For HP-UX 11i (11.11) and later, there are no known issues with
promiscuous mode under HP-UX.  If you are using an earlier version of
HP-UX and cannot upgrade, please continue reading.

HP-UX patches to fix packet capture problems

Note that packet-capture programs such as tcpdump may, on HP-UX, not be
able to see packets sent from the machine on which they're running.
Some articles on groups.google.com discussing this are:

    http://groups.google.com/groups?selm=82ld3v%2480i%241%40mamenchi.zrz.TU-Berlin.DE

which says:

    Newsgroups: comp.sys.hp.hpux
    Subject: Re: Did someone made tcpdump working on 10.20 ?
    Date: 12/08/1999
    From: Lutz Jaenicke <jaenicke@emserv1.ee.TU-Berlin.DE>

    In article <82ks5i$5vc$1@news1.dti.ne.jp>, mtsat <mtsat@iris.dti.ne.jp>
    wrote:
    >Hello,
    >
    >I downloaded and compiled tcpdump3.4 a couple of weeks ago. I tried to use
    >it, but I can only see incoming data, never outgoing.
    >Someone (raj) explained to me that a patch was missing, and that this patch
    >must be "patched" (poked) in order to see outbound data in promiscuous mode.
    >Many things to do .... So the question is: does someone already have this
    >"ready to use" PHNE_**** patch?

    Two things:
    1. You do need a late "LAN products cumulative patch" (e.g. PHNE_18173
       for s700/10.20).
    2. You must use
    echo 'lanc_outbound_promisc_flag/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem
       You can insert this e.g. into /sbin/init.d/lan

    Best regards,
    Lutz

and

    http://groups.google.com/groups?selm=88cf4t%24p03%241%40web1.cup.hp.com

which says:

    Newsgroups: comp.sys.hp.hpux
    Subject: Re: tcpdump only shows incoming packets
    Date: 02/15/2000
    From: Rick Jones <foo@bar.baz.invalid>

    Harald Skotnes <harald@cc.uit.no> wrote:
    > I am running HPUX 11.0 on a C200 hanging on a 100Mb switch. I have
    > compiled libpcap-0.4 and tcpdump-3.4 and it seems to work. But at a
    > closer look I only get to see the incoming packets not the
    > outgoing. I have tried tcpflow-0.12 which also uses libpcap and the
    > same thing happens. Could someone please give me a hint on how to
    > get this right?

    Search/Read the archives ?-)

    What you are seeing is expected, un-patched, behaviour for an HP-UX
    system.  On 11.00, you need to install the latest lancommon/DLPI
    patches, and then the latest driver patch for the interface(s) in use.
    At that point, a miracle happens and you should start seeing outbound
    traffic.

[That article also mentions the patch that appears below.]

and

    http://groups.google.com/groups?selm=38AA973E.96BE7DF7%40cc.uit.no

which says:

    Newsgroups: comp.sys.hp.hpux
    Subject: Re: tcpdump only shows incoming packets
    Date: 02/16/2000
    From: Harald Skotnes <harald@cc.uit.no>

    Rick Jones wrote:

    ...

    > What you are seeing is expected, un-patched, behaviour for an HP-UX
    > system. On 11.00, you need to install the latest lancommon/DLPI
    > patches, and then the latest driver patch for the interface(s) in
    > use. At that point, a miracle happens and you should start seeing
    > outbound traffic.

    Thanks a lot.  I have this problem on several machines running HPUX
    10.20 and 11.00.  The machines were patched up before y2k so did not
    know what to think.  Anyway I have now installed PHNE_19766,
    PHNE_19826, PHNE_20008, PHNE_20735 on the C200 and now I can see the
    outbound traffic too.  Thanks again.

(although those patches may not be the ones to install - there may be
later patches).

And another message to tcpdump-workers@tcpdump.org, from Rick Jones:

    Date: Mon, 29 Apr 2002 15:59:55 -0700
    From: Rick Jones
    To: tcpdump-workers@tcpdump.org
    Subject: Re: [tcpdump-workers] I Can't Capture the Outbound Traffic

    ...

    http://itrc.hp.com/ would be one place to start in a search for the most
    up-to-date patches for DLPI and the lan driver(s) used on your system (I
    cannot guess because 9000/800 is too generic - one has to use the "model"
    command these days and/or an ioscan command (see manpage) to guess what
    the drivers (btlan[3456], gelan, etc) might be involved in addition to
    DLPI).

    Another option is to upgrade to 11i as outbound promiscuous mode support
    is there in the base OS, no patches required.

Another posting:

    http://groups.google.com/groups?selm=7d6gvn%24b3%241%40ocean.cup.hp.com

indicates that you need to install the optional STREAMS product to do
captures on HP-UX 9.x:

    Newsgroups: comp.sys.hp.hpux
    Subject: Re: tcpdump HP/UX 9.x
    Date: 03/22/1999
    From: Rick Jones <foo@bar.baz>

    Dave Barr (barr@cis.ohio-state.edu) wrote:
    : Has anyone ported tcpdump (or something similar) to HP/UX 9.x?

    I'm reasonably confident that any port of tcpdump to 9.X would require
    the (then optional) STREAMS product.  This would bring DLPI, which is
    what one uses to access interfaces in promiscuous mode.

    I'm not sure that HP even sells the 9.X STREAMS product any longer,
    since HP-UX 9.X is off the pricelist (well, maybe 9.10 for the old 68K
    devices).

    Your best bet is to be up on 10.20 or better if that is at all
    possible.  If your hardware is supported by it, I'd go with HP-UX 11.
    If you want to see the system's own outbound traffic, you'll never get
    that functionality on 9.X, but it might happen at some point for 10.20
    and 11.X.

    rick jones

(as per other messages cited here, the ability to see the system's own
outbound traffic did happen).

Rick Jones reports that HP-UX 11i needs no patches for outbound
promiscuous mode support.

An additional note, from Jost Martin, for HP-UX 10.20:

    Q: How do I get ethereal on HPUX to capture the _outgoing_ packets
       of an interface?
    A: You need to get PHNE_20892, PHNE_20725 and PHCO_10947 (or
       newer, this is as of 4.4.00) and its dependencies.  Then you can
       enable the feature as described below:

    Patch Name: PHNE_20892
    Patch Description: s700 10.20 PCI 100Base-T cumulative patch
        To trace the outbound packets, please do the following
        to turn on a global promiscuous switch before running
        the promiscuous applications like snoop or tcpdump:

        adb -w /stand/vmunix /dev/mem
        lanc_outbound_promisc_flag/W 1
        (adb will echo the result showing that the flag has
        been changed)
        $quit
    (Thanks for this part to HP-support, Ratingen)

    The attached hack does this and some security-related stuff
    (thanks to hildeb@www.stahl.bau.tu-bs.de (Ralf Hildebrandt) who
    posted the security-part some time ago)

     <<hack_ip_stack>>

    (Don't switch IP-forwarding off, if you need it !)
    Install the hack as /sbin/init.d/hack_ip_stack (adjust
    permissions !) and make a sequencing-symlink
    /sbin/rc2.d/S350hack_ip_stack pointing to this script.
    Now all this is done on every reboot.

According to Rick Jones, the global promiscuous switch also has to be
turned on for HP-UX 11.00, but not for 11i - and, in fact, the switch
doesn't even exist on 11i.

Here's the "hack_ip_stack" script:

-----------------------------------Cut Here-------------------------------------
#!/sbin/sh
#
# nettune:  hack kernel parms for safety

OKAY=0
ERROR=-1

# put /usr/contrib/bin on the PATH for nettune
PATH=/sbin:/usr/sbin:/usr/bin:/usr/contrib/bin
export PATH


##########
#  main  #
##########

case $1 in
    start_msg)
        print "Tune IP-Stack for security"
        exit $OKAY
        ;;

    stop_msg)
        print "This action is not applicable"
        exit $OKAY
        ;;

    stop)
        exit $OKAY
        ;;

    start)
        ;;  # fall through

    *)
        print "USAGE: $0 {start_msg | stop_msg | start | stop}" >&2
        exit $ERROR
        ;;
esac

###########
#  start  #
###########

#
# TCP sequence numbers: no longer incremented, but random
# SYN flood protection on
# ip_forwarding off
# source routing off
# outgoing packets to ethereal/tcpdump etc.

/usr/contrib/bin/nettune -s tcp_random_seq 2 || exit $ERROR
/usr/contrib/bin/nettune -s hp_syn_protect 1 || exit $ERROR
/usr/contrib/bin/nettune -s ip_forwarding 0 || exit $ERROR
echo 'ip_block_source_routed/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem || exit $ERROR
echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem || exit $ERROR

exit $OKAY
-----------------------------------Cut Here-------------------------------------
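
An added example (not part of the original README or of libpcap): a guard
for the flag-setting step, which runs the adb write only on the releases
where the messages above say the switch is needed and skips it on 11i,
where the switch does not exist.  It assumes "uname -r" prints releases in
the form B.10.20, B.11.00 or B.11.11; the function names are hypothetical.

```sh
#!/bin/sh
# Added example; function names are hypothetical.
# Assumption: `uname -r` on HP-UX prints e.g. B.10.20, B.11.00, B.11.11.

strip_zeros() {                 # "00" -> 0, "09" -> 9, "11" -> 11
    n=$1
    while [ "${n#0}" != "$n" ] && [ -n "${n#0}" ]; do n=${n#0}; done
    echo "$n"
}

# classify_release RELEASE prints one of:
#   none         11i (11.11) or later: outbound capture works in the base OS
#   patch+flag   10.20 up to 11.00: LAN/DLPI patches plus the global switch
#   unsupported  9.x: own outbound traffic is never visible (per the README)
#   unknown      unparseable, or a 10.x release the README says nothing about
classify_release() {
    rel=${1#[A-Z].}             # drop the leading "B." / "A."
    case "$rel" in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    case "$major$minor" in *[!0-9]*) echo unknown; return 0 ;; esac
    key=$(( $(strip_zeros "$major") * 100 + $(strip_zeros "$minor") ))
    if   [ "$key" -ge 1111 ]; then echo none
    elif [ "$key" -ge 1020 ]; then echo patch+flag
    elif [ "$key" -lt 1000 ]; then echo unsupported
    else echo unknown
    fi
}

# Set the switch only where it exists; succeed silently on 11i and later.
enable_outbound_capture() {
    case $(classify_release "$1") in
        none)       return 0 ;;
        patch+flag) echo 'lanc_outbound_promisc_flag/W 1' |
                        adb -w /stand/vmunix /dev/mem ;;
        *)          return 1 ;;
    esac
}

# Only touch the kernel when actually running on HP-UX.
if [ "$(uname -s)" = "HP-UX" ]; then
    enable_outbound_capture "$(uname -r)"
fi
```

Replacing the last adb line of hack_ip_stack with a call to this guard keeps
the script from exiting with an error on 11i, where the symbol is absent.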