Always put the packet type in the Info column.

[obnox/wireshark/wip.git] / README.hpux

$Id: README.hpux,v 1.13 2000/08/13 07:48:55 guy Exp $

Contents:

1 - Building ethereal
2 - Building GTK+/GLib with HP's C compiler
3 - nettl support
4 - libpcap on HP-UX

1 - Building ethereal

The Software Porting And Archive Centre for HP-UX, at

        http://hpux.connect.org.uk/

(and with mirrors in various countries, listed on the Centre's home
page) has ported versions, in both source and binary form, for Ethereal,
as well as for the libpcap, GLib, GTK+, zlib, and CMU SNMP libraries
that it uses.

The changes they've made appear largely to be compile option changes; if
you've downloaded the source to the latest version of Ethereal (the
version on the Centre's site may not necessarily be the latest version),
it should be able to compile, perhaps with those changes.

They appear to have used HP-UX's "cc" compiler, with the options "-Ae
-O"; there's a comment "Add -Dhpux_9 if building under 9.X".  It may
also build with GCC.

The libpcap library has not been changed to properly open network
devices when given the name reported by the lanscan and ifconfig
commands; this means you may have difficulty capturing packets with
Ethereal on HP-UX.  The "libpcap on HP-UX" item below discusses patches
to the libpcap source code that should fix this problem, and the process
you will have to go through to apply those patches and build and install
a new version of libpcap that includes those patches.

2 - Building GTK+/GLib with HP's C compiler

By default, HP's C compiler doesn't support "long long int" to provide
64-bit integral data types on 32-bit platforms; the "-Ae" flag must be
supplied to enable extensions such as that.

Ethereal's "configure" script automatically includes that flag if it
detects that the native compiler is being used on HP-UX; however, the
configure scripts for GTK+ and GLib don't do so, which means that 64-bit
integer support won't be enabled.

This may prevent some parts of Ethereal from compiling; in order to get
64-bit integer support in GTK+/GLib, edit all the Makefiles for GTK+ and
GLib, as generated by the GTK+ and GLib "configure" scripts, to add
"-Ae" to all "CFLAGS = " definitions found in those Makefiles.  (If a
Makefile lacks a "CFLAGS = " definition, there's no need to add a
definition that includes "-Ae".)

3 - nettl support

nettl is used on HP-UX to trace various streams based subsystems.  Ethereal
can read nettl files containing IP frames (NS_LS_IP subsystem) and LAPB
frames (SX25L2 subsystem).
It has been tested with files generated on HP-UX 9.04 and 10.20.

Use the following commands to generate a trace (cf. nettl(1M)):

# IP capture. 0x30000000 means PDU in and PDU out :
nettl -tn 0x30000000 -e NS_LS_IP -f tracefile
# X25 capture. You must specify an interface :
nettl -tn 0x30000000 -e SX25l2 -d /dev/x25_0 -f tracefile
# stop capture. subsystem is NS_LS_IP or SX25L2 :
nettl -tf -e subsystem

One may be able to specify "-tn pduin pduout" rather than
"-tn 0x30000000"; the nettl man page for HP-UX 10.30 implies that it
should work.

4 - "libpcap" on HP-UX

If you want to use Ethereal to capture packets, you will have to install
"libpcap"; the INSTALL file for "libpcap" has several comments about
HP-UX, which you should read if you're going to install and use
"libpcap" on HP-UX.

