Parent document is top of "comp.sys.hp.hpux FAQ"
Previous document is "7.31 How come my /dev/null keeps getting blown away?"
Next document is "7.33 How come my processes keep dying at 67M memory usage?"

7.32 How can I track network packets?

*******************************************************
*
* Network Tracing with nettl -  for HPUX 8.x and up
*
*******************************************************
TRACING - trace all packets seen by the device driver
          on the HP nodes, except diskless packets.
          These packets are those packets sent by the
          node, or addressed to the node.

1.  Start Trace - put data into a 1MB trace file. The data
    will be stored in /tmp/raw.TRC0 and /tmp/raw.TRC1.
    The most recent data will always be in TRC0; when
    it fills up, TRC0 is renamed TRC1, and new logging
    continues in the TRC0 file.  They fill up quickly!

     /etc/nettl -tn pduin pduout -e all -f /tmp/raw

     If you need to trace the LOOPBACK interface as well,
     consider:

     /etc/nettl -tn pduin pduout loopback -e all -f /tmp/trace

2.  Stop trace as soon as an event occurs!

    /etc/nettl -tf -e all

3.  Format trace into a print file:

    /etc/netfmt -N -n -l -f /tmp/raw.TRC0 [ -c /tmp/filter ] > /tmp/fmt0
    /etc/netfmt -N -n -l -f /tmp/raw.TRC1 [ -c /tmp/filter ] > /tmp/fmt1

    -N - print in "nice" format (i.e. interpreted)
    -n - print IP addresses, not hostnames
    -l - do not highlight fields (for hpterm)
    -f - the raw trace file to format
    -c - optional, use a filter file (see "Filtering", below)

    NOTE - netfmt takes a while to run!
    There will be plenty of info in the trace file -
    Interpretation may be necessary!

3a. Filtering.  Create a filter file to tell netfmt what packets you
    are interested in seeing.

    E.g. only display packets to/from IP address 192.10.10.1:
    filter ip_saddr 192.10.10.1
    filter ip_daddr 192.10.10.1

    Filter out all but NFS packets (to/from UDP port 2049):
    filter udp_sport 2049
    filter udp_dport 2049

    Filter out all but TCP packets to/from port 25 (sendmail):
    filter tcp_sport 25
    filter tcp_dport 25

    Filter on ethernet addresses:
    filter dest 08-00-09-49-91-4a
    filter source 08-00-09-49-91-4a

    You can put these together (e.g. filter all NFS packets to/from IP addr):
    filter ip_saddr 192.10.10.1
    filter ip_daddr 192.10.10.1
    filter udp_sport 2049
    filter udp_dport 2049

(thanks to Brian Hackley, <hackley@apollo.hp.com>)
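
Added example (not part of the original FAQ entry or of HP's tools): a POSIX shell helper that writes filter lines in the step 3a format and rejects malformed addresses, ports and protocols before printing anything. The name gen_filter and its -i/-p/-P/-m options are assumptions made for this example; redirect its output to the file you pass to netfmt -c.

```shell
#!/bin/sh
# Added example: gen_filter is a hypothetical helper, not part of nettl/netfmt.
# Usage: sh gen_filter.sh [-i ip_addr] [-p tcp|udp -P port] [-m ether_addr]

valid_ip() {                        # dotted quad, each octet 0-255
    case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

valid_port() {                      # decimal 1-65535
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_mac() {                       # six hex pairs joined by '-', as in step 3a
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case $1 in $h-$h-$h-$h-$h-$h) return 0 ;; *) return 1 ;; esac
}

gen_filter() {
    f_ip='' f_proto='' f_port='' f_mac=''
    OPTIND=1
    while getopts i:p:P:m: opt; do
        case $opt in
            i) f_ip=$OPTARG ;;   p) f_proto=$OPTARG ;;
            P) f_port=$OPTARG ;; m) f_mac=$OPTARG ;;
            *) return 2 ;;
        esac
    done
    # Validate everything first so a bad argument produces no output at all.
    [ -z "$f_ip" ]  || valid_ip "$f_ip"   || { echo "bad IP: $f_ip" >&2; return 1; }
    [ -z "$f_mac" ] || valid_mac "$f_mac" || { echo "bad MAC: $f_mac" >&2; return 1; }
    if [ -n "$f_proto$f_port" ]; then
        case $f_proto in tcp|udp) ;; *) echo "-p must be tcp or udp" >&2; return 1 ;; esac
        valid_port "$f_port" || { echo "bad port: $f_port" >&2; return 1; }
    fi
    [ -z "$f_ip" ]   || printf 'filter ip_saddr %s\nfilter ip_daddr %s\n' "$f_ip" "$f_ip"
    [ -z "$f_port" ] || printf 'filter %s_sport %s\nfilter %s_dport %s\n' \
                               "$f_proto" "$f_port" "$f_proto" "$f_port"
    [ -z "$f_mac" ]  || printf 'filter dest %s\nfilter source %s\n' "$f_mac" "$f_mac"
    return 0
}

[ $# -eq 0 ] || gen_filter "$@"     # act as a command when given arguments
```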
