For HP-UX 11i (11.11) and later, there are no known issues with
promiscuous mode under HP-UX.  If you are using an earlier version of
HP-UX and cannot upgrade, please continue reading.

HP-UX patches to fix packet capture problems

Note that packet-capture programs such as tcpdump may, on HP-UX, not be
able to see packets sent from the machine on which they're running.
Some articles on groups.google.com discussing this are:

	http://groups.google.com/groups?selm=82ld3v%2480i%241%40mamenchi.zrz.TU-Berlin.DE

which says:

  Newsgroups: comp.sys.hp.hpux
  Subject:  Re: Did someone made tcpdump working on 10.20 ?
  Date: 12/08/1999
  From: Lutz Jaenicke <jaenicke@emserv1.ee.TU-Berlin.DE>

  In article <82ks5i$5vc$1@news1.dti.ne.jp>, mtsat <mtsat@iris.dti.ne.jp>
  wrote:
   >Hello,
   >
   >I downloaded and compiled tcpdump3.4 a couple of weeks ago. I tried to use
   >it, but I can only see incoming data, never outgoing.
   >Someone (raj) explained me that a patch was missing, and that this patch
   >must be "patched" (poked) in order to see outbound data in promiscuous mode.
   >Many things to do .... So the question is : did someone has already this
   >"ready to use" PHNE_**** patch ?

   Two things:
   1. You do need a late "LAN products cumulative patch" (e.g.  PHNE_18173
      for s700/10.20).
   2. You must use
        echo 'lanc_outbound_promisc_flag/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem
      You can insert this e.g. into /sbin/init.d/lan

   Best regards,
   Lutz

and

	http://groups.google.com/groups?selm=88cf4t%24p03%241%40web1.cup.hp.com

which says:

  Newsgroups: comp.sys.hp.hpux
  Subject: Re: tcpdump only shows incoming packets
  Date: 02/15/2000
  From: Rick Jones <foo@bar.baz.invalid>

  Harald Skotnes <harald@cc.uit.no> wrote:
  > I am running HPUX 11.0 on a C200 hanging on a 100Mb switch. I have
  > compiled libpcap-0.4 and tcpdump-3.4 and it seems to work. But at a
  > closer look I only get to see the incoming packets not the
  > outgoing. I have tried tcpflow-0.12 which also uses libpcap and the
  > same thing happens.  Could someone please give me a hint on how to
  > get this right?

  Search/Read the archives ?-)

  What you are seeing is expected, un-patched, behaviour for an HP-UX
  system.  On 11.00, you need to install the latest lancommon/DLPI
  patches, and then the latest driver patch for the interface(s) in use.
  At that point, a miracle happens and you should start seeing outbound
  traffic.

[That article also mentions the patch that appears below.]

and

	http://groups.google.com/groups?selm=38AA973E.96BE7DF7%40cc.uit.no

which says:

  Newsgroups: comp.sys.hp.hpux
  Subject: Re: tcpdump only shows incoming packets
  Date: 02/16/2000
  From: Harald Skotnes <harald@cc.uit.no>

  Rick Jones wrote:

	...

  > What you are seeing is expected, un-patched, behaviour for an HP-UX
  > system. On 11.00, you need to install the latest lancommon/DLPI
  > patches, and then the latest driver patch for the interface(s) in
  > use. At that point, a miracle happens and you should start seeing
  > outbound traffic.

  Thanks a lot.  I have this problem on several machines running HPUX
  10.20 and 11.00.  The machines were patched up before y2k so did not
  know what to think.  Anyway I have now installed PHNE_19766,
  PHNE_19826, PHNE_20008, PHNE_20735 on the C200 and now I can see the
  outbound traffic too.  Thanks again.

(although those patches may not be the ones to install - there may be
later patches).

And another message to tcpdump-workers@tcpdump.org, from Rick Jones:

  Date: Mon, 29 Apr 2002 15:59:55 -0700
  From: Rick Jones
  To: tcpdump-workers@tcpdump.org
  Subject: Re: [tcpdump-workers] I Can't Capture the Outbound Traffic

	...

  http://itrc.hp.com/ would be one place to start in a search for the most
  up-to-date patches for DLPI and the lan driver(s) used on your system (I
  cannot guess because 9000/800 is too generic - one has to use the "model"
  command these days and/or an ioscan command (see manpage) to guess what
  the drivers (btlan[3456], gelan, etc) might be involved in addition to
  DLPI.

  Another option is to upgrade to 11i as outbound promiscuous mode support
  is there in the base OS, no patches required.

Another posting:

	http://groups.google.com/groups?selm=7d6gvn%24b3%241%40ocean.cup.hp.com

indicates that you need to install the optional STREAMS product to do
captures on HP-UX 9.x:

  Newsgroups: comp.sys.hp.hpux
  Subject:  Re: tcpdump HP/UX 9.x
  Date: 03/22/1999
  From: Rick Jones <foo@bar.baz>

  Dave Barr (barr@cis.ohio-state.edu) wrote:
  : Has anyone ported tcpdump (or something similar) to HP/UX 9.x?

  I'm reasonably confident that any port of tcpdump to 9.X would require
  the (then optional) STREAMS product.  This would bring DLPI, which is
  what one uses to access interfaces in promiscuous mode.

  I'm not sure that HP even sells the 9.X STREAMS product any longer,
  since HP-UX 9.X is off the pricelist (well, maybe 9.10 for the old 68K
  devices).

  Your best bet is to be up on 10.20 or better if that is at all
  possible.  If your hardware is supported by it, I'd go with HP-UX 11.
  If you want to see the system's own outbound traffic, you'll never get
  that functionality on 9.X, but it might happen at some point for 10.20
  and 11.X.

  rick jones

(as per other messages cited here, the ability to see the system's own
outbound traffic did happen).

Rick Jones reports that HP-UX 11i needs no patches for outbound
promiscuous mode support.

An additional note, from Jost Martin, for HP-UX 10.20:

	Q: How do I get ethereal on HPUX to capture the _outgoing_ packets
	   of an interface
	A: You need to get PHNE_20892,PHNE_20725 and PHCO_10947 (or
	   newer, this is as of 4.4.00) and its dependencies.  Then you can
	   enable the feature as described below:

	Patch Name: PHNE_20892
	Patch Description: s700 10.20 PCI 100Base-T cumulative patch
		To trace the outbound packets, please do the following
		to turn on a global promiscuous switch before running
		the promiscuous applications like snoop or tcpdump:

		adb -w /stand/vmunix /dev/mem
		lanc_outbound_promisc_flag/W 1
		(adb will echo the result showing that the flag has
		been changed)
		$quit
	(Thanks for this part to HP-support, Ratingen)

		The attached hack does this and some security-related stuff
	(thanks to hildeb@www.stahl.bau.tu-bs.de (Ralf Hildebrandt) who
	posted the security-part some time ago)

		 <<hack_ip_stack>>

		(Don't switch IP-forwarding off, if you need it !)
		Install the hack as /sbin/init.d/hack_ip_stack (adjust
	permissions !) and make a sequencing-symlink
	/sbin/rc2.d/S350hack_ip_stack pointing to this script.
		Now all this is done on every reboot.

According to Rick Jones, the global promiscuous switch also has to be
turned on for HP-UX 11.00, but not for 11i - and, in fact, the switch
doesn't even exist on 11i.

Here's the "hack_ip_stack" script:

-----------------------------------Cut Here-------------------------------------
#!/sbin/sh
#
# nettune:  hack kernel parms for safety

OKAY=0
ERROR=-1

# put /usr/contrib/bin on the PATH for nettune
PATH=/sbin:/usr/sbin:/usr/bin:/usr/contrib/bin
export PATH


##########
#  main  #
##########

case $1 in
   start_msg)
      print "Tune IP-Stack for security"
      exit $OKAY
      ;;

   stop_msg)
      print "This action is not applicable"
      exit $OKAY
      ;;

   stop)
      exit $OKAY
      ;;

   start)
      ;;  # fall through

   *)
      print "USAGE: $0 {start_msg | stop_msg | start | stop}" >&2
      exit $ERROR
      ;;
   esac

###########
#  start  #
###########

#
# TCP sequence numbers: random instead of incrementing
# SYN flood protection on
# ip_forwarding off
# source routing off
# outgoing packets visible to ethereal/tcpdump etc.

/usr/contrib/bin/nettune -s tcp_random_seq 2 || exit $ERROR
/usr/contrib/bin/nettune -s hp_syn_protect 1 || exit $ERROR
/usr/contrib/bin/nettune -s ip_forwarding 0 || exit $ERROR
echo 'ip_block_source_routed/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem || exit $ERROR
echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem || exit $ERROR

exit $OKAY
-----------------------------------Cut Here-------------------------------------

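
A check for the symptom described in this file, given here as an added example that is not part of libpcap or of the original README: it counts inbound and outbound packets for the capturing host's own address in tcpdump text output, so a one-sided capture is caught before it is relied on. The function names, addresses and sample lines are constructed for illustration; it assumes IPv4 and a capture taken with tcpdump -n.

```shell
#!/bin/sh
# Added example (not from the README): detect a capture that is missing
# the host's own outbound packets.
# capture_directions LOCAL_IP < tcpdump-text   prints "<inbound> <outbound>"
capture_directions() {
    awk -v lip="$1" '
    # Strip the trailing ":" and the port (last dotted component) from
    # an IPv4 "a.b.c.d.port" endpoint as printed by tcpdump -n.
    function host(ep,    n, p) {
        sub(/:$/, "", ep)
        n = split(ep, p, ".")
        if (n >= 5) return p[1] "." p[2] "." p[3] "." p[4]
        return ep
    }
    {
        # Old tcpdump prints "time src > dst:", newer versions print
        # "time IP src > dst:", so find the ">" token rather than a column.
        for (i = 2; i < NF; i++) {
            if ($i != ">") continue
            if (host($(i - 1)) == lip) out++
            else if (host($(i + 1)) == lip) inb++
            break
        }
    }
    END { printf "%d %d\n", inb, out }'
}

# Returns 0 when both directions are present, 1 when the capture is
# one-sided (the unpatched HP-UX symptom), 2 when nothing matched LOCAL_IP.
capture_is_two_way() {
    set -- $(capture_directions "$1")
    [ "$(( $1 + $2 ))" -gt 0 ] || return 2
    [ "$1" -gt 0 ] && [ "$2" -gt 0 ]
}

# Constructed sample input: local host is 192.0.2.10 (documentation range).
SAMPLE_ONE_SIDED='12:00:00.100000 192.0.2.20.80 > 192.0.2.10.51234: S 1:1(0) ack 2 win 8760
12:00:00.200000 192.0.2.20.80 > 192.0.2.10.51234: . ack 100 win 8760'
SAMPLE_TWO_WAY='12:00:00.000000 IP 192.0.2.10.51234 > 192.0.2.20.80: Flags [S], seq 1, win 8760
12:00:00.100000 IP 192.0.2.20.80 > 192.0.2.10.51234: Flags [S.], seq 1, ack 2, win 8760'

printf '%s\n' "$SAMPLE_ONE_SIDED" | capture_directions 192.0.2.10   # prints "2 0"
```

Run it over a short test capture from the capturing host after installing the patches and setting lanc_outbound_promisc_flag; an outbound count of 0 alongside a non-zero inbound count means the host's own traffic is still not being delivered to the capture.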