106 | |||
| 107 | ... |
||
| 108 | |||
| 109 | http://itrc.hp.com/ would be one place to start in a search for the most |
||
| 110 | up-to-date patches for DLPI and the lan driver(s) used on your system (I |
||
| 111 | cannot guess because 9000/800 is too generic - one hs to use the "model" |
||
| 112 | command these days and/or an ioscan command (see manpage) to guess what |
||
| 113 | the drivers (btlan[3456], gelan, etc) might be involved in addition to |
||
| 114 | DLPI. |
||
| 115 | |||
| 116 | Another option is to upgrade to 11i as outbound promiscuous mode support |
||
| 117 | is there in the base OS, no patches required. |
||
| 118 | |||
| 119 | Another posting: |
||
| 120 | |||
| 121 | http://groups.google.com/groups?selm=7d6gvn%24b3%241%40ocean.cup.hp.com |
||
| 122 | |||
| 123 | indicates that you need to install the optional STREAMS product to do |
||
| 124 | captures on HP-UX 9.x: |
||
| 125 | |||
| 126 | Newsgroups: comp.sys.hp.hpux |
||
| 127 | Subject: Re: tcpdump HP/UX 9.x |
||
| 128 | Date: 03/22/1999 |
||
| 129 | From: Rick Jones <foo@bar.baz> |
||
| 130 | |||
| 131 | Dave Barr (barr@cis.ohio-state.edu) wrote: |
||
| 132 | : Has anyone ported tcpdump (or something similar) to HP/UX 9.x? |
||
| 133 | |||
| 134 | I'm reasonably confident that any port of tcpdump to 9.X would require |
||
| 135 | the (then optional) STREAMS product. This would bring DLPI, which is |
||
| 136 | what one uses to access interfaces in promiscuous mode. |
||
| 137 | |||
| 138 | I'm not sure that HP even sells the 9.X STREAMS product any longer, |
||
| 139 | since HP-UX 9.X is off the pricelist (well, maybe 9.10 for the old 68K |
||
| 140 | devices). |
||
| 141 | |||
| 142 | Your best bet is to be up on 10.20 or better if that is at all |
||
| 143 | possible. If your hardware is supported by it, I'd go with HP-UX 11. |
||
| 144 | If you want to see the system's own outbound traffic, you'll never get |
||
| 145 | that functionality on 9.X, but it might happen at some point for 10.20 |
||
| 146 | and 11.X. |
||
| 147 | |||
| 148 | rick jones |
||
| 149 | |||
| 150 | (as per other messages cited here, the ability to see the system's own |
||
| 151 | outbound traffic did happen). |
||
| 152 | |||
| 153 | Rick Jones reports that HP-UX 11i needs no patches for outbound |
||
| 154 | promiscuous mode support. |
||
| 155 | |||
| 156 | An additional note, from Jost Martin, for HP-UX 10.20: |
||
| 157 | |||
| 158 | Q: How do I get ethereral on HPUX to capture the _outgoing_ packets |
||
| 159 | of an interface |
||
| 160 | A: You need to get PHNE_20892,PHNE_20725 and PHCO_10947 (or |
||
| 161 | newer, this is as of 4.4.00) and its dependencies. Then you can |
||
| 162 | enable the feature as descibed below: |
||
| 163 | |||
| 164 | Patch Name: PHNE_20892 |
||
| 165 | Patch Description: s700 10.20 PCI 100Base-T cumulative patch |
||
| 166 | To trace the outbound packets, please do the following |
||
| 167 | to turn on a global promiscuous switch before running |
||
| 168 | the promiscuous applications like snoop or tcpdump: |
||
| 169 | |||
| 170 | adb -w /stand/vmunix /dev/mem |
||
| 171 | lanc_outbound_promisc_flag/W 1 |
||
| 172 | (adb will echo the result showing that the flag has |
||
| 173 | been changed) |
||
| 174 | $quit |
||
| 175 | (Thanks for this part to HP-support, Ratingen) |
||
| 176 | |||
| 177 | The attached hack does this and some security-related stuff |
||
| 178 | (thanks to hildeb@www.stahl.bau.tu-bs.de (Ralf Hildebrandt) who |
||
| 179 | posted the security-part some time ago) |
||
| 180 | |||
| 181 | <<hack_ip_stack>> |
||
| 182 | |||
| 183 | (Don't switch IP-forwarding off, if you need it !) |
||
| 184 | Install the hack as /sbin/init.d/hacl_ip_stack (adjust |
||
| 185 | permissions !) and make a sequencing-symlink |
||
| 186 | /sbin/rc2.d/S350hack_ip_stack pointing to this script. |
||
| 187 | Now all this is done on every reboot. |
||
| 188 | |||
| 189 | According to Rick Jones, the global promiscuous switch also has to be |
||
| 190 | turned on for HP-UX 11.00, but not for 11i - and, in fact, the switch |
||
| 191 | doesn't even exist on 11i. |
||
| 192 | |||
| 193 | Here's the "hack_ip_stack" script: |
||
| 194 | |||
| 195 | -----------------------------------Cut Here------------------------------------- |
||
| 196 | #!/sbin/sh |
||
| 197 | # |
||
| 198 | # nettune: hack kernel parms for safety |
||
| 199 | |||
| 200 | OKAY=0 |
||
| 201 | ERROR=-1 |
||
| 202 | |||
| 203 | # /usr/contrib/bin fuer nettune auf Pfad |
||
| 204 | PATH=/sbin:/usr/sbin:/usr/bin:/usr/contrib/bin |
||
| 205 | export PATH |
||
| 206 | |||
| 207 | |||
| 208 | ########## |
||
| 209 | # main # |
||
| 210 | ########## |
||
| 211 | |||
| 212 | case $1 in |
||
| 213 | start_msg) |
||
| 214 | print "Tune IP-Stack for security" |
||
| 215 | exit $OKAY |
||
| 216 | ;; |
||
| 217 | |||
| 218 | stop_msg) |
||
| 219 | print "This action is not applicable" |
||
| 220 | exit $OKAY |
||
| 221 | ;; |
||
| 222 | |||
| 223 | stop) |
||
| 224 | exit $OKAY |
||
| 225 | ;; |
||
| 226 | |||
| 227 | start) |
||
| 228 | ;; # fall through |
||
| 229 | |||
| 230 | *) |
||
| 231 | print "USAGE: $0 {start_msg | stop_msg | start | stop}" >&2 |
||
| 232 | exit $ERROR |
||
| 233 | ;; |
||
| 234 | esac |
||
| 235 | |||
| 236 | ########### |
||
| 237 | # start # |
||
| 238 | ########### |
||
| 239 | |||
| 240 | # |
||
| 241 | # tcp-Sequence-Numbers nicht mehr inkrementieren sondern random |
||
| 242 | # Syn-Flood-Protection an |
||
| 243 | # ip_forwarding aus |
||
| 244 | # Source-Routing aus |
||
| 245 | # Ausgehende Packets an ethereal/tcpdump etc. |
||
| 246 | |||
| 247 | /usr/contrib/bin/nettune -s tcp_random_seq 2 || exit $ERROR |
||
| 248 | /usr/contrib/bin/nettune -s hp_syn_protect 1 || exit $ERROR |
||
| 249 | /usr/contrib/bin/nettune -s ip_forwarding 0 || exit $ERROR |
||
| 250 | echo 'ip_block_source_routed/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem || exit $ERROR |
||
| 251 | echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem || exit $ERROR |
||
| 252 | |||
| 253 | exit $OKAY |
||
| 254 | -----------------------------------Cut Here------------------------------------- |