iptrace Daemon
Purpose
Provides interface-level packet tracing for Internet protocols.
Syntax
iptrace [ -a ] [ -b ] [ -e ] [ -u ] [ -P Protocol_list ] [ -i Interface ] [ -p Port_list ] [ -s Host [ -b ] ] [ -d Host ] [ -L Log_size ] [ -B ] [ -Q [ -V ] ] [ -T ] [ -S snap_length ] LogFile
Description
The iptrace daemon records Internet packets that are received from configured interfaces. Command flags provide a filter so that the daemon traces only packets that meet specific criteria. Packets are traced only between the local host on which the iptrace daemon is started and the remote host.
If the iptrace process was started from a command line without the System Resource Controller (SRC), it must be stopped with the kill -15 command. The kernel extension that is loaded by the iptrace daemon remains active in memory if iptrace is stopped in any other way.
- TRACING DROPPED xxxx PACKETS: This count of dropped packets indicates only the number of packets that the iptrace command was unable to grab because of a large packet size that exceeded the socket-receive buffer size. This message does NOT mean that the packets are being dropped by the system.
- The file that is specified by the LogFile variable must not exist on an NFS-mounted file system. Specifying an output file on an NFS-mounted file system can cause the iptrace daemon to hang. In this case, you might not be able to kill the iptrace daemon, thus requiring that you restart the system.
- If the iptrace command is killed with the kill -9 command, you must issue the iptrace -u command to unload the bpf kernel extension, or simply reboot. Sometimes, on a busy system, you must issue iptrace -u multiple times because the kernel extension used by iptrace might be busy processing packets.
- The iptrace command also supports the srcmstr command and can be started and stopped from the command line. If started from the command line, it can be stopped by using the kill -9 command.
- Running tcpdump and iptrace commands on two sessions simultaneously is not supported.
Flags
Item | Description |
---|---|
-a | Suppresses ARP packets. |
-b | Changes the -d or -s flags to bidirectional mode. |
-B | Uses BPF for packet capture. When used with the -B flag, the iptrace command returns an error if it is run inside a WPAR. |
-d Host | Records packets that are headed for the destination host specified by the Host variable. The Host variable can be a host name or an IP address in dotted decimal format. If used with the -b flag, the -d flag records packets both going to and coming from the host specified by the Host variable. |
-e | Enables promiscuous mode on network adapters that support this function. |
-i Interface | Records packets received on the interface that is specified by the Interface variable. |
-L Log_size | This option causes iptrace to log data in such a way that the LogFile is copied to LogFile.old at the start and also every time it becomes approximately Log_size bytes long. |
-P Protocol_list | Records packets that use the protocol that is specified by the Protocol_list variable that is a comma-separated list of protocols. The Protocols can be a decimal number or name from the /etc/protocols file. |
-p Port_list | Records packets that use the port number that is specified by the Port_list variable that is a comma-separated list of ports. The Port_list variable can be a decimal number or name from the /etc/services file. |
-Q | Enables filtered system tracing for the recorded packets. After the tracing feature is enabled, the AIX® trace daemon is run to record the selected system events that are related to the network communication subsystem. Note: The tracing feature uses Berkeley Packet Filter (BPF) for packet capture. |
-s Host | Records packets that come from the source host specified by the Host variable. The Host variable can be a host name or an IP address in dotted decimal format. If used with the -b flag, the -s flag records packets both going to and coming from the host that is specified by the Host variable. |
-S snap_length | Specifies the snap size (how much of each packet is captured from the wire) when you run the iptrace daemon with the -B flag (the bpf support). The command iptrace -S 1500 /tmp/iptrace.dump limits the captured packet size to 1500 bytes. The default is 80 bytes. |
-T | Creates a tcpdump compatible dump file. To read the output, use ipreport -T or tcpdump -r. |
-u | Unloads the kernel extension that was loaded by the iptrace daemon at startup. |
-V | Sets the socket debug flag (the SO_DEBUG socket option) and trace level on sockets. This flag must be used along with the -Q flag. |
Exit Status
The command returns the following exit values:
Item | Description |
---|---|
0 | The daemon ran successfully. |
1 | |
2 | The fread subroutine on a trace file failed. |
5 | |
9 | |
Security
Examples
- To start the iptrace daemon with the SRC, enter the following command:
  startsrc -s iptrace -a "/tmp/nettrace"
  To stop the iptrace daemon with the SRC, enter the following command:
  stopsrc -s iptrace
- To record packets that come in and go out to any host on every interface, enter the command in the following format:
  iptrace /tmp/nettrace
  The recorded packets are received on and sent from the local host. All packet flow between the local host and all other hosts on any interface is recorded. The trace information is placed into the /tmp/nettrace file.
- To record packets that are received on an interface from a specific remote host, enter the command in the following format:
  iptrace -i en0 -p telnet -s airmail /tmp/telnet.trace
  The packets to be recorded are received on the en0 interface, from remote host airmail, over the telnet port. The trace information is placed into the /tmp/telnet.trace file.
- To record packets that come in and go out from a specific remote host, enter the command in the following format:
  iptrace -i en0 -s airmail -b /tmp/telnet.trace
  The packets to be recorded are received on the en0 interface, from remote host airmail. The trace information is placed into the /tmp/telnet.trace file.
Files
Item | Description |
---|---|
/usr/sbin/iptrace | Contains the iptrace command. |