+$Id$
+
+Contents:
+
+1 - Building ethereal
+2 - Building GTK+/GLib with HP's C compiler
+3 - nettl support
+4 - libpcap on HP-UX
+5 - HP-UX patches to fix packet capture problems
+
+1 - Building ethereal
+
The Software Porting And Archive Centre for HP-UX, at
- http://hpux.csc.liv.ac.uk/
+ http://hpux.connect.org.uk/
-(and with mirrors in various countries, listed on the Centre's home
-page) has ported versions, in both source and binary form, for Ethereal,
-as well as for the "libpcap", GLib, GTK+, "zlib", and CMU SNMP libraries
-that it uses.
+(with mirrors in various countries, listed on the Centre's home page;
+you may want to choose a mirror closer to you) has ported versions, in
+both source and binary form, for Ethereal, as well as for the libpcap,
+GLib, GTK+, and zlib libraries that it uses.
The changes they've made appear largely to be compile option changes; if
you've downloaded the source to the latest version of Ethereal (the
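Review bot: the new contents entry and the section heading both read "1 - Building ethereal", while the body text in this hunk spells the program name "Ethereal"; capitalise the name in both added lines so the headings match the text they introduce.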
-O"; there's a comment "Add -Dhpux_9 if building under 9.X". It may
also build with GCC.
+They currently have libpcap 0.6.2; libpcap 0.6.2, and later versions,
+include changes to properly open network devices when given the name
+reported by the lanscan and ifconfig commands - earlier versions didn't
+do this correctly. Therefore, we strongly suggest you use libpcap 0.6.2
+or later, not libpcap 0.5.2.
+
+2 - Building GTK+/GLib with HP's C compiler
+
+By default, HP's C compiler doesn't support "long long int" to provide
+64-bit integral data types on 32-bit platforms; the "-Ae" flag must be
+supplied to enable extensions such as that.
+
+Ethereal's "configure" script automatically includes that flag if it
+detects that the native compiler is being used on HP-UX; however, the
+configure scripts for GTK+ and GLib don't do so, which means that 64-bit
+integer support won't be enabled.
+
+This may prevent some parts of Ethereal from compiling; in order to get
+64-bit integer support in GTK+/GLib, edit all the Makefiles for GTK+ and
+GLib, as generated by the GTK+ and GLib "configure" scripts, to add
+"-Ae" to all "CFLAGS = " definitions found in those Makefiles. (If a
+Makefile lacks a "CFLAGS = " definition, there's no need to add a
+definition that includes "-Ae".)
+
+3 - nettl support
+
+nettl is used on HP-UX to trace various streams based subsystems. Ethereal
+can read nettl files containing IP frames (NS_LS_IP subsystem) and LAPB
+frames (SX25L2 subsystem).
+It has been tested with files generated on HP-UX 9.04 and 10.20.
+
+Use the following commands to generate a trace (cf. nettl(1M)):
+
+# IP capture. 0x30000000 means PDU in and PDU out :
+nettl -tn 0x30000000 -e NS_LS_IP -f tracefile
+# X25 capture. You must specify an interface :
+nettl -tn 0x30000000 -e SX25l2 -d /dev/x25_0 -f tracefile
+# stop capture. subsystem is NS_LS_IP or SX25L2 :
+nettl -tf -e subsystem
+
+One may be able to specify "-tn pduin pduout" rather than
+"-tn 0x30000000"; the nettl man page for HP-UX 10.30 implies that it
+should work.
+
+4 - libpcap on HP-UX
+
If you want to use Ethereal to capture packets, you will have to install
-"libpcap"; the INSTALL file for "libpcap" has several comments about
-HP-UX, which you should read if you're going to install and use
-"libpcap" on HP-UX.
-
-Another note, from a mail message to the "ethereal-users" list:
-
- Date: Wed, 22 Dec 1999 09:05:47 -0600 (EST)
- From: Gerald Combs <gerald@zing.org>
- To: Lothar Seitter <lothar.seitter@arcormail.de>
- cc: ethereal-users@zing.org
- Subject: Re: [ethereal-users] permission problem with capturing
-
- On Wed, 22 Dec 1999, Lothar Seitter wrote:
-
- > running 'ethereal' under HP-UX 11 with root permission and
- > /dev/lan0 set to 777, I always get the message:
- > "There are no network interfaces that can be opened.
- > Please to make sure you have sufficient permission to
- > capture packets."
- >
- > I start ethereal with 'etheral -i lan0' and lan0 is definitely
- > the lan interface.
- >
- > What am I missing???
-
- You may need to reference the card's DLPI device directly. We were having
- trouble getting Ethereal to capture on an HP-UX 10.20 machine here. I
- found an article on Deja News that says:
-
- "To access a particular interface, you would say "tcpdump -i /dev/dlpiN"
- where N is the PPA of the interface you wish to use. You get the PPA by
- looking at the output of lanscan. On 10.20, it is the same value as the
- NMID. On 11.X, it is the Card Instance number."
-
- This didn't help in our case, but it might in yours. The full article is
- at http://x34.deja.com/[ST_rn=ps]/getdoc.xp?AN=549366486 .
-
- Another article by the same author mentions that experimental versions of
- libpcap and tcpdump are available at
- ftp://ftp.cup.hp.com/dist/networking/tools/ . The article itself is at
- http://x34.deja.com/[ST_rn=ps]/getdoc.xp?AN=558665378 .
-
-The first of those articles also says:
-
- BTW, before you have to make a follow-up post, you will find that
- unless you have the latest lan common/DLPI/driver patches installed,
- you will _not_ see the system's own outbound traffic.
-
-It appears that a consequence of the fact that HP-UX's DLPI doesn't work
-like Solaris's, in that, on Solaris, to get at the device "hme0", say,
-"libpcap" has to open "/dev/hme" and then tell it to use the 0th
-interface, whilst on HP-UX you have to go through "/dev/dlpi", you won't
-get a list of interfaces in the dialog box for "Capture:Start" - you'll
-have to do through the aforementioned song and dance to find the PPA of
-the interface you want to use, and supply the "dlpiN" name by hand (I
-think you can omit the "/dev/" in both tcpdump and Ethereal).
-
-Here is a patch to "pcap-dlpi.c" in libpcap that, at least on HP-UX
-11.X, allows the name of the network interface, rather than the "dlpiN"
-name, to be specified to tcpdump and Ethereal. It has not been tried on
-HP-UX 10.20; it fixes one bug that could have caused the code in vanilla
-libpcap not to correctly find the PPA for an interface on HP-UX 10.20,
-but HP-UX 10.20's DLPI doesn't supply, in the data returned by a
-DL_HP_PPA_REQ request, network interface names, so, on systems without
-the network interface names in that data, the code continues to check
-the major device number.
-
-On HP-UX 11.00, the patch allows a network interface to be specified by
-name as an argument to tcpdump, rather than requiring that you specify a
-"dlpiN" name (and it should work equally well with Ethereal).
-
-If you try this code on HP-UX 10.20, and it doesn't let you specify the
-interface by name, please send mail to ethereal-dev@zing.org, so that we
-know that it didn't work - we'll probably send you debugging patches in
-the hopes of being able to make it work on 10.20 as well.
-
-Here's the patch (to vanilla libpcap 0.4; it patches "configure",
-"aclocal.m4", and "configure.in", to make the configure script check
-whether your version of HP-UX supplies the interface names in the reply
-to a DL_HP_PPA_REQ request, and "pcap-dlpi.c"):
-
-*** ../libpcap-0.4/configure Sat Jul 25 12:41:51 1998
---- configure Fri Jan 14 00:40:04 2000
-***************
-*** 1702,1709 ****
-
- fi
-
- echo $ac_n "checking if unaligned accesses fail""... $ac_c" 1>&6
-! echo "configure:1707: checking if unaligned accesses fail" >&5
- if eval "test \"`echo '$''{'ac_cv_lbl_unaligned_fail'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
- else
---- 1702,1745 ----
-
- fi
-
-+ echo $ac_n "checking if dl_hp_ppa_info_t struct has dl_module_id_1 member""... $ac_c" 1>&6
-+ echo "configure:1707: checking if dl_hp_ppa_info_t struct has dl_module_id_1 member" >&5
-+ if eval "test \"`echo '$''{'ac_cv_lbl_dl_hp_ppa_info_t_has_dl_module_id_1'+set}'`\" = set"; then
-+ echo $ac_n "(cached) $ac_c" 1>&6
-+ else
-+ cat > conftest.$ac_ext <<EOF
-+ #line 1712 "configure"
-+ #include "confdefs.h"
-+
-+ # include <sys/types.h>
-+ # include <sys/dlpi.h>
-+ # include <sys/dlpi_ext.h>
-+ int main() {
-+ u_int i = sizeof(((dl_hp_ppa_info_t *)0)->dl_module_id_1)
-+ ; return 0; }
-+ EOF
-+ if { (eval echo configure:1722: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
-+ rm -rf conftest*
-+ ac_cv_lbl_dl_hp_ppa_info_t_has_dl_module_id_1=yes
-+ else
-+ echo "configure: failed program was:" >&5
-+ cat conftest.$ac_ext >&5
-+ rm -rf conftest*
-+ ac_cv_lbl_dl_hp_ppa_info_t_has_dl_module_id_1=no
-+ fi
-+ rm -f conftest*
-+ fi
-+
-+ echo "$ac_t""$ac_cv_lbl_dl_hp_ppa_info_t_has_dl_module_id_1" 1>&6
-+ if test $ac_cv_lbl_dl_hp_ppa_info_t_has_dl_module_id_1 = yes ; then
-+ cat >> confdefs.h <<\EOF
-+ #define HAVE_HP_PPA_INFO_T_DL_MODULE_ID_1 1
-+ EOF
-+
-+ fi
-+
- echo $ac_n "checking if unaligned accesses fail""... $ac_c" 1>&6
-! echo "configure:1743: checking if unaligned accesses fail" >&5
- if eval "test \"`echo '$''{'ac_cv_lbl_unaligned_fail'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
- else
-***************
-*** 1799,1805 ****
- # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
- # ./install, which can be erroneously created by make from ./install.sh.
- echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6
-! echo "configure:1803: checking for a BSD compatible install" >&5
- if test -z "$INSTALL"; then
- if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
---- 1835,1841 ----
- # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
- # ./install, which can be erroneously created by make from ./install.sh.
- echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6
-! echo "configure:1839: checking for a BSD compatible install" >&5
- if test -z "$INSTALL"; then
- if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then
- echo $ac_n "(cached) $ac_c" 1>&6
-
-
-*** ../libpcap-0.4/aclocal.m4 Fri Jun 12 03:45:15 1998
---- aclocal.m4 Tue Jan 4 21:02:13 2000
-***************
-*** 415,420 ****
---- 415,454 ----
- fi])
-
- dnl
-+ dnl Checks to see if the dl_hp_ppa_info_t struct has the HP-UX 11.00
-+ dnl dl_module_id_1 member
-+ dnl
-+ dnl usage:
-+ dnl
-+ dnl AC_LBL_HP_PPA_INFO_T_DL_MODULE_ID_1
-+ dnl
-+ dnl results:
-+ dnl
-+ dnl HAVE_HP_PPA_INFO_T_DL_MODULE_ID_1 (defined)
-+ dnl
-+ dnl NOTE: any compile failure means we conclude that it doesn't have
-+ dnl that member, so if we don't have DLPI, don't have a <sys/dlpi_ext.h>
-+ dnl header, or have one that doesn't declare a dl_hp_ppa_info_t type,
-+ dnl we conclude it doesn't have that member (which is OK, as either we
-+ dnl won't be using code that would use that member, or we wouldn't
-+ dnl compile in any case).
-+ dnl
-+ AC_DEFUN(AC_LBL_HP_PPA_INFO_T_DL_MODULE_ID_1,
-+ [AC_MSG_CHECKING(if dl_hp_ppa_info_t struct has dl_module_id_1 member)
-+ AC_CACHE_VAL(ac_cv_lbl_dl_hp_ppa_info_t_has_dl_module_id_1,
-+ AC_TRY_COMPILE([
-+ # include <sys/types.h>
-+ # include <sys/dlpi.h>
-+ # include <sys/dlpi_ext.h>],
-+ [u_int i = sizeof(((dl_hp_ppa_info_t *)0)->dl_module_id_1)],
-+ ac_cv_lbl_dl_hp_ppa_info_t_has_dl_module_id_1=yes,
-+ ac_cv_lbl_dl_hp_ppa_info_t_has_dl_module_id_1=no))
-+ AC_MSG_RESULT($ac_cv_lbl_dl_hp_ppa_info_t_has_dl_module_id_1)
-+ if test $ac_cv_lbl_dl_hp_ppa_info_t_has_dl_module_id_1 = yes ; then
-+ AC_DEFINE(HAVE_HP_PPA_INFO_T_DL_MODULE_ID_1)
-+ fi])
-+
-+ dnl
- dnl Checks to see if -R is used
- dnl
- dnl usage:
-
-
-*** ../libpcap-0.4/configure.in Sun Jul 27 22:16:22 1997
---- configure.in Tue Jan 4 21:02:13 2000
-***************
-*** 154,159 ****
---- 154,161 ----
-
- AC_LBL_SOCKADDR_SA_LEN
-
-+ AC_LBL_HP_PPA_INFO_T_DL_MODULE_ID_1
-+
- AC_LBL_UNALIGNED_ACCESS
-
- if test "${srcdir}" = "." ; then
-
-*** ../libpcap-0.4/pcap-dlpi.c Wed Oct 15 21:59:34 1997
---- pcap-dlpi.c Tue Jan 4 21:02:13 2000
-***************
-*** 246,255 ****
- }
- memset(p, 0, sizeof(*p));
-
- /*
-! ** Determine device and ppa
- */
-! cp = strpbrk(device, "0123456789");
- if (cp == NULL) {
- sprintf(ebuf, "%s missing unit number", device);
- goto bad;
---- 246,266 ----
- }
- memset(p, 0, sizeof(*p));
-
-+ #ifdef HAVE_DEV_DLPI
- /*
-! ** Remove any "/dev/" on the front of the device.
- */
-! cp = strrchr(device, '/');
-! if (cp == NULL)
-! cp = device;
-! else
-! cp++;
-! strcpy(dname, cp);
-!
-! /*
-! * Split the name into a device type and a unit number.
-! */
-! cp = strpbrk(dname, "0123456789");
- if (cp == NULL) {
- sprintf(ebuf, "%s missing unit number", device);
- goto bad;
-***************
-*** 259,281 ****
- sprintf(ebuf, "%s bad unit number", device);
- goto bad;
- }
-
-! if (*device == '/')
-! strcpy(dname, device);
-! else
-! sprintf(dname, "%s/%s", PCAP_DEV_PREFIX, device);
-! #ifdef HAVE_DEV_DLPI
-! /* Map network device to /dev/dlpi unit */
- cp = "/dev/dlpi";
- if ((p->fd = open(cp, O_RDWR)) < 0) {
- sprintf(ebuf, "%s: %s", cp, pcap_strerror(errno));
- goto bad;
- }
-! /* Map network interface to /dev/dlpi unit */
- ppa = get_dlpi_ppa(p->fd, dname, ppa, ebuf);
- if (ppa < 0)
- goto bad;
- #else
- /* Try device without unit number */
- strcpy(dname2, dname);
- cp = strchr(dname, *cp);
---- 270,331 ----
- sprintf(ebuf, "%s bad unit number", device);
- goto bad;
- }
-+ *cp = '\0';
-
-! /*
-! * Use "/dev/dlpi" as the device.
-! *
-! * XXX - HP's DLPI Programmer's Guide for HP-UX 11.00 says that
-! * the "dl_mjr_num" field is for the "major number of interface
-! * driver"; that's the major of "/dev/dlpi" on the system on
-! * which I tried this, but there may be DLPI devices that
-! * use a different driver, in which case we may need to
-! * search "/dev" for the appropriate device with that major
-! * device number, rather than hardwiring "/dev/dlpi".
-! *
-! * I'm assuming that the code that was used for HP-UX 10.x
-! * is valid, and therefore that, in 10.x, DLPIable devices have
-! * "/dev" entries corresponding to them and that their
-! * major device number is what appears in the "dl_hp_ppa_info_t"
-! * structure for that device. We can search by name in 11.x
-! * (and we may have to, as it's not clear that DLPIable devices
-! * will have those sorts of "/dev" entries), but we can't in
-! * 10.x, as 10.x doesn't have the "dl_module_id_1" and
-! * "dl_module_id_2" members in the "dl_hp_ppa_info_t" structure.
-! */
- cp = "/dev/dlpi";
- if ((p->fd = open(cp, O_RDWR)) < 0) {
- sprintf(ebuf, "%s: %s", cp, pcap_strerror(errno));
- goto bad;
- }
-!
-! /*
-! * Get a table of all PPAs for that device, and search that
-! * table for the specified device type name and unit number.
-! */
- ppa = get_dlpi_ppa(p->fd, dname, ppa, ebuf);
- if (ppa < 0)
- goto bad;
- #else
-+ /*
-+ ** Determine device and ppa
-+ */
-+ cp = strpbrk(device, "0123456789");
-+ if (cp == NULL) {
-+ sprintf(ebuf, "%s missing unit number", device);
-+ goto bad;
-+ }
-+ ppa = strtol(cp, &eos, 10);
-+ if (*eos != '\0') {
-+ sprintf(ebuf, "%s bad unit number", device);
-+ goto bad;
-+ }
-+
-+ if (*device == '/')
-+ strcpy(dname, device);
-+ else
-+ sprintf(dname, "%s/%s", PCAP_DEV_PREFIX, device);
-+
- /* Try device without unit number */
- strcpy(dname2, dname);
- cp = strchr(dname, *cp);
-***************
-*** 391,397 ****
- break;
-
- default:
-! sprintf(ebuf, "unknown mac type 0x%lu", infop->dl_mac_type);
- goto bad;
- }
-
---- 441,448 ----
- break;
-
- default:
-! sprintf(ebuf, "unknown mac type 0x%lu",
-! (unsigned long)infop->dl_mac_type);
- goto bad;
- }
-
-***************
-*** 709,715 ****
-
- #ifdef DL_HP_PPA_ACK_OBS
- /*
-! * Under HP-UX 10, we can ask for the ppa
- */
-
-
---- 760,766 ----
-
- #ifdef DL_HP_PPA_ACK_OBS
- /*
-! * Under HP-UX 10 and HP-UX 11, we can ask for the ppa
- */
-
-
-***************
-*** 719,736 ****
- register char *ebuf)
- {
- register dl_hp_ppa_ack_t *ap;
-! register dl_hp_ppa_info_t *ip;
- register int i;
- register u_long majdev;
-- dl_hp_ppa_req_t req;
- struct stat statbuf;
- bpf_u_int32 buf[MAXDLBUF];
-
-! if (stat(device, &statbuf) < 0) {
-! sprintf(ebuf, "stat: %s: %s", device, pcap_strerror(errno));
- return (-1);
- }
- majdev = major(statbuf.st_rdev);
-
- memset((char *)&req, 0, sizeof(req));
- req.dl_primitive = DL_HP_PPA_REQ;
---- 770,800 ----
- register char *ebuf)
- {
- register dl_hp_ppa_ack_t *ap;
-! register dl_hp_ppa_info_t *ipstart, *ip;
- register int i;
-+ #ifndef HAVE_HP_PPA_INFO_T_DL_MODULE_ID_1
-+ char dname[100];
- register u_long majdev;
- struct stat statbuf;
-+ #endif
-+ dl_hp_ppa_req_t req;
- bpf_u_int32 buf[MAXDLBUF];
-
-! #ifndef HAVE_HP_PPA_INFO_T_DL_MODULE_ID_1
-! /*
-! * HP-UX 10 doesn't put the interface name in the
-! * "dl_hp_ppa_info_t" structure, so we have to
-! * try to get the major device number for the device
-! * corresponding to the device and unit name provided to
-! * us, and search for the entry with that major device number.
-! */
-! sprintf(dname, "/dev/%s%d", device, unit);
-! if (stat(dname, &statbuf) < 0) {
-! sprintf(ebuf, "stat: %s: %s", dname, pcap_strerror(errno));
- return (-1);
- }
- majdev = major(statbuf.st_rdev);
-+ #endif
-
- memset((char *)&req, 0, sizeof(req));
- req.dl_primitive = DL_HP_PPA_REQ;
-***************
-*** 741,760 ****
- return (-1);
-
- ap = (dl_hp_ppa_ack_t *)buf;
-! ip = (dl_hp_ppa_info_t *)((u_char *)ap + ap->dl_offset);
-
- for(i = 0; i < ap->dl_count; i++) {
-! if (ip->dl_mjr_num == majdev && ip->dl_instance_num == unit)
- break;
-
-! ip = (dl_hp_ppa_info_t *)((u_char *)ip + ip->dl_next_offset);
- }
- if (i == ap->dl_count) {
-! sprintf(ebuf, "can't find PPA for %s", device);
- return (-1);
- }
- if (ip->dl_hdw_state == HDW_DEAD) {
-! sprintf(ebuf, "%s: hardware state: DOWN\n", device);
- return (-1);
- }
- return ((int)ip->dl_ppa);
---- 805,831 ----
- return (-1);
-
- ap = (dl_hp_ppa_ack_t *)buf;
-! ipstart = (dl_hp_ppa_info_t *)((u_char *)ap + ap->dl_offset);
-! ip = ipstart;
-
- for(i = 0; i < ap->dl_count; i++) {
-! #ifdef HAVE_HP_PPA_INFO_T_DL_MODULE_ID_1
-! if ((strcmp(ip->dl_module_id_1, device) == 0 ||
-! strcmp(ip->dl_module_id_2, device) == 0) &&
-! #else
-! if (ip->dl_mjr_num == majdev &&
-! #endif
-! ip->dl_instance_num == unit)
- break;
+libpcap; binary distributions are, as noted above, available from the
+Software Porting And Archive Centre for HP-UX, as well as source code.
+
+Versions of libpcap prior to 0.6 didn't handle HP-UX as well as 0.6 and
+later versions do. You should install the latest version.
+
+The source code is also available from the official home of libpcap and
+tcpdump, at
+
+ http://www.tcpdump.org/
+
+if you want a version later than the version available from the Software
+Porting And Archive Centre; however, the versions available from
+tcpdump.org might not, for example, include support for building libpcap
+as a shared library.
+
+5 - HP-UX patches to fix packet capture problems
+
+Note that packet-capture programs such as Ethereal/Tethereal or tcpdump
+may, on HP-UX, not be able to see packets sent from the machine on which
+they're running. Some articles on groups.google.com discussing this
+are:
+
+ http://groups.google.com/groups?selm=82ld3v%2480i%241%40mamenchi.zrz.TU-Berlin.DE
+
+which says:
+
+ Newsgroups: comp.sys.hp.hpux
+ Subject: Re: Did someone made tcpdump working on 10.20 ?
+ Date: 12/08/1999
+ From: Lutz Jaenicke <jaenicke@emserv1.ee.TU-Berlin.DE>
+
+ In article <82ks5i$5vc$1@news1.dti.ne.jp>, mtsat <mtsat@iris.dti.ne.jp>
+ wrote:
+ >Hello,
+ >
+ >I downloaded and compiled tcpdump3.4 a couple of week ago. I tried to use
+ >it, but I can only see incoming data, never outgoing.
+ >Someone (raj) explained me that a patch was missing, and that this patch
+ >must me "patched" (poked) in order to see outbound data in promiscuous mode.
+ >Many things to do .... So the question is : did someone has already this
+ >"ready to use" PHNE_**** patch ?
+
+ Two things:
+ 1. You do need a late "LAN products cumulative patch" (e.g. PHNE_18173
+ for s700/10.20).
+ 2. You must use
+echo 'lanc_outbound_promisc_flag/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem
+ You can insert this e.g. into /sbin/init.d/lan
+
+ Best regards,
+ Lutz
+
+and
+
+ http://groups.google.com/groups?selm=88cf4t%24p03%241%40web1.cup.hp.com
+
+which says:
+
+ Newsgroups: comp.sys.hp.hpux
+ Subject: Re: tcpdump only shows incoming packets
+ Date: 02/15/2000
+ From: Rick Jones <foo@bar.baz.invalid>
+
+ Harald Skotnes <harald@cc.uit.no> wrote:
+ > I am running HPUX 11.0 on a C200 hanging on a 100Mb switch. I have
+ > compiled libpcap-0.4 an tcpdump-3.4 and it seems to work. But at a
+ > closer look I only get to see the incoming packets not the
+ > outgoing. I have tried tcpflow-0.12 which also uses libpcap and the
+ > same thing happens. Could someone please give me a hint on how to
+ > get this right?
+
+ Search/Read the archives ?-)
+
+ What you are seeing is expected, un-patched, behaviour for an HP-UX
+ system. On 11.00, you need to install the latest lancommon/DLPI
+ patches, and then the latest driver patch for the interface(s) in use.
+ At that point, a miracle happens and you should start seeing outbound
+ traffic.
+
+[That article also mentions the patch that appears below.]
+
+and
+
+ http://groups.google.com/groups?selm=38AA973E.96BE7DF7%40cc.uit.no
+
+which says:
+
+ Newsgroups: comp.sys.hp.hpux
+ Subject: Re: tcpdump only shows incoming packets
+ Date: 02/16/2000
+ From: Harald Skotnes <harald@cc.uit.no>
+
+ Rick Jones wrote:
-! ip = (dl_hp_ppa_info_t *)((u_char *)ipstart + ip->dl_next_offset);
- }
- if (i == ap->dl_count) {
-! sprintf(ebuf, "can't find PPA for %s%d", device, unit);
- return (-1);
- }
- if (ip->dl_hdw_state == HDW_DEAD) {
-! sprintf(ebuf, "%s%d: hardware state: DOWN\n", device, unit);
- return (-1);
- }
- return ((int)ip->dl_ppa);
-***************
-*** 783,789 ****
- register int kd;
- void *addr;
- struct ifnet ifnet;
-! char if_name[sizeof(ifnet.if_name)], tifname[32];
+ ...
+
+ > What you are seeing is expected, un-patched, behaviour for an HP-UX
+ > system. On 11.00, you need to install the latest lancommon/DLPI
+ > patches, and then the latest driver patch for the interface(s) in
+ > use. At that point, a miracle happens and you should start seeing
+ > outbound traffic.
+
+ Thanks a lot. I have this problem on several machines running HPUX
+ 10.20 and 11.00. The machines where patched up before y2k so did not
+ know what to think. Anyway I have now installed PHNE_19766,
+ PHNE_19826, PHNE_20008, PHNE_20735 on the C200 and now I can see the
+ outbound traffic too. Thanks again.
+
+(although those patches may not be the ones to install - there may be
+later patches).
+
+And another message to tcpdump-workers@tcpdump.org, from Rick Jones:
+
+ Date: Mon, 29 Apr 2002 15:59:55 -0700
+ From: Rick Jones
+ To: tcpdump-workers@tcpdump.org
+ Subject: Re: [tcpdump-workers] I Can't Capture the Outbound Traffic
+
+ ...
+
+ http://itrc.hp.com/ would be one place to start in a search for the most
+ up-to-date patches for DLPI and the lan driver(s) used on your system (I
+ cannot guess because 9000/800 is too generic - one hs to use the "model"
+ command these days and/or an ioscan command (see manpage) to guess what
+ the drivers (btlan[3456], gelan, etc) might be involved in addition to
+ DLPI.
+
+ Another option is to upgrade to 11i as outbound promiscuous mode support
+ is there in the base OS, no patches required.
+
+Another posting:
+
+ http://groups.google.com/groups?selm=7d6gvn%24b3%241%40ocean.cup.hp.com
+
+indicates that you need to install the optional STREAMS product to do
+captures on HP-UX 9.x:
+
+ Newsgroups: comp.sys.hp.hpux
+ Subject: Re: tcpdump HP/UX 9.x
+ Date: 03/22/1999
+ From: Rick Jones <foo@bar.baz>
+
+ Dave Barr (barr@cis.ohio-state.edu) wrote:
+ : Has anyone ported tcpdump (or something similar) to HP/UX 9.x?
- cp = strrchr(ifname, '/');
- if (cp != NULL)
---- 854,860 ----
- register int kd;
- void *addr;
- struct ifnet ifnet;
-! char if_name[sizeof(ifnet.if_name) + 1];
+ I'm reasonably confident that any port of tcpdump to 9.X would require
+ the (then optional) STREAMS product. This would bring DLPI, which is
+ what one uses to access interfaces in promiscuous mode.
- cp = strrchr(ifname, '/');
- if (cp != NULL)
-***************
-*** 811,823 ****
- if (dlpi_kread(kd, (off_t)addr,
- &ifnet, sizeof(ifnet), ebuf) < 0 ||
- dlpi_kread(kd, (off_t)ifnet.if_name,
-! if_name, sizeof(if_name), ebuf) < 0) {
- (void)close(kd);
- return (-1);
- }
-! sprintf(tifname, "%.*s%d",
-! (int)sizeof(if_name), if_name, ifnet.if_unit);
-! if (strcmp(tifname, ifname) == 0)
- return (ifnet.if_index);
- }
+ I'm not sure that HP even sells the 9.X STREAMS product any longer,
+ since HP-UX 9.X is off the pricelist (well, maybe 9.10 for the old 68K
+ devices).
---- 882,893 ----
- if (dlpi_kread(kd, (off_t)addr,
- &ifnet, sizeof(ifnet), ebuf) < 0 ||
- dlpi_kread(kd, (off_t)ifnet.if_name,
-! if_name, sizeof(ifnet.if_name), ebuf) < 0) {
- (void)close(kd);
- return (-1);
- }
-! if_name[sizeof(ifnet.if_name)] = '\0';
-! if (strcmp(if_name, ifname) == 0 && ifnet.if_unit == unit)
- return (ifnet.if_index);
- }
+ Your best bet is to be up on 10.20 or better if that is at all
+ possible. If your hardware is supported by it, I'd go with HP-UX 11.
+ If you want to see the system's own outbound traffic, you'll never get
+ that functionality on 9.X, but it might happen at some point for 10.20
+ and 11.X.
+ rick jones
+
+(as per other messages cited here, the ability to see the system's own
+outbound traffic did happen).
+
+Rick Jones reports that HP-UX 11i needs no patches for outbound
+promiscuous mode support.
+
+An additional note, from Jost Martin, for HP-UX 10.20:
+
+ Q: How do I get ethereral on HPUX to capture the _outgoing_ packets
+ of an interface
+ A: You need to get PHNE_20892,PHNE_20725 and PHCO_10947 (or
+ newer, this is as of 4.4.00) and its dependencies. Then you can
+ enable the feature as descibed below:
+
+ Patch Name: PHNE_20892
+ Patch Description: s700 10.20 PCI 100Base-T cumulative patch
+ To trace the outbound packets, please do the following
+ to turn on a global promiscuous switch before running
+ the promiscuous applications like snoop or tcpdump:
+
+ adb -w /stand/vmunix /dev/mem
+ lanc_outbound_promisc_flag/W 1
+ (adb will echo the result showing that the flag has
+ been changed)
+ $quit
+ (Thanks for this part to HP-support, Ratingen)
+
+ The attached hack does this and some security-related stuff
+ (thanks to hildeb@www.stahl.bau.tu-bs.de (Ralf Hildebrandt) who
+ posted the security-part some time ago)
+
+ <<hack_ip_stack>>
+
+ (Don't switch IP-forwarding off, if you need it !)
+ Install the hack as /sbin/init.d/hacl_ip_stack (adjust
+ permissions !) and make a sequencing-symlink
+ /sbin/rc2.d/S350hack_ip_stack pointing to this script.
+ Now all this is done on every reboot.
+
+Here's the "hack_ip_stack" script:
+
+-----------------------------------Cut Here-------------------------------------
+#!/sbin/sh
+#
+# nettune: hack kernel parms for safety
+
+OKAY=0
+ERROR=-1
+
+# /usr/contrib/bin fuer nettune auf Pfad
+PATH=/sbin:/usr/sbin:/usr/bin:/usr/contrib/bin
+export PATH
+
+
+##########
+# main #
+##########
+
+case $1 in
+ start_msg)
+ print "Tune IP-Stack for security"
+ exit $OKAY
+ ;;
+
+ stop_msg)
+ print "This action is not applicable"
+ exit $OKAY
+ ;;
+
+ stop)
+ exit $OKAY
+ ;;
+
+ start)
+ ;; # fall through
+
+ *)
+ print "USAGE: $0 {start_msg | stop_msg | start | stop}" >&2
+ exit $ERROR
+ ;;
+ esac
+
+###########
+# start #
+###########
+
+#
+# tcp-Sequence-Numbers nicht mehr inkrementieren sondern random
+# Syn-Flood-Protection an
+# ip_forwarding aus
+# Source-Routing aus
+# Ausgehende Packets an ethereal/tcpdump etc.
+
+/usr/contrib/bin/nettune -s tcp_random_seq 2 || exit $ERROR
+/usr/contrib/bin/nettune -s hp_syn_protect 1 || exit $ERROR
+/usr/contrib/bin/nettune -s ip_forwarding 0 || exit $ERROR
+echo 'ip_block_source_routed/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem || exit $ERROR
+echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem || exit $ERROR
+
+exit $OKAY
+-----------------------------------Cut Here-------------------------------------
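Review bot: the added remark "[That article also mentions the patch that appears below.]" in section 5 no longer points at anything, because this same change deletes the libpcap 0.4 patch (configure, aclocal.m4, configure.in, pcap-dlpi.c) from the file; drop the remark or reword it to refer to the libpcap 0.6.2 note added in section 1. In section 3 the X.25 example passes "-e SX25l2" while the prose and the stop command spell the subsystem "SX25L2"; make the example match. In the quoted HP-UX 10.20 instructions the script is installed as /sbin/init.d/hacl_ip_stack, which looks like a typo given the S350hack_ip_stack link name and the "hack_ip_stack" heading; a bracketed editorial correction after the quote would keep readers from copying it. The script itself runs "nettune -s ip_forwarding 0" unconditionally although the text warns not to switch forwarding off if you need it, and it writes lanc_outbound_promisc_flag through /dev/mem where Lutz Jaenicke's one-liner uses /dev/kmem; a comment marking the forwarding line as optional, and a sentence on which device to use, would save readers from guessing. Since the script patches kernel memory as root on every boot, "adjust permissions !" should also be spelled out as the intended owner and mode.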