Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

tcpdump only shows incoming packets

5 views
Skip to first unread message

Harald Skotnes

unread,
Feb 15, 2000, 3:00:00 AM2/15/00
to
Hi.

I am running HPUX 11.0 on a C200 hanging on a 100Mb switch. I have
compiled libpcap-0.4 an tcpdump-3.4 and it seems to work. But at a
closer look I only get to see the incoming packets not the outgoing. I
have tried tcpflow-0.12 which also uses libpcap and the same thing
happens.
Could someone please give me a hint on how to get this right?

Best regards
Harald Skotnes
har...@cc.uit.no


Rick Jones

unread,
Feb 15, 2000, 3:00:00 AM2/15/00
to
Harald Skotnes <har...@cc.uit.no> wrote:
> I am running HPUX 11.0 on a C200 hanging on a 100Mb switch. I have
> compiled libpcap-0.4 an tcpdump-3.4 and it seems to work. But at a
> closer look I only get to see the incoming packets not the
> outgoing. I have tried tcpflow-0.12 which also uses libpcap and the
> same thing happens. Could someone please give me a hint on how to
> get this right?

Search/Read the archives ?-)

What you are seeing is expected, un-patched, behaviour for an HP-UX
system. On 11.00, you need to install the latest lancommon/DLPI
patches, and then the latest driver patch for the interface(s) in
use. At that point, a miracle happens and you should start seeing
outbound traffic.

At ftp://ftp.cup.hp.com/dist/networking/tools/ you will find quick
ports of tcptrace and xplot, which if you are doing tcpdump stuff
might be useful. Also on there somewhere (perhaps under misc) is a bit
of code called bpfmod, which is a pushable streams module implementing
berkeley packet filtering - not /dev/bpf, but just the in-kernel
filtering and aggregation of filtered packets. A modified tcpdump
should be there as well, but those changes are not merged with the
stuff I mention below.

Attached to the end of this message is a patch from someone else who
has worked-out the requirements to go from an "ifconfig name" to a
DPLI PPA so you can say "lan0" instead of /dev/dpli0. It is only known
to work on HP-UX 11 as 10.20 is not known to return all the needed
information

rick jones

*** configure.in 1998/07/30 01:22:05 1.68
--- configure.in 2000/01/05 02:56:12
***************
*** 157,162 ****
--- 157,164 ----

AC_LBL_SOCKADDR_SA_LEN

+ AC_LBL_HP_PPA_INFO_T_DL_MODULE_ID_1
+
AC_LBL_UNALIGNED_ACCESS

if test "${srcdir}" = "." ; then
*** aclocal.m4 1998/07/30 01:24:26 1.64
--- aclocal.m4 2000/01/05 02:58:12
***************
*** 416,421 ****
--- 416,455 ----
fi])

dnl
+ dnl Checks to see if the dl_hp_ppa_info_t struct has the HP-UX 11.00
+ dnl dl_module_id_1 member
+ dnl
+ dnl usage:
+ dnl
+ dnl AC_LBL_HP_PPA_INFO_T_DL_MODULE_ID_1
+ dnl
+ dnl results:
+ dnl
+ dnl HAVE_HP_PPA_INFO_T_DL_MODULE_ID_1 (defined)
+ dnl
+ dnl NOTE: any compile failure means we conclude that it doesn't have
+ dnl that member, so if we don't have DLPI, don't have a <sys/dlpi_ext.h>
+ dnl header, or have one that doesn't declare a dl_hp_ppa_info_t type,
+ dnl we conclude it doesn't have that member (which is OK, as either we
+ dnl won't be using code that would use that member, or we wouldn't
+ dnl compile in any case).
+ dnl
+ AC_DEFUN(AC_LBL_HP_PPA_INFO_T_DL_MODULE_ID_1,
+ [AC_MSG_CHECKING(if dl_hp_ppa_info_t struct has dl_module_id_1 member)
+ AC_CACHE_VAL(ac_cv_lbl_dl_hp_ppa_info_t_has_dl_module_id_1,
+ AC_TRY_COMPILE([
+ # include <sys/types.h>
+ # include <sys/dlpi.h>
+ # include <sys/dlpi_ext.h>],
+ [u_int i = sizeof(((dl_hp_ppa_info_t *)0)->dl_module_id_1)],
+ ac_cv_lbl_dl_hp_ppa_info_t_has_dl_module_id_1=yes,
+ ac_cv_lbl_dl_hp_ppa_info_t_has_dl_module_id_1=no))
+ AC_MSG_RESULT($ac_cv_lbl_dl_hp_ppa_info_t_has_dl_module_id_1)
+ if test $ac_cv_lbl_dl_hp_ppa_info_t_has_dl_module_id_1 = yes ; then
+ AC_DEFINE(HAVE_HP_PPA_INFO_T_DL_MODULE_ID_1)
+ fi])
+
+ dnl
dnl Checks to see if -R is used
dnl
dnl usage:
*** pcap-dlpi.c 1997/10/03 19:47:47 1.52
--- pcap-dlpi.c 2000/01/05 03:27:26
***************
*** 246,255 ****
}
memset(p, 0, sizeof(*p));

