- 论坛徽章:
- 0
|
关于攻击防范!
HOW TO TAKE A NETWORK TRACE ON HP-UX:
Step 1: Begin LAN Tracing to a Raw Trace File:
# nettl -tn 0x30800000 -e ns_ls_ip -size 1024 -tracemax 99999 -f /tmp/raw0
This will trace packets in, packets out, and loopback packets at the IP Layer (ns_ls_ip).
If you need link-specific packet tracing you must specify the appropriate network driver or "-e all":
For tracing on a built-in 10Base* ETHERNET, use '-e ns_ls_driver'
For ATM, use '-e atm' or '-e all'
For Classic X.25 Level 2 use '-e x25l2 -c x25_0'
For Classic X.25 Level 3 use '-e x25l3 -c x25_0'
For Streams X.25 Level 2 use '-e sx25l2 -c x25_0'
For Streams X.25 Level 3 use '-e sx25l3 -c x25_0'
For 100BaseT, use the specific 100BT driver for your system or '-e all'
For S800 HP-PB 100BaseT use '-e lan100'.
For S800 HSC 100BaseT use '-e GSC100BT'.
For A,B,C,J Built-in 10/100BaseT use '-e base100'.
For PCI (non SPP) 100BT use '-e PCI100BT'.
For N,V Class SPP 100BT use '-e SPP100BT'.
For A,L,N Class Dual PCI + SCSI-2 card use '-e BASE100BT'.
For EISA 100BaseT use '=e EISA100BT'.
For GIGABIT use '-e GELAN'.
FOR APA use ' -e APAPORT'.
For HP-PB TOKEN RING, use '-e TOKEN' or '-e all'
For PCI TOKEN RING, use '-e PCITR' or '-e all'
For HP-PB FDDI ring, use '-e FDDI' or '-e all'
For PCI FDDI ring, use '-e PCI_FDDI' or '-e all'
For HSC FDDI ring, use '-e HSC_FDDI' or '-e all'
For EISA FDDI ring, use '-e EISA FDDI' or '-e all'
Check with the nettl -status command to find out which LAN driver you need to trace.
Note 1: -c specifies which X.25 card on the system
Note 2: specify '-e all' if you have no idea what network card the system has. You can specify multiple drivers e.g. '-e FDDI lan100'.
Note 3: specifying '-e all' will result in multiple layers tracing the packets (e.g. driver, IP, TCP etc.)
Note 4: ACC ACC only uses nettl LOGGING, the is no builtin trace utility for ACC. There is an ADD-ON ACC product called X.25 Protocol Analyzer that utilizes 2 of the ACC ports to "eavesdrop" on a port, and produces a "datascope" type output. You must purchase the X.25 Protocol Analyzer product in order to use it.
Step 2: Reproduce the Network "Event" or Error Condition
Step 3: Stop Tracing to the Raw Trace File As Soon As Possible
# nettl -tf -e all
Step 4: Format the Raw LAN Trace So You Can Read It
You can either do a "1-liner" trace for each packet, or you can do a detailed trace format.
If tracing 100BaseT, ATM, TokenRing, FDDI, etc. you must format the trace on a system with the link product installed!
In either case, you can create a "filter file" to narrow down the packets being analyzed.
Step 5 discusses packet filter files.
Please note the most recent packets will be in the /tmp/raw0.TRC0 and older packets will be in /tmp/raw0.TRC1. The trace files "wrap around" and fill up VERY quickly. It may take you several attempts to trap the network event in the raw trace file.
Step 4.1: To create 1-liner trace analysis file of all packets in capture file:
# netfmt -N -n -l -1 -f /tmp/raw0.TRC0 > /tmp/fmt-10
Step 4.2: To create a 1-liner trace analysis file using a packet filter:
See information in Step #5 on creating a filter file.
# netfmt -N -n -l -1 -c /tmp/filterfile -f /tmp/raw0.TRC0 > /tmp/fmt-10
Step 4.3: To create detailed trace analysis of all packets in capture file:
# netfmt -N -n -l -f /tmp/raw0.TRC0 > /tmp/fmt0
Step 4.4: To create a detailed trace analysis file using a packet filter:
See information in Step #5 on creating a filter file.
# netfmt -N -n -l -c /tmp/filterfile -f /tmp/raw0.TRC0 > /tmp/fmt-10
Step 5: How to create a filter file so you only see "Interesting" packets:
Here are some example filter files. Be careful, nettl matches on the first filter element!
EXAMPLE 5.1: To view packets sent to and received from an IP address by the host running the nettl trace:
filter ip_saddr 192.6.2.1
filter ip_daddr 192.6.2.1
EXAMPLE 5.2: To view packets sent to and received from an Ethernet address by the host running the nettl trace:
filter source 08-00-09-00-12-3c
filter dest 08-00-09-00-12-3c
EXAMPLE 5.3: To see NFS packets sent to and from the host doing trace:
filter udp_sport 2049 /* UDP port 2049 = nfsd */
filter udp_dport 2049 /* UDP port 2049 = nfsd */
EXAMPLE 5.4: To see only telnet packets sent to and from the host doing the trace:
filter tcp_sport 23 /* TCP port 23 = telnet */
filter tcp_dport 23 /* TCP port 23 = telent */
The following (taken from the netfmt man page) may also help:
________________________________________________________________
Layer 1
dest hardware destination address
source hardware source address
interface software network interface
_________________________________________________________________
Layer 2
ssap IEEE802.2 source sap
dsap IEEE802.2 destination sap
type Ethernet type
_________________________________________________________________
Layer 3
ip_saddr IP source address
ip_daddr IP destination address
_________________________________________________________________
Layer 4
tcp_sport TCP source port
tcp_dport TCP destination port
udp_sport UDP source port
udp_dport UDP destination port
connection a level 4 (TCP, UDP, PXP) connection
_________________________________________________________________
Layer 5
rpcprogram RPC program
rpcprocedure RPC procedure
rpcdirection RPC call or reply
How to Run nettl+netfmt to Observe Packets "On the Fly":
This is an interactive trace that displays the trace file on the screen, and tee's the output to a file. Make sure you make a specific filterfile first, and specify the appropriate driver in the -e parameter:
# nettl -tn 0x30800000 -e ns_ls_driver | netfmt -F -N -n -l -c filterfile | tee /tmp/fmt0
Don't forget your filterfile. Here is an example:
filter ip_saddr 192.9.9.1
filter ip_daddr 192.9.9.1
To stop the trace:
CTRL/C the nettl command you started above, then
# nettl -tf -e all
The formatted trace file will be in the /tmp/fmt0 file. There will be not be any raw file produced. |
|
免费注册
发表于 2004-07-17 21:19
