Sun Microsystems, Inc.
spacerspacer
spacer www.sun.com docs.sun.com |
spacer
black dot
 
 
4.  Administering TCP/IP (Task) netstat Command How to Display Network Interface Status  Previous   Contents   Next 
   
 

How to Display Routing Table Status

The -r option of netstat displays the IP routing table.

  • On the command line, type the following command.

    % netstat -r

netstat -r produces the following sample display on machine tenere:

Routing tables
Destination   Gateway Flags Refcnt Use   Interface
temp8milptp   elvis   UGH   0      0	
irmcpeb1-ptp0 elvis   UGH   0      0	
route93-ptp0  speed   UGH   0      0	
mtvb9-ptp0    speed   UGH   0      0	
	              .
mtnside       speed   UG    1      567	
ray-net       speed   UG    0      0	
mtnside-eng   speed   UG    0      36	
mtnside-eng   speed   UG    0      558	
mtnside-eng   tenere  U     33     190248  le0

The first column shows the destination network, the second the router through which packets are forwarded. The U flag indicates that the route is up. The G flag indicates that the route is to a gateway. The H flag indicates that the destination is a fully qualified host address, rather than a network.

The Refcnt column shows the number of active uses per route, and the Use column shows the number of packets sent per route. Finally, the Interface column shows the network interface that the route uses.

Logging Network Problems

If you suspect a routing daemon malfunction, you can log its actions, including all packet transfers when you start up the routed daemon.

How to Log Network Problems

  1. Become superuser.

  2. Create a log file of routing daemon actions by typing the following command at a command-line prompt.

    # /usr/sbin/in.routed /var/logfilename

Caution - On a busy network, this command can generate almost continuous output.


Displaying Packet Contents

You can use snoop to capture network packets and display their contents. Packets can be displayed as soon as they are received, or saved to a file. When snoop writes to an intermediate file, packet loss under busy trace conditions is unlikely. snoop itself is then used to interpret the file. For information about using the snoop command, refer to the snoop(1M) man page.

The snoop command must be run by root (#) to capture packets to and from the default interface in promiscuous mode. In summary form, only the data that pertains to the highest-level protocol is displayed. For example, an NFS packet only displays NFS information. The underlying RPC, UDP, IP, and Ethernet frame information is suppressed but can be displayed if either of the verbose options is chosen.

The snoop capture file format is described in RFC 1761.

snoop server client rpc rstatd collects all RPC traffic between a client and server, and filters the traffic for rstatd.

Displaying Packet Contents Task Map

Table 4-9 Displaying Packet Contents Task Map

Task

Description

For Instructions, Go To ...

Check all packets from your system

Involves using the netstat and snoop commands and interpreting the results

"How to Check All Packets From Your System"

Capture snoop results to a file

Involves using the -o option of the snoop command

"How to Capture snoop Results to a File"

Check packets between server and client

Involves saving the results of the snoop command to a file and inspecting the results

"How to Check Packets Between Server and Client"

How to Check All Packets From Your System

  1. Become superuser.

  2. Type the following command at the command-line prompt to find the interfaces that are attached to the system.

    # netstat -i

    snoop normally uses the first non-loopback device (le0).

  3. Type snoop.

    Use Control-C to halt the process.

    # snoop
    Using device /dev/le (promiscuous mode)
         maupiti -> atlantic-82  NFS C GETATTR FH=0343
     atlantic-82 -> maupiti      NFS R GETATTR OK
         maupiti -> atlantic-82  NFS C GETATTR FH=D360
     atlantic-82 -> maupiti      NFS R GETATTR OK
         maupiti -> atlantic-82  NFS C GETATTR FH=1A18
     atlantic-82 -> maupiti      NFS R GETATTR OK
         maupiti -> (broadcast)  ARP C Who is 120.146.82.36, npmpk17a-82 ?
  4. Interpret the results.

    In the example, client maupiti transmits to server atlantic-82 by using NFS file handle 0343. atlantic-82 acknowledges with OK. The conversation continues until maupiti broadcasts an ARP request that asks who is 120.146.82.36?

    This example demonstrates the format of snoop. The next step is to filter snoop to capture packets to a file.

    Interpret the capture file by using details that are described in RFC 1761.

How to Capture snoop Results to a File

  1. Become superuser.

  2. On the command line, type the following command.

    # snoop -o filename

    For example:

    # snoop -o /tmp/cap
    Using device /dev/le (promiscuous mode)
    30 snoop: 30 packets captured

    By using this command, you have captured 30 packets in a file /tmp/cap. The file can be anywhere with enough disk space. The number of packets that are captured is displayed on the command line, enabling you to press Control-C to abort at any time.

    snoop creates a noticeable networking load on the host machine, which can distort the results. To see the actual results, run snoop from a third system (see the next section).

  3. On the command line, type the following command to inspect the file.

    # snoop -i filename

    For example:

    # snoop -i /tmp/cap
     
    1  0.00000 frmpk17b-082 -> 224.0.0.2    IP  D=224.0.0.2 S=129.146.82.1 LEN=32, ID=0
    2  0.56104        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
    3  0.16742  atlantic-82 -> (broadcast)  ARP C Who is 129.146.82.76, honeybea ?
    4  0.77247        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
    5  0.80532 frmpk17b-082 -> (broadcast)  ARP C Who is 129.146.82.92, holmes ?
    6  0.13462        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
    7  0.94003        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
    8  0.93992        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
    9  0.60887        towel -> (broadcast)  ARP C Who is 129.146.82.35, udmpk17b-82 ?
    10 0.86691  nimpk17a-82 -> 129.146.82.255 RIP R (1 destinations)

    Refer to specific protocol documentation for detailed analysis and recommended parameters for ARP, IP, RIP and so forth. The Web contains a number of requests for comments.

 
 
 
  Previous   Contents   Next