/*
! ** Determine device and ppa
*/
! cp = strpbrk(device, "0123456789");
if (cp == NULL) {
sprintf(ebuf, "%s missing unit number", device);
goto bad;
--- 246,266 ----
}
memset(p, 0, sizeof(*p));

+ #ifdef HAVE_DEV_DLPI
/*
! ** Remove any "/dev/" on the front of the device.
*/
! cp = strrchr(device, '/');
! if (cp == NULL)
! cp = device;
! else
! cp++;
! strcpy(dname, cp);
!
! /*
! * Split the name into a device type and a unit number.
! */
! cp = strpbrk(dname, "0123456789");
if (cp == NULL) {
sprintf(ebuf, "%s missing unit number", device);
goto bad;
***************
*** 259,281 ****
sprintf(ebuf, "%s bad unit number", device);
goto bad;
}

! if (*device == '/')
! strcpy(dname, device);
! else
! sprintf(dname, "%s/%s", PCAP_DEV_PREFIX, device);
! #ifdef HAVE_DEV_DLPI
! /* Map network device to /dev/dlpi unit */
cp = "/dev/dlpi";
if ((p->fd = open(cp, O_RDWR)) < 0) {
sprintf(ebuf, "%s: %s", cp, pcap_strerror(errno));
goto bad;
}
! /* Map network interface to /dev/dlpi unit */
ppa = get_dlpi_ppa(p->fd, dname, ppa, ebuf);
if (ppa < 0)
goto bad;
#else
/* Try device without unit number */
strcpy(dname2, dname);
cp = strchr(dname, *cp);
--- 270,331 ----
sprintf(ebuf, "%s bad unit number", device);
goto bad;
}
+ *cp = '\0';

! /*
! * Use "/dev/dlpi" as the device.
! *
! * XXX - HP's DLPI Programmer's Guide for HP-UX 11.00 says that
! * the "dl_mjr_num" field is for the "major number of interface
! * driver"; that's the major of "/dev/dlpi" on the system on
! * which I tried this, but there may be DLPI devices that
! * use a different driver, in which case we may need to
! * search "/dev" for the appropriate device with that major
! * device number, rather than hardwiring "/dev/dlpi".
! *
! * I'm assuming that the code that was used for HP-UX 10.x
! * is valid, and therefore that, in 10.x, DLPIable devices have
! * "/dev" entries corresponding to them and that their
! * major device number is what appears in the "dl_hp_ppa_info_t"
! * structure for that device. We can search by name in 11.x
! * (and we may have to, as it's not clear that DLPIable devices
! * will have those sorts of "/dev" entries), but we can't in
! * 10.x, as 10.x doesn't have the "dl_module_id_1" and
! * "dl_module_id_2" members in the "dl_hp_ppa_info_t" structure.
! */
cp = "/dev/dlpi";
if ((p->fd = open(cp, O_RDWR)) < 0) {
sprintf(ebuf, "%s: %s", cp, pcap_strerror(errno));
goto bad;
}
!
! /*
! * Get a table of all PPAs for that device, and search that
! * table for the specified device type name and unit number.
! */
ppa = get_dlpi_ppa(p->fd, dname, ppa, ebuf);
if (ppa < 0)
goto bad;
#else
+ /*
+ ** Determine device and ppa
+ */
+ cp = strpbrk(device, "0123456789");
+ if (cp == NULL) {
+ sprintf(ebuf, "%s missing unit number", device);
+ goto bad;
+ }
+ ppa = strtol(cp, &eos, 10);
+ if (*eos != '\0') {
+ sprintf(ebuf, "%s bad unit number", device);
+ goto bad;
+ }
+
+ if (*device == '/')
+ strcpy(dname, device);
+ else
+ sprintf(dname, "%s/%s", PCAP_DEV_PREFIX, device);
+
/* Try device without unit number */
strcpy(dname2, dname);
cp = strchr(dname, *cp);
***************
*** 391,397 ****
break;

default:
! sprintf(ebuf, "unknown mac type 0x%lu", infop->dl_mac_type);
goto bad;
}

