IBM Support

Insightful tips and common use cases for network packet capture on AIX and Virtual I/O Server


This document provides tips and common use cases for network packet capture on AIX and Virtual I/O Server (VIOS).
iptrace and tcpdump are the network packet capture tools available on AIX and VIOS. By following these tips and use cases you can capture network traffic and debug connection problems more effectively.

Note: The examples in the document use the /tmp/ibm directory, but any directory with adequate free space to save a logfile can be used.
(A) Tips on useful network packet capture
(1) If you are unable to pinpoint the problem to a specific port, IP address, or interface, your initial step in debugging should be to run a wide open network packet capture.
(2) Do not filter out ARP packets unless there is sufficient evidence that ARP is not the problem. The -a flag of iptrace filters out ARP packets.
(3) Limit the size of the network packet capture logfile to prevent it from growing too large. A lack of a limit could lead to the filesystem running out of space, resulting in a logfile that is too large for analysis. 300~400 Mbytes is normally a suitable size.
(4) It is important to stop the network packet capture as soon as possible (i.e., within a few seconds) once the problem occurs. Otherwise, important data may be overwritten. If the problem is sporadic, then write a simple script to check to see if it has occurred every few seconds, and once the problem occurs, stop the network packet capture.
(5) Note: This only applies to VIOS when the SEA (Shared Ethernet Adapter) has no IP address configured.
On VIOS, if the SEA is not configured with an IP address, you must bring the SEA interface up with ifconfig so that it is loaded in the kernel; otherwise iptrace/tcpdump cannot capture packets on it. This has no negative impact.
ifconfig <SEA interface enX> 0.0.0.0 up
Once the network packet capture is complete, run ifconfig down/detach to unload the SEA interface (run this on the same SEA interface that was brought up in the previous step):
ifconfig <SEA interface enX> down; ifconfig <SEA interface enX> detach
For example, if the SEA is ent12 and en12 does not have an IP address configured, run the following ifconfig commands.
To load the SEA interface: ifconfig en12 0.0.0.0 up
To unload the SEA interface: ifconfig en12 down; ifconfig en12 detach
Note: Running perfpmr with the -S flag brings up the SEA interface if no IP address is configured on it, e.g., "perfpmr.sh -S <time in seconds>".
(6) If the problem being debugged is that AIX or VIOS has no network connectivity, then the capture data cannot be uploaded to IBM. In this scenario it is most effective to use iptrace, because its binary capture can be formatted into text with ipreport on the host itself and analyzed there.

(7) Create a special directory to save the logfiles. e.g., /tmp/ibm or /tmp/ibmsupt/testcase, /tmp/data, etc. If you use /tmp/ibmsupt/testcase, be aware that running "snap -r" will delete the /tmp/ibmsupt/testcase directory.
 
(8) tcpdump performs very well compared to iptrace when there is very high network activity.
 
(9) Running tcpdump and iptrace simultaneously is not supported.
 
(10) If the system has multiple interfaces configured and it is unclear on which interface the network capture needs to be done, then iptrace is recommended because it captures network traffic on all configured interfaces.
 
(11) One benefit of tcpdump is its -s flag (snap length), which captures only the first N bytes of each packet. Usually the packet payload is not important for debugging, so using -s lets you capture just the packet headers, which are what matter for debugging, and prevents the network packet capture logfile from becoming big.
 
(B) Tips on iptrace
 
(1) The /usr/lib/drivers/netintf kernel extension is used by iptrace.
 
(2) You can use srcmstr to start or stop iptrace, or you can start it directly without srcmstr, but using srcmstr is more common and preferred.
For example:
To start iptrace using srcmstr: startsrc -s iptrace -a "/tmp/ibm/iptrc.bin"
To stop iptrace using srcmstr: stopsrc -s iptrace
 
(3) Use -L (in bytes) to limit the size of the logfile. e.g., -L 300000000
 
If you don't use -L, you run the risk of the logfile growing too large. If the logfile grows too large, it becomes impossible to analyze and can lead to the filesystem running out of space.
Note: Do not use logfiles larger than 300~400 MBytes, because files of that size are difficult to manage and analyze in Wireshark.
 
(4) If -i is not used, then iptrace captures traffic on all configured interfaces.

(C) Common iptrace use cases

(1) To capture all packets through all interfaces. It creates a maximum of two files, each 300 MBytes, and rotates between them.
startsrc -s iptrace -a "-L 300000000 /tmp/ibm/iptrc.bin"

(2) To capture all packets through the en0 interface. It creates a maximum of two files, each 300 MBytes, and rotates between them.
startsrc -s iptrace -a "-i en0 -L 300000000 /tmp/ibm/iptrc.bin"

(3) To capture all packets except ARP packets through all interfaces. It creates a maximum of two files, each 300 MBytes, and rotates between them.
startsrc -s iptrace -a "-a -L 300000000 /tmp/ibm/iptrc.bin"

(4) To capture all packets to/from port 20 through all interfaces. It creates a maximum of two files, each 300 MBytes, and rotates between them.
startsrc -s iptrace -a "-p 20 -L 300000000 /tmp/ibm/iptrc.bin"

(5) To capture all packets to/from the remote IP address 10.0.0.5. It creates a maximum of two files, each 300 MBytes, and rotates between them.
startsrc -s iptrace -a "-d 10.0.0.5 -b -L 300000000 /tmp/ibm/iptrc.bin"

(6) To capture all packets to/from the remote IP address 10.0.0.5 and port 22. It creates a maximum of two files, each 300 MBytes, and rotates between them.
startsrc -s iptrace -a "-d 10.0.0.5 -b -p 22 -L 300000000 /tmp/ibm/iptrc.bin"

(7) To capture all packets to/from the remote IP address 10.0.0.5 and port 20 or 21. It creates a maximum of two files, each 300 MBytes, and rotates between them.
startsrc -s iptrace -a "-d 10.0.0.5 -b -p 20,21 -L 300000000 /tmp/ibm/iptrc.bin"

(8) To capture LACP (IEEE 802.3ad) packets, do not use the "-a" flag to suppress ARP packets, because it also suppresses LACP (IEEE 802.3ad) packets.
startsrc -s iptrace -a "-L 300000000 /tmp/ibm/iptrc.bin"

(9) You can format the iptrace binary logfile into a text file using ipreport, or read it directly with Wireshark.
e.g., ipreport -rsnvNC /tmp/ibm/iptrc.bin > /tmp/ibm/iptrc.txt

(D) Tips on tcpdump
 
(1) tcpdump uses the /usr/lib/drivers/bpf (Berkeley Packet Filter) kernel extension.

(2) You cannot start or stop tcpdump using srcmstr.
To stop tcpdump, use the kill command. Do not use "kill -9" to stop tcpdump.
e.g., run "ps -ef | grep tcpdump" to find the process id of tcpdump, then run "kill <process id of tcpdump>".
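For the sporadic-problem case in (A)(4) and the stop rules in (B)(2) and (D)(2), the following watcher script is an added example, not part of the IBM page. It polls a probe every few seconds and, on the first failure, stops the running capture: stopsrc for iptrace, a plain kill (never kill -9) for tcpdump. PEER (10.0.0.5) is a constructed sample value, and the ping probe is a placeholder for whatever check detects your specific failure.

```sh
#!/bin/sh
# Added example, not from the IBM page. Stops the capture within a few seconds
# of a sporadic failure so the rotating logfiles are not overwritten.
PEER="${PEER:-10.0.0.5}"       # constructed sample peer being debugged
INTERVAL="${INTERVAL:-2}"      # seconds between checks

# probe: exit 0 while the peer answers, non-zero once the problem occurs.
# Placeholder check; replace with whatever detects the failure you chase.
probe() {
    ping -c 1 "$PEER" >/dev/null 2>&1
}

# stop_iptrace: iptrace runs under srcmstr, so stopsrc is the way to stop it.
stop_iptrace() {
    stopsrc -s iptrace
}

# stop_tcpdump: tcpdump is not under srcmstr; find its pid and send the
# default SIGTERM with plain kill, not kill -9, as the page advises.
stop_tcpdump() {
    _pid=$(ps -ef | grep '[t]cpdump' | awk '{print $2}' | head -1)
    [ -n "$_pid" ] && kill "$_pid"
}

# watch_and_stop PROBE STOP INTERVAL MAX_CHECKS
# Runs PROBE every INTERVAL seconds. On the first failing probe it runs STOP
# and returns 0. If MAX_CHECKS is non-zero and that many probes pass, it
# returns 1 without stopping anything (capture left running for a manual stop).
watch_and_stop() {
    _probe=$1; _stop=$2; _interval=$3; _max=$4; _n=0
    while "$_probe"; do
        _n=$((_n + 1))
        if [ "$_max" -gt 0 ] && [ "$_n" -ge "$_max" ]; then
            return 1
        fi
        sleep "$_interval"
    done
    "$_stop"
}

# Usage on the AIX/VIOS host after starting the capture:
#   sh watch.sh iptrace      (or: sh watch.sh tcpdump)
if [ "${1:-}" = "iptrace" ]; then
    watch_and_stop probe stop_iptrace "$INTERVAL" 0
elif [ "${1:-}" = "tcpdump" ]; then
    watch_and_stop probe stop_tcpdump "$INTERVAL" 0
fi
```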

(3) One tcpdump instance captures network traffic through one interface only. If an interface is specified with the -i flag, tcpdump captures the traffic through that specific interface. If -i is not specified, it captures the traffic through the interface that holds the default route.
 
(4) If tcpdump fails with the error "No such device or address", the name given to -i is not the interface device name: ent22 is the adapter name, and the interface device name is en22.
# tcpdump -i ent22
tcpdump: BIOCSETIF: ent22: No such device or address

 
(5) If tcpdump fails with the error "bpf_load: could not configure driver: Do not specify an existing file," another application or driver is holding a lock on bpf. To find out who holds the lock on bpf, follow the steps (run as root) and the root-cause analysis in the following document:
https://www.ibm.com/support/pages/node/7166347

(E) Common tcpdump use cases

(1) To capture ping packets to/from 10.0.0.5 through interface en3. It creates a maximum of three files, each 200 MBytes, and rotates.
tcpdump -C 200 -W 3 -w /tmp/ibm/td.bin -i en3 'proto 1 and host 10.0.0.5' > /tmp/ibm/td.log 2>&1 &
Note: proto 1 is the ICMP protocol used by ping. Refer to the /etc/protocols file for protocol names and numbers.
(2) To capture all packets to/from 10.0.0.5 through interface en3 and all ARP packets. It creates a maximum of three files, each 200 MBytes, and rotates.
tcpdump -C 200 -W 3 -w /tmp/ibm/td.bin -i en3 host 10.0.0.5 > /tmp/ibm/td.log 2>&1 &
(3) To capture 128 bytes of each packet through interface en0. It creates a maximum of three files, each 200 MBytes, and rotates.
tcpdump -s 128 -C 200 -W 3 -w /tmp/ibm/td.bin -i en0 > /tmp/ibm/td.log 2>&1 &
(4) To capture 128 bytes of each packet through interface en1 and port 22. It creates a maximum of three files, each 200 MBytes, and rotates.
tcpdump -s 128 -C 200 -W 3 -w /tmp/ibm/td.bin -i en1 port 22 > /tmp/ibm/td.log 2>&1 &

 
(5) To capture 128 bytes of all packets through interface en1 and port 22 or 23, plus ARP packets. It creates a maximum of three files, each 200 MBytes, and rotates.
tcpdump -s 128 -C 200 -W 3 -w /tmp/ibm/td.bin -i en1 'port 22 or 23 or arp' > /tmp/ibm/td.log 2>&1 &

 
(6) To capture LACP (IEEE 802.3ad - Link Aggregation) packets only through interface en10. It creates a maximum of three files, each 200 MBytes, and rotates.
tcpdump -C 200 -W 3 -w /tmp/ibm/td.bin -i en10 ether proto 0x8809 > /tmp/ibm/td.log 2>&1 &

Author: Darshan Patel
Platform: AIX/VIOS on Power
Feedback:
aix_feedback@wwpdl.vnet.ibm.com


Document Information

Modified date:
20 July 2025

UID

ibm17173187