iptrace as a service

There are many tools for observing the activity, both normal and pathological, on the network. Some run under AIX, others run on dedicated hardware.
One tool that can be used to obtain a detailed, packet-by-packet description of the LAN activity generated by a workload is the combination of the iptrace daemon and the ipreport command. The iptrace daemon can only be started by root. By default, iptrace traces all packets.

An option (-a) allows exclusion of address resolution protocol (ARP) packets. Other options can narrow the scope of tracing to a particular source host (-s), destination host (-d), or protocol (-p). For more information, see AIX Commands Reference.

Because iptrace can consume significant amounts of processor time, you should be as specific as possible in describing the packets you want traced. Since iptrace is a daemon, it should be started with a startsrc command rather than directly from the command line. This makes it easier to control and shut down cleanly. A typical invocation would be:

 # startsrc -s iptrace -a "-a -i en0 /user/iptrace/log1" 

For more information on all the available options, read the iptrace manual page in the AIX documentation. This command starts the iptrace daemon with directions to trace all activity on the interface, en0, and place the trace data in /user/iptrace/log1.

To stop the daemon, use:

 # stopsrc -s iptrace 

If you hadn’t started it with startsrc, you would have to find its process ID with ps and kill it.

The ipreport command is a formatter for the log file. Its output is written to stdout. Options allow recognition and formatting of RPC packets (-r), identifying each packet with a number (-n), and prefixing each line with a 3-character string that identifies the protocol (-s). A typical ipreport command to format the log1 file just created (which is owned by root) would be:

 # ipreport -rns log1 > log1_formatted
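The start, stop and format steps above, wrapped in one script as an added example (it is not from the quoted manual and not an AIX-supplied tool). It narrows the capture with -s/-d/-p when the caller sets SRC_HOST, DST_HOST or PROTO, stops the daemon even when the workload fails, and then counts lines per protocol using the 3-character prefix that ipreport -s writes. The STARTSRC/STOPSRC/IPREPORT variables, the environment variable names and the function names are my own assumptions, added so the flow can be exercised with stand-in commands on a host that has no iptrace.

```shell
#!/bin/sh
# Added example, not part of the quoted Bull/AIX manual: wrap the
# startsrc -> workload -> stopsrc -> ipreport procedure in one script so the
# capture is narrowed to what is needed (less processor time) and the daemon
# is always shut down cleanly, even when the workload fails.
# Assumptions: AIX with startsrc, stopsrc and ipreport in PATH. The three
# command names are variables so the flow can be exercised with stand-ins
# on a host without iptrace (hypothetical hook, not an AIX feature).

STARTSRC=${STARTSRC:-startsrc}
STOPSRC=${STOPSRC:-stopsrc}
IPREPORT=${IPREPORT:-ipreport}

# Optional narrowing filters, taken from the environment (assumed names):
#   SRC_HOST -> iptrace -s, DST_HOST -> iptrace -d, PROTO -> iptrace -p
SRC_HOST=${SRC_HOST:-}
DST_HOST=${DST_HOST:-}
PROTO=${PROTO:-}

# The daemon can only be started by root; fail early otherwise.
require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "iptrace must be started by root" >&2; return 1; }
}

# Compose the option string handed to iptrace via "startsrc -a".
#   $1 interface  $2 log file  $3 source host  $4 destination host  $5 protocol
# -a suppresses ARP packets, -i selects the interface; -s/-d/-p are added only
# when given, and the log path is the final operand.
build_iptrace_args() {
    _args="-a -i $1"
    [ -n "$3" ] && _args="$_args -s $3"
    [ -n "$4" ] && _args="$_args -d $4"
    [ -n "$5" ] && _args="$_args -p $5"
    printf '%s %s\n' "$_args" "$2"
}

# Trace a workload: start the daemon under the SRC, run the command, stop the
# daemon, then format the log with ipreport -rns (RPC decoding, packet
# numbers, 3-character protocol prefix on every line).
#   $1 interface  $2 raw log file  $3 formatted report  $4... workload command
capture_workload() {
    _if=$1; _log=$2; _out=$3; shift 3
    _opts=$(build_iptrace_args "$_if" "$_log" "$SRC_HOST" "$DST_HOST" "$PROTO")
    "$STARTSRC" -s iptrace -a "$_opts" || return 1
    _rc=0
    "$@" || _rc=$?                      # keep going so the daemon is stopped
    "$STOPSRC" -s iptrace
    "$IPREPORT" -rns "$_log" > "$_out" || return 1
    return $_rc
}

# Quick triage of a report produced with -s: count lines per protocol prefix,
# most frequent first ("TCP 2", "UDP 1", ...).
protocol_breakdown() {
    cut -c1-3 "$1" | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Run directly (as root on AIX), e.g.:
#   SRC_HOST=10.0.0.5 ./capture.sh en0 /tmp/log1 /tmp/log1_formatted sh workload.sh
if [ "$#" -ge 4 ]; then
    require_root || exit 1
    capture_workload "$@" || exit 1
    protocol_breakdown "$3"
fi
```

The script keeps the filters in environment variables rather than hard-coding them so the same wrapper can be reused per investigation; the narrower the filter, the less processor time the daemon takes, which is the point the manual makes above.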

This would result in a sequence of packet reports similar to the following example. The fields of most interest are: the source (SRC) and destination (DST) host address, both in dotted decimal and in ASCII; the IP packet length (ip_len); and the indication of the higher-level protocol in use (ip_p).

The "stuff" above is a quote from an old Bull (France) AIX manual.

To see how to start iptrace as a process, follow this post: "iptrace on AIX host".

