Note: We *probably* don't support HP-UX any more, at least not in the
sense that you can run `configure; make` or `cmake ... ; make` and
expect everything to work out of the box. At the time of this writing
(August 2017) the most recent version of Wireshark available at the
HP-UX Porting and Archive Centre is 1.10.5 and the most recently
reported HP-UX bug (#6550) was from 2012. The Porting and Archive Centre
provides libraries required to build TShark, and while the GTK+ packages
are current (2.24.31) they are 32-bit only. Recent Qt packages are not

1 - Building wireshark
2 - Building GTK+/GLib with HP's C compiler
5 - HP-UX patches to fix packet capture problems

1 - Building wireshark

The HP-UX Porting and Archive Centre, at

http://hpux.connect.org.uk/

(with mirrors in various countries, listed on the Centre's home page;
you may want to choose a mirror closer to you) has ported versions, in
both source and binary form, for Wireshark, as well as for the libpcap,
GLib, GTK+, and zlib libraries that it uses.

The changes they've made appear largely to be compile option changes; if
you've downloaded the source to the latest version of Wireshark (the
version on the Centre's site may not necessarily be the latest version),
it should be able to compile, perhaps with those changes.

They appear to have used HP-UX's "cc" compiler, with the options "-Ae
-O"; there's a comment "Add -Dhpux_9 if building under 9.X". It may

They currently have libpcap 0.6.2; libpcap 0.6.2, and later versions,
include changes to properly open network devices when given the name
reported by the lanscan and ifconfig commands - earlier versions didn't
do this correctly. Therefore, we strongly suggest you use libpcap 0.6.2
or later, not libpcap 0.5.2.

2 - Building GTK+/GLib with HP's C compiler

By default, HP's C compiler doesn't support "long long int" to provide
64-bit integral data types on 32-bit platforms; the "-Ae" flag must be
supplied to enable extensions such as that.

Wireshark's "configure" script automatically includes that flag if it
detects that the native compiler is being used on HP-UX; however, the
configure scripts for GTK+ and GLib don't do so, which means that 64-bit
integer support won't be enabled.

This may prevent some parts of Wireshark from compiling; in order to get
64-bit integer support in GTK+/GLib, edit all the Makefiles for GTK+ and
GLib, as generated by the GTK+ and GLib "configure" scripts, to add
"-Ae" to all "CFLAGS = " definitions found in those Makefiles. (If a
Makefile lacks a "CFLAGS = " definition, there's no need to add a
definition that includes "-Ae".)
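
The Makefile edit described above can be scripted. The following is an
added example, not part of the original README or of the GTK+/GLib build
systems; the function name add_ae_flag and its build-tree argument are
assumptions of this example, and it rewrites through a temporary file
rather than relying on an in-place sed option.

```shell
#!/bin/sh
# Added example, not part of the Wireshark sources. add_ae_flag and its
# argument are names chosen here. Run it on the GTK+ and GLib build trees
# after their "configure" scripts have generated the Makefiles.

add_ae_flag() {
    tree=$1
    find "$tree" -type f -name Makefile -print |
    while IFS= read -r mk; do
        # A Makefile without a "CFLAGS = " definition is left alone.
        grep '^CFLAGS[[:space:]]*=' "$mk" >/dev/null || continue
        tmp="$mk.ae.$$"
        # Put -Ae directly after the "=" so a definition that continues
        # on the next line with a trailing backslash stays valid, and
        # skip definitions that already carry the flag.
        awk '/^CFLAGS[ \t]*=/ && $0 !~ /[ \t=]-Ae([ \t]|$)/ {
                 sub(/=[ \t]*/, "= -Ae ")
             }
             { print }' "$mk" >"$tmp"
        if cmp -s "$mk" "$tmp"; then
            rm -f "$tmp"            # already had -Ae: nothing to do
        else
            cat "$tmp" >"$mk"       # keep the file's owner and mode
            rm -f "$tmp"
            printf '%s\n' "$mk"     # report each Makefile that changed
        fi
    done
}

# Stand-alone use: sh add_ae.sh /path/to/glib-build-tree
if [ "$#" -gt 0 ]; then
    add_ae_flag "$1"
fi
```

The function prints the path of each Makefile it modified, so an empty
result on a second run confirms that every "CFLAGS = " definition
already carries the flag.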

nettl is used on HP-UX to trace various streams-based subsystems. Wireshark
can read nettl files containing raw IP frames (NS_LS_IP, NS_LS_TCP,
NS_LS_UDP, NS_LS_ICMP subsystems), all ethernet/tokenring/fddi driver
level frames (such as BTLAN, BASE100, GELAN, IGELAN subsystems) and LAPB
frames (SX25L2 subsystem). Use "ioscan -kfClan" to see the driver
names and compare that to /etc/nettlgen.conf to find the nettl subsystem
name for your particular release.

It has been tested with files generated on HP-UX 9.04, 10.20, and 11.x.

Use the following commands to generate a trace (cf. nettl(1M)):

    # IP level capture:
    nettl -tn pduin pduout -e NS_LS_IP -f tracefile
    # Driver level capture. Replace btlan with the name of your interface:
    nettl -tn pduin pduout -e btlan -f tracefile
    # X25 capture. You must specify an interface:
    nettl -tn pduin pduout -e SX25L2 -d /dev/x25_0 -f tracefile
    # Stop capture. subsystem is NS_LS_IP, btlan, SX25L2:
    nettl -tf -e subsystem

You may have to use "-tn 0x30000000" instead of "-tn pduin pduout"
on old versions of 10.20 and 9.04.

If you want to use Wireshark to capture packets, you will have to install
libpcap; binary distributions are, as noted above, available from the
Software Porting And Archive Centre for HP-UX, as well as source code.

Versions of libpcap prior to 0.6 didn't handle HP-UX as well as 0.6 and
later versions do. You should install the latest version.

The source code is also available from the official home of libpcap and

http://www.tcpdump.org/

if you want a version later than the version available from the Software
Porting And Archive Centre; however, the versions available from
tcpdump.org might not, for example, include support for building libpcap

5 - HP-UX patches to fix packet capture problems

Note that packet-capture programs such as Wireshark/TShark or tcpdump
may, on HP-UX, not be able to see packets sent from the machine on which
they're running. Make sure you have a recent "LAN Cumulative/DLPI" patch

Some articles on groups.google.com discussing this are:

http://groups.google.com/groups?selm=82ld3v%2480i%241%40mamenchi.zrz.TU-Berlin.DE

Newsgroups: comp.sys.hp.hpux
Subject: Re: Did someone made tcpdump working on 10.20 ?
From: Lutz Jaenicke <jaenicke@emserv1.ee.TU-Berlin.DE>

In article <82ks5i$5vc$1@news1.dti.ne.jp>, mtsat <mtsat@iris.dti.ne.jp>

>I downloaded and compiled tcpdump3.4 a couple of weeks ago. I tried to use
>it, but I can only see incoming data, never outgoing.
>Someone (raj) explained to me that a patch was missing, and that this patch
>must be "patched" (poked) in order to see outbound data in promiscuous mode.
>Many things to do .... So the question is : does someone already have this
>"ready to use" PHNE_**** patch ?

1. You do need a late "LAN products cumulative patch" (e.g. PHNE_18173

echo 'lanc_outbound_promisc_flag/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem
You can insert this e.g. into /sbin/init.d/lan

http://groups.google.com/groups?selm=88cf4t%24p03%241%40web1.cup.hp.com

Newsgroups: comp.sys.hp.hpux
Subject: Re: tcpdump only shows incoming packets
From: Rick Jones <foo@bar.baz.invalid>

Harald Skotnes <harald@cc.uit.no> wrote:
> I am running HPUX 11.0 on a C200 hanging on a 100Mb switch. I have
> compiled libpcap-0.4 and tcpdump-3.4 and it seems to work. But at a
> closer look I only get to see the incoming packets not the
> outgoing. I have tried tcpflow-0.12 which also uses libpcap and the
> same thing happens. Could someone please give me a hint on how to

Search/Read the archives ?-)

What you are seeing is expected, un-patched, behaviour for an HP-UX
system. On 11.00, you need to install the latest lancommon/DLPI
patches, and then the latest driver patch for the interface(s) in use.
At that point, a miracle happens and you should start seeing outbound

[That article also mentions the patch that appears below.]

http://groups.google.com/groups?selm=38AA973E.96BE7DF7%40cc.uit.no

Newsgroups: comp.sys.hp.hpux
Subject: Re: tcpdump only shows incoming packets
From: Harald Skotnes <harald@cc.uit.no>

> What you are seeing is expected, un-patched, behaviour for an HP-UX
> system. On 11.00, you need to install the latest lancommon/DLPI
> patches, and then the latest driver patch for the interface(s) in
> use. At that point, a miracle happens and you should start seeing

Thanks a lot. I have this problem on several machines running HPUX
10.20 and 11.00. The machines were patched up before y2k so did not
know what to think. Anyway I have now installed PHNE_19766,
PHNE_19826, PHNE_20008, PHNE_20735 on the C200 and now I can see the
outbound traffic too. Thanks again.

(although those patches may not be the ones to install - there may be

And another message to tcpdump-workers@tcpdump.org, from Rick Jones:

Date: Mon, 29 Apr 2002 15:59:55 -0700
To: tcpdump-workers@tcpdump.org
Subject: Re: [tcpdump-workers] I Can't Capture the Outbound Traffic

http://itrc.hp.com/ would be one place to start in a search for the most
up-to-date patches for DLPI and the lan driver(s) used on your system (I
cannot guess because 9000/800 is too generic - one has to use the "model"
command these days and/or an ioscan command (see manpage) to guess what
the drivers (btlan[3456], gelan, etc) might be involved in addition to

Another option is to upgrade to 11i as outbound promiscuous mode support
is there in the base OS, no patches required.

http://groups.google.com/groups?selm=7d6gvn%24b3%241%40ocean.cup.hp.com

indicates that you need to install the optional STREAMS product to do
captures on HP-UX 9.x:

Newsgroups: comp.sys.hp.hpux
Subject: Re: tcpdump HP/UX 9.x
From: Rick Jones <foo@bar.baz>

Dave Barr (barr@cis.ohio-state.edu) wrote:
: Has anyone ported tcpdump (or something similar) to HP/UX 9.x?

I'm reasonably confident that any port of tcpdump to 9.X would require
the (then optional) STREAMS product. This would bring DLPI, which is
what one uses to access interfaces in promiscuous mode.

I'm not sure that HP even sells the 9.X STREAMS product any longer,
since HP-UX 9.X is off the pricelist (well, maybe 9.10 for the old 68K

Your best bet is to be up on 10.20 or better if that is at all
possible. If your hardware is supported by it, I'd go with HP-UX 11.
If you want to see the system's own outbound traffic, you'll never get
that functionality on 9.X, but it might happen at some point for 10.20

(as per other messages cited here, the ability to see the system's own
outbound traffic did happen).

Rick Jones reports that HP-UX 11i needs no patches for outbound
promiscuous mode support.

An additional note, from Jost Martin, for HP-UX 10.20:

Q: How do I get wireshark on HPUX to capture the _outgoing_ packets

A: You need to get PHNE_20892,PHNE_20725 and PHCO_10947 (or
newer, this is as of 4.4.00) and its dependencies. Then you can
enable the feature as described below:

Patch Name: PHNE_20892
Patch Description: s700 10.20 PCI 100Base-T cumulative patch
To trace the outbound packets, please do the following
to turn on a global promiscuous switch before running
the promiscuous applications like snoop or tcpdump:

adb -w /stand/vmunix /dev/mem
lanc_outbound_promisc_flag/W 1
(adb will echo the result showing that the flag has

(Thanks for this part to HP-support, Ratingen)

The attached hack does this and some security-related stuff
(thanks to hildeb@www.stahl.bau.tu-bs.de (Ralf Hildebrandt) who
posted the security-part some time ago)

(Don't switch IP-forwarding off, if you need it !)
Install the hack as /sbin/init.d/hack_ip_stack (adjust
permissions !) and make a sequencing-symlink
/sbin/rc2.d/S350hack_ip_stack pointing to this script.
Now all this is done on every reboot.

According to Rick Jones, the global promiscuous switch also has to be
turned on for HP-UX 11.00, but not for 11i - and, in fact, the switch
doesn't even exist on 11i.

Here's the "hack_ip_stack" script:

-----------------------------------Cut Here-------------------------------------
#!/sbin/sh
# nettune: hack kernel parms for safety

OKAY=0
ERROR=1

# Put /usr/contrib/bin on the PATH for nettune
PATH=/sbin:/usr/sbin:/usr/bin:/usr/contrib/bin
export PATH

case $1 in
start_msg) print "Tune IP-Stack for security"; exit $OKAY ;;
stop_msg)  print "This action is not applicable"; exit $OKAY ;;
stop)      exit $OKAY ;;
start)     ;;   # continue with the settings below
*)         print "USAGE: $0 {start_msg | stop_msg | start | stop}" >&2
           exit $ERROR ;;
esac

# TCP sequence numbers: random instead of incrementing
# SYN flood protection on
# IP forwarding off, source-routed packets blocked
# Outbound packets visible to ethereal/tcpdump etc.
/usr/contrib/bin/nettune -s tcp_random_seq 2 || exit $ERROR
/usr/contrib/bin/nettune -s hp_syn_protect 1 || exit $ERROR
/usr/contrib/bin/nettune -s ip_forwarding 0 || exit $ERROR
echo 'ip_block_source_routed/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem || exit $ERROR
echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem || exit $ERROR
-----------------------------------Cut Here-------------------------------------