--- 441,448 ----
break;

default:
! sprintf(ebuf, "unknown mac type 0x%lu",
! (unsigned long)infop->dl_mac_type);
goto bad;
}

***************
*** 709,715 ****

#ifdef DL_HP_PPA_ACK_OBS
/*
! * Under HP-UX 10, we can ask for the ppa
*/


--- 760,766 ----

#ifdef DL_HP_PPA_ACK_OBS
/*
! * Under HP-UX 10 and HP-UX 11, we can ask for the ppa
*/


***************
*** 719,736 ****
register char *ebuf)
{
register dl_hp_ppa_ack_t *ap;
! register dl_hp_ppa_info_t *ip;
register int i;
register u_long majdev;
- dl_hp_ppa_req_t req;
struct stat statbuf;
bpf_u_int32 buf[MAXDLBUF];

! if (stat(device, &statbuf) < 0) {
! sprintf(ebuf, "stat: %s: %s", device, pcap_strerror(errno));
return (-1);
}
majdev = major(statbuf.st_rdev);

memset((char *)&req, 0, sizeof(req));
req.dl_primitive = DL_HP_PPA_REQ;
--- 770,800 ----
register char *ebuf)
{
register dl_hp_ppa_ack_t *ap;
! register dl_hp_ppa_info_t *ipstart, *ip;
register int i;
+ #ifndef HAVE_HP_PPA_INFO_T_DL_MODULE_ID_1
+ char dname[100];
register u_long majdev;
struct stat statbuf;
+ #endif
+ dl_hp_ppa_req_t req;
bpf_u_int32 buf[MAXDLBUF];

! #ifndef HAVE_HP_PPA_INFO_T_DL_MODULE_ID_1
! /*
! * HP-UX 10 doesn't put the interface name in the
! * "dl_hp_ppa_info_t" structure, so we have to
! * try to get the major device number for the device
! * corresponding to the device and unit name provided to
! * us, and search for the entry with that major device number.
! */
! sprintf(dname, "/dev/%s%d", device, unit);
! if (stat(dname, &statbuf) < 0) {
! sprintf(ebuf, "stat: %s: %s", dname, pcap_strerror(errno));
return (-1);
}
majdev = major(statbuf.st_rdev);
+ #endif

memset((char *)&req, 0, sizeof(req));
req.dl_primitive = DL_HP_PPA_REQ;
***************
*** 741,760 ****
return (-1);

ap = (dl_hp_ppa_ack_t *)buf;
! ip = (dl_hp_ppa_info_t *)((u_char *)ap + ap->dl_offset);

for(i = 0; i < ap->dl_count; i++) {
! if (ip->dl_mjr_num == majdev && ip->dl_instance_num == unit)
break;

! ip = (dl_hp_ppa_info_t *)((u_char *)ip + ip->dl_next_offset);
}
if (i == ap->dl_count) {
! sprintf(ebuf, "can't find PPA for %s", device);
return (-1);
}
if (ip->dl_hdw_state == HDW_DEAD) {
! sprintf(ebuf, "%s: hardware state: DOWN\n", device);
return (-1);
}
return ((int)ip->dl_ppa);
--- 805,831 ----
return (-1);

ap = (dl_hp_ppa_ack_t *)buf;
! ipstart = (dl_hp_ppa_info_t *)((u_char *)ap + ap->dl_offset);
! ip = ipstart;

for(i = 0; i < ap->dl_count; i++) {
! #ifdef HAVE_HP_PPA_INFO_T_DL_MODULE_ID_1
! if ((strcmp(ip->dl_module_id_1, device) == 0 ||
! strcmp(ip->dl_module_id_2, device) == 0) &&
! #else
! if (ip->dl_mjr_num == majdev &&
! #endif
! ip->dl_instance_num == unit)
break;