Note that packet-capture programs such as Ethereal/Tethereal or tcpdump
may, on HP-UX, not be able to see packets sent from the machine on which
they're running.  Some articles on Deja.com discussing this are:

        http://www.deja.com/[ST_rn=ps]/getdoc.xp?AN=558092266

which says:

  Newsgroups: comp.sys.hp.hpux 
  Subject:  Re: Did someone made tcpdump working on 10.20 ?
  Date: 12/08/1999
  From: Lutz Jaenicke <jaenicke@emserv1.ee.TU-Berlin.DE>

  In article <82ks5i$5vc$1@news1.dti.ne.jp>, mtsat <mtsat@iris.dti.ne.jp>
  wrote:
   >Hello,
   >
   >I downloaded and compiled tcpdump3.4 a couple of week ago. I tried to use
   >it, but I can only see incoming data, never outgoing.
   >Someone (raj) explained me that a patch was missing, and that this patch
   >must me "patched" (poked) in order to see outbound data in promiscuous mode.
   >Many things to do .... So the question is : did someone has already this
   >"ready to use" PHNE_**** patch ?
  
   Two things:
   1. You do need a late "LAN products cumulative patch" (e.g.  PHNE_18173
  for   s700/10.20).
   2. You must use
echo 'lanc_outbound_promisc_flag/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem
     You can insert this e.g. into /sbin/init.d/lan
  
   Best regards,
   Lutz

and

        http://www.deja.com/[ST_rn=ps]/getdoc.xp?AN=586287166

which says:

  Newsgroups: comp.sys.hp.hpux 
  Subject: Re: tcpdump only shows incoming packets
  Date: 02/15/2000
  From: Rick Jones <foo@bar.baz.invalid>

  Harald Skotnes <harald@cc.uit.no> wrote:
  > I am running HPUX 11.0 on a C200 hanging on a 100Mb switch. I have
  > compiled libpcap-0.4 an tcpdump-3.4 and it seems to work. But at a
  > closer look I only get to see the incoming packets not the
  > outgoing. I have tried tcpflow-0.12 which also uses libpcap and the
  > same thing happens.  Could someone please give me a hint on how to
  > get this right?
  
  Search/Read the archives ?-)
  
  What you are seeing is expected, un-patched, behaviour for an HP-UX
  system.  On 11.00, you need to install the latest lancommon/DLPI
  patches, and then the latest driver patch for the interface(s) in use. 
  At that point, a miracle happens and you should start seeing outbound
  traffic.

[That article also mentions the patch that appears below.]

and

        http://www.deja.com/[ST_rn=ps]/getdoc.xp?AN=586494200

which says:

  Newsgroups: comp.sys.hp.hpux
  Subject: Re: tcpdump only shows incoming packets
  Date: 02/16/2000
  From: Harald Skotnes <harald@cc.uit.no>

  Rick Jones wrote:
  
        ...

  > What you are seeing is expected, un-patched, behaviour for an HP-UX
  > system. On 11.00, you need to install the latest lancommon/DLPI
  > patches, and then the latest driver patch for the interface(s) in
  > use. At that point, a miracle happens and you should start seeing
  > outbound traffic.
  
  Thanks a lot.  I have this problem on several machines running HPUX
  10.20 and 11.00.  The machines where patched up before y2k so did not
  know what to think.  Anyway I have now installed PHNE_19766,
  PHNE_19826, PHNE_20008, PHNE_20735 on the C200 and now I can see the
  outbound traffic too.  Thanks again.

Another posting:

        http://www.deja.com/[ST_rn=ps]/getdoc.xp?AN=457744130

indicates that you need to install the optional STREAMS product to do
captures on HP-UX 9.x:

  Newsgroups: comp.sys.hp.hpux
  Subject:  Re: tcpdump HP/UX 9.x
  Date: 03/22/1999
  From: Rick Jones <foo@bar.baz>

  Dave Barr (barr@cis.ohio-state.edu) wrote:
  : Has anyone ported tcpdump (or something similar) to HP/UX 9.x?
  
  I'm reasonably confident that any port of tcpdump to 9.X would require
  the (then optional) STREAMS product.  This would bring DLPI, which is
  what one uses to access interfaces in promiscuous mode.
  
  I'm not sure that HP even sells the 9.X STREAMS product any longer,
  since HP-UX 9.X is off the pricelist (well, maybe 9.10 for the old 68K
  devices). 
  
