TCP/IP sniffing
Hi, we are quite new to zLinux (not to Linux). We have some trouble with TCP/IP networking and are trying to diagnose some things. One of the first things we do is start sniffing on the network devices (tcpdump or Ethereal). When we do this on zLinux, we see only weird packets passing, nothing that is recognized by either tcpdump or Ethereal. The packets look like this:

    13:01:38.311734 40:00:7a:06:07:eb (oui Unknown) > 45:60:00:5c:43:5c (oui Unknown), ethertype Unknown (0xac1e), length 92:
        0x0000: aac9 9148 ccc4 0f22 0016 e598 2910 a9ca ...H...)...
        0x0010: 8e23 5018 3f98 4977 2bc9 1329 5c8c .#P.?.Iw..+..)\.
        0x0020: 225d e502 e80e d104 d626 3a28 cf4e 292f ]...:(.N)/
        0x0030: 64bc 1332 6db8 29df d6f3 b46d e9ce c496 d..2m.)m
        0x0040: 4ef6 53a4 8c80 9c5d 581f 1df3 2c2d N.S]X...,-

There are thousands of packets like this passing in just a few seconds. The symptoms are the same for both OSA devices and HiperSockets. Are we missing something here? I know we can somehow do a similar thing under z/VM, but at the moment the Linux environment is more comfortable to us, so any advice is welcome.

regards,
Harry Metske

The information contained in this message may be confidential and is intended to be exclusively for the addressee. Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail. Rabobank Nederland is a trade name of Cooperatieve Centrale Raiffeisen-Boerenleenbank B.A. Rabobank Nederland is registered by the Chamber of commerce under nr. 30046259

--
For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
Re: TCP/IP sniffing
Looks like non-character data, a binary file?

K

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED]] On Behalf Of Harry Metske
Sent: Wednesday, May 16, 2007 7:05 AM
To: LINUX-390@VM.MARIST.EDU
Subject: TCP/IP sniffing

> When we do this on zLinux, we see only weird packets passing, nothing that is recognized by either tcpdump or Ethereal. The packets look like this:
> 13:01:38.311734 40:00:7a:06:07:eb (oui Unknown) > 45:60:00:5c:43:5c (oui Unknown), ethertype Unknown (0xac1e), length 92:
> [...]
> There are thousands of packets like this passing in just a few seconds. The symptoms are the same for both OSA devices and HiperSockets. Are we missing something here?
Re: TCP/IP sniffing
On 5/16/07, Harry Metske <[EMAIL PROTECTED]> wrote:

> When we do this on zLinux, we see only weird packets passing, nothing that is recognized by either tcpdump or Ethereal. The packets look like this:

The level 3 packets are plain IP. I believe there was something done to the tcpdump package by SuSE to make it pick the proper type. You might be able to convince it with the -y option. Mine just works out of the box (SLES9 64bit):

    lrobv1:~ # rpm -q tcpdump
    tcpdump-3.8.1-49.4
    lrobv1:~ # tcpdump -i hsi0 -n -c 20
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on hsi0, link-type EN10MB (Ethernet), capture size 96 bytes
    04:13:40.484243 IP 212.61.81.181.3969 > 148.100.96.70.22: . ack 421602459 win 16024
    04:13:40.537029 IP 148.100.96.70.22 > 212.61.81.181.3969: P 1:217(216) ack 0 win 19296
    04:13:40.536892 IP 148.100.96.70.22 > 212.61.81.181.3969: P 217:333(116) ack 0 win 19296
    04:13:40.641418 IP 212.61.81.181.3969 > 148.100.96.70.22: . ack 333 win 15692
    04:13:40.641458 IP 148.100.96.70.22 > 212.61.81.181.3969: P 333:485(152) ack 0 win 19296
    04:13:40.641753 IP 148.100.96.70.22 > 212.61.81.181.3969: P 485:569(84) ack 0 win 19296
    04:13:40.746184 IP 212.61.81.181.3969 > 148.100.96.70.22: . ack 569 win 15456
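Rob's point, that the "weird" frames are plain IP packets being read as Ethernet, can be checked directly against the bytes Harry posted. The following is an added example and not code from the thread, from tcpdump or from the qeth driver. The sample bytes are constructed from the posted dump (the two "MAC addresses", the "ethertype" and the first words of the hex output; the page's copy of the dump drops some hex words, so only the first 38 bytes are reconstructed, which is enough for the IPv4 header and the TCP header up to its checksum). It shows that tcpdump's "ethertype 0xac1e" is simply the first two octets of the 172.30.x.x source address, and that a prepended link-layer header is what an Ethernet-typed decoder needs. The wrap_in_ethernet helper and the all-zero MAC addresses it uses are an assumption made for illustration only, not the real behaviour of the driver's fake_ll option.

```python
"""Decode the 'weird' frame from the original post as what it actually is:
a raw IPv4 packet that an Ethernet-typed decoder mis-parsed.

Added example; not code from the mailing-list thread, tcpdump or qeth.
"""
import struct

# Constructed from the posted tcpdump output. tcpdump printed the first 14
# bytes as src MAC 40:00:7a:06:07:eb > dst MAC 45:60:00:5c:43:5c, ethertype
# 0xac1e. On the wire the destination field comes first, so the bytes start
# 45 60 ..., which is an IPv4 header (version 4, IHL 5).
POSTED_FRAME = bytes.fromhex(
    "4560005c435c"                       # printed as the destination "MAC"
    "40007a0607eb"                       # printed as the source "MAC"
    "ac1e"                               # printed as "ethertype Unknown (0xac1e)"
    "aac99148ccc40f220016e5982910a9ca"   # hex dump line 0x0000
    "8e2350183f984977"                   # hex dump line 0x0010, first words only
)

ETHERTYPE_IPV4 = 0x0800
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ipv4(b):
    return ".".join(str(x) for x in b)


def as_ethernet(frame):
    """What tcpdump did: treat the first 14 bytes as dst MAC, src MAC, type."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac(dst), "src": mac(src), "ethertype": etype}


def looks_like_raw_ipv4(frame):
    """Sanity check for a capture with no link-layer header: first byte must
    be 0x45..0x4f (version 4, IHL >= 5) and the total-length field must be at
    least the header length. A frame with a real Ethernet header fails this."""
    if len(frame) < 20:
        return False
    version, ihl = frame[0] >> 4, frame[0] & 0x0F
    total_length = struct.unpack("!H", frame[2:4])[0]
    return version == 4 and ihl >= 5 and total_length >= ihl * 4


def as_ipv4_tcp(packet):
    """Decode the IPv4 header and, for protocol 6, the fixed part of the TCP
    header up to the checksum (18 bytes), which is all the posted dump keeps."""
    if not looks_like_raw_ipv4(packet):
        raise ValueError("not an IPv4 packet")
    (vihl, tos, total_length, ident, frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    out = {
        "version": vihl >> 4, "ihl": ihl, "tos": tos,
        "total_length": total_length, "id": ident,
        "dont_fragment": bool(frag & 0x4000), "ttl": ttl, "protocol": proto,
        "src": ipv4(src), "dst": ipv4(dst), "bytes_present": len(packet),
    }
    if proto == 6 and len(packet) >= ihl + 18:
        sport, dport, seq, ack, off_flags, window, tcsum = struct.unpack(
            "!HHIIHHH", packet[ihl:ihl + 18])
        flags = off_flags & 0x3F
        out["tcp"] = {
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4,
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
            "window": window, "checksum": tcsum,
        }
    return out


def wrap_in_ethernet(packet, src_mac=b"\0" * 6, dst_mac=b"\0" * 6):
    """Prepend a synthetic Ethernet header so an Ethernet-typed decoder reads
    the packet correctly. This only illustrates why a link header fixes the
    decode; the zero addresses are an assumption, not what qeth's fake_ll
    actually fills in."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet


if __name__ == "__main__":
    bogus = as_ethernet(POSTED_FRAME)
    real = as_ipv4_tcp(POSTED_FRAME)
    print("tcpdump's reading:", bogus)
    print("actual IPv4 header:",
          {k: real[k] for k in ("version", "total_length", "ttl", "protocol", "src")})
    print("TCP:", real["tcp"])
    fixed = wrap_in_ethernet(POSTED_FRAME)
    print("with a link header, ethertype is", hex(as_ethernet(fixed)["ethertype"]))
```

Run stand-alone it prints the bogus Ethernet reading next to the real decode: total length 92 (matching tcpdump's "length 92"), TTL 122, protocol 6 and a PSH/ACK segment to port 22, which is exactly the kind of SSH traffic Rob's own capture shows once the decoder sees the right link type. The looks_like_raw_ipv4 check is the one-liner worth keeping: if every frame in a capture passes it, the interface is handing you layer-3 packets and the link type, not the network, is the problem.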
Re: TCP/IP sniffing
Rob, we run SLES10 with:

    lnxt002:~ # rpm -q tcpdump
    tcpdump-3.9.4-14.2

Any suggestions for the data link type? I tried a few, but they are not accepted, or when specifying EN10MB I get the same junk as without the -y option. Same for the SLES9 system we run:

    lnxt003:~ # rpm -q tcpdump
    tcpdump-3.8.1-49.1

regards,
Harry

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED]] On behalf of Rob van der Heij
Sent: Wednesday, May 16, 2007 1:19 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: TCP/IP sniffing

> The level 3 packets are plain IP. I believe there was something done to the tcpdump package by SuSE to make it pick the proper type. You might be able to convince it with the -y option. Mine just works out of the box (SLES9 64bit):
> [...]
Re: TCP/IP sniffing
Harry Metske <[EMAIL PROTECTED]> wrote on 16.05.2007 13:37:41:

> we run SLES10 with:
> lnxt002:~ # rpm -q tcpdump
> tcpdump-3.9.4-14.2

This may be the same as a known problem on SLES10 (Novell Bugzilla 148371). The suggested workaround is to use the fake_ll option of the qeth driver as described in the Linux on zSeries Device Drivers manual at http://www-128.ibm.com/developerworks/linux/linux390/october2005_documentation.html

Regards,
Peter Oberparleiter

--
Peter Oberparleiter
Linux on System z Development
IBM Deutschland Entwicklung GmbH
Re: TCP/IP sniffing
Excellent!

    echo 1 > /sys/devices/qeth/0.0.0600/fake_ll

did the job. At least for the incoming packets; I'll read the manual a bit further, I understand there are more options.

thanks!
Harry

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED]] On behalf of Peter 1 Oberparleiter
Sent: Wednesday, May 16, 2007 1:58 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: TCP/IP sniffing

> This may be the same as a known problem on SLES10 (Novell Bugzilla 148371). The suggested workaround is to use the fake_ll option of the qeth driver as described in the Linux on zSeries Device Drivers manual at http://www-128.ibm.com/developerworks/linux/linux390/october2005_documentation.html
Re: TCP/IP sniffing
Harry Metske wrote:

> Hi, we are quite new to zLinux (not to Linux). We have some trouble with TCP/IP networking and are trying to diagnose some things. One of the first things we do is start sniffing on the network devices (tcpdump or Ethereal).

Use tcpdump-qeth, or use a network with Layer-2 support.

Mark