NETWORK CONFIGURATION AT BOOT TIME:
1. /etc/rc.net
Configures and starts TCP/IP interfaces. Sets the hostname, default gateway and static routes (it is called by cfgmgr).
Then, during initialization, the file /etc/inittab is processed. There are 2 entries:
...
rctcpip:23456789:wait:/etc/rc.tcpip > /dev/console 2>&1 # Start TCP/IP daemons
rcnfs:23456789:wait:/etc/rc.nfs > /dev/console 2>&1 # Start NFS Daemons
...
2. /etc/rc.tcpip
starts TCP/IP daemons (sendmail, portmap, inetd, etc., and other daemons: syslogd, lpd ...)
3. /etc/inetd.conf
When inetd starts, it reads its configuration from this file.
It contains the names of the services that inetd listens for and starts as needed.
PORTMAP DAEMON:
The portmap daemon converts remote procedure call (RPC) program numbers into Internet port numbers. (like in the case of NFS)
When an RPC server starts up, it registers with the portmap daemon. The portmap daemon knows the location of every registered port on the host and which programs are available on each of these ports. When a client sends an RPC to the server, the portmap daemon tells the client which port to send the call to. The portmap daemon listens on port number 111.
It is started from /etc/rc.tcpip before inetd and the RPC servers (e.g. nfs). Thus, when the RPC servers start they can register with portmap.
INETD DAEMON:
The /usr/sbin/inetd daemon provides Internet service management for a network. It reduces system load by invoking other daemons. The inetd daemon listens for connections on certain Internet sockets (info in /etc/inetd.conf) and handles those requests.
The inetd daemon is a subsystem that controls the following daemons (subservers): ftpd, fingerd, talkd, telnetd ...
/etc/inetd.conf inetd configuration file (if changed by an editor, run refresh -s inetd)
smitty inetd automatically updates /etc/inetd.conf
lssrc -ls inetd shows details of subservers started in inetd
stopsrc -s inetd stops the inetd daemon
stopsrc -t ftp stops an inetd subserver
------------------------
NAME RESOLUTION:
You can use several methods to ensure that /etc/hosts file is used before any DNS, if the /etc/resolv.conf file exists.
You can include the NSORDER variable in the /etc/environment file, or you can include a specification line in either the /etc/irs.conf file or the /etc/netsvc.conf file.
The settings in the /etc/netsvc.conf configuration file override the settings in the /etc/irs.conf file. The NSORDER environment variable overrides the settings in the /etc/irs.conf and the /etc/netsvc.conf files.
Domain Name Service (DNS):
/etc/resolv.conf contains name servers, if this file exists then we have a domain network, if not then /etc/hosts file is used
options debug if we add this line to /etc/resolv.conf, then ping will show how name was resolved
/etc/netsvc.conf specify the ordering of name resolution (or NSORDER environment variable can contain this)
(if both exist, NSORDER will override netsvc.conf)
bind=DNS, local=/etc/hosts
e.g.:
NSORDER=local,bind <--this can be added to /etc/environment
The /etc/netsvc.conf and /etc/irs.conf files are used by the resolver routines as soon as the files exist
/etc/netsvc.conf configuration:
hosts=local,bind
/etc/irs.conf configuration:
hosts local continue
hosts dns
nslookup <server name> responds similarly to the host command, but it only uses DNS (not NIS and not /etc/hosts)
Flat Network:
/etc/hosts contains the hostnames and their address for hosts in the network
host <hostname> searches through the /etc/hosts file, and displays the ip address of the hostname
host <ip address> searches through the /etc/hosts file, and displays the hostname
To work properly both should give the same result.
------------------------
ADDRESS RESOLUTION:
Internet-to-physical address (MAC address)
arp -a shows the ARP table
the manual of arp command can help
------------------------
VERIFYING OPEN PORTS:
To display TCP/IP application ports (which are opened)
netstat -an lists open ports with port numbers (netstat -an -f inet)
netstat -af inet lists all open UDP and TCP ports with service names (not the port numbers)
server ports are in LISTEN state, client connections to or from any port are in ESTABLISHED state
/etc/services contains information about known services and their portnumber (if changing this file: refresh -s inetd)
------------------------
ROUTING
lsattr -El inet0 shows the routes in inet0 (which is a network device in the kernel; config info for inet0 is stored in the ODM)
(you can check with this as well: odmget -q attribute=route CuAt)
netstat -rn shows the routing table. (-r: displays routing statistics, -n: displays the network address as an IP address)
In the routing table:
U - route is up and available
H - route is to a host
G - route is to a gateway
b - route represents a broadcast address
S - manually added??? (Static route: it will come back after reboot???)
A - Active Dead Gateway Detection is enabled on the route
Check both places: netstat -nr and lsattr -El inet0 (odmget -q "attribute = route" CuAt)
Commands:
chdev <--permanent: it will modify inet0 with the new route, it registers a new entry in the ODM
smitty route <--permanent: it calls the command chdev (Destination, Gateway and Netmask should be filled)
route <--temporary: this is valid only until next reboot (does not update the ODM)
ADD/REMOVE with chdev: (permanent)
(when the default route is added it can be a network route; the dest. address is 0.0.0.0 and the network mask can be 0.0.0.0)
(we can add the interface name as well; if omitted, the system will add one)
add:
chdev -l inet0 -a route=net,-hopcount,0,,0,100.200.200.65
chdev -l inet0 -a route=0,<default gw address> <-this will add the default route
remove:
first check lsattr -El inet0, and copy a line exactly from the output into " ...":
chdev -l inet0 -a delroute="net,-hopcount,0,-netmask,255.255.0.0,-if,en4,,,,50.20.0.0,50.50.80.3"
chdev -l inet0 -a delroute="net,-hopcount,0,,0,100.200.200.65"
chdev -l inet0 -a delroute="net,-hopcount,0,-netmask,255.255.255.240,,,,,-static,50.20.100.80,10.10.3.1"
------------------------
ADD/REMOVE with route: (temporary)
add:
route add 0 9.19.99.11 <--adds default route (0 really stands for 0.0.0.0)
route add -net 100.100.243.0 -netmask 255.255.255.0 100.100.200.209 <--adds network route (route add -net $NETW -netmask $NETMASK $GATEWAY)
route add -net 9.19.99/22 9.19.98.11 <--adds network route without netmask
route add -host 50.200.100.31 50.200.100.20 <--adds host route
route add 10.200.40.28 10.200.40.1 -active_dgd <--sets dead gateway detection on that route (netstat -nr shows: A if enabled on a route)
remove:
(the route delete ... command removes lines only from the netstat -nr output, it does not touch the ODM (lsattr -El inet0))
(netstat -nr will show if host or net route. H: host route, if no H is there it is a net route.)
(to remove a line, destination ip is enough from netstat -nr output, if it does not work you can give destination and gateway pair)
route delete -host 147.167.255.255 <--it removes that line from netstat -nr (host route)
route delete -net 147.167/16 <--it removes this net route
route delete 50.20/22 50.50.80.3 <--it removes that line
route delete 0 9.19.99.11 <--deletes only the default route
route -f <--clear the routing table (except those created implicitly)
mkdev -l inet0 <--recreate all routes which were in ODM (inet0) (it can help, if manually were deleted)
The route command distinguishes between routes to hosts and routes to networks by interpreting the network address of the destination address. The optional keywords -net and -host force the destination to be interpreted as given. If routes exist only in the running kernel (netstat -nr), but not in the ODM (lsattr -El inet0), smitty cannot remove them. In this case those routes have to be removed manually with "route delete...".
If there are duplicate routes on host A, you can have some packet loss when you ping host A from host B. On host A, if you issue route -n get <host B> many times, you will see the interface names (enX) change; this is due to bad routing.
For Static routes a solution would be:
(instead of using chdev and ODM checking)
1. add the routes with route command
2. Put the routes into /etc/rc.net file (with the same route command)
Look for "Part II - Traditional Configuration," and you will see an area in which you can add routes
This way, you have a flat file that is easily modified, contains the route information in a straightforward way, and doesn't manipulate the ODM.
To remove all the routes:
(routing table + ODM)
/etc/route -n -f and odmdelete -o CuAt -q "name=inet0 and attribute=route"
------------------------
chdev - changes are effective immediately and across boots (it is a real AIX command which works with ODM together)
ifconfig, route - changes are active immediately and are effective until reboot (these are Berkeley (BSD) commands implemented in AIX.)
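The "check both places" advice above, as an added example that is not part of the original notes: it compares the gateway routes in netstat -rn with the route attributes in lsattr -El inet0 and reports routes that exist in only one of them. The command output is constructed sample data and the function names are made up for this example; it assumes the last two comma-separated fields of a route attribute are destination and gateway (as in the chdev examples above) and it ignores netmasks.

```sh
#!/bin/sh
# Added example: report routes that differ between the running kernel and the ODM.

# Constructed sample of `netstat -rn` output.
KERNEL_ROUTES='Routing tables
Destination        Gateway           Flags   Refs     Use  If   Exp  Groups

Route Tree for Protocol Family 2 (Internet):
default            9.19.99.11        UG        3     81234 en0      -      -
9.19.98/22         9.19.98.20        U         5    120045 en0      -      -
50.20/16           50.50.80.3        UG        0        12 en4      -      -
100.100.243/24     100.100.200.209   UG        0         0 en1      -      -
127/8              127.0.0.1         U         9      3301 lo0      -      -'

# Constructed sample of `lsattr -El inet0` output.
ODM_INET0='hostname aixhost1 Host Name True
route net,-hopcount,0,,0,9.19.99.11 Route True
route net,-hopcount,0,-netmask,255.255.0.0,-if,en4,,,,50.20.0.0,50.50.80.3 Route True
route net,-hopcount,0,-netmask,255.255.255.240,,,,,-static,50.20.100.80,10.10.3.1 Route True'

# awk helper shared by both parsers: normalize a destination to a dotted quad.
# "default" and "0" become 0.0.0.0; "50.20/16" becomes 50.20.0.0.
AWK_NORM='
function norm(d,    o, n, i) {
    if (d == "default" || d == "0") return "0.0.0.0"
    sub(/\/.*/, "", d)
    n = split(d, o, ".")
    d = o[1]
    for (i = 2; i <= 4; i++) d = d "." (i <= n ? o[i] : 0)
    return d
}
'

# Kernel side: keep IPv4 routes with the G (gateway) flag, print "dest gateway".
kernel_gw_routes() {
    awk "$AWK_NORM"'
    $3 ~ /G/ && $1 !~ /:/ && ($1 == "default" || $1 ~ /^[0-9]/) {
        print norm($1), $2
    }'
}

# ODM side: the last two fields of each route attribute are dest and gateway.
odm_routes() {
    awk "$AWK_NORM"'
    $1 == "route" {
        n = split($2, f, ",")
        print norm(f[n - 1]), f[n]
    }'
}

# $1 = netstat -rn text, $2 = lsattr -El inet0 text.
# KERNEL_ONLY routes disappear at the next reboot; ODM_ONLY routes come back.
route_drift() {
    k=$(printf '%s\n' "$1" | kernel_gw_routes | sort -u)
    o=$(printf '%s\n' "$2" | odm_routes | sort -u)
    printf '%s\n' "$k" | while IFS= read -r r; do
        [ -z "$r" ] || printf '%s\n' "$o" | grep -qxF -- "$r" || echo "KERNEL_ONLY $r"
    done
    printf '%s\n' "$o" | while IFS= read -r r; do
        [ -z "$r" ] || printf '%s\n' "$k" | grep -qxF -- "$r" || echo "ODM_ONLY $r"
    done
}

# Demo on the constructed samples. On a live system:
#   route_drift "$(netstat -rn)" "$(lsattr -El inet0)"
route_drift "$KERNEL_ROUTES" "$ODM_INET0"
```

A KERNEL_ONLY line is a route that was added with the route command and is not in the ODM; an ODM_ONLY line is a stored route that is missing from the running table and will be recreated at boot or by mkdev -l inet0.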
------------------------
DIFFERENT INTERNET SERVICES:
                 ARPANET                 BERKELEY                SECURE SHELL
                 secure (not powerful)   powerful (not secure)   secure and powerful
Remote login:    telnet                  rlogin/rsh              ssh
Remote execute:  rexec                   rsh                     ssh
File transfer:   ftp                     rcp                     sftp/scp
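An added example, not part of the original notes, that applies the table above to /etc/inetd.conf: it lists the enabled inetd subservers that serve ARPANET or Berkeley commands, together with the Secure Shell replacement from the table. The inetd.conf content is constructed sample data and the function names are made up for this example.

```sh
#!/bin/sh
# Added example: which legacy remote-access subservers are enabled in inetd.conf?

# Constructed sample of /etc/inetd.conf (lines starting with # are disabled).
INETD_CONF='## service socket  proto   wait    user    server program       arguments
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd       ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd    telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd       rshd
#login  stream  tcp6    nowait  root    /usr/sbin/rlogind    rlogind
exec    stream  tcp6    nowait  root    /usr/sbin/rexecd     rexecd
#finger stream  tcp     nowait  nobody  /usr/sbin/fingerd    fingerd
ntalk   dgram   udp     wait    root    /usr/sbin/talkd      talkd
daytime stream  tcp     nowait  root    internal'

# Reads inetd.conf on stdin and prints, for every enabled entry whose daemon
# serves a command from the ARPANET or BERKELEY column:
#   <inetd service name> <daemon> <column> <Secure Shell replacement>
# Note that the service names differ from the command names:
# "shell" is rshd (rsh and rcp), "login" is rlogind, "exec" is rexecd.
legacy_inetd_services() {
    awk '
    BEGIN {
        col["telnetd"] = "ARPANET";  alt["telnetd"] = "ssh"
        col["rexecd"]  = "ARPANET";  alt["rexecd"]  = "ssh"
        col["ftpd"]    = "ARPANET";  alt["ftpd"]    = "sftp/scp"
        col["rlogind"] = "BERKELEY"; alt["rlogind"] = "ssh"
        col["rshd"]    = "BERKELEY"; alt["rshd"]    = "ssh/scp"
    }
    /^[ \t]*#/ || NF < 6 { next }        # skip disabled and malformed lines
    {
        d = $6; sub(/.*\//, "", d)        # basename of the server program
        if (d in col) print $1, d, col[d], alt[d]
    }'
}

# Number of enabled subservers from the column the table marks "not secure".
berkeley_enabled_count() {
    legacy_inetd_services | awk '$3 == "BERKELEY" { n++ } END { print n + 0 }'
}

# Demo on the constructed sample. On a live system:
#   legacy_inetd_services < /etc/inetd.conf
printf '%s\n' "$INETD_CONF" | legacy_inetd_services
```

To disable a reported subserver permanently, comment out its line in /etc/inetd.conf and run refresh -s inetd, as described in the INETD section.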
------------------------
OTHER COMMANDS:
smitty inet configuring interfaces
smitty tcpip configuring TCP/IP
smitty mktcpip on 1 page you can set: hostname, default gateway, netmask...
smitty hostname sets the hostname (chdev -l inet0 -a hostname=<name>)
lsdev -Cc adapter lists adapters
lsdev -Cc if lists interfaces
lsattr -EHl en0 lists attributes (this works as well: lsattr -EHl ent0)
lscfg -vpl <device> shows vital product data (e.g. lscfg -vpl ent0)
ifconfig configure and modify properties of network interfaces
ifconfig -a displays information about all interfaces (should be UP and RUNNING)
ifconfig en0 shows attributes of a specific interface (lo0:loopback, en0:ethernet...)
ifconfig en0 up activates network interface (... down: deactivates it)
ifconfig en1 50.20.100.47 netmask 255.255.255.192 up configure ip ("up" is the default, it may be omitted)
ifconfig en3 10.200.30.106 netmask 255.255.255.0 alias configure alias (ifconfig makes changes only until reboot)
ifconfig en3 10.200.30.106 netmask 255.255.255.0 delete deletes ip from interface en3
chdev -l en8 -a netaddr=50.20.80.4 changes the ip on en8
chdev -l en1 -a netaddr=12.10.10.2 -a netmask=255.255.255.0 -a state=up
chdev -l en3 -a alias4=10.10.6.26,255.255.255.0 adds alias to en3 (last after reboot as well)
chdev -l en9 -a delalias4=10.200.200.136,255.255.255.224 removes an alias (this works as well: ifconfig en1 delete 9.37.207.29)
chdev -l en0 -a state=down; chdev -l en0 -a state=detach reconfig/delete adapter first remove ip with chdev...after rmdev…
no -a lists network tuning parameters
ping -c 1 <hostname> sends only 1 packet
ping -f <hostname> floods out packets (it is good for testing the network for handling a lot of traffic)
ping -s <packet size> <hostname> specifies the number of bytes to be sent
rpcinfo -d <prognum> <versnum> deletes registration of a service (clears up the port?)
spray <hostname> -c 100 -l 50 -d 1 sends a specified number of packets to a host (performance statistics)
it uses RPC which is higher level than ICMP (higher layer than ping)
sprayd must be running on the host to get a response (inetd.conf)
-c number of packets to send
-l the size of a packet
-d delay time (in microseconds) between sending the packets
-i sends ICMP packets, not RPC
netstat -rn shows the routing table
netstat -in shows the MAC addresses (and IP addresses) of all interfaces
netstat -v shows device driver information
netstat -v ent2 shows statistical information (it uses entstat, e.g. it is similar to entstat -d ent2)
netstat -v |grep Media shows running speed (100Mbs..., Full duplex) (netstat -v | egrep "ETH|Media|Speed|Link")
netstat -p udp display UDP transport statistics (dropped, socket buffer overflow)
netstat -p tcp display TCP transport statistic (retransmitted: it means cannot ACK before timeout, duplicate packets)
netstat -I en0 2 shows traffic across that interface in 2 seconds intervals
netstat -an display the status of connections to host
route get shows info which interface, gateway ... is used to reach the ip
traceroute shows each router the packets travel through to reach the target host
+with the min., average, max. response time taken to get to that router (* means probe to the next router timed out)
traceroute <ip> <size> packet size can be added as well (once this was successful:traceroute 100.200.140.55 1456, but with 1457 it wasn't)
arp -an shows the ARP table without name resolution
------------------------
tcpdump -i en0 -n it will show the traffic on en0 (good to check which VLAN/IP range we have after cabling)
tcpdump -i en0 icmp it will only watch the icmp (ping) traffic on the given interface
tcpdump -i en1 host 50.50.30.8 displays the traffic of en1 which is coming from or going to the given host
tcpdump -n -i en1 host 50.50.30.8 it is the same as above, just without name resolution (more simplified)
tcpdump -i en2 dst host <host> show only data being sent to a specific host
tcpdump -i en2 src host <host> show only packets coming from a specific host
tcpdump -i en2 host <host> and port 22 show packet destined for or sent by a specific host on a specific port (with "and" keyword)
tcpdump -w test.pcap -i en4 host 10.120.0.13 shows network traffic (if -w omitted it displays the results on the screen)
-w writes details to file test.pcap (it is not a text file, wireshark can understand it)
-i checks traffic only on specified interface
host only the communication from the given host will be watched
tcpdump -Uni en0 host 10.10.10.100 -w - | tee /tmp/tcpdump.pcap | tcpdump -r - <--save output to a pcap (wireshark) file and show it at the same time
------------------------
iptrace same as tcpdump (tcpdump better)
iptrace usage:
1. iptrace -a -i en1 -s clientip -b -d serverip -p 80 trace.out this will capture both directions on port 80 traffic to file trace.out
2. generate a test, then run: ps -ef | grep iptrace --> kill -15 <pid>
3. ipreport trace.out>trace.fmt (after this trace.fmt can be read by wireshark)
uname -n displays the hostname (-x: displays operating system release number...)
no -o ipforwarding shows if the host forwards IP datagrams or not (0=not, 1=yes; to change it: no -o ipforwarding=<value>)
Hosts should not forward IP datagrams unless specifically configured as a router
Hostname setting:
hostname <any name> changes the hostname until next reboot
chdev -l inet0 -a hostname=<name> permanent change
------------------------
Who is using my port?
1. netstat -Aan | grep <port number> <-- shows if the specified <port number> is being used.
The hex number in the first column is the address of protocol control block (PCB)
$ netstat -Aan | grep 30542
f10000f303321b58 tcp4 0 0 *.30542 *.* LISTEN
2. rmsock <addr of PCB> tcpcb <-- This shows the process (PID) that is holding the socket. (should be run as root)
$ rmsock f10000f303321b58 tcpcb
The socket 0x3321800 is being held by proccess 692476 (db2sysc).
Note that rmsock, unlike what its name implies, does not remove the socket, if the socket is being used by any process.
It just reports the process holding the socket. The second argument of rmsock is the protocol. (tcpcb in the example indicates TCP.)
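Step 1 above as an added example, not part of the original notes: a plain grep for the port number also matches foreign ports, established connections and even PCB addresses that happen to contain the digits, so this parser matches only the local port field and prints the rmsock command for each socket bound to it. The netstat output is constructed sample data and the function names are made up for this example; inpcb is the rmsock address type used here for UDP sockets.

```sh
#!/bin/sh
# Added example: exact local-port match on `netstat -Aan` output.

# Constructed sample of `netstat -Aan` output. Four lines contain "30542":
# a listener, a PCB address, a foreign port and an established connection.
NETSTAT_AAN='Active Internet connections (including servers)
PCB/ADDR         Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
f10000f303321b58 tcp4       0      0  *.30542            *.*                LISTEN
f10000f303054258 tcp4       0      0  *.22               *.*                LISTEN
f10000f3011c6b58 tcp4       0      0  10.1.1.5.22        10.1.1.9.30542     ESTABLISHED
f10000f3025a7358 tcp4       0      0  10.1.1.5.30542     10.1.1.7.51514     ESTABLISHED
f10000f300a3c200 udp4       0      0  *.514              *.*'

# $1 = port; reads netstat -Aan on stdin.
# AIX prints addresses as "ip.port", so the port is the last dot-separated
# part of the Local Address column. TCP sockets are reported only in LISTEN
# state; UDP sockets have no state column.
socket_owner_cmds() {
    awk -v port="$1" '
    $2 ~ /^(tcp|udp)/ {
        n = split($5, a, ".")
        if (a[n] != port) next
        if ($2 ~ /^tcp/ && $7 != "LISTEN") next
        print "rmsock", $1, ($2 ~ /^tcp/ ? "tcpcb" : "inpcb")
    }'
}

# What `netstat -Aan | grep <port>` would return on the same data (line count).
naive_match_count() {
    printf '%s\n' "$NETSTAT_AAN" | grep -c -- "$1"
}

# Demo on the constructed sample. On a live system (as root):
#   netstat -Aan | socket_owner_cmds 30542
echo "grep matches for 30542: $(naive_match_count 30542)"
printf '%s\n' "$NETSTAT_AAN" | socket_owner_cmds 30542
```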
------------------------
If ping does not work and arp -a shows incomplete entry:
server.domain.com (111.111.222.222) at (incomplete)
There is an IFIX (IV13759s01) for this issue, but it can also be fixed manually by removing this entry from the arp table and adding a new one with the MAC address.
1. on destination server: check mac address of the network interface (111.111.222.222)
# netstat -i
Name Mtu Network Address
en1 1500 link#2 1e.2f.ed.3c.e4.c <--MAC address is here, replace "." (dots) with ":" (colons), arp command needs this
en1 1500 111.111.222 server.domain
2. on the server with wrong arp table:
arp -d server.domain.com <--delete wrong entry from arp table
arp -s ether server.domain.com 1e:2f:ed:3c:e4:c <--add arp entry with correct MAC address
After that arp -a will show correct entry and ping should work.
------------------------
configure/remove an IP:
configure:
ifconfig enX inet 10.11.12.97 netmask 255.255.255.0 up configure enX with an IP/netmask until reboot
chdev -l enX -a netaddr=10.11.12.47 -a netmask=255.255.255.0 -a state=up configure enX with an IP/netmask permanently
remove:
ifconfig enX down; ifconfig enX detach change status to down and unload interface (it will not be busy) until reboot
chdev -l en1 -a state=down; chdev -l en1 -a state=detach change status to down and unload interface (it will not be busy) permanently
rmdev -dl enX; rmdev -dl etX; rmdev -dl entX after interface is detached rmdev will remove interface
------------------------
Check if Firewall blocks network traffic to a specific port
TCP ports: telnet
telnet 10.10.10.100 1500 <--checking if the TCP port 1500 is reachable on 10.10.10.100
Trying...Connected to 10.10.10.100 <--no firewall is blocking the connection (and there is a service listening on that port)
Trying...A remote host refused... <--no firewall is blocking the connection (and there is no service on that port)
Trying... <--output is hanging on Trying… means firewall is blocking to reach that port
UDP ports: iperf
In this example we want to test connection from a Client to a Server with IP: 10.10.10.100 on UDP Port 1500
iperf -s -p 1500 -u <--setup iperf to listen on Server on UDP port 1500
iperf -c 10.10.10.100 -u -p 1500 -b 10M <--run this on client side to check connection to server on UDP 1500 with 10Mb/s speed
if at client side the output shows like:
Server Report: 0.00-10.00 sec 11.9Mbytes 9.99Mbits/sec <---connection is OK
WARNING: did not receive ack of last datagram... <---connection is NOT OK
------------------------
Hi,
what is hopcount in route add entry. Also explain the entries available in route addition command
"net,-hopcount,0,,0,100.200.200.65"
Hi,
"man route" says about hopcount:
-hopcount n
Specifies maximum number of gateways in the route.
That example what you gave I usually get from "lsattr -El inet0", and I copy that line without modification to i.e. delroute. But for decoding it, I guess the first 0 after hopcount relates to hopcount and the second 0 means default gateway (it can be translated to 0.0.0.0)
:-)
Hi, I have to add new IP/second IP(124.23.43.22) as the loopback interface, I have settings like below..
[/]# ifconfig lo0
lo0: flags=e08084b,c0
inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255
inet6 ::1%1/0
tcp_sendspace 131072 tcp_recvspace 131072 rfc1323 1
==================
Please let me know the command (as permanent and temporary) to add new IP/second IP as the loopback interface
How to add new ip to the loopback interface lo0 as permanent ?
Thanks,
Sri
What is the command to add new ip to the loopback interface lo0 as alias and it should be permanent
This command should work: ifconfig lo0 alias netmask 255.255.255.255
To make this permanent, I would add this to inittab or to an rc script (/etc/rc.d/rc2.d) so at boot time this alias would be configured.
(I checked around on the net, and I saw netmask 255.255.255.255 was used many times with lo0, so probably there is a reason for this.)
thanks,
but can u pls tell me how to add this to inittab or to an rc script to make it permanent... ?
or Can't we make this permanent to use the command chdev or through smitty ?
I made a typo, correct command should look like: ifconfig lo0 alias ip_address netmask 255.255.255.255
(chdev would be a good solution, just for lo0 device it doesn't work)
I think easiest would be in your case to add this command to /etc/rc.net file. You can read more about that:
http://pic.dhe.ibm.com/infocenter/aix/v7r1/index.jsp?topic=%2Fcom.ibm.aix.files%2Fdoc%2Faixfiles%2Frc.net.htm
(If you add things to that file, in case you do an OS upgrade, there is a chance your modifications will be lost, so document them very well.)
very basic question, Can you please help me understand the output format of arp -an
xxx (some_ip) at probably_mac_address [ethernet] stored in bucket 6
what is 'xxx', is it remote server name(dns server)?
"some_ip" is address of remote host
"probably_mac_address" is mac address of this remote host?
Hi, when there is an attempt to reach server B from server A (for example ping server B), then Server B IP address and MAC address is stored on server A in the arp table. This helps server A to maintain a good table to know to which IP/MAC address should send the packet and who will answer. ARP table belongs to the Data/Link layer which is between the TCP/IP and physical network layer, and with the help of this packets can go through from appl. layer to the physical network.
Hope this helps...
What is active Dead gateway detection
Hi, when i rebooted the server after patching new route entry is coming up and i permanently deleted the entry and rebooted the server again. Again the route entry came up..checked no entry exists in /etc/rc.net and rc.tcpip.. Can you please help me out for the root cause..
netstat -a stuck without giving complete o/p any suggestions on this please
Hi
in AIX, when i ping , the time delay shows 2ms or 3 ms
how do we fix this?
This blog is nice and very informative. I like this blog.
blog Please keep it up.