Wednesday, June 27, 2012

How to use iptrace

The iptrace command, like tcpdump or snoop, can be very useful to find out what network traffic flows to and from an AIX system.

You can use any combination of these options; you do not need to use them all:
  • -a Do NOT print out ARP packets.
  • -s source IP Limit trace to source/client IP address, if known.
  • -d destination IP Limit trace to destination IP, if known.
  • -b Capture bidirectional network traffic (send and receive packets).
  • -p port Specify the port to be traced.
  • -i interface Only trace for network traffic on a specific interface.
Example:
Run iptrace on AIX interface en0 to capture port 80 traffic between a single client IP and a server IP, writing it to the file /tmp/trace.out:

root@myserver:/> iptrace -a -i en0 -s 10.10.10.19 -b -d 10.10.10.11 -p 80 /tmp/trace.out
[17957068]

This trace captures both directions of the port 80 traffic on interface en0 between the client IP and the server IP and writes it to the raw (binary) file /tmp/trace.out.

To stop the trace:
root@myserver:/> ps -aef | grep iptra
    root 17957068        1   0 11:09:09      -  0:00 iptrace -a -i en0 -s 10.10.10.19 -b -d 10.10.10.11 -p 80 /tmp/trace.out 
 
root@myserver:/> kill -15 17957068
 
root@myserver:/> iptrace: unload success!
 
iptrace keeps writing until it is stopped, so leaving it running too long would consume a large amount of disk space!

The ipreport command can be used to transform the raw trace file generated by iptrace into a human-readable report:
 
root@myserver:/> ipreport /tmp/trace.out /tmp/trace.report
IPTRACE version: 2.0


++++++ END OF REPORT ++++++

processed 0 packets
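The whole procedure above (start a filtered capture, stop it with kill -15, convert with ipreport) as one time-bounded script. This is an added example, not part of the original post; it assumes an AIX host with iptrace and ipreport in PATH, and the two helper functions (build_iptrace_args, ipreport_packet_count) are plain POSIX sh that run anywhere. It also checks the "processed N packets" trailer so an empty report like the one shown above is flagged instead of going unnoticed.

```shell
#!/bin/sh
# Added example (not from the original post): time-bounded iptrace capture
# that stops cleanly with SIGTERM and sanity-checks the ipreport output.
# Assumes AIX iptrace/ipreport; the two helpers below are portable sh.

# Compose the option string from the post: -a (no ARP), -i IFACE, -s SRC,
# -b (both directions), -d DST, -p PORT, then the raw output file.
build_iptrace_args() {
    printf '%s' "-a -i $1 -s $2 -b -d $3 -p $4 $5"
}

# Read an ipreport text on stdin and print the number from its
# "processed N packets" trailer, or -1 if the trailer is absent
# (ipreport did not finish, or the trace file was truncated).
ipreport_packet_count() {
    n=$(sed -n 's/^processed \([0-9][0-9]*\) packets.*/\1/p' | tail -n 1)
    if [ -n "$n" ]; then printf '%s\n' "$n"; else printf '%s\n' -1; fi
}

# Capture for SECONDS seconds on IFACE between SRC and DST on PORT, stop the
# daemon with kill -15 as the post does, then convert and check the report.
# usage: bounded_capture en0 10.10.10.19 10.10.10.11 80 60
bounded_capture() {
    trace=/tmp/trace.out; report=/tmp/trace.report
    iptrace $(build_iptrace_args "$1" "$2" "$3" "$4" "$trace")  # prints "[pid]"
    sleep "$5"
    # Locate the daemon as the post does (ps | grep) but match on our trace
    # file, so an unrelated iptrace is not killed by mistake.
    pid=$(ps -aef | grep "[i]ptrace .* $trace" | awk '{print $2}')
    [ -n "$pid" ] && kill -15 "$pid"   # expect "iptrace: unload success!"
    sleep 2
    ipreport "$trace" "$report"
    count=$(ipreport_packet_count < "$report")
    if [ "$count" -le 0 ]; then
        echo "warning: no packets in $report; check -i/-s/-d/-p and that traffic actually flowed" >&2
        return 1
    fi
    echo "$count packets captured; report in $report"
}

# Run the capture only when invoked with all five arguments.
if [ "$#" -eq 5 ]; then bounded_capture "$@"; fi
```

Invoke as `sh capture.sh en0 10.10.10.19 10.10.10.11 80 60` to capture for a minute; a non-zero exit means the report contained no packets.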
