For HP-UX 11i (11.11) and later, there are no known issues with
promiscuous mode under HP-UX.  If you are using an earlier version of
HP-UX and cannot upgrade, please continue reading.

HP-UX patches to fix packet capture problems

Note that packet-capture programs such as tcpdump may, on HP-UX, not be
able to see packets sent from the machine on which they're running.
Some articles on groups.google.com discussing this are:

    http://groups.google.com/groups?selm=82ld3v%2480i%241%40mamenchi.zrz.TU-Berlin.DE

which says:

    Newsgroups: comp.sys.hp.hpux
    Subject: Re: Did someone made tcpdump working on 10.20 ?
    Date: 12/08/1999
    From: Lutz Jaenicke <jaenicke@emserv1.ee.TU-Berlin.DE>

    In article <82ks5i$5vc$1@news1.dti.ne.jp>, mtsat <mtsat@iris.dti.ne.jp>
    wrote:
    >Hello,
    >
    >I downloaded and compiled tcpdump3.4 a couple of weeks ago. I tried to use
    >it, but I can only see incoming data, never outgoing.
    >Someone (raj) explained me that a patch was missing, and that this patch
    >must be "patched" (poked) in order to see outbound data in promiscuous mode.
    >Many things to do .... So the question is : did someone has already this
    >"ready to use" PHNE_**** patch ?

    Two things:
    1. You do need a late "LAN products cumulative patch" (e.g. PHNE_18173
       for s700/10.20).
    2. You must use
       echo 'lanc_outbound_promisc_flag/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem
       You can insert this e.g. into /sbin/init.d/lan

    Best regards,
    Lutz

and

    http://groups.google.com/groups?selm=88cf4t%24p03%241%40web1.cup.hp.com

which says:

    Newsgroups: comp.sys.hp.hpux
    Subject: Re: tcpdump only shows incoming packets
    Date: 02/15/2000
    From: Rick Jones <foo@bar.baz.invalid>

    Harald Skotnes <harald@cc.uit.no> wrote:
    > I am running HPUX 11.0 on a C200 hanging on a 100Mb switch. I have
    > compiled libpcap-0.4 and tcpdump-3.4 and it seems to work.
    > But at a closer look I only get to see the incoming packets not the
    > outgoing. I have tried tcpflow-0.12 which also uses libpcap and the
    > same thing happens. Could someone please give me a hint on how to
    > get this right?

    Search/Read the archives ?-)

    What you are seeing is expected, un-patched, behaviour for an HP-UX
    system.  On 11.00, you need to install the latest lancommon/DLPI
    patches, and then the latest driver patch for the interface(s) in use.
    At that point, a miracle happens and you should start seeing outbound
    traffic.

[That article also mentions the patch that appears below.]

and

    http://groups.google.com/groups?selm=38AA973E.96BE7DF7%40cc.uit.no

which says:

    Newsgroups: comp.sys.hp.hpux
    Subject: Re: tcpdump only shows incoming packets
    Date: 02/16/2000
    From: Harald Skotnes <harald@cc.uit.no>

    Rick Jones wrote:

    ...

    > What you are seeing is expected, un-patched, behaviour for an HP-UX
    > system.  On 11.00, you need to install the latest lancommon/DLPI
    > patches, and then the latest driver patch for the interface(s) in
    > use. At that point, a miracle happens and you should start seeing
    > outbound traffic.

    Thanks a lot.  I have this problem on several machines running HPUX
    10.20 and 11.00.  The machines were patched up before y2k so did not
    know what to think.  Anyway I have now installed PHNE_19766,
    PHNE_19826, PHNE_20008, PHNE_20735 on the C200 and now I can see the
    outbound traffic too.  Thanks again.

(although those patches may not be the ones to install - there may be
later patches).

And another message to tcpdump-workers@tcpdump.org, from Rick Jones:

    Date: Mon, 29 Apr 2002 15:59:55 -0700
    From: Rick Jones
    To: tcpdump-workers@tcpdump.org
    Subject: Re: [tcpdump-workers] I Can't Capture the Outbound Traffic

    ...

    http://itrc.hp.com/ would be one place to start in a search for the most
    up-to-date patches for DLPI and the lan driver(s) used on your system (I
    cannot guess because 9000/800 is too generic - one has to use the "model"
    command these days and/or an ioscan command (see manpage) to guess what
    the drivers (btlan[3456], gelan, etc) might be involved in addition to
    DLPI.

    Another option is to upgrade to 11i as outbound promiscuous mode support
    is there in the base OS, no patches required.

Another posting:

    http://groups.google.com/groups?selm=7d6gvn%24b3%241%40ocean.cup.hp.com

indicates that you need to install the optional STREAMS product to do
captures on HP-UX 9.x:

    Newsgroups: comp.sys.hp.hpux
    Subject: Re: tcpdump HP/UX 9.x
    Date: 03/22/1999
    From: Rick Jones <foo@bar.baz>

    Dave Barr (barr@cis.ohio-state.edu) wrote:
    : Has anyone ported tcpdump (or something similar) to HP/UX 9.x?

    I'm reasonably confident that any port of tcpdump to 9.X would require
    the (then optional) STREAMS product.  This would bring DLPI, which is
    what one uses to access interfaces in promiscuous mode.

    I'm not sure that HP even sells the 9.X STREAMS product any longer,
    since HP-UX 9.X is off the pricelist (well, maybe 9.10 for the old 68K
    devices).

    Your best bet is to be up on 10.20 or better if that is at all
    possible.  If your hardware is supported by it, I'd go with HP-UX 11.
    If you want to see the system's own outbound traffic, you'll never get
    that functionality on 9.X, but it might happen at some point for 10.20
    and 11.X.

    rick jones

(as per other messages cited here, the ability to see the system's own
outbound traffic did happen).

Rick Jones reports that HP-UX 11i needs no patches for outbound
promiscuous mode support.

An additional note, from Jost Martin, for HP-UX 10.20:

    Q: How do I get ethereal on HPUX to capture the _outgoing_ packets
       of an interface
    A: You need to get PHNE_20892, PHNE_20725 and PHCO_10947 (or
       newer, this is as of 4.4.00) and its dependencies.  Then you can
       enable the feature as described below:

    Patch Name: PHNE_20892
    Patch Description: s700 10.20 PCI 100Base-T cumulative patch
        To trace the outbound packets, please do the following
        to turn on a global promiscuous switch before running
        the promiscuous applications like snoop or tcpdump:

        adb -w /stand/vmunix /dev/mem
        lanc_outbound_promisc_flag/W 1
        (adb will echo the result showing that the flag has
        been changed)
        $quit
    (Thanks for this part to HP-support, Ratingen)

    The attached hack does this and some security-related stuff
    (thanks to hildeb@www.stahl.bau.tu-bs.de (Ralf Hildebrandt) who
    posted the security-part some time ago)

        <<hack_ip_stack>>

    (Don't switch IP-forwarding off, if you need it !)
    Install the hack as /sbin/init.d/hack_ip_stack (adjust
    permissions !) and make a sequencing-symlink
    /sbin/rc2.d/S350hack_ip_stack pointing to this script.
    Now all this is done on every reboot.

According to Rick Jones, the global promiscuous switch also has to be
turned on for HP-UX 11.00, but not for 11i - and, in fact, the switch
doesn't even exist on 11i.

Here's the "hack_ip_stack" script:

-----------------------------------Cut Here-------------------------------------
#!/sbin/sh
#
# nettune:  hack kernel parms for safety

OKAY=0
ERROR=-1

# put /usr/contrib/bin on the PATH for nettune
PATH=/sbin:/usr/sbin:/usr/bin:/usr/contrib/bin
export PATH


##########
#  main  #
##########

case $1 in
   start_msg)
      print "Tune IP-Stack for security"
      exit $OKAY
      ;;

   stop_msg)
      print "This action is not applicable"
      exit $OKAY
      ;;

   stop)
      exit $OKAY
      ;;

   start)
      ;;  # fall through

   *)
      print "USAGE: $0 {start_msg | stop_msg | start | stop}" >&2
      exit $ERROR
      ;;
   esac

###########
#  start  #
###########

#
# make TCP sequence numbers random instead of incrementing
# SYN flood protection on
# ip_forwarding off
# source routing off
# pass outgoing packets to ethereal/tcpdump etc.

/usr/contrib/bin/nettune -s tcp_random_seq 2 || exit $ERROR
/usr/contrib/bin/nettune -s hp_syn_protect 1 || exit $ERROR
/usr/contrib/bin/nettune -s ip_forwarding 0 || exit $ERROR
echo 'ip_block_source_routed/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem || exit $ERROR
echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem || exit $ERROR

exit $OKAY
-----------------------------------Cut Here-------------------------------------
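
The switch only applies to 10.20 and 11.00 and does not exist on 11i, so
a startup script shared across releases should check the release before
writing the flag.  The sketch below is an added example, not part of the
original script; promisc_action and enable_outbound_promisc are
hypothetical names, and the release-string format (a letter, then
major.minor, as printed by "uname -r") is an assumption.

```shell
#!/bin/sh
# Added example: pick the action this README describes for a given HP-UX
# release before touching the kernel with adb.
# Assumption: `uname -r` prints strings such as B.10.20, B.11.00, B.11.11.

# promisc_action RELEASE -> prints one of:
#   poke         10.20 / 11.00: patches plus lanc_outbound_promisc_flag
#   none         11i (11.11) and later: base OS support, flag does not exist
#   unsupported  9.x: own outbound traffic is never visible
#   unknown      anything this README gives no guidance for
promisc_action() {
    case "$1" in
        [A-Z].[0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    rel=${1#?.}                 # drop the letter prefix, e.g. "B."
    major=${rel%%.*}
    minor=${rel#*.}
    case "$major$minor" in
        *[!0-9]*) echo unknown; return 0 ;;   # extra fields or letters
    esac
    if [ "$major" -gt 11 ] ||
       { [ "$major" -eq 11 ] && [ "$minor" -ge 11 ]; }; then
        echo none
        return 0
    fi
    case "$major.$minor" in
        10.20|11.00) echo poke ;;
        9.*|09.*)    echo unsupported ;;
        *)           echo unknown ;;
    esac
}

# Write the flag only where it exists; elsewhere adb would fail and a
# "|| exit" in the rc script would be reported as a failed start at boot.
enable_outbound_promisc() {
    release=$(uname -r)
    case $(promisc_action "$release") in
        poke) echo 'lanc_outbound_promisc_flag/W 1' |
                  /usr/bin/adb -w /stand/vmunix /dev/kmem ;;
        none) return 0 ;;
        *)    echo "no outbound capture guidance for $release" >&2
              return 1 ;;
    esac
}

if [ "${1:-}" = start ]; then
    enable_outbound_promisc
fi
```

The flag still has no effect on 10.20 or 11.00 without the LAN/DLPI and
driver patches named in the messages above.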