How do I configure the Berkeley Packet Filter and capture tcpdump traces?


1) Installing packet filter support
tcpdump relies on a kernel option that ordinarily isn't enabled. You can fix
this either by adding "options PACKETFILTER" to the system's configuration
file and rebuilding (via doconfig -c ) or by:

# doconfig

*** KERNEL CONFIGURATION AND BUILD PROCEDURE ***

Enter a name for the kernel configuration file. [ALINGO]: FILTER

You want to name the configuration file 'FILTER'
Is that correct? (y/n) [y]: y

*** KERNEL OPTION SELECTION ***

Selection Kernel Option
---------------------------------------------------------------
1 System V Devices
2 Logical Volume Manager (LVM)
3 Kernel Breakpoint Debugger (KDEBUG)
4 Packetfilter driver (PACKETFILTER)
5 STREAMS pckt module (PCKT)
6 Data Link Bridge (DLPI V2.0 Service Class 1)
7 X/Open Transport Interface (XTISO, TIMOD, TIRDWR)
8 File on File File System (FFM)
9 ISO 9660 Compact Disc File System (CDFS)
10 Audit Subsystem
11 Local Area Transport Support
12 All of the above
13 None of the above
---------------------------------------------------------------

Enter the selection number for each kernel option you want.
For example, 1 3 : 4

You selected the following kernel options:

Packetfilter driver (PACKETFILTER)

Is that correct? (y/n) [y]:
...

Rebuild and boot the new kernel.

2) Create the packetfilter devices:
# cd /dev
# ./MAKEDEV pfilt
MAKEDEV: special file(s) for pfilt:
pfilt0 pfilt1 pfilt2 pfilt3 pfilt4 pfilt5 pfilt6 ... pfilt63

3) Get a better tcpdump (pre V4.0 systems only)
Email me for a compressed, uuencoded file of a tcpdump that decodes NFS V3
and several other Sun RPC protocols (MOUNT, NIS, NLM, PORTMAP, and STATMON).

4) Enable local copy promiscuous mode
# pfconfig +p +c ln0 (or tu0 or whatever)

5) Run tcpdump
Please read the man pages before doing serious monitoring! To look at some
NFS traffic, try:

# tcpdump -s300 -c100 -Nt udp port 2049 [to look at all NFS traffic]
# tcpdump -s300 -c100 -Nt host foo [to look at all to/from foo]

-s300 "snaps" up the first 300 bytes of each message, generally enough to
get lower level headers, RPC, and enough NFS protocol to make sense of
the requests. -c100 says to capture 100 messages and exit. -N says to
suppress the domain name (e.g. .zk3.dec.com) in hostnames. -t says to
suppress printing timestamps. The result is usually still too long for
a 80 column screen, I keep a wide xterm lying around for most of my tcpdump
monitoring. The -m option splits some messages over multiple lines.

If you send people traces, I generally recommend that you capture data to
a binary file and send that. If the recipient needs to, he can run
tcpdump with extra filtering or -x (hex dump) to really dig into problems.
Do something like:

# tcpdump -w /usr/tmp/foo.dmp -s300 udp port 2049
tcpdump: listening on ln0
Using kernel BPF filter
^C
1040 packets
# compress foo.dmp
# uuencode foo.dmp.Z foo.uu

Capturing to a file bypasses all the decoding code which can be very slow
and can generate its own IP traffic (e.g. resolving host names).



UNIXguide.net
English to Visayan Cebuano Dictionary
Suggest a Site
Visayan Cebuano to English Dictionary