UNIX System Administration Handbook - Evi Nemeth [378]

DNS service can cause the filter to start dropping packets before they can be dealt with by tcpdump. The -v flag increases the information you see about packets, and -vv gives you even more data. Finally, tcpdump can store packets to a file with the -w flag and can read them back in with the -r flag.

For example, the following output comes from the machine jaguar.xor.com. The filter specification host jaguar limits the display of packets to those that directly involve the machine jaguar, either as source or as destination.

# tcpdump host jaguar
13:40:23 jaguar.xor.com.1697 > xor.com.domain: A? cs.colorado.edu.
13:40:23 xor.com.domain > jaguar.xor.com.1697: A mroe.cs.colorado.edu
13:40:23 jaguar.xor.com.1698 > xor.com.domain: PTR? 5.96.138.128.in-addr.arpa.
13:40:23 xor.com.domain > jaguar.xor.com.1698: PTR mroe.cs.colorado.edu.

The first packet shows jaguar sending a DNS lookup request about cs.colorado.edu to xor.com. The response is the actual name of the machine for which that name is an alias, which is mroe.cs.colorado.edu. The third packet is a reverse lookup of mroe’s IP address, and the fourth packet contains the expected response.

The tcpdump man page contains several good examples of advanced filtering along with a complete listing of primitives.
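The transaction view that the text walks through by hand (a query line, then the response to the same client port) is easy to automate once the lines have been captured with -w and printed back with -r. The following parser is an added example, not code from the book; it understands only the classic one-line DNS format shown above (timestamp, source endpoint, destination endpoint, record type with a trailing "?" for queries, and the name), and its sample input is the four lines from the session on this page. It pairs each query with its response by the client's host.port endpoint and reports any query that never got an answer, which is the usual first question when a resolver or a packet filter is suspected of dropping traffic.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the four tcpdump lines from the session on this page.
SAMPLE_CAPTURE = """\
13:40:23 jaguar.xor.com.1697 > xor.com.domain: A? cs.colorado.edu.
13:40:23 xor.com.domain > jaguar.xor.com.1697: A mroe.cs.colorado.edu
13:40:23 jaguar.xor.com.1698 > xor.com.domain: PTR? 5.96.138.128.in-addr.arpa.
13:40:23 xor.com.domain > jaguar.xor.com.1698: PTR mroe.cs.colorado.edu.
"""

# One tcpdump DNS line in the classic format: "HH:MM:SS src > dst: TYPE[?] name".
# The "?" after the record type marks a query; its absence marks a response.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<rtype>[A-Z]+)(?P<query>\?)? (?P<name>\S+)$"
)


@dataclass
class DnsRecord:
    time: str
    src: str          # endpoint as printed, e.g. "jaguar.xor.com.1697"
    dst: str          # endpoint as printed, e.g. "xor.com.domain"
    rtype: str        # "A", "PTR", ...
    is_query: bool
    name: str         # queried name or answer, trailing dot removed


def parse_line(line: str) -> Optional[DnsRecord]:
    """Parse one tcpdump DNS line; return None for lines in any other format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return DnsRecord(
        time=m["time"], src=m["src"], dst=m["dst"], rtype=m["rtype"],
        is_query=m["query"] is not None, name=m["name"].rstrip("."),
    )


def split_endpoint(endpoint: str) -> tuple:
    """Split "host.port" as tcpdump prints it: the last dotted component is the port
    (a number or a service name such as "domain")."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def pair_transactions(capture: str) -> tuple:
    """Match queries to responses by client endpoint.

    Returns (transactions, unanswered): transactions is a list of
    (query, response) pairs in response order; unanswered lists queries that
    were still waiting when the capture ended."""
    pending = {}        # client endpoint -> outstanding query
    transactions = []
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.is_query:
            pending[rec.src] = rec
        else:
            query = pending.pop(rec.dst, None)   # response goes back to the client port
            transactions.append((query, rec))
    return transactions, list(pending.values())


if __name__ == "__main__":
    done, waiting = pair_transactions(SAMPLE_CAPTURE)
    for q, r in done:
        client, port = split_endpoint(r.dst)
        print(f"{client} port {port}: {q.rtype} {q.name} -> {r.name}")
    for q in waiting:
        print(f"unanswered: {q.rtype} {q.name} from {q.src}")
```

Newer tcpdump versions print extra fields on DNS lines (for example an "IP" tag and the query id), so the regular expression would need extending for a current capture; the pairing logic by client endpoint does not change.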

20.6 NETWORK MANAGEMENT PROTOCOLS


Networks have grown rapidly in size and value over the last decade, and along with that growth has come the need for an efficient way to manage them. Commercial vendors and standards organizations have approached this challenge in many different ways. The most significant developments have been the introduction of several standard device management protocols and a glut of high-level products that exploit those protocols.

Network management protocols provide a standard way of probing a device to discover its configuration, health, and network connections. In addition, they allow some of this information to be modified so that network management can be standardized across different kinds of machinery and performed from a central location.

The most common management protocol used with TCP/IP is the Simple Network Management Protocol, SNMP. Despite its name, SNMP is actually quite complex. It defines a hierarchical namespace of management data and a way to read and write the data at each node. It also defines a way for managed entities (“agents”) to send event notification messages (“traps”) to management stations. The protocol itself is simple; most of SNMP’s complexity lies above the protocol layer in the conventions for constructing the namespace and the conventions for formatting data items within a node. SNMP is widely supported.

Several other standards are floating around out there. Many of them originate from the Distributed Management Task Force (DMTF), which is responsible for concepts such as WBEM (Web-Based Enterprise Management), DMI (Desktop Management Interface), and the CIM (Conceptual Interface Model). Some of these concepts, particularly DMI, have been embraced by several major vendors and may become a useful complement to (or even a replacement for) SNMP. For now, however, the vast majority of network management takes place over SNMP.

Since SNMP is only an abstract protocol, you need both a server program (“agent”) and a client (“manager”) to make use of it. (Perhaps counterintuitively, the server side of SNMP represents the thing being managed, and the client side is the manager.) Clients range from simple command-line utilities to dedicated management stations that graphically display networks and faults in eye-popping color.
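To make the three ideas above concrete (a hierarchical namespace of management data, reading and writing at each node, and traps sent from the agent), here is a toy in-memory agent, written as an added example and not taken from the book or from any SNMP implementation. It keeps its objects keyed by OID tuples, which sort in exactly the lexicographic order SNMP uses, so a get-next request is a bisection and a subtree walk is a loop of get-next calls until the prefix no longer matches. The OIDs are the standard MIB-II system group (sysDescr, sysUpTime, sysContact, sysName); the values, the read-only/read-write flags on them, and the trap message format are constructed for the example. Writes to read-only objects are refused, which is the access-control point a manager-side tool has to respect.

```python
import bisect
from typing import Optional, Tuple


class ToyAgent:
    """Minimal SNMP-style agent: OID namespace with get / get-next / set and a trap queue."""

    def __init__(self, objects: dict):
        # objects: OID tuple -> (value, writable)
        self._objects = dict(objects)
        # Tuple comparison gives SNMP's lexicographic OID order for free.
        self._oids = sorted(self._objects)
        self.traps = []   # constructed notification messages, newest last

    @staticmethod
    def parse_oid(text: str) -> Tuple[int, ...]:
        """'.1.3.6.1.2.1.1.5.0' or '1.3.6.1.2.1.1.5.0' -> (1, 3, 6, 1, 2, 1, 1, 5, 0)"""
        return tuple(int(part) for part in text.strip(".").split("."))

    @staticmethod
    def fmt_oid(oid: Tuple[int, ...]) -> str:
        return "." + ".".join(str(p) for p in oid)

    def get(self, oid_text: str):
        """Read one node; None plays the role of noSuchName."""
        entry = self._objects.get(self.parse_oid(oid_text))
        return None if entry is None else entry[0]

    def get_next(self, oid_text: str) -> Optional[Tuple[str, object]]:
        """Return the first (oid, value) strictly after oid_text, or None at end of MIB."""
        i = bisect.bisect_right(self._oids, self.parse_oid(oid_text))
        if i == len(self._oids):
            return None
        nxt = self._oids[i]
        return self.fmt_oid(nxt), self._objects[nxt][0]

    def walk(self, subtree_text: str) -> list:
        """Enumerate every node under a subtree by repeated get-next, as snmpwalk does."""
        prefix = self.parse_oid(subtree_text)
        out, cursor = [], subtree_text
        while True:
            step = self.get_next(cursor)
            if step is None:
                break
            oid_text, value = step
            if self.parse_oid(oid_text)[:len(prefix)] != prefix:
                break                      # left the subtree
            out.append((oid_text, value))
            cursor = oid_text
        return out

    def set(self, oid_text: str, value):
        """Write a node if it exists and is writable; emit a constructed trap. Returns the old value."""
        oid = self.parse_oid(oid_text)
        if oid not in self._objects:
            raise KeyError(f"no such object: {oid_text}")
        old, writable = self._objects[oid]
        if not writable:
            raise PermissionError(f"read-only object: {oid_text}")
        self._objects[oid] = (value, writable)
        # Constructed notification, not a standard SNMP trap type.
        self.traps.append({"event": "objectChanged", "oid": oid_text, "old": old, "new": value})
        return old


def make_sample_agent() -> ToyAgent:
    """Agent populated with the MIB-II system group; values are constructed."""
    return ToyAgent({
        (1, 3, 6, 1, 2, 1, 1, 1, 0): ("Toy agent for the example", False),  # sysDescr, read-only
        (1, 3, 6, 1, 2, 1, 1, 3, 0): (123456, False),                       # sysUpTime, read-only
        (1, 3, 6, 1, 2, 1, 1, 4, 0): ("root@example.com", True),            # sysContact, read-write
        (1, 3, 6, 1, 2, 1, 1, 5, 0): ("jaguar.xor.com", True),              # sysName, read-write
    })


if __name__ == "__main__":
    agent = make_sample_agent()
    for oid, value in agent.walk(".1.3.6.1.2.1.1"):
        print(oid, "=", value)
    agent.set(".1.3.6.1.2.1.1.4.0", "ops@example.com")
    print(agent.traps[-1])
```

The walk stops on the first OID outside the requested prefix rather than on an error; a real manager additionally bounds the loop because a misbehaving agent can answer get-next with an OID that is not greater than the one asked for, which would otherwise loop forever.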

Dedicated network management stations are the primary reason for the existence of management protocols. Most products let you build a topographic model of the network as well as a logical model; the two are presented together on-screen, along with a continuous indication of the status of each component.

Just as a chart can reveal the hidden meaning in a page of numbers, a network management station can summarize the state of a large network in a way that’s easily accepted