  Your best bet is to be up on 10.20 or better if that is at all
  possible.  If your hardware is supported by it, I'd go with HP-UX 11. 
  If you want to see the system's own outbound traffic, you'll never get
  that functionality on 9.X, but it might happen at some point for 10.20
  and 11.X. 
  
  rick jones

(as per other messages cited here, the ability to see the system's own
outbound traffic did happen).

Another note, from a mail message to the "ethereal-users" list:

  Date: Wed, 22 Dec 1999 09:05:47 -0600 (EST)
  From: Gerald Combs <gerald@zing.org>
  To: Lothar Seitter <lothar.seitter@arcormail.de>
  cc: ethereal-users@zing.org
  Subject: Re: [ethereal-users] permission problem with capturing

  On Wed, 22 Dec 1999, Lothar Seitter wrote:

  > running 'ethereal' under HP-UX 11 with root permission and
  > /dev/lan0 set to 777, I always get the message:
  > "There are no network interfaces that can be opened.
  > Please to make sure you have sufficient permission to 
  > capture packets."
  > 
  > I start ethereal with 'etheral -i lan0' and lan0 is definitely
  > the lan interface.
  > 
  > What am I missing???

  You may need to reference the card's DLPI device directly.  We were having
  trouble getting Ethereal to capture on an HP-UX 10.20 machine here.  I
  found an article on Deja News that says:

  "To access a particular interface, you would say "tcpdump -i /dev/dlpiN"
  where N is the PPA of the interface you wish to use. You get the PPA by
  looking at the output of lanscan. On 10.20, it is the same value as the
  NMID. On 11.X, it is the Card Instance number."

  This didn't help in our case, but it might in yours.  The full article is
  at http://x34.deja.com/[ST_rn=ps]/getdoc.xp?AN=549366486 .

  Another article by the same author mentions that experimental versions of
  libpcap and tcpdump are available at
  ftp://ftp.cup.hp.com/dist/networking/tools/ .  The article itself is at
  http://x34.deja.com/[ST_rn=ps]/getdoc.xp?AN=558665378 .

The first of those articles also says:

  BTW, before you have to make a follow-up post, you will find that
  unless you have the latest lan common/DLPI/driver patches installed,
  you will _not_ see the system's own outbound traffic.

An additional note, from Jost Martin, for HP-UX 10.20:

        Q: How do I get ethereral on HPUX to capture the _outgoing_ packets
           of an interface
        A: You need to get PHNE_20892,PHNE_20725 and PHCO_10947 (or
           newer, this is as of 4.4.00) and its dependencies.  Then you can
           enable the feature as descibed below:

        Patch Name: PHNE_20892
        Patch Description: s700 10.20 PCI 100Base-T cumulative patch
                To trace the outbound packets, please do the following
                to turn on a global promiscuous switch before running
                the promiscuous applications like snoop or tcpdump:

                adb -w /stand/vmunix /dev/mem
                lanc_outbound_promisc_flag/W 1
                (adb will echo the result showing that the flag has
                been changed)
                $quit
        (Thanks for this part to HP-support, Ratingen)

                The attached hack does this and some security-related stuff
        (thanks to hildeb@www.stahl.bau.tu-bs.de (Ralf Hildebrandt) who
        posted the security-part some time ago)

                 <<hack_ip_stack>> 

                (Don't switch IP-forwarding off, if you need it !)
                Install the hack as /sbin/init.d/hacl_ip_stack (adjust
        permissions !) and make a sequencing-symlink
        /sbin/rc2.d/S350hack_ip_stack pointing to this script. 
                Now all this is done on every reboot.

