JP Abgrall | 511eca3 | 2014-02-12 13:46:45 -0800 | 1 | For HP-UX 11i (11.11) and later, there are no known issues with |
| 2 | promiscuous mode under HP-UX. If you are using an earlier version of |
| 3 | HP-UX and cannot upgrade, please continue reading. |
| 4 | |
| 5 | HP-UX patches to fix packet capture problems |
| 6 | |
| 7 | Note that packet-capture programs such as tcpdump may, on HP-UX, not be |
| 8 | able to see packets sent from the machine on which they're running. |
| 9 | Some articles on groups.google.com discussing this are: |
| 10 | |
| 11 | http://groups.google.com/groups?selm=82ld3v%2480i%241%40mamenchi.zrz.TU-Berlin.DE |
| 12 | |
| 13 | which says: |
| 14 | |
| 15 | Newsgroups: comp.sys.hp.hpux |
| 16 | Subject: Re: Did someone made tcpdump working on 10.20 ? |
| 17 | Date: 12/08/1999 |
| 18 | From: Lutz Jaenicke <jaenicke@emserv1.ee.TU-Berlin.DE> |
| 19 | |
| 20 | In article <82ks5i$5vc$1@news1.dti.ne.jp>, mtsat <mtsat@iris.dti.ne.jp> |
| 21 | wrote: |
| 22 | >Hello, |
| 23 | > |
| 24 | >I downloaded and compiled tcpdump3.4 a couple of weeks ago. I tried to use |
| 25 | >it, but I can only see incoming data, never outgoing. |
| 26 | >Someone (raj) explained me that a patch was missing, and that this patch |
| 27 | >must be "patched" (poked) in order to see outbound data in promiscuous mode. |
| 28 | >Many things to do .... So the question is : did someone has already this |
| 29 | >"ready to use" PHNE_**** patch ? |
| 30 | |
| 31 | Two things: |
| 32 | 1. You do need a late "LAN products cumulative patch" (e.g. PHNE_18173 |
| 33 | for s700/10.20). |
| 34 | 2. You must use |
| 35 | echo 'lanc_outbound_promisc_flag/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem |
| 36 | You can insert this e.g. into /sbin/init.d/lan |
| 37 | |
| 38 | Best regards, |
| 39 | Lutz |
| 40 | |
| 41 | and |
| 42 | |
| 43 | http://groups.google.com/groups?selm=88cf4t%24p03%241%40web1.cup.hp.com |
| 44 | |
| 45 | which says: |
| 46 | |
| 47 | Newsgroups: comp.sys.hp.hpux |
| 48 | Subject: Re: tcpdump only shows incoming packets |
| 49 | Date: 02/15/2000 |
| 50 | From: Rick Jones <foo@bar.baz.invalid> |
| 51 | |
| 52 | Harald Skotnes <harald@cc.uit.no> wrote: |
| 53 | > I am running HPUX 11.0 on a C200 hanging on a 100Mb switch. I have |
| 54 | > compiled libpcap-0.4 and tcpdump-3.4 and it seems to work. But at a |
| 55 | > closer look I only get to see the incoming packets not the |
| 56 | > outgoing. I have tried tcpflow-0.12 which also uses libpcap and the |
| 57 | > same thing happens. Could someone please give me a hint on how to |
| 58 | > get this right? |
| 59 | |
| 60 | Search/Read the archives ?-) |
| 61 | |
| 62 | What you are seeing is expected, un-patched, behaviour for an HP-UX |
| 63 | system. On 11.00, you need to install the latest lancommon/DLPI |
| 64 | patches, and then the latest driver patch for the interface(s) in use. |
| 65 | At that point, a miracle happens and you should start seeing outbound |
| 66 | traffic. |
| 67 | |
| 68 | [That article also mentions the patch that appears below.] |
| 69 | |
| 70 | and |
| 71 | |
| 72 | http://groups.google.com/groups?selm=38AA973E.96BE7DF7%40cc.uit.no |
| 73 | |
| 74 | which says: |
| 75 | |
| 76 | Newsgroups: comp.sys.hp.hpux |
| 77 | Subject: Re: tcpdump only shows incoming packets |
| 78 | Date: 02/16/2000 |
| 79 | From: Harald Skotnes <harald@cc.uit.no> |
| 80 | |
| 81 | Rick Jones wrote: |
| 82 | |
| 83 | ... |
| 84 | |
| 85 | > What you are seeing is expected, un-patched, behaviour for an HP-UX |
| 86 | > system. On 11.00, you need to install the latest lancommon/DLPI |
| 87 | > patches, and then the latest driver patch for the interface(s) in |
| 88 | > use. At that point, a miracle happens and you should start seeing |
| 89 | > outbound traffic. |
| 90 | |
| 91 | Thanks a lot. I have this problem on several machines running HPUX |
| 92 | 10.20 and 11.00. The machines were patched up before y2k so did not |
| 93 | know what to think. Anyway I have now installed PHNE_19766, |
| 94 | PHNE_19826, PHNE_20008, PHNE_20735 on the C200 and now I can see the |
| 95 | outbound traffic too. Thanks again. |
| 96 | |
| 97 | (although those patches may not be the ones to install - there may be |
| 98 | later patches). |
| 99 | |
| 100 | And another message to tcpdump-workers@tcpdump.org, from Rick Jones: |
| 101 | |
| 102 | Date: Mon, 29 Apr 2002 15:59:55 -0700 |
| 103 | From: Rick Jones |
| 104 | To: tcpdump-workers@tcpdump.org |
| 105 | Subject: Re: [tcpdump-workers] I Can't Capture the Outbound Traffic |
| 106 | |
| 107 | ... |
| 108 | |
| 109 | http://itrc.hp.com/ would be one place to start in a search for the most |
| 110 | up-to-date patches for DLPI and the lan driver(s) used on your system (I |
| 111 | cannot guess because 9000/800 is too generic - one has to use the "model" |
| 112 | command these days and/or an ioscan command (see manpage) to guess what |
| 113 | the drivers (btlan[3456], gelan, etc) might be involved in addition to |
| 114 | DLPI. |
| 115 | |
| 116 | Another option is to upgrade to 11i as outbound promiscuous mode support |
| 117 | is there in the base OS, no patches required. |
| 118 | |
| 119 | Another posting: |
| 120 | |
| 121 | http://groups.google.com/groups?selm=7d6gvn%24b3%241%40ocean.cup.hp.com |
| 122 | |
| 123 | indicates that you need to install the optional STREAMS product to do |
| 124 | captures on HP-UX 9.x: |
| 125 | |
| 126 | Newsgroups: comp.sys.hp.hpux |
| 127 | Subject: Re: tcpdump HP/UX 9.x |
| 128 | Date: 03/22/1999 |
| 129 | From: Rick Jones <foo@bar.baz> |
| 130 | |
| 131 | Dave Barr (barr@cis.ohio-state.edu) wrote: |
| 132 | : Has anyone ported tcpdump (or something similar) to HP/UX 9.x? |
| 133 | |
| 134 | I'm reasonably confident that any port of tcpdump to 9.X would require |
| 135 | the (then optional) STREAMS product. This would bring DLPI, which is |
| 136 | what one uses to access interfaces in promiscuous mode. |
| 137 | |
| 138 | I'm not sure that HP even sells the 9.X STREAMS product any longer, |
| 139 | since HP-UX 9.X is off the pricelist (well, maybe 9.10 for the old 68K |
| 140 | devices). |
| 141 | |
| 142 | Your best bet is to be up on 10.20 or better if that is at all |
| 143 | possible. If your hardware is supported by it, I'd go with HP-UX 11. |
| 144 | If you want to see the system's own outbound traffic, you'll never get |
| 145 | that functionality on 9.X, but it might happen at some point for 10.20 |
| 146 | and 11.X. |
| 147 | |
| 148 | rick jones |
| 149 | |
| 150 | (as per other messages cited here, the ability to see the system's own |
| 151 | outbound traffic did happen). |
| 152 | |
| 153 | Rick Jones reports that HP-UX 11i needs no patches for outbound |
| 154 | promiscuous mode support. |
| 155 | |
| 156 | An additional note, from Jost Martin, for HP-UX 10.20: |
| 157 | |
| 158 | Q: How do I get ethereal on HPUX to capture the _outgoing_ packets |
| 159 | of an interface |
| 160 | A: You need to get PHNE_20892,PHNE_20725 and PHCO_10947 (or |
| 161 | newer, this is as of 4.4.00) and its dependencies. Then you can |
| 162 | enable the feature as described below: |
| 163 | |
| 164 | Patch Name: PHNE_20892 |
| 165 | Patch Description: s700 10.20 PCI 100Base-T cumulative patch |
| 166 | To trace the outbound packets, please do the following |
| 167 | to turn on a global promiscuous switch before running |
| 168 | the promiscuous applications like snoop or tcpdump: |
| 169 | |
| 170 | adb -w /stand/vmunix /dev/mem |
| 171 | lanc_outbound_promisc_flag/W 1 |
| 172 | (adb will echo the result showing that the flag has |
| 173 | been changed) |
| 174 | $quit |
| 175 | (Thanks for this part to HP-support, Ratingen) |
| 176 | |
| 177 | The attached hack does this and some security-related stuff |
| 178 | (thanks to hildeb@www.stahl.bau.tu-bs.de (Ralf Hildebrandt) who |
| 179 | posted the security-part some time ago) |
| 180 | |
| 181 | <<hack_ip_stack>> |
| 182 | |
| 183 | (Don't switch IP-forwarding off, if you need it !) |
| 184 | Install the hack as /sbin/init.d/hack_ip_stack (adjust |
| 185 | permissions !) and make a sequencing-symlink |
| 186 | /sbin/rc2.d/S350hack_ip_stack pointing to this script. |
| 187 | Now all this is done on every reboot. |
| 188 | |
| 189 | According to Rick Jones, the global promiscuous switch also has to be |
| 190 | turned on for HP-UX 11.00, but not for 11i - and, in fact, the switch |
| 191 | doesn't even exist on 11i. |
| 192 | |
| 193 | Here's the "hack_ip_stack" script: |
| 194 | |
| 195 | -----------------------------------Cut Here------------------------------------- |
| 196 | #!/sbin/sh |
| 197 | # |
| 198 | # nettune: hack kernel parms for safety |
| 199 | |
| 200 | OKAY=0 |
| 201 | ERROR=-1 |
| 202 | |
| 203 | # put /usr/contrib/bin on the PATH for nettune |
| 204 | PATH=/sbin:/usr/sbin:/usr/bin:/usr/contrib/bin |
| 205 | export PATH |
| 206 | |
| 207 | |
| 208 | ########## |
| 209 | # main # |
| 210 | ########## |
| 211 | |
| 212 | case $1 in |
| 213 | start_msg) |
| 214 | print "Tune IP-Stack for security" |
| 215 | exit $OKAY |
| 216 | ;; |
| 217 | |
| 218 | stop_msg) |
| 219 | print "This action is not applicable" |
| 220 | exit $OKAY |
| 221 | ;; |
| 222 | |
| 223 | stop) |
| 224 | exit $OKAY |
| 225 | ;; |
| 226 | |
| 227 | start) |
| 228 | ;; # fall through |
| 229 | |
| 230 | *) |
| 231 | print "USAGE: $0 {start_msg | stop_msg | start | stop}" >&2 |
| 232 | exit $ERROR |
| 233 | ;; |
| 234 | esac |
| 235 | |
| 236 | ########### |
| 237 | # start # |
| 238 | ########### |
| 239 | |
| 240 | # |
| 241 | # TCP sequence numbers: random instead of incrementing |
| 242 | # SYN flood protection on |
| 243 | # ip_forwarding off |
| 244 | # Source routing off |
| 245 | # Outgoing packets to ethereal/tcpdump etc. |
| 246 | |
| 247 | /usr/contrib/bin/nettune -s tcp_random_seq 2 || exit $ERROR |
| 248 | /usr/contrib/bin/nettune -s hp_syn_protect 1 || exit $ERROR |
| 249 | /usr/contrib/bin/nettune -s ip_forwarding 0 || exit $ERROR |
| 250 | echo 'ip_block_source_routed/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem || exit $ERROR |
| 251 | echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem || exit $ERROR |
| 252 | |
| 253 | exit $OKAY |
| 254 | -----------------------------------Cut Here------------------------------------- |
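
Added example, not part of this README or of the hack_ip_stack script: a POSIX shell helper that maps an HP-UX `uname -r` release string to the cases described above, so that the adb write is attempted only on 10.20 and 11.00 and skipped on 11i, where the switch does not exist. The function names and result labels are made up for this sketch; it assumes release strings of the form `B.11.00`.

```shell
#!/bin/sh
# Added example; function names and result labels are hypothetical.

# hpux_outbound_capture_action RELEASE
# Prints what this README says is needed to capture the host's own
# outbound packets on that release:
#   no-outbound     9.x: capture needs STREAMS/DLPI, own outbound never visible
#   patch-and-flag  10.20 / 11.00: LAN/DLPI patches plus lanc_outbound_promisc_flag
#   none            11i (11.11) and later: supported in the base OS
#   unknown         release string not parsed or not covered by the README
hpux_outbound_capture_action() {
    rel=${1#[A-Z].}                       # "B.11.00" -> "11.00"
    case "$rel" in
        *.*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${rel%%.*}
    minor=${rel#*.}; minor=${minor%%.*}
    case "$major$minor" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    # Drop one leading zero ("09" -> "9", "00" -> "0") before comparing.
    major=${major#0}; major=${major:-0}
    minor=${minor#0}; minor=${minor:-0}
    if [ "$major" -lt 10 ]; then
        echo no-outbound
    elif [ "$major" -eq 10 ] && [ "$minor" -eq 20 ]; then
        echo patch-and-flag
    elif [ "$major" -eq 11 ] && [ "$minor" -eq 0 ]; then
        echo patch-and-flag
    elif [ "$major" -gt 11 ] || { [ "$major" -eq 11 ] && [ "$minor" -ge 11 ]; }; then
        echo none
    else
        echo unknown
    fi
}

# Write the kernel flag (the adb command quoted in this README) only where it applies.
set_outbound_flag_if_needed() {
    action=$(hpux_outbound_capture_action "$1")
    if [ "$action" = patch-and-flag ]; then
        echo 'lanc_outbound_promisc_flag/W 1' | /usr/bin/adb -w /stand/vmunix /dev/kmem
    else
        echo "release $1: $action, kernel flag not written" >&2
    fi
}

# Only touch the kernel when actually running on HP-UX.
if [ "$(uname -s)" = HP-UX ]; then
    set_outbound_flag_if_needed "$(uname -r)"
fi
```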