UNIX System Administration Handbook - Evi Nemeth [376]
icmp:
        57 calls to icmp_error
        Output histogram:
                echo reply: 157
                destination unreachable: 57
        Input histogram:
                echo reply: 6
                destination unreachable: 4
                echo: 157
                time exceeded: 14
        157 message responses generated
The number of echo requests received (157), responses generated (157), and echo replies sent (157) all match. The 57 “destination unreachable” messages in the output histogram correspond to the 57 calls to icmp_error, the kernel routine that generates ICMP error messages. Note that such messages can be generated even when every packet appears to be forwardable: a bad packet can travel several hops before it reaches a gateway that rejects it, and the error message is then sent back along the chain of gateways to the original sender.
tcp:
        25087 packets sent
        25499 packets received
        31 connection requests
        30 connection accepts
        56 connections established (including accepts)
        64 connections closed (including 13 drops)
        4 embryonic connections dropped
It’s a good idea to develop a feel for the normal ranges of these statistics so that you can recognize pathological states.
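The consistency check described above and the baseline comparison this paragraph recommends, turned into code. This is an added example and is not part of the handbook: it parses the netstat -s output format shown above (the sample reproduces the page's counters with the indentation netstat prints) and flags counters that have grown well past a recorded baseline. The 3x threshold is an assumption to tune against what is normal on your own network.

```python
"""Parse the ICMP/TCP sections of `netstat -s` and sanity-check the counters.

Added example, not from the handbook.  SAMPLE reproduces the counters shown
on this page with the indentation netstat prints; the outlier threshold is an
assumption to tune against what is normal on your own network.
"""
import re

SAMPLE = """\
icmp:
\t57 calls to icmp_error
\tOutput histogram:
\t\techo reply: 157
\t\tdestination unreachable: 57
\tInput histogram:
\t\techo reply: 6
\t\tdestination unreachable: 4
\t\techo: 157
\t\ttime exceeded: 14
\t157 message responses generated
tcp:
\t25087 packets sent
\t25499 packets received
\t31 connection requests
\t30 connection accepts
\t56 connections established (including accepts)
\t64 connections closed (including 13 drops)
\t4 embryonic connections dropped
"""

PROTO_RE = re.compile(r"^(\w+):$")                      # "icmp:" at column 0
HIST_RE = re.compile(r"^\s+(\w+ histogram):$")           # "Output histogram:"
ENTRY_RE = re.compile(r"^\s+([^:]+?):\s+(\d+)$")         # "echo reply: 157"
COUNTER_RE = re.compile(r"^\s+(\d+) (.+?)(?: \(including (\d+) (\w+)\))?$")


def parse_netstat_s(text: str) -> dict:
    """Return {proto: {counter: int, "<Name> histogram": {type: int}}}."""
    stats, proto, hist = {}, None, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto, hist = m.group(1), None
            stats[proto] = {}
            continue
        if proto is None or not line.strip():
            continue
        m = HIST_RE.match(line)
        if m:
            hist = m.group(1)
            stats[proto][hist] = {}
            continue
        m = ENTRY_RE.match(line)
        if m and hist is not None:
            stats[proto][hist][m.group(1)] = int(m.group(2))
            continue
        m = COUNTER_RE.match(line)
        if m:
            hist = None
            stats[proto][m.group(2)] = int(m.group(1))
            if m.group(3):   # "(including 13 drops)" -> "connections closed drops"
                stats[proto][m.group(2) + " " + m.group(4)] = int(m.group(3))
    return stats


def icmp_echo_balanced(stats: dict) -> bool:
    """Echo requests received, responses generated and echo replies sent
    should all agree, as they do on the page (157 each)."""
    icmp = stats.get("icmp", {})
    echo_in = icmp.get("Input histogram", {}).get("echo")
    reply_out = icmp.get("Output histogram", {}).get("echo reply")
    generated = icmp.get("message responses generated")
    return None not in (echo_in, reply_out, generated) and echo_in == reply_out == generated


def flatten(stats: dict) -> dict:
    """{"tcp/packets sent": 25087, "icmp/Input histogram/echo": 157, ...}"""
    flat = {}
    for proto, counters in stats.items():
        for name, value in counters.items():
            if isinstance(value, dict):
                for sub, v in value.items():
                    flat["%s/%s/%s" % (proto, name, sub)] = v
            else:
                flat["%s/%s" % (proto, name)] = value
    return flat


def outliers(current: dict, baseline: dict, ratio: float = 3.0) -> list:
    """Flattened counters that exceed `ratio` times their baseline value.
    Returns sorted (name, baseline, current) tuples; ratio is an assumed knob."""
    return sorted((name, baseline[name], value)
                  for name, value in current.items()
                  if name in baseline and value > ratio * max(baseline[name], 1))


if __name__ == "__main__":
    stats = parse_netstat_s(SAMPLE)
    print("ICMP echo counters balanced:", icmp_echo_balanced(stats))
    healthy = flatten(stats)
    later = dict(healthy)
    later["tcp/embryonic connections dropped"] = 400      # constructed "bad day"
    for name, base, now in outliers(later, healthy):
        print("%-40s %8d -> %8d" % (name, base, now))
```

In practice you would save flatten(parse_netstat_s(...)) from a quiet period to a file and diff each later sample against it; counter names differ between UNIX flavours, so expect to adjust the regular expressions for anything other than the BSD-style output shown here.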
20.5 PACKET SNIFFERS
tcpdump, snoop, and nettl belong to a class of tools known as packet sniffers. They listen to the traffic on a network and record or print packets that meet certain criteria specified by the user. For example, all packets sent to or from a particular host or TCP packets related to one particular network connection could be inspected.
Packet sniffers are useful both for solving problems you know about and for discovering entirely new problems. It’s a good idea to take an occasional sniff of your network to make sure the traffic is in order.
Since packet sniffers need to be able to intercept traffic that the local machine would not normally receive (or at least, pay attention to), the underlying network hardware must allow access to every packet. Broadcast technologies such as Ethernet work fine, as do some types of token ring network on which the sender of a packet removes it from the ring after it has made a complete circuit.
Since packet sniffers need to see as much of the raw network traffic as possible, they can be thwarted by network switches, which by design forward each unicast packet only to the port where its destination lives. However, it can still be informative to try out a sniffer on a switched network. You may discover problems related to broadcast or multicast packets, which a switch still floods to every port, and depending on your switch vendor you may be surprised at how much other traffic leaks through. Many switches can also copy the traffic of one or more ports to a monitoring port for exactly this purpose.
See page 377 for more information about network switches.
In addition to having potential access to all network packets, the interface hardware must provide a way to pass those packets up to the software layer. Destination addresses are normally checked in hardware, and only broadcast/multicast packets and those addressed to the interface's own hardware address are relayed to the kernel. In “promiscuous mode,” the interface disables this filter and lets the kernel read every packet on the network, including those intended for other hosts.
Packet sniffers understand many of the packet formats used by standard UNIX daemons, and they can often print out packets in a human-readable form. This capability makes it easier to track the flow of a conversation between two programs. Some sniffers print the ASCII contents of a packet in addition to the packet header, which can be useful for investigating high-layer protocols. Since some of these protocols send information (and even passwords) across the network as cleartext, you must exercise caution to avoid invading the privacy of your users.
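As an added illustration of the two preceding paragraphs (this is example code, not code from the handbook, tcpdump or snoop), a minimal sniffer in Python: capture() opens a raw Linux AF_PACKET socket and switches the interface into promiscuous mode the way a sniffer does, and decode_frame() turns a raw Ethernet frame into a tcpdump-style one-line summary plus the ASCII payload, which is exactly where cleartext passwords show up. The Linux constants, the packet_mreq layout and the sample FTP login frame are assumptions and constructed data for the example.

```python
"""Tiny tcpdump-style decoder: Ethernet -> IPv4 -> ICMP / TCP.

Added example, not code from the handbook or from tcpdump/snoop.  The
capture() function is Linux-only (AF_PACKET) and must run as root; the
packet_mreq layout and SOL_PACKET/PACKET_* numbers are taken from the
Linux headers and are assumptions for any other system.  decode_frame()
itself is pure Python and works on any captured bytes.
"""
import socket
import struct

ETH_P_ALL = 0x0003           # Linux: receive every protocol
ETH_P_IP = 0x0800
SOL_PACKET = 263             # <linux/socket.h>
PACKET_ADD_MEMBERSHIP = 1    # <linux/if_packet.h>
PACKET_MR_PROMISC = 1

ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}
# tcpdump's flag letters, in the order it prints them ("." is ACK).
TCP_FLAG_NAMES = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                  (0x10, "."), (0x20, "U"))


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def decode_frame(frame: bytes) -> dict:
    """Parse one Ethernet frame into a dict with a tcpdump-like 'summary'."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]),
            "ethertype": ethertype}
    if ethertype != ETH_P_IP:
        info["summary"] = "ethertype 0x%04x (not decoded)" % ethertype
        return info
    ip = frame[14:]
    (vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(ip) < total_len:
        raise ValueError("not a complete IPv4 packet")
    info.update(src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst), ttl=ttl,
                proto=proto, csum_ok=ip_checksum(ip[:ihl]) == 0)
    payload = ip[ihl:total_len]
    if proto == 1:                                    # ICMP
        itype, code = payload[0], payload[1]
        info["summary"] = "%s > %s: icmp %s (type %d, code %d)" % (
            info["src"], info["dst"], ICMP_TYPES.get(itype, "type %d" % itype),
            itype, code)
    elif proto == 6:                                  # TCP
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", payload[:16])
        data = payload[(off_flags >> 12) * 4:]
        flags = off_flags & 0x1FF
        letters = "".join(n for bit, n in TCP_FLAG_NAMES if flags & bit)
        info.update(sport=sport, dport=dport, flags=flags, data=data)
        info["summary"] = "%s.%d > %s.%d: Flags [%s], seq %d, ack %d, win %d, length %d" % (
            info["src"], sport, info["dst"], dport, letters, seq, ack, win, len(data))
        # This is why sniffers need care: application data rides in the clear.
        info["ascii"] = data.decode("ascii", "replace")
    else:
        info["summary"] = "%s > %s: ip-proto-%d" % (info["src"], info["dst"], proto)
    return info


def build_sample_frame() -> bytes:
    """Constructed FTP login segment (sample data, not a real capture)."""
    payload = b"USER alice\r\nPASS hunter2\r\n"
    tcp = struct.pack("!HHIIHHHH", 40000, 21, 1000, 2000,
                      (5 << 12) | 0x18, 65535, 0, 0) + payload     # PSH|ACK
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                        64, 6, 0, socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    iphdr = iphdr[:10] + struct.pack("!H", ip_checksum(iphdr)) + iphdr[12:]
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETH_P_IP)
    return eth + iphdr + tcp


def capture(ifname: str, count: int = 10):
    """Linux, root only: promiscuous raw socket on ifname, yields decoded frames."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((ifname, 0))
    mreq = struct.pack("IHH8s", socket.if_nametoindex(ifname), PACKET_MR_PROMISC, 0, b"")
    sock.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)   # sets IFF_PROMISC
    try:
        for _ in range(count):
            yield decode_frame(sock.recv(65535))
    finally:
        sock.close()


if __name__ == "__main__":
    info = decode_frame(build_sample_frame())
    print(info["summary"])
    print(repr(info["ascii"]))
```

Run as root on Linux, `for f in capture("eth0"): print(f["summary"])` prints live traffic; the sample frame decodes to `10.0.0.1.40000 > 10.0.0.2.21: Flags [P.], ...` with the FTP password visible in the ASCII payload, which is the privacy problem the paragraph warns about. Checksum verification is included because a sniffer on a busy segment sees corrupt frames too.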
Each of our example operating systems comes with a packet sniffer. The sniffer must read data from a raw network device, so it must run as root. Although the root requirement reduces the chance that ordinary users will listen in on your network traffic, it is not much of a barrier: anyone who gains root on any host attached to the segment can run one. Some sites choose to remove the sniffers from most hosts to reduce the chance of abuse. If nothing else, you should check your systems’ interfaces periodically to be sure they are not running in promiscuous mode without your knowledge or consent; on most systems ifconfig lists PROMISC among an interface’s flags when it is.
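A check for the last sentence above, as an added example that is not from the handbook: on Linux the interface flags word is readable from sysfs, so a script can list every interface with IFF_PROMISC set. The /sys/class/net path and the 0x100 bit value are Linux assumptions (other UNIXes need ifconfig's output instead), and the flag values in self_check() are constructed.

```python
"""List interfaces that are in promiscuous mode (Linux sysfs, IFF_PROMISC).

Added example, not from the handbook.  On Linux each interface exposes its
flags word as hex in /sys/class/net/<ifname>/flags; bit 0x100 is IFF_PROMISC
from <linux/if.h>.  The sysfs root is a parameter so the same function can be
run over a constructed tree; other UNIXes need ifconfig's PROMISC flag instead.
"""
import os
import tempfile

IFF_PROMISC = 0x100          # <linux/if.h>


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    """Sorted names of interfaces whose flags word has IFF_PROMISC set."""
    found = []
    for name in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, name, "flags")) as f:
                flags = int(f.read().strip(), 16)
        except (OSError, ValueError):
            continue                     # not an interface directory
        if flags & IFF_PROMISC:
            found.append(name)
    return found


def make_fake_sysfs(root: str, flags_by_ifname: dict) -> None:
    """Write a constructed /sys/class/net lookalike for offline testing."""
    for name, flags in flags_by_ifname.items():
        os.makedirs(os.path.join(root, name), exist_ok=True)
        with open(os.path.join(root, name, "flags"), "w") as f:
            f.write("0x%x\n" % flags)


def self_check() -> list:
    """Constructed data: lo and eth0 normal, eth1 with IFF_PROMISC set."""
    root = tempfile.mkdtemp()
    make_fake_sysfs(root, {"lo": 0x9, "eth0": 0x1003, "eth1": 0x1103})
    return promiscuous_interfaces(root)


if __name__ == "__main__":
    print("constructed tree:", self_check())
    if os.path.isdir("/sys/class/net"):
        print("this host:", promiscuous_interfaces() or "none")
```

Run from cron and alert on any non-empty result; a legitimate sniffer you started yourself is easy to whitelist by name, anything else deserves a look.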
snoop: Solaris’s packet sniffer
Solaris includes a packet sniffer called snoop. It takes arguments on the command line that specify how to behave and what packets to collect. snoop can filter