Here's the "hack_ip_stack" script:

-----------------------------------Cut Here-------------------------------------
#!/sbin/sh
#
# nettune:  hack kernel parms for safety

OKAY=0
ERROR=-1

# /usr/contrib/bin fuer nettune auf Pfad
PATH=/sbin:/usr/sbin:/usr/bin:/usr/contrib/bin
export PATH


##########
#  main  #
##########

case $1 in
   start_msg)
      print "Tune IP-Stack for security"
      exit $OKAY
      ;;

   stop_msg)
      print "This action is not applicable"
      exit $OKAY
      ;;

   stop)
      exit $OKAY
      ;;

   start)
      ;;  # fall through

   *)
      print "USAGE: $0 {start_msg | stop_msg | start | stop}" >&2
      exit $ERROR
      ;;
   esac

###########
#  start  #
###########

#
# tcp-Sequence-Numbers nicht mehr inkrementieren sondern random
# Syn-Flood-Protection an
# ip_forwarding aus
# Source-Routing aus
# Ausgehende Packets an ethereal/tcpdump etc.

/usr/contrib/bin/nettune -s tcp_random_seq 2 || exit $ERROR
/usr/contrib/bin/nettune -s hp_syn_protect 1 || exit $ERROR
/usr/contrib/bin/nettune -s ip_forwarding 0 || exit $ERROR
echo 'ip_block_source_routed/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem || exit $ERROR
echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem  || exit $ERROR

exit $OKAY
-----------------------------------Cut Here-------------------------------------

It appears that a consequence of the fact that HP-UX's DLPI doesn't work
like Solaris's, in that, on Solaris, to get at the device "hme0", say,
"libpcap" has to open "/dev/hme" and then tell it to use the 0th
interface, whilst on HP-UX you have to go through "/dev/dlpi", you won't
get a list of interfaces in the dialog box for "Capture:Start" - you'll
have to do through the aforementioned song and dance to find the PPA of
the interface you want to use, and supply the "dlpiN" name by hand (I
think you can omit the "/dev/" in both tcpdump and Ethereal).

Here is a patch to "pcap-dlpi.c" in libpcap that, at least on HP-UX
11.X, allows the name of the network interface, rather than the "dlpiN"
name, to be specified to tcpdump and Ethereal.

On HP-UX 11.00, the patch allows a network interface to be specified by
name as an argument to tcpdump, rather than requiring that you specify a
"dlpiN" name (and it should work equally well with Ethereal).

If you try this code on HP-UX 10.20, and it doesn't let you specify the
interface by name, please send mail to ethereal-dev@zing.org, so that we
know that it didn't work - we'll probably send you debugging patches in
the hopes of being able to make it work on 10.20 as well.  (It appeared
to work in some tests done on HP-UX 10.20 systems.)

To use this patch, you will need the source to libpcap; if you don't
already have it, it is available from the Software Porting And Archive
Centre for HP-UX (see above for its URL).  Search for "libpcap" in the
"Package Search" box.

The patch would be applied with the "patch" program; if you don't
already have it, it is also available from the Software Porting And
Archive Centre for HP-UX.  Search for "patch" in the "Package Search" -
it will find many packages; look for the one in the "Sysadmin" category
with the description "Applies diffs to files to reproduce new versions".

If you have downloaded the source to libpcap 0.4 from the Porting and
Archive Centre, the patch to use is in the file

        libpcap-0.4.HPUX.HPUXPAC.patch

If you have downloaded the source to libpcap 0.4 from the Lawrence
Berkeley Laboratory Web site, the patch to use is in the file

        libpcap-0.4.HPUX.LBL.patch

If you have downloaded the source to libpcap 0.5 from the tcpdump.org
Web site, the patch to use is in the file

        libpcap-0.5.HPUX.tcpdump.org.patch

Note that the versions from Lawrence Berkeley Laboratory and tcpdump.org
will probably not compile on HP-UX with HP's ANSI C compiler, and will
not build and install a shared library, so patching, building, and
installing those versions will require that you have GCC installed, and
that you download the source to Ethereal and build it from source.

You should apply only the patch file appropriate to the particular
version of libpcap source that you have downloaded; attempting to apply
a different patch file will probably cause errors.