This is a discussion on AIX 4.3.2 raw ethernet sniffer within the AIX Operating System forums, part of the Unix Operating Systems category.
Hi,
can anyone help me on how to write an AIX 4.3.2 raw ethernet sniffer?
My intention is to sniff all TCP packets between two remote hosts
which are different from the AIX machine.
I think I should open a socket in RAW mode and via ioctl I should set
ethernet to accept all packets...HOW??

Thanks

Christian
| |||
chdibi77@libero.it (Christian) writes:

> Hi,
> can anyone help me on how to write an AIX 4.3.2 raw ethernet sniffer?
> My intention is to sniff all TCP packets between two remote hosts
> which are different from the AIX machine.
> I think I should open a socket in RAW mode and via ioctl I should set
> ethernet to accept all packets...HOW??
>
>
> Thanks
>
> Christian

<http://www.ethereal.com>

--
#include <disclaimer.std>    /* I don't speak for IBM ...           */
                             /* Heck, I don't even speak for myself */
                             /* Don't believe me ? Ask my wife :-)  */
Richard D. Latham   lathamr@us.ibm.com
| |||
Christian wrote:
> Hi,
> can anyone help me on how to write an AIX 4.3.2 raw ethernet sniffer?
> My intention is to sniff all TCP packets between two remote hosts
> which are different from the AIX machine.
> I think I should open a socket in RAW mode and via ioctl I should set
> ethernet to accept all packets...HOW??
>
>
> Thanks
>
> Christian

also tcpdump
http://aixpdslib.seas.ucla.edu/packages/tcpdump.html

--
Jason
| |||
On Fri, 25 Mar 2005 11:19:14 -0500, Jason Mather wrote:

> Christian wrote:
>> Hi,
>> can anyone help me on how to write an AIX 4.3.2 raw ethernet sniffer?
>> My intention is to sniff all TCP packets between two remote hosts
>> which are different from the AIX machine. I think I should open a socket in
>> RAW mode and via ioctl I should set ethernet to accept all
>> packets...HOW??
>>
>>
>> Thanks
>>
>> Christian
>
> also tcpdump
> http://aixpdslib.seas.ucla.edu/packages/tcpdump.html

Tcpdump is part of AIX and has been since at least 4.2.1 (I don't have
anything more ancient) installed by default.

What the OP wants to do may not be possible, depending on the ethernet
fabric. Switches, which are most common nowadays, do not send packets to
all ports indiscriminately, they remember what MAC address is on what port
and send the packets only to the required destination. So if machine C is
trying to sniff packets between A and B, it won't see most of them. It'll
work with a hub.

BTW I don't recommend running ethereal on AIX, not in packet capture mode
anyway, I've had a couple of instances of it crashing it - with IBM's
build of ethereal from the "Toolbox for Linux" CD. To be safe, I don't
install ethereal on AIX. I run tcpdump with output to a file and ship the
file to a Linux machine and examine it with ethereal.

Regards, Ian
| |||
Ian Northeast <ian@house-from-hell.demon.co.uk> wrote in message news:<pan.2005.03.25.21.32.25.810797@house-from-hell.demon.co.uk>...
> On Fri, 25 Mar 2005 11:19:14 -0500, Jason Mather wrote:
>
> > Christian wrote:
> >> Hi,
> >> can anyone help me on how to write an AIX 4.3.2 raw ethernet sniffer?
> >> My intention is to sniff all TCP packets between two remote hosts
> >> which are different from the AIX machine. I think I should open a socket in
> >> RAW mode and via ioctl I should set ethernet to accept all
> >> packets...HOW??
> >>
> >>
> >> Thanks
> >>
> >> Christian
> >
> > also tcpdump
> > http://aixpdslib.seas.ucla.edu/packages/tcpdump.html
>
> Tcpdump is part of AIX and has been since at least 4.2.1 (I don't have
> anything more ancient) installed by default.
>
> What the OP wants to do may not be possible, depending on the ethernet
> fabric. Switches, which are most common nowadays, do not send packets to
> all ports indiscriminately, they remember what MAC address is on what port
> and send the packets only to the required destination. So if machine C is
> trying to sniff packets between A and B, it won't see most of them. It'll
> work with a hub.
>
> BTW I don't recommend running ethereal on AIX, not in packet capture mode
> anyway, I've had a couple of instances of it crashing it - with IBM's
> build of ethereal from the "Toolbox for Linux" CD. To be safe, I don't
> install ethereal on AIX. I run tcpdump with output to a file and ship the
> file to a Linux machine and examine it with ethereal.
>
> Regards, Ian

Thanks all,
my problem is that TCPDUMP sniffs only the header of each TCP packet,
but I need to sniff the data in the packet. How can I do this?
| |||
Christian wrote:
> my problem is that TCPDUMP sniffs only the header of each TCP packet,
> but I need to sniff the data in the packet. How can I do this?

Not true. Try:

    tcpdump -n -l -X -s <# Bytes> <Filter>

Regards,
Frank
| |||
chdibi77@libero.it (Christian) writes:

>Ian Northeast <ian@house-from-hell.demon.co.uk> wrote in message news:<pan.2005.03.25.21.32.25.810797@house-from-hell.demon.co.uk>...

>> Tcpdump is part of AIX and has been since at least 4.2.1 (I don't have
>> anything more ancient) installed by default.
....
>my problem is that TCPDUMP sniffs only the header of each TCP packet,
>but I need to sniff the data in the packet. How can I do this?

Will the -s parameter of tcpdump help? Set it to larger than the MTU
of your interface to get the whole packet. (-s 1514 seems to work for
me on Ethernet.)

--
Dale Talcott, Rosen Center for Advanced Computing, Purdue University
aeh@quest.cc.purdue.edu http://quest.cc.purdue.edu/~aeh/
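An added example, not part of any post in this thread: when a capture is written to a file and examined on another machine, as described above, the classic pcap format records both the snapshot length and, per packet, the bytes kept versus the bytes on the wire, so a file can be checked for the header-only truncation that `-s` controls. The function names `build_pcap` and `audit_pcap` are hypothetical, the sample captures are constructed in memory, and both byte orders are handled on the assumption that the file may come from a big-endian host.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def build_pcap(snaplen, frame_sizes, endian="<"):
    """Constructed sample: a pcap of zero-filled Ethernet frames cut at snaplen."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for i, size in enumerate(frame_sizes):
        kept = min(size, snaplen)  # bytes the snapshot length lets through
        out += struct.pack(endian + "IIII", i, 0, kept, size) + bytes(kept)
    return out


def audit_pcap(data):
    """Return (snaplen, packets, truncated_packets, bytes_lost) for a pcap blob."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"              # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"              # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    offset, total, truncated, lost = 24, 0, 0, 0
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16 + incl_len
        if offset > len(data):
            raise ValueError("record runs past end of file")
        total += 1
        if incl_len < orig_len:   # payload was cut off at capture time
            truncated += 1
            lost += orig_len - incl_len
    return snaplen, total, truncated, lost


if __name__ == "__main__":
    frames = [60, 1514, 1514]     # constructed frame sizes in bytes
    for snap in (68, 1514):       # a small snaplen versus -s 1514
        print(snap, audit_pcap(build_pcap(snap, frames)))
```

A non-zero truncated count means the payload was never written to the file, so the capture has to be repeated with a larger `-s` value.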
| ||||
"Richard D. Latham" <lathamr@us.ibm.com> wrote in message news: 3bujolma.fsf@us.ibm.com...
> chdibi77@libero.it (Christian) writes:
>
>> Hi,
>> can anyone help me on how to write an AIX 4.3.2 raw ethernet sniffer?
>> My intention is to sniff all TCP packets between two remote hosts
>> which are different from the AIX machine.
>> I think I should open a socket in RAW mode and via ioctl I should set
>> ethernet to accept all packets...HOW??
>>
>>
>> Thanks
>>
>> Christian
>
> <http://www.ethereal.com>
>
> --
> #include <disclaimer.std>    /* I don't speak for IBM ...           */
>                              /* Heck, I don't even speak for myself */
>                              /* Don't believe me ? Ask my wife :-)  */
> Richard D. Latham   lathamr@us.ibm.com