! ip = (dl_hp_ppa_info_t *)((u_char *)ipstart + ip->dl_next_offset);
}
if (i == ap->dl_count) {
! sprintf(ebuf, "can't find PPA for %s%d", device, unit);
return (-1);
}
if (ip->dl_hdw_state == HDW_DEAD) {
! sprintf(ebuf, "%s%d: hardware state: DOWN\n", device, unit);
return (-1);
}
return ((int)ip->dl_ppa);
***************
*** 783,789 ****
register int kd;
void *addr;
struct ifnet ifnet;
! char if_name[sizeof(ifnet.if_name)], tifname[32];

cp = strrchr(ifname, '/');
if (cp != NULL)
--- 854,860 ----
register int kd;
void *addr;
struct ifnet ifnet;
! char if_name[sizeof(ifnet.if_name) + 1];

cp = strrchr(ifname, '/');
if (cp != NULL)
***************
*** 811,823 ****
if (dlpi_kread(kd, (off_t)addr,
&ifnet, sizeof(ifnet), ebuf) < 0 ||
dlpi_kread(kd, (off_t)ifnet.if_name,
! if_name, sizeof(if_name), ebuf) < 0) {
(void)close(kd);
return (-1);
}
! sprintf(tifname, "%.*s%d",
! (int)sizeof(if_name), if_name, ifnet.if_unit);
! if (strcmp(tifname, ifname) == 0)
return (ifnet.if_index);
}

--- 882,893 ----
if (dlpi_kread(kd, (off_t)addr,
&ifnet, sizeof(ifnet), ebuf) < 0 ||
dlpi_kread(kd, (off_t)ifnet.if_name,
! if_name, sizeof(ifnet.if_name), ebuf) < 0) {
(void)close(kd);
return (-1);
}
! if_name[sizeof(ifnet.if_name)] = '\0';
! if (strcmp(if_name, ifname) == 0 && ifnet.if_unit == unit)
return (ifnet.if_index);
}

--
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to email, OR post, but please do NOT do BOTH...
my email address is raj in the cup.hp.com domain...

Harald Skotnes

unread,
Feb 16, 2000, 3:00:00 AM2/16/00
to
Rick Jones wrote:

> Harald Skotnes <har...@cc.uit.no> wrote:
> > I am running HPUX 11.0 on a C200 hanging on a 100Mb switch. I have
> > compiled libpcap-0.4 an tcpdump-3.4 and it seems to work. But at a
> > closer look I only get to see the incoming packets not the
> > outgoing. I have tried tcpflow-0.12 which also uses libpcap and the
> > same thing happens. Could someone please give me a hint on how to
> > get this right?
>
> Search/Read the archives ?-)
>

Well, I searched the comp.sys.hp.hpux FAQ with no luck. If I had searched the HP patch
list for "promiscuous" I would probably have found the solution there.

>
> What you are seeing is expected, un-patched, behaviour for an HP-UX
> system. On 11.00, you need to install the latest lancommon/DLPI
> patches, and then the latest driver patch for the interface(s) in
> use. At that point, a miracle happens and you should start seeing
> outbound traffic.
>

Thanks a lot. I have this problem on several machines running HPUX 10.20 and 11.00. The
machines
where patched up before y2k so did not know what to think. Anyway I have now installed
PHNE_19766, PHNE_19826, PHNE_20008, PHNE_20735 on the C200 and now I can see the
outbound traffic too. Thanks again.

>
> At ftp://ftp.cup.hp.com/dist/networking/tools/ you will find quick
> ports of tcptrace and xplot, which if you are doing tcpdump stuff
> might be useful. Also on there somewhere (perhaps under misc) is a bit
> of code called bpfmod, which is a pushable streams module implementing
> berkeley packet filtering - not /dev/bpf, but just the in-kernel
> filtering and aggregation of filtered packets. A modified tcpdump
> should be there as well, but those changes are not merged with the
> stuff I mention below.
>
> Attached to the end of this message is a patch from someone else who
> has worked-out the requirements to go from an "ifconfig name" to a
> DPLI PPA so you can say "lan0" instead of /dev/dpli0. It is only known
> to work on HP-UX 11 as 10.20 is not known to return all the needed
> information
>
> rick jones
>

--Harald Skotnes


0 new messages