HOW TO TAKE A NETWORK TRACE ON HP-UX:

Page Updated 7/6/2000

Comments or suggestions to Brian Hackley


Step 1: Begin Lan Tracing to a Raw Trace File
Step 2: Reproduce the Network "Event" or Error Condition
Step 3: Stop Tracing to the Raw Trace File As Soon As Possible
Step 4: Format the Raw LAN Trace So You Can Read It (choose one of these methods):
........4.1: To create a 1-liner trace analysis file of all packets
........4.2: To create a 1-liner trace analysis file using a packet filter
........4.3: To create a detailed trace analysis of all packets
........4.4: To create a detailed trace analysis file using a packet filter
Step 5: How to create a filter file so you only see "Interesting" packets
........5.1: Filter based on IP Address
........5.2: Filter based on Ethernet Address
........5.3: Filter based on UDP Port (example: NFS)
........5.4: Filter based on TCP Port (example: telnet)
More detail on Filters
How to Run nettl+netfmt to Observe Packets "On the Fly"
Uuencoding a raw Nettl Trace File to Email to HP Network Support:


Step 1: Begin LAN Tracing to a Raw Trace File:

# nettl -tn 0x30800000 -e ns_ls_ip -size 1024 -tracemax 99999 -f /tmp/raw0

This will trace packets in, packets out, and loopback packets at the IP Layer (ns_ls_ip).

If you need link-specific packet tracing you must specify the appropriate network driver or "-e all":

For tracing on a built-in 10Base* ETHERNET, use '-e ns_ls_driver'
For ATM, use '-e atm' or '-e all'
For Classic X.25 Level 2 use '-e x25l2 -c x25_0'
For Classic X.25 Level 3 use '-e x25l3 -c x25_0'
For Streams X.25 Level 2 use '-e sx25l2 -c x25_0'
For Streams X.25 Level 3 use '-e sx25l3 -c x25_0'
For 100BaseT, use the specific 100BT driver for your system or '-e all'
For S800 HP-PB 100BaseT use '-e lan100'.
For S800 HSC 100BaseT use '-e GSC100BT'.
For A,B,C,J Built-in 10/100BaseT use '-e base100'.
For PCI (non SPP) 100BT use '-e PCI100BT'.
For N,V Class SPP 100BT use '-e SPP100BT'.
For A,L,N Class Dual PCI + SCSI-2 card use '-e BASE100BT'.
For EISA 100BaseT use '-e EISA100BT'.
For GIGABIT use '-e GELAN'.
For APA use '-e APAPORT'.
For HP-PB TOKEN RING, use '-e TOKEN' or '-e all'
For PCI TOKEN RING, use '-e PCITR' or '-e all'
For HP-PB FDDI ring, use '-e FDDI' or '-e all'
For PCI FDDI ring, use '-e PCI_FDDI' or '-e all'
For HSC FDDI ring, use '-e HSC_FDDI' or '-e all'
For EISA FDDI ring, use '-e EISA_FDDI' or '-e all'
Check with the nettl -status command to find out which LAN driver you need to trace.
Note 1: -c specifies which X.25 card on the system
Note 2: specify '-e all' if you have no idea what network card the system has. You can specify multiple drivers e.g. '-e FDDI lan100'.
Note 3: specifying '-e all' will result in multiple layers tracing the packets (e.g. driver, IP, TCP etc.)
Note 4: ACC only uses nettl LOGGING; there is no built-in trace utility for ACC. There is an ADD-ON ACC product called X.25 Protocol Analyzer that utilizes 2 of the ACC ports to "eavesdrop" on a port, and produces a "datascope" type output. You must purchase the X.25 Protocol Analyzer product in order to use it.

Step 2: Reproduce the Network "Event" or Error Condition


Step 3: Stop Tracing to the Raw Trace File As Soon As Possible

# nettl -tf -e all

Step 4: Format the Raw LAN Trace So You Can Read It

You can either do a "1-liner" trace for each packet, or you can do a detailed trace format.

If tracing 100BaseT, ATM, TokenRing, FDDI, etc. you must format the trace on a system with the link product installed!

In either case, you can create a "filter file" to narrow down the packets being analyzed.

Step 5 discusses packet filter files.

Please note that the most recent packets will be in /tmp/raw0.TRC0 and older packets will be in /tmp/raw0.TRC1. The trace files "wrap around" and fill up VERY quickly. It may take you several attempts to trap the network event in the raw trace file.

Step 4.1: To create 1-liner trace analysis file of all packets in capture file:

# netfmt -N -n -l -1 -f /tmp/raw0.TRC0 > /tmp/fmt-10

Step 4.2: To create a 1-liner trace analysis file using a packet filter:

See information in Step #5 on creating a filter file.

# netfmt -N -n -l -1 -c /tmp/filterfile -f /tmp/raw0.TRC0 > /tmp/fmt-10

Step 4.3: To create detailed trace analysis of all packets in capture file:

# netfmt -N -n -l -f /tmp/raw0.TRC0 > /tmp/fmt0

Step 4.4: To create a detailed trace analysis file using a packet filter:

See information in Step #5 on creating a filter file.

# netfmt -N -n -l -c /tmp/filterfile -f /tmp/raw0.TRC0 > /tmp/fmt-10

Step 5: How to create a filter file so you only see "Interesting" packets:

Here are some example filter files. Be careful, nettl matches on the first filter element!

EXAMPLE 5.1: To view packets sent to and received from an IP address by the host running the nettl trace:

filter ip_saddr 192.6.2.1
filter ip_daddr 192.6.2.1

EXAMPLE 5.2: To view packets sent to and received from an Ethernet address by the host running the nettl trace:

filter source 08-00-09-00-12-3c
filter dest 08-00-09-00-12-3c

EXAMPLE 5.3: To see NFS packets sent to and from the host doing trace:

filter udp_sport 2049 /* UDP port 2049 = nfsd */
filter udp_dport 2049 /* UDP port 2049 = nfsd */

EXAMPLE 5.4: To see only telnet packets sent to and from the host doing the trace:

filter tcp_sport 23 /* TCP port 23 = telnet */
filter tcp_dport 23 /* TCP port 23 = telnet */

The following (taken from the netfmt man page) may also help:

________________________________________________________________
Layer 1
    dest           hardware destination address
    source         hardware source address
    interface      software network interface
_________________________________________________________________
Layer 2
    ssap           IEEE802.2 source sap
    dsap           IEEE802.2 destination sap
    type           Ethernet type
_________________________________________________________________
Layer 3
    ip_saddr       IP source address
    ip_daddr       IP destination address
_________________________________________________________________
Layer 4
    tcp_sport      TCP source port
    tcp_dport      TCP destination port
    udp_sport      UDP source port
    udp_dport      UDP destination port
    connection     a level 4 (TCP, UDP, PXP) connection
_________________________________________________________________
Layer 5
    rpcprogram     RPC program
    rpcprocedure   RPC procedure
    rpcdirection   RPC call or reply
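
As an added example (not part of the original page and not an HP tool), here is a POSIX shell script that strings Steps 1 through 5 together: it writes the Example 5.1 filter file for one peer IP, starts and stops nettl around the command that reproduces the problem, and formats the raw files with netfmt. The subsystem name, the peer IP, the /tmp paths and the choice to format TRC1 before TRC0 are assumptions made here, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original page: one script that drives Steps 1-5.
# Assumes an HP-UX host with nettl/netfmt in PATH; the subsystem name, peer IP
# and output paths are parameters chosen here, not values from the page.

# Step 5 (Example 5.1): filter lines that keep only traffic to/from one peer IP.
peer_ip_filter() {
    printf 'filter ip_saddr %s\nfilter ip_daddr %s\n' "$1" "$1"
}

# Raw files to format, oldest first. nettl wraps from <prefix>.TRC0 into
# <prefix>.TRC1, so TRC1 (when present) holds the older packets.
raw_trace_files() {
    for f in "$1.TRC1" "$1.TRC0"; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Usage: run_trace <subsystem> <peer-ip> <command that reproduces the problem>
# e.g.  run_trace ns_ls_ip 192.6.2.1 telnet 192.6.2.1
run_trace() {
    subsys=$1; peer=$2; shift 2
    raw=/tmp/raw0; flt=/tmp/filterfile
    command -v nettl >/dev/null 2>&1 || { echo "nettl not found" >&2; return 1; }
    peer_ip_filter "$peer" > "$flt"
    # Step 1: trace in/out/loopback packets for the chosen subsystem.
    nettl -tn 0x30800000 -e "$subsys" -size 1024 -tracemax 99999 -f "$raw" || return 1
    # Step 2: reproduce; tracing is stopped below even if the command fails.
    "$@" || echo "reproduction command exited with status $?" >&2
    # Step 3: stop as soon as possible so the wrap-around does not overwrite the event.
    nettl -tf -e all
    # Steps 4.2 / 4.4: filtered one-liner and detailed output, oldest file first.
    : > /tmp/fmt-10; : > /tmp/fmt0
    for f in $(raw_trace_files "$raw"); do
        netfmt -N -n -l -1 -c "$flt" -f "$f" >> /tmp/fmt-10
        netfmt -N -n -l -c "$flt" -f "$f" >> /tmp/fmt0
    done
    echo "one-liner summary: /tmp/fmt-10  detailed: /tmp/fmt0"
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    run_trace "$@"
fi
```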

How to Run nettl+netfmt to Observe Packets "On the Fly":

This is an interactive trace that displays the trace file on the screen, and tee's the output to a file. Make sure you make a specific filterfile first, and specify the appropriate driver in the -e parameter:

# nettl -tn 0x30800000 -e ns_ls_driver | netfmt -F -N -n -l -c filterfile | tee /tmp/fmt0

Don't forget your filterfile. Here is an example:

filter ip_saddr 192.9.9.1
filter ip_daddr 192.9.9.1

To stop the trace:

CTRL/C the nettl command you started above, then
# nettl -tf -e all

The formatted trace file will be in the /tmp/fmt0 file. There will not be any raw file produced.

Uuencoding a raw Nettl Trace File to Email to HP Network Support:

Uuencoding the raw nettl trace file is needed before sending it via email. Here is an example command to do this:

uuencode /tmp/raw0.TRC0 raw0.TRC0 > /tmp/raw0.TRC0.uu

Email the /tmp/raw0.TRC0.uu file to the address given to you by the HP Network Support Engineer.

Note that you do not need to uuencode the raw file if you FTP it using binary mode to an FTP site specified by your HP Support Engineer!