iptrace Daemon

Purpose

Provides interface-level packet tracing for Internet protocols.

Syntax

/usr/sbin/iptrace [ -a ] [ -b ] [ -e ] [ -u ] [ -P Protocol_list ] [ -i Interface ] [ -p Port_list ] [ -s Host [ -b ] ] [ -d Host ] [ -L Log_size ] [ -B ] [ -T ] [ -S snap_length ] LogFile

Description

The /usr/sbin/iptrace daemon records Internet packets received from configured interfaces. Command flags provide a filter so that the daemon traces only packets meeting specific criteria. Packets are traced only between the local host on which the iptrace daemon is invoked and the remote host.

If the iptrace process was started from a command line without the System Resource Controller (SRC), it must be stopped with the kill -15 command. The kernel extension loaded by the iptrace daemon remains active in memory if iptrace is stopped any other way.

The LogFile parameter specifies the name of a file to which the results of the iptrace command are sent. To format this file, run the ipreport command. The ipreport command may display the message TRACING DROPPED xxxx PACKETS. This count of dropped packets indicates only the number of packets that the iptrace command was unable to capture because a packet was larger than the socket-receive buffer. This message does NOT mean that the packets are being dropped by the system.
Note:
  1. The file specified by the LogFile parameter should not reside on an NFS-mounted file system. Specifying an output file on an NFS-mounted file system can cause the iptrace daemon to hang. In this case, you might not be able to kill the iptrace daemon, thus requiring a system restart.
  2. If iptrace is killed with kill -9, you must issue iptrace -u to unload the bpf kernel extension, or simply reboot. On a busy system you might need to issue iptrace -u several times, because the kernel extension used by iptrace may still be busy processing packets.
  3. The iptrace command also supports srcmstr, and it can be started and stopped from the command line. If started from the command line, it can be stopped using the kill -9 command.
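The start, stop and unload procedure described in the Description and Notes above, as an added example that is not part of this AIX documentation: a POSIX sh wrapper for running iptrace without SRC. It refuses a LogFile on an NFS-mounted file system (note 1), stops the daemon with kill -15 so that it releases its own kernel extension, and runs iptrace -u with retries (note 2) only when the daemon had to be killed with -9. The function names, the IPTRACE variable, the use of a colon in the first column of df -P output as the NFS test, and the wait status 137 (128 + SIGKILL) as the sign that the -9 fallback fired are all assumptions of this example; the interface en0 and host airmail come from the Examples section.

```shell
#!/bin/sh
# Added example (not part of the AIX iptrace documentation): run iptrace
# from the command line, without SRC, following the Notes above.
# IPTRACE can be overridden so the logic can be exercised where iptrace is absent.

IPTRACE=${IPTRACE:-/usr/sbin/iptrace}

# Return 0 (true) when the directory that will hold $1 is on an NFS mount.
# Assumption: 'df -P' prints the file system source in the first column and
# an NFS export is written host:/path, so a colon marks a remote file system.
is_on_nfs() {
    dir=$(dirname "$1")
    fs=$(df -P "$dir" 2>/dev/null | awk 'NR == 2 { print $1 }')
    case "$fs" in
        *:*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stop an iptrace started from the command line. kill -15 first (note 3 and
# the Description); if the daemon is still running after $2 seconds
# (default 5), a watchdog kills it with -9, and the kernel extension is then
# unloaded by hand with 'iptrace -u', retried because on a busy system the
# extension may still be processing packets (note 2).
stop_iptrace() {
    pid=$1
    grace=${2:-5}
    kill -15 "$pid" 2>/dev/null || return 0        # already gone
    ( sleep "$grace"; kill -9 "$pid" 2>/dev/null ) &
    watchdog=$!
    rc=0
    wait "$pid" || rc=$?
    kill "$watchdog" 2>/dev/null || true
    wait "$watchdog" 2>/dev/null || true
    if [ "$rc" -ne 137 ]; then                     # 137 = 128 + SIGKILL
        return 0                                   # exited on SIGTERM, extension unloaded
    fi
    for _ in 1 2 3; do
        "$IPTRACE" -u 2>/dev/null && return 0
        sleep 1
    done
    echo "warning: iptrace kernel extension still loaded; a reboot may be needed" >&2
    return 1
}

# Trace one remote host in both directions on one interface for $1 seconds
# (the filter of example 4): seconds interface host logfile
trace_host_for() {
    secs=$1; ifc=$2; host=$3; log=$4
    if is_on_nfs "$log"; then
        echo "refusing to trace: $log is on an NFS-mounted file system" >&2
        return 2
    fi
    "$IPTRACE" -i "$ifc" -s "$host" -b "$log" &
    pid=$!
    sleep "$secs"
    stop_iptrace "$pid"
}

# Usage when run as a script, e.g.: ./trace.sh 30 en0 airmail /tmp/airmail.trace
# then format the result with: ipreport /tmp/airmail.trace
[ $# -eq 4 ] && trace_host_for "$@"
```

The wrapper keeps the daemon's own SIGTERM handling as the normal path and treats the -9 fallback as the exception that needs iptrace -u, which is the distinction the Notes draw; the NFS check is a heuristic on df output, not an AIX API.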

Flags

Item Description
-a Suppresses ARP packets.
-b Changes the -d or -s flags to bidirectional mode.
-B Uses bpf for packet capture.
-d Host Records packets headed for the destination host specified by the Host variable. The Host variable can be a host name or an Internet address in dotted-decimal format.

If used with the -b flag, the -d flag records packets both going to and coming from the host specified by the Host variable.

-e Enables promiscuous mode on network adapters that support this function.
-i Interface Records packets received on the interface specified by the Interface variable.
-L Log_size Causes iptrace to log data in such a way that LogFile is copied to LogFile.old at startup and again every time it becomes approximately Log_size bytes long.
-P Protocol_list Records packets that use a protocol in the Protocol_list variable, a comma-separated list of protocols. Each protocol can be a decimal number or a name from the /etc/protocols file.
-p Port_list Records packets that use a port in the Port_list variable, a comma-separated list of ports. Each port can be a decimal number or a name from the /etc/services file.
-s Host Records packets coming from the source host specified by the Host variable. The Host variable can be a host name or an Internet address in dotted-decimal format.

If used with the -b flag, the -s flag records packets both going to and coming from the host specified by the Host variable.

-S snap_length Specifies the snap size (how much of each packet is actually captured from the wire) when you run the iptrace daemon with the -B flag (the bpf support). The command iptrace -S 1500 /tmp/iptrace.dump will limit captured packet size to 1500 bytes. The default is 80 bytes.
-T Creates a tcpdump compatible dump file. To read the output, use ipreport -T or tcpdump -r. iptrace -T in AIX® 5.3.0 is not compatible with release 5.2 and earlier, due to different versions of packet capture library (libpcap). Captured files created with iptrace -T in AIX 5.3 cannot be read with standard AIX tcpdump or ipreport on AIX 5.2 and earlier.
-u Unloads the kernel extension that was loaded by the iptrace daemon at startup.

Exit Status

The command returns the following exit values:

Item Description
0 The daemon has run successfully.
1
  • No interfaces were found.
  • The pcap_open_live subroutine failed.
  • The pcap_datalink subroutine failed.
  • The pcap_lookupnet subroutine failed.
  • The pcap_loop subroutine failed.
  • The hostname was not found.
  • The address was formed incorrectly.
  • The WPAR did not permit the operation.
  • The setpri subroutine failed.
  • The fopen subroutine failed.
  • The fstat subroutine failed.
  • The interface is unknown when the daemon looks up the link type.
2 The fread subroutine on a trace file failed.
5
  • Socket creation failed.
  • The specified file already exists, but the file is not a trace file.
9
  • The protocol is not in the /etc/protocols file.
  • The service is not in the /etc/services file.
  • The daemon failed to load the trace extension (netintf).
  • The daemon failed to unload the trace extension.

Security

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in AIX Version 7.1 Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

  1. To start the iptrace daemon with the System Resource Controller (SRC), enter:
    startsrc -s iptrace -a "/tmp/nettrace"
    To stop the iptrace daemon with SRC enter the following:
    stopsrc -s iptrace
  2. To record packets coming in and going out to any host on every interface, enter the command in the following format:
    iptrace /tmp/nettrace
    The recorded packets are received on and sent from the local host. All packet flow between the local host and all other hosts on any interface is recorded. The trace information is placed into the /tmp/nettrace file.
  3. To record packets received on an interface from a specific remote host, enter the command in the following format:
    iptrace -i en0 -p telnet -s airmail /tmp/telnet.trace
    The packets to be recorded are received on the en0 interface, from remote host airmail, over the telnet port. The trace information is placed into the /tmp/telnet.trace file.
  4. To record packets coming in and going out from a specific remote host, enter the command in the following format:
    iptrace -i en0 -s airmail -b /tmp/telnet.trace
    The packets to be recorded are received on the en0 interface, from remote host airmail. The trace information is placed into the /tmp/telnet.trace file.