How to restart the X window system on RHEL without rebooting?

Recently a RedHat 4 machine kept showing several GNOME error windows whenever I logged in through X manager. It didn't stop the login, but it was still irritating. I would have liked to reboot the machine, but it was running important services that were in service, so the only option was to restart X11 without rebooting. After a little searching it turned out there is already a ready-made script for this under /usr/sbin:

First, as usual, the test environment for this exercise: RHEL4.5 + X11:
Next, the contents of this handy script (/usr/sbin/gdm-restart):
See that last line? That single line is all we need. But before restarting the service, let's check the status of X11:
Notice that the main GDM PID is 4427. Now restart X11 with the following command:
# kill -HUP `cat /var/run/gdm.pid`
Here is the result after the restart; the second part has one extra process:
root 16547 0.0 0.0 12548 2480 ? S 14:39 0:00 \_ /usr/bin/gdm-binary -nodaemon
That's because I was connected to the server through X-manager for the test.
After the restart, only the PID of the original X11 process stays the same; all the other processes have been restarted. End of report~

Addendum 2009/08/19: the same method works on RHEL5 too~

How to turn on query logging for DNS (BIND) on a Linux server?

After starting the BIND DNS service on a Linux server, I noticed that the system log file /var/log/messages only shows the named service's start/stop messages, not any client query logs, which is rather inconvenient during the initial named setup. Fortunately the BIND utilities include a handy tool, rndc, which has many useful functions for fine-grained control of BIND. Here we only test its ability to turn on query logging:

First, the environment here is RHEL5.2 + BIND 9.3.4:
Next, let's see which options rndc offers:
The rest is simple: to turn on query logging, use the following command:
[root@ns1 named]# rndc querylog
Let's look at the system log file:
Client queries are now being recorded.

Next, running the same command once more turns query logging off again:
[root@ns1 named]# rndc querylog
Let's check the system log once more:
Sure enough, logging has stopped~

Configuring a virtual IP across NICs on Solaris 10 with IPMP

In this exercise, a Solaris 10 machine that originally had a single physical IP is changed to two physical IPs plus one shared, outward-facing virtual IP. The resulting layout is shown below. In this exercise we touch roughly the following files: /etc/hosts, /etc/hostname.bge0, /etc/hostname.bge1, /etc/defaultrouter. The names bge0 and bge1 come from the machine used here, a Netra 210, so adjust the interface names to your model.
Original configuration:
bge0: 10.15.25.43

New configuration:
bge0: 10.15.25.31
bge1: 10.15.25.32
Virtual IP: 10.15.25.43
root@KHCFEMS01 # uname -a
SunOS KHCFEMS01 5.10 Generic_137137-09 sun4u sparc SUNW,Netra-210
root@KHCFEMS01 # cat /etc/release
Solaris 10 10/08 s10s_u6wos_07b SPARC
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 27 October 2008
Of course this setup has a few constraints. First, the two NICs must support the same operating mode. Second, all configured IPs must belong to the same subnet, and there must be another host or device in that subnet, usually the gateway (GW), which can be set in defaultrouter. Once configured, the system continuously sends ICMP echo requests to the GW on the same network and expects ICMP echo replies; it also watches whether the NIC shows RUNNING (the flag shown inside <> in ifconfig -a). If both tests pass, the NIC is judged OK; if either fails, the NIC is judged not OK. (We'll confirm this with snoop at the end.)

Now on to the configuration. First edit /etc/hosts:
root@KHCFEMS01 # vi /etc/hosts
#
# Internet host table
#
127.0.0.1 localhost
10.15.25.43 KHCFEMS01 khcfems01 loghost
10.15.25.44 KHCFEMS02 khcfems02
10.15.25.31 KHCFEMS01_bge0 khcfems01_bge0
10.15.25.32 KHCFEMS01_bge1 khcfems01_bge1
10.15.25.33 KHCFEMS02_bge0 khcfems02_bge0
10.15.25.34 KHCFEMS02_bge1 khcfems02_bge1
Next we bring up the bge1 NIC:
1. State before bringing it up:
2. State after bringing it up. Next we edit /etc/hostname.bge0 and /etc/hostname.bge1:
Then edit /etc/defaultrouter and /etc/netmasks. Finally, reboot with init 6~

After the reboot, check the NIC status with ifconfig -a. Then let's look at the packets with snoop:
P.S.1. Notice the part enclosed in <> on the NIC:
UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER
Only with RUNNING present and the GW reachable by ping can the virtual interface be brought up! Also, NOFAILOVER is the current state of the IPMP group.

P.S.2. You can see a new bge0:1 has been brought up, and its outward-facing virtual IP is the 10.15.25.43 we configured~

That's all, end of report!

That's the light... I saw the partial solar eclipse too


Last night the radio said there would be a total solar eclipse this morning, and that it was the best chance this century to watch a partial eclipse. Of course Taiwan couldn't see the full total eclipse, only a partial one, about 87% according to the news. When I arrived at the server room today, everyone was already gathered at the guard room by the entrance watching the live broadcast of the total eclipse from Hangzhou and Wuhan in mainland China. The guard even lent everyone a filter, and sure enough, looking through it outside, "first contact" had already begun, with the sun losing a piece from the upper left...

Near 9:30 I took out my camera to shoot, but the results were a complete failure. Luckily someone else got a successful shot, so I borrowed one to post. It was taken around 9:36 in front of the server room in Gangshan, Kaohsiung, already very close to maximum eclipse. A few minutes later the covered part of the sun began to recover... what puzzles me is why it recovered toward the lower left rather than toward the lower right?

SFTP to a Linux machine fails with the error "Received message too long xxxxxxxx"

Every time I log in to a machine I use SecureCRT to connect, and I also set a login command in SecureCRT that displays the status of the services currently running on the machine. But with so many machines to log in to, I didn't want to update the login command on every PC running SecureCRT whenever something changed, so I got lazy and tried to automate the check by editing /root/.bashrc. In other words, whenever a client connects to the machine through an SSH client, either logging in as root or switching to root, the script defined in /root/.bashrc runs automatically and displays the machine's status~

The /root/.bashrc at the time looked like this:
[root@KHCFTPS01 ~]# cat ~/.bashrc
# .bashrc
# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias vi='vim'
alias ls='ls --color'

TERM=xterm-color; export TERM;
alias grep='grep --color'

# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi

# Pre-health checking #
/etc/init.d/sys_chk.sh;
[root@KHCFTPS01 ~]#
The line /etc/init.d/sys_chk.sh; is the small shell script that checks the system after login; logging in from other machines and switching to root locally both displayed the status check results correctly. That should have been the end of it. I had written this part a few days earlier and it worked fine, but yesterday I suddenly found that SFTP to these machines got no response. At first I suspected the firewall, but after checking, I bypassed the firewall and ran SFTP directly between two machines and saw the following error message:
[root@ns1 ~]# sftp KHCFTPS01
Connecting to KHCFTPS01...
root@KHCFTPS01's password:
Received message too long 1044266528
[root@ns1 ~]#
Yet SSH could still log in normally. Only then did I remember that a few days earlier I had added the automatic status-check script on these machines; could that thing be the culprit?? So I went back to the machine, edited /root/.bashrc to comment out the automatic check, and tested SFTP from ns1 to our FTP machine again. This time the login succeeded. So the cause really was /etc/init.d/sys_chk.sh doing too much and dumping too much output to the screen... heh. Now that I knew where the problem was, if the mountain won't move, the road moves, and if the road won't move, I'll move myself... Back in /root/.bashrc: remember that in "How to make your Linux more colorful" we talked about using aliases to save time by turning long command strings into short, easy-to-type ones. Here we use the same approach to assign /etc/init.d/sys_chk.sh to the short string sck (sck is just an abbreviation I like; change it to your own taste). The modified /root/.bashrc looks like this:
[root@KHCFTPS01 ~]# cat ~/.bashrc
# .bashrc
# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias vi='vim'
alias ls='ls --color'
alias sck='/etc/init.d/sys_chk.sh'

TERM=xterm-color; export TERM;
alias grep='grep --color'

# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi

# Pre-health checking #
sck;
[root@KHCFTPS01 ~]#
Trying SFTP again, the "Received message too long 1044266528" problem no longer appears~ And when idle you can type sck at any time (as mentioned, sck is just an abbreviation I like; change it to your taste) to run a machine status check. Life is in color again~
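An added example (shell, not from the original post) that decodes the number in the error message and shows the interactive-shell guard the original .bashrc was missing. The SFTP framing it relies on is the real protocol; sys_chk.sh is the page's script, while decode_sftp_len, is_interactive and health_check_guard are hypothetical helper names.

```sh
# decode_sftp_len N: print the four bytes of the 32-bit value N as characters,
# most significant byte first (the order in which the SFTP client read them).
# The SFTP client treats the first four bytes from the server as a packet
# length; stray shell output lands there, so N is that output's first 4 bytes.
decode_sftp_len() {
  n=$1
  out=""
  for off in 24 16 8 0; do
    b=$(( (n >> off) & 255 ))
    # Build an octal escape such as \076 and let printf emit the character.
    out="$out$(printf "\\$(printf '%03o' "$b")")"
  done
  printf '%s' "$out"
}

# is_interactive: succeeds only in an interactive shell ($- contains "i").
# sshd starts sftp-server through a NON-interactive login shell, and bash on
# RHEL still reads ~/.bashrc in that case, which is how sys_chk.sh got to run.
is_interactive() {
  case $- in
    *i*) return 0 ;;
    *)   return 1 ;;
  esac
}

# health_check_guard CMD [ARGS]: run the status script only for interactive
# shells so that SFTP and SCP sessions never receive its output on stdout.
# Usage in ~/.bashrc:  health_check_guard /etc/init.d/sys_chk.sh
health_check_guard() {
  if is_interactive; then
    "$@"
  fi
}

# Why the alias workaround on the page also works: a non-interactive bash does
# not expand aliases, so "sck;" fails with "command not found" on stderr, and
# stderr is not part of the SFTP data stream (stdout).

# The value from the post decodes to ">>> ", the first four bytes the client
# received from the login shell instead of an SFTP packet.
decode_sftp_len 1044266528
echo
```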

Receiving syslog from Linux with Tftpd32

To verify that a machine can send system log messages to a designated EMS server, I first had to run a syslog server on my own PC to receive them. Sticking to my habit of using portable software, I recommend the Tftpd32 introduced in the previous post as the syslog server; have a look if you're interested (home page here). The agent machine being tested today runs RHEL ES5.2, which already has a syslog daemon (the service is named syslog, not syslogd; you'll need that when restarting the service later), so no extra agent program needs to be installed.

We're about to edit the main file /etc/syslog.conf, so first let's lay out its basic format:
Each line in /etc/syslog.conf consists of two parts, a "SELECTOR" and an "ACTION". Together the line means: when an event matching "SELECTOR" occurs, record it in the manner specified by "ACTION".

The "SELECTOR" is made up of facility.priority, where priority is the priority level of the event. There are eight levels, from lowest to highest:
debug --> info --> notice --> warn (=warning) --> err (=error) --> crit --> alert --> emerg --> panic (=emerg)。
A Facility is the keyword in syslog.conf that describes the subsystem producing the event. All of this is covered in the syslog.conf documentation; see "man syslog.conf" for details. The facilities built into UNIX systems basically include auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp, local0 ~ local7, and so on. Which programs each facility stands for varies somewhat between UNIX flavors, but only slightly. The meaning of each facility:
* auth, authpriv: authentication-related subsystems, such as login, su and other services that verify credentials
* uucp: the UUCP system
* daemon: the various daemons
* kern: the kernel
* lpr: the printing subsystem
* mail: the mail system
* news: the newsgroup system
* syslog: syslogd itself
* user: ordinary user processes
* local0 ~ local7: reserved for site-specific use
So next we edit /etc/syslog.conf; for this test we add just one new line, as follows:
[root@KHCDNSS01 named]# vi /etc/syslog.conf
kern.*;daemon.warn;auth,authpriv.notice;cron.err @10.19.0.194
Here I send out all kernel messages, daemon messages at Warning level and above, authentication messages at Notice and above, and cron job messages at Error and above. The @10.19.0.194 means the messages matched by the preceding selector are forwarded to the remote syslog server (IP address: 10.19.0.194), that is, the PC running Tftpd32~
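An added example, not from the original post: a POSIX sh matcher for the selector field described above, using the page's facility names and priority order, so you can check which messages a line like the one just added will forward before restarting syslogd. The function names are my own; the "=" and "!" priority modifiers of Linux sysklogd are deliberately not handled.

```sh
# prio_rank NAME: print the priority's rank (debug = 0 ... emerg = 7), or -1
# for an unknown name. Aliases follow the list given on the page.
prio_rank() {
  case $1 in
    debug)        echo 0 ;;
    info)         echo 1 ;;
    notice)       echo 2 ;;
    warn|warning) echo 3 ;;
    err|error)    echo 4 ;;
    crit)         echo 5 ;;
    alert)        echo 6 ;;
    emerg|panic)  echo 7 ;;
    *)            echo -1 ;;
  esac
}

# selector_matches SELECTOR FACILITY PRIORITY
# Exit 0 when a message tagged FACILITY.PRIORITY is handled by a syslog.conf
# line whose selector field is SELECTOR, 1 when it is not, 2 for an unknown
# priority. Pieces separated by ';' apply left to right; a later piece naming
# the same facility overrides an earlier one, "none" switches the facility
# off, and "*" stands for every facility or every priority.
selector_matches() {
  sel=$1
  fac=$2
  rank=$(prio_rank "$3")
  [ "$rank" -ge 0 ] || return 2
  matched=1
  saved_ifs=$IFS
  set -f                      # keep "*" from being expanded as a glob
  IFS=';'
  set -- $sel                 # one argument per "facility[,facility].priority"
  IFS=$saved_ifs
  for piece in "$@"; do
    facs=${piece%.*}          # text before the last '.'
    lvl=${piece##*.}          # priority after the last '.'
    hit=1
    IFS=','
    for f in $facs; do
      if [ "$f" = '*' ] || [ "$f" = "$fac" ]; then hit=0; fi
    done
    IFS=$saved_ifs
    [ "$hit" -eq 0 ] || continue
    case $lvl in
      '*')  matched=0 ;;
      none) matched=1 ;;
      *)    lrank=$(prio_rank "$lvl")
            if [ "$lrank" -ge 0 ] && [ "$rank" -ge "$lrank" ]; then
              matched=0
            else
              matched=1
            fi ;;
    esac
  done
  set +f
  return "$matched"
}

# The selector from the line added on the page. Checked against what the
# page observes later: the failed-login message was forwarded with
# auth,authpriv.notice, while the successful login and the logout only
# showed up once the selector was lowered to .info.
PAGE_SELECTOR='kern.*;daemon.warn;auth,authpriv.notice;cron.err'

for probe in "kern debug" "daemon notice" "daemon warning" "auth info" \
             "auth notice" "cron warning" "mail emerg"; do
  set -- $probe
  if selector_matches "$PAGE_SELECTOR" "$1" "$2"; then
    echo "$1.$2: forwarded"
  else
    echo "$1.$2: dropped"
  fi
done
```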

P.S. Another application: if the remote machine receiving the syslog also runs a Linux server, one more step is needed on that remote machine:
Edit /etc/sysconfig/syslog, change SYSLOGD_OPTIONS="-m 0" to SYSLOGD_OPTIONS="-m 0 -r" (adding the -r remote option), save, and restart the syslog service.
[root@KHCDNSS01 named]# vi /etc/syslog.conf
kern.*;daemon.warn;auth,authpriv.notice;cron.err @10.19.0.194
[root@KHCDNSS01 named]# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
[root@KHCDNSS01 named]# service syslog status
syslogd (pid 15144) is running...
klogd (pid 15147) is running...
So on the syslog server (the machine running Tftpd32) we receive the kernel syslog messages generated by the syslog daemon restart on the test machine, as shown in the figure below:

Let's try the kernel syslog again. This time we take one of the two NICs and restart it to see what happens. (P.S. The two NICs here are channel bonded, so I can bring one of them down freely; if your environment isn't set up this way, don't play with the NICs or you may lock yourself out.)
[root@KHCDNSS01 named]# ifconfig eth1 down; ifconfig eth1 up;
Likewise, the syslog server receives the kernel information syslog from the test machine after eth1 went down and came back up, as shown in the figure below:

Next, another small test: generate a daemon warning syslog on the test machine. Here we use snmpd as the example:
[root@KHCDNSS01 named]# service dhcpd restart
Stopping dhcpd: [ OK ]
Starting dhcpd: [ OK ]
Back on the syslog server, we receive the dhcpd daemon warning syslog sent when dhcpd was brought up again after the restart on the test machine, as shown in the figure below:

Next we test the syslog for login authentication. First we test the auth,authpriv.notice; setting: from another machine we try to log in to the test machine, deliberately type the wrong password the first time, then the correct password the second time, and log out of the test machine with exit. On the syslog server we find that only the auth,authpriv notice syslog about a user failing to log in from a certain machine is received; nothing is sent for the correct-password login and the logout, as shown in the figure below:

[root@KHCBKPS01 ~]# ssh 10.15.25.13
root@10.15.25.13's password:
Permission denied, please try again.
root@10.15.25.13's password:
Last login: Thu Jun 4 18:54:37 2009 from 10.15.25.51
[root@KHCDNSS01 named]# exit
logout

Connection to 10.15.25.13 closed.
[root@KHCBKPS01 ~]#
Then we test the auth,authpriv.info; setting: from another machine we try to log in to the test machine, repeating the previous steps. This time the syslog server receives the auth,authpriv info syslog messages about the user failing to log in from a certain machine, then logging in correctly and logging out, as shown in the figure below:

[root@KHCBKPS01 ~]# ssh 10.15.25.13
root@10.15.25.13's password:
Permission denied, please try again.
root@10.15.25.13's password:
Last login: Thu Jun 4 18:56:44 2009 from 10.15.25.51
[root@KHCDNSS01 named]# exit
logout

Connection to 10.15.25.13 closed.
[root@KHCBKPS01 ~]#
These are just some simple usage examples; the actual combinations are up to your own needs~

Updating the firmware of a D-Link DES-3828 with Tftpd32

To add cross-VLAN DHCP relay to the D-Link DES-3828DC switch on hand, the firmware had to be updated from 4.50.B12 to 4.50.B16. The update method is to put the new firmware image on a tftp server and then load it onto the D-Link~ Sticking to my habit of using portable software, I recommend Tftpd32 as the tftp server; have a look if you're interested (home page here), or download the Tftpd32 v3.3 English portable version directly.

First connect the PC by network cable to the D-Link whose firmware is to be updated, then simply run Tftpd32. Put the new firmware image file in any directory on the tftp server, i.e. that PC (C:\ is used as the example here), then click Browse next to Current Directory in the tftp field and select that directory, C:\. Next, telnet or connect directly via the console to the D-Link. After logging in (the D-Link DES-3828DC has no account or password initially; just press Enter to log in, and remember to set a new account and password) you can see that the current firmware version is Build 4.50.B12.

Then type the following command:
download firmware_fromTFTP 10.255.251.252 des3828r4_4.50.b16.had
where 10.255.251.252 is the IP address of my PC, i.e. the Tftpd server, and des3828r4_4.50.b16.had is the new firmware file~

At this point Tftpd32 on the PC should show the transfer progress:

When it finishes, the result on the D-Link is as follows (afterwards, issue the reboot command to restart the D-Link switch~):
DES-3800:admin# download firmware_fromTFTP 10.255.251.252 des3828r4_4.50.b16.had
Command: download firmware_fromTFTP 10.255.251.252 des3828r4_4.50.b16.had

Connecting to server................... Done.
Download firmware...................... Done. Do not power off!
Please wait, programming flash......... Done.

DES-3800:admin#reboot
Command: reboot

Are you sure to proceed with the system reboot?(y/n)
Please wait, the switch is rebooting...
After the reboot completes you should see the following (successfully updated to Build 4.50.B16~):
DES-3828DC Fast Ethernet Switch Command Line Interface

Firmware: Build 4.50.B16
Copyright(c) 2008 D-Link Corporation. All rights reserved.
UserName:Admin
PassWord:********

DES-3800:admin#show switch
Command: show switch

Device Type : DES-3828DC Fast-Ethernet Switch
Combo Port Type : 1000Base-T + 1000Base-T
MAC Address : 00-22-B0-3A-3F-00
IP Address : 10.255.251.253 (Manual)
VLAN Name : default
Subnet Mask : 255.255.255.248
Default Gateway : 10.255.251.254
Boot PROM Version : Build 0.00.010
Firmware Version : Build 4.50.B16
Hardware Version : A2
Serial Number : P19B18B000076
System Name :
System Location :
System Contact :
Spanning Tree : Disabled
GVRP : Disabled
IGMP Snooping : Disabled
MLD Snooping : Disabled
TELNET : Enabled (TCP 23)
SSH : Disabled
WEB : Enabled (TCP 80)
RMON : Disabled
RIP : Disabled
DVMRP : Disabled
PIM : Disabled
OSPF : Disabled
SNMP : Disabled

DES-3800:admin#

Linux Channel Bonding -- combining NICs in practice

I've been meaning to finish this post but couldn't find the time. As it happens I have a machine that needs channel bonding, so I'm doing it and posting it here to share. Simply put, Linux allows several network interfaces to be tied into a single channel using a kernel module called "bonding" and a channel bonding interface. You can bond two or more NICs into one; in short, it increases bandwidth and provides redundancy~

Channel bonding is actually simple: edit a few files and restart the network. Here the environment is a RHEL5 ES machine on which eth0 and eth1 are to be made into bond0, so we need to edit the following files:
[root@KHCDNSS01 ~]# vi /etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
NETWORK=10.15.25.0
NETMASK=255.255.255.0
IPADDR=10.15.25.13
USERCTL=no
P.S. The 0 in bond0 depends on your needs; it can be 1, 2, 3... whatever you like.

Next edit the NIC interfaces to be bonded. Here eth0 and eth1 are to be bonded, so we edit these two files:
[root@KHCDNSS01 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
# Broadcom Corporation NetXtreme II BCM5708 Gigabit Ethernet
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:22:19:50:BC:7E
ONBOOT=yes
MASTER=bond0
SLAVE=yes

USERCTL=no
[root@KHCDNSS01 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth1
# Broadcom Corporation NetXtreme II BCM5708 Gigabit Ethernet
DEVICE=eth1
BOOTPROTO=none
HWADDR=00:22:19:50:BC:80
ONBOOT=yes
MASTER=bond0
SLAVE=yes

USERCTL=no
[root@KHCDNSS01 ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=KHCDNSS01
GATEWAY=10.15.25.254
Then edit /etc/modprobe.conf (on RHEL3 this file is /etc/modules.conf; on RHEL4 and later it is /etc/modprobe.conf):
[root@KHCDNSS01 ~]# vi /etc/modprobe.conf
alias eth0 bnx2
alias eth1 bnx2
alias scsi_hostadapter megaraid_sas
alias scsi_hostadapter1 ata_piix
alias bond0 bonding
options bond0 miimon=100
P.S. Note: if you want to bond more than two NICs, the options line needs one more option, max_bonds=3, which means bonding three NICs into one channel... like this:
options bond0 miimon=100 max_bonds=3
Now all that's left is to restart the network. Before that, let's look at the current network status:
[root@KHCDNSS01 ~]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:22:19:50:BC:7E
inet addr:10.15.25.13 Bcast:10.15.25.255 Mask:255.255.255.0
inet6 addr: fe80::222:19ff:fe50:bc7e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:48374222 errors:0 dropped:0 overruns:0 frame:0
TX packets:4928117 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3254586862 (3.0 GiB) TX bytes:561588414 (535.5 MiB)
Interrupt:169 Memory:f8000000-f8012100

eth1 Link encap:Ethernet HWaddr 00:22:19:50:BC:80
inet6 addr: fe80::222:19ff:fe50:bc80/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:128 (128.0 b) TX bytes:3354 (3.2 KiB)
Interrupt:169 Memory:f4000000-f4012100

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:27284 errors:0 dropped:0 overruns:0 frame:0
TX packets:27284 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:19766775 (18.8 MiB) TX bytes:19766775 (18.8 MiB)

sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Now let's restart the network:
[root@KHCDNSS01 ~]# service network restart
Shutting down interface eth0: /etc/sysconfig/network-scripts/ifdown-eth: line 101: /sys/class/net/bond0/bonding/slaves: No such file or directory
[ OK ]
Shutting down interface eth1: /etc/sysconfig/network-scripts/ifdown-eth: line 101: /sys/class/net/bond0/bonding/slaves: No such file or directory
[ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface bond0: [ OK ]
[root@KHCDNSS01 ~]#
These error messages on the first network restart right after configuring channel bonding are normal; they won't appear on the next restart... Let's look at the bonding status first:
[root@KHCDNSS01 ~]# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:22:19:50:bc:7e

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:22:19:50:bc:80
Let's also check the state of the NICs:
[root@KHCDNSS01 ~]# mii-tool -v
eth0: negotiated 100baseTx-FD, link ok
product info: vendor 00:08:18, model 54 rev 6
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
eth1: negotiated 100baseTx-FD, link ok
product info: vendor 00:08:18, model 54 rev 6
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
[root@KHCDNSS01 ~]# ethtool eth0
Settings for eth0:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: g
Wake-on: d
Link detected: yes
[root@KHCDNSS01 ~]# ethtool eth1
Settings for eth1:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: g
Wake-on: d
Link detected: yes
[root@KHCDNSS01 ~]#
Now let's see the NICs' current IPs: is there an extra bond0 interface?
[root@KHCDNSS01 ~]# ifconfig -a
bond0 Link encap:Ethernet HWaddr 00:22:19:50:BC:7E
inet addr:10.15.25.13 Bcast:10.15.25.255 Mask:255.255.255.0
inet6 addr: fe80::222:19ff:fe50:bc7e/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:42 errors:0 dropped:0 overruns:0 frame:0
TX packets:76 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8088 (7.8 KiB) TX bytes:20800 (20.3 KiB)

eth0 Link encap:Ethernet HWaddr 00:22:19:50:BC:7E
inet6 addr: fe80::222:19ff:fe50:bc7e/64 Scope:Link
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:23 errors:0 dropped:0 overruns:0 frame:0
TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4548 (4.4 KiB) TX bytes:10601 (10.3 KiB)
Interrupt:169 Memory:f8000000-f8012100

eth1 Link encap:Ethernet HWaddr 00:22:19:50:BC:7E
inet6 addr: fe80::222:19ff:fe50:bc7e/64 Scope:Link
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:19 errors:0 dropped:0 overruns:0 frame:0
TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3540 (3.4 KiB) TX bytes:10199 (9.9 KiB)
Interrupt:169 Memory:f4000000-f4012100

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:27284 errors:0 dropped:0 overruns:0 frame:0
TX packets:27284 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:19766775 (18.8 MiB) TX bytes:19766775 (18.8 MiB)

sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
[root@KHCDNSS01 ~]#
Next a small experiment: unplug and re-plug the eth0 and eth1 cables a few times. I found that each unplug/re-plug loses roughly one packet, so five unplugs of each of the two cables lost 10 packets in total, but the session did not drop:
[root@KHCDNSS01 ~]# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 5
Permanent HW addr: 00:22:19:50:bc:7e

Slave Interface: eth1
MII Status: up
Link Failure Count: 5
Permanent HW addr: 00:22:19:50:bc:80
[root@KHCDNSS01 ~]#
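An added example, not part of the original post: a small POSIX sh parser for /proc/net/bonding/bond0 that reports the bonding mode and flags slaves that are down or have accumulated link failures, the kind of check a monitoring job would run after the cable test above. The sample file is constructed from the output above (with eth1 marked down to show the failing case); the function names are my own.

```sh
# bond_mode FILE: print the "Bonding Mode" value from a bonding status file.
bond_mode() {
  sed -n 's/^Bonding Mode: //p' "$1"
}

# bond_failures FILE: print the sum of "Link Failure Count" over all slaves.
bond_failures() {
  total=0
  while IFS= read -r line; do
    case $line in
      "Link Failure Count: "*) total=$(( total + ${line#Link Failure Count: } )) ;;
    esac
  done < "$1"
  echo "$total"
}

# bond_slave_report FILE: one line per slave, "IFACE MII_STATUS FAILURES".
# The first "MII Status" line belongs to the bond itself and is skipped
# because no slave has been seen yet.
bond_slave_report() {
  awk '
    /^Slave Interface:/            { iface = $3 }
    /^MII Status:/ && iface        { status = $3 }
    /^Link Failure Count:/ && iface { print iface, status, $4; iface = "" }
  ' "$1"
}

# bond_check FILE: exit 0 when every slave is up with zero failures;
# otherwise print the offending slaves and exit 1.
bond_check() {
  bad=$(bond_slave_report "$1" | awk '$2 != "up" || $3 != 0')
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# Constructed sample, shaped like the page's /proc/net/bonding/bond0 output
# after the cable test, with eth1 additionally marked down.
SAMPLE=${TMPDIR:-/tmp}/bond0.sample.$$
HEALTHY=${TMPDIR:-/tmp}/bond0.healthy.$$
trap 'rm -f "$SAMPLE" "$HEALTHY"' EXIT
cat > "$SAMPLE" <<'EOF'
Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 5
Permanent HW addr: 00:22:19:50:bc:7e

Slave Interface: eth1
MII Status: down
Link Failure Count: 5
Permanent HW addr: 00:22:19:50:bc:80
EOF

# A healthy variant of the same file for contrast: both slaves up, no failures.
sed -e 's/^Link Failure Count: .*/Link Failure Count: 0/' \
    -e 's/^MII Status: down$/MII Status: up/' "$SAMPLE" > "$HEALTHY"

echo "mode: $(bond_mode "$SAMPLE")"
echo "total link failures: $(bond_failures "$SAMPLE")"
bond_check "$SAMPLE" || echo "bond0 needs attention"
bond_check "$HEALTHY" && echo "healthy bond passes"
```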
That's all, end of report~

The ZURICH Z-1000 GPS NTP server has finally arrived...

The GPS NTP server we had been waiting for has finally arrived. After mounting it and cabling it up, of course I had to log in and have a look. For the first connection I simply plugged a PC directly into it, opened a browser and typed http://192.168.0.100 in the address bar to reach the Z-1000's built-in web server...

First, the Z-1000 login screen:
After entering the account and password you are logged in to the Z-1000 and land on the Status screen (the number of synchronized satellites is shown at the lower right):
Below is the Config section:
Next, the Admin screen:
Finally, the Log screen:

That's it for now~

How to capture network packets on Linux and Solaris?

I wrote earlier about running Ethereal on a Linux machine to capture packets, but Ethereal has since moved on to Wireshark, so I'm recording the handy commands here as a reference, along with a few other useful packet capture commands:

First, Wireshark. Since the machines mostly run at run level 3, I'll stick to the command line. Let's first look at tshark's usage:
Usage: tshark [options] ...

Capture interface:
-i (interface) name or idx of interface (def: first non-loopback)
-f (capture) packet filter in libpcap filter syntax
-s (snaplen) packet snapshot length (def: 65535)
-p don't capture in promiscuous mode
-y (link) link layer type (def: first appropriate)
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit

Capture stop conditions:
-c (packet) stop after n packets (def: infinite)
-a (autostop) ... duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
Capture output:
-b (ringbuffer) ... duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
Input file:
-r (infile) set the filename to read from (no pipes or stdin!)

Processing:
-R (read) packet filter in Wireshark display filter syntax
-n disable all name resolutions (def: all enabled)
-N (name) enable specific name resolution(s): "mntC"
-d (layer_type)==(selector),(decode_as_protocol) ...
"Decode As", see the man page for details
Example: tcp.port==8888,http
Output:
-w (outfile|-) set the output filename (or '-' for stdout)
-F (output) set the output file type, default is libpcap
an empty "-F" option will list the file types
-V add output of packet tree (Packet Details)
-S display packets even when writing to a file
-x add output of hex and ASCII dump (Packet Bytes)
-T pdml|ps|psml|text|fields
format of text output (def: text)
-e (field) field to print if -Tfields selected (e.g. tcp.port);
this option can be repeated to print multiple fields
-E(fieldsoption)=(value) set options for output when -Tfields selected:
header=y|n switch headers on and off
separator=/t|/s|(char) select tab, space, printable character as separator
quote=d|s|n select double, single, no quotes for values
-t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)
-l flush standard output after each packet
-q be more quiet on stdout (e.g. when using statistics)
-X (key):(value) eXtension options, see the man page for details
-z (statistics) various statistics, see the man page for details

Miscellaneous:
-h display this help and exit
-v display version info and exit
-o (name):(value) ... override preference setting
That's quite a few parameters, but normally we don't need that many; I'll demonstrate with the simplest examples:

The following example shows the most common use: capture packets on eth0 and write them to /tmp/test.cap:
[root@KHCDNSS01 ~]# tshark -i eth0 -w /tmp/test.cap
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
145
[root@KHCDNSS01 ~]#
To read the .cap file, use the -r option, or copy the file down and open it with Wireshark on your own PC. But sometimes you urgently need to inspect the captured packets on the machine itself; in that case use -S, which prints the results on screen while saving them to the file:
[root@KHCDNSS01 ~]# tshark -i eth0 -w /tmp/test.log -S
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
0.000000 IntelCor_11:57:ec -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.013780 IntelCor_0c:9c:e3 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.019267 IntelCor_0c:5e:84 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.026100 IntelCor_0c:a2:40 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.106711 IntelCor_11:57:ec -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.125997 IntelCor_0c:5e:84 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.149380 10.255.131.253 -> 10.15.25.13 NTP NTP client
0.149424 10.15.25.13 -> 10.255.131.253 NTP NTP server
0.213424 IntelCor_11:57:ec -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.232625 IntelCor_0c:5e:84 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.321434 IntelCor_11:57:ec -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.340753 IntelCor_0c:5e:84 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.428148 IntelCor_11:57:ec -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.447482 IntelCor_0c:5e:84 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
14 packets captured
[root@KHCDNSS01 ~]#
But packets shown like this are hard to match against the clock, aren't they? Let's change formation and prefix each packet with a timestamp, which makes them easier to review:
[root@KHCDNSS01 ~]# tshark -i eth1 -ta -w /tmp/test.log -S
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
22:52:38.637125 SunMicro_9b:ab:99 -> Broadcast ARP Who has 172.24.132.9? Tell 172.24.132.5
22:52:38.637154 SunMicro_9b:ab:99 -> Broadcast ARP Who has 172.24.132.7? Tell 172.24.132.5
22:52:38.642615 SunMicro_d0:3e:07 -> Broadcast ARP Who has 172.24.4.8? Tell 172.24.4.9
22:52:38.645906 SunMicro_1a:4e:3b -> Broadcast ARP Who has 172.24.4.87? Tell 172.24.4.84
22:52:38.646316 SunMicro_1a:b6:37 -> Broadcast ARP Who has 172.24.4.87? Tell 172.24.4.86
22:52:38.650723 172.24.128.202 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34734
22:52:38.657893 172.24.4.7 -> 172.24.4.44 TCP 706 > login [ACK] Seq=0 Ack=0 Win=24820 Len=0
22:52:38.657904 172.24.4.44 -> 172.24.4.7 Rlogin Data: Capturing on eth0\r\n22:52:38.637125 SunMicro_9b:ab:99 -> Broadcast ARP Who has 172.24.132.9? Tell 172.24.132.5\r\n22:52:38.6371
22:52:38.672427 172.24.128.202 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34732
Here is another time format, the one I prefer:
[root@KHCDNSS01 ~]# tshark -i eth1 -tad -w /tmp/test.log -S
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
2009-04-26 22:57:47.071895 172.24.128.202 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34732
2009-04-26 22:57:47.073645 172.24.128.202 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34734
2009-04-26 22:57:47.089852 172.24.4.7 -> 172.24.4.44 TCP 706 > login [ACK] Seq=0 Ack=0 Win=24820 Len=0
2009-04-26 22:57:47.089863 172.24.4.44 -> 172.24.4.7 Rlogin Data: Capturing on eth0\r\n2009-04-26 22:57:47.071895 172.24.128.202 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34732\r\n200
2009-04-26 22:57:47.098563 SunMicro_9b:ad:c9 -> Broadcast ARP Who has 172.24.132.9? Tell 172.24.132.2
2009-04-26 22:57:47.098599 SunMicro_9b:ad:c9 -> Broadcast ARP Who has 172.24.132.7? Tell 172.24.132.2
2009-04-26 22:57:47.116810 172.24.128.202 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34732
2009-04-26 22:57:47.137607 172.24.4.14 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34730
2009-04-26 22:57:47.138241 172.24.4.28 -> 172.24.4.44 UDP Source port: 3030 Destination port: 34726
But now the packet information is too terse and hard to get used to, isn't it? Let's change formation once more; this should be even easier to review: (-V shows the packet details, and -x dumps the output in hex and ASCII; much clearer now, isn't it?)
[root@KHCDNSS01 ~]# tshark -i eth0 -Vta -x
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
Frame 1 (104 bytes on wire, 104 bytes captured)
Arrival Time: Apr 26, 2009 18:56:34.406686000
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 104 bytes
Capture Length: 104 bytes
[Frame is marked: False]
[Protocols in frame: eth:llc:data]
IEEE 802.3 Ethernet
Destination: UscInfor_00:00:00 (01:00:5e:00:00:00)
Address: UscInfor_00:00:00 (01:00:5e:00:00:00)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: IntelCor_11:57:ec (00:1c:c0:11:57:ec)
Address: IntelCor_11:57:ec (00:1c:c0:11:57:ec)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Length: 90
Logical-Link Control
DSAP: SNAP (0xaa)
IG Bit: Individual
SSAP: SNAP (0xaa)
CR Bit: Command
Control field: U, func=UI (0x03)
000. 00.. = Command: Unnumbered Information (0x00)
.... ..11 = Frame type: Unnumbered frame (0x03)
Organization Code: Unknown (0x020000)
Protocol ID: 0x0001
Data (82 bytes)
Data: 01011201020000635FFE001CC01157EC01800319112A0000...

0000 01 00 5e 00 00 00 00 1c c0 11 57 ec 00 5a aa aa ..^.......W..Z..
0010 03 02 00 00 00 01 01 01 12 01 02 00 00 63 5f fe .............c_.
0020 00 1c c0 11 57 ec 01 80 03 19 11 2a 00 00 00 00 ....W......*....
0030 00 00 00 00 00 05 0f 49 6e 74 65 72 4e 45 54 2d .......InterNET-
0040 50 72 69 2d 42 6b 00 00 00 1c c0 0c a2 40 00 00 Pri-Bk.......@..
0050 00 00 00 00 00 0c 11 86 f9 ba 00 07 29 5e 4f 88 ............)^O.
0060 4c c8 04 85 e2 ff c3 f9 L.......

Frame 2 (104 bytes on wire, 104 bytes captured)
Arrival Time: Apr 26, 2009 18:56:34.427783000
[Time delta from previous captured frame: 0.021097000 seconds]
[Time delta from previous displayed frame: 0.021097000 seconds]
[Time since reference or first frame: 0.021097000 seconds]
Frame Number: 2
Frame Length: 104 bytes
Capture Length: 104 bytes
[Frame is marked: False]
[Protocols in frame: eth:llc:data]
IEEE 802.3 Ethernet
Destination: UscInfor_00:00:00 (01:00:5e:00:00:00)
Address: UscInfor_00:00:00 (01:00:5e:00:00:00)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: IntelCor_0c:5e:84 (00:1c:c0:0c:5e:84)
Address: IntelCor_0c:5e:84 (00:1c:c0:0c:5e:84)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Length: 90
Logical-Link Control
DSAP: SNAP (0xaa)
IG Bit: Individual
SSAP: SNAP (0xaa)
CR Bit: Command
Control field: U, func=UI (0x03)
000. 00.. = Command: Unnumbered Information (0x00)
.... ..11 = Frame type: Unnumbered frame (0x03)
Organization Code: Unknown (0x020000)
Protocol ID: 0x0001
Data (82 bytes)
Data: 01011001020000DC8C04001CC00C5E84017F0318112A0000...

0000 01 00 5e 00 00 00 00 1c c0 0c 5e 84 00 5a aa aa ..^.......^..Z..
0010 03 02 00 00 00 01 01 01 10 01 02 00 00 dc 8c 04 ................
0020 00 1c c0 0c 5e 84 01 7f 03 18 11 2a 00 00 00 01 ....^......*....
0030 00 01 00 00 00 07 0d 41 53 4e 2d 53 65 63 2d 42 .......ASN-Sec-B
0040 72 69 63 6b 00 00 00 00 00 1c c0 0c 9c e3 00 00 rick............
0050 00 00 00 00 00 0c 11 86 f9 bb 00 05 e3 0c 4e a3 ..............N.
0060 fd 42 49 17 bb 9e bd 64 .BI....d

Frame 3 (90 bytes on wire, 90 bytes captured)
Arrival Time: Apr 26, 2009 18:56:34.444956000
[Time delta from previous captured frame: 0.017173000 seconds]
[Time delta from previous displayed frame: 0.017173000 seconds]
[Time since reference or first frame: 0.038270000 seconds]
Frame Number: 3
Frame Length: 90 bytes
Capture Length: 90 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:ntp]
Ethernet II, Src: 02:00:00:dc:8c:04 (02:00:00:dc:8c:04), Dst: 00:22:19:50:bc:7e (00:22:19:50:bc:7e)
Destination: 00:22:19:50:bc:7e (00:22:19:50:bc:7e)
Address: 00:22:19:50:bc:7e (00:22:19:50:bc:7e)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 02:00:00:dc:8c:04 (02:00:00:dc:8c:04)
Address: 02:00:00:dc:8c:04 (02:00:00:dc:8c:04)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.255.131.253 (10.255.131.253), Dst: 10.15.25.13 (10.15.25.13)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 76
Identification: 0x284a (10314)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 27
Protocol: UDP (0x11)
Header checksum: 0xc53f [correct]
[Good: True]
[Bad : False]
Source: 10.255.131.253 (10.255.131.253)
Destination: 10.15.25.13 (10.15.25.13)
User Datagram Protocol, Src Port: ntp (123), Dst Port: ntp (123)
Source port: ntp (123)
Destination port: ntp (123)
Length: 56
Checksum: 0x4170 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Network Time Protocol
Flags: 0x0b
00.. .... = Leap Indicator: no warning (0)
..00 1... = Version number: reserved (1)
.... .011 = Mode: client (3)
Peer Clock Stratum: unspecified or unavailable (0)
Peer Polling Interval: invalid (0)
Peer Clock Precision: 1.000000 sec
Root Delay: 0.0000 sec
Root Dispersion: 0.0000 sec
Reference Clock ID: NULL
Reference Clock Update Time: NULL
Originate Time Stamp: NULL
Receive Time Stamp: NULL
Transmit Time Stamp: NULL

0000 00 22 19 50 bc 7e 02 00 00 dc 8c 04 08 00 45 00 .".P.~........E.
0010 00 4c 28 4a 00 00 1b 11 c5 3f 0a ff 83 fd 0a 0f .L(J.....?......
0020 19 0d 00 7b 00 7b 00 38 41 70 0b 00 00 00 00 00 ...{.{.8Ap......
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 00 00 00 00 00 00 00 00 ..........
By the way, one more note: while you are capturing packets, /var/log/messages will often fill up with messages like the following:
kernel: device eth0 entered promiscuous mode
kernel: device eth0 left promiscuous mode
This means your NIC is in "promiscuous mode": every packet on the same broadcast segment gets captured. If your LAN is wired through a hub, the traffic of the whole LAN is captured; if it is wired through a switch, you generally only see your own packets plus broadcasts.

If you do not want to see these messages in /var/log/messages any more, just add the -p option and you are done...

Of course, if you also want a filter, just set it to whatever condition you want to match. For example, say I only want to capture RTSP packets:
[root@KHCDNSS01 ~]# tshark -i eth1 -Vtad -x -p port rtsp
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
Frame 1 (74 bytes on wire, 74 bytes captured)
Arrival Time: Apr 26, 2009 23:39:12.773857000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 74 bytes
Capture Length: 74 bytes
Protocols in frame: eth:ip:tcp
Ethernet II, Src: 00:15:60:a3:f4:67, Dst: 00:15:60:a3:f8:e5
Destination: 00:15:60:a3:f8:e5 (00:15:60:a3:f8:e5)
Source: 00:15:60:a3:f4:67 (00:15:60:a3:f4:67)
Type: IP (0x0800)
Internet Protocol, Src Addr: 172.24.4.44 (172.24.4.44), Dst Addr: 172.24.4.14 (172.24.4.14)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 60
Identification: 0x03e6 (998)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0xd66b (correct)
Source: 172.24.4.44 (172.24.4.44)
Destination: 172.24.4.14 (172.24.4.14)
Transmission Control Protocol, Src Port: 57606 (57606), Dst Port: rtsp (554), Seq: 0, Ack: 0, Len: 0
Source port: 57606 (57606)
Destination port: rtsp (554)
Sequence number: 0 (relative sequence number)
Header length: 40 bytes
Flags: 0x0002 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 5792
Checksum: 0x57d2 (correct)
Options: (20 bytes)
Maximum segment size: 1460 bytes
SACK permitted
Time stamp: tsval 2080473562, tsecr 2080479415
NOP
Window scale: 0 (multiply by 1)

0000 00 15 60 a3 f8 e5 00 15 60 a3 f4 67 08 00 45 00 ..`.....`..g..E.
0010 00 3c 03 e6 40 00 40 06 d6 6b ac 18 04 2c ac 18 .(..@.@..k...,..
0020 04 0e e1 06 02 2a 01 28 82 3c 00 00 00 00 a0 02 .....*.(.(......
0030 16 a0 57 d2 00 00 02 04 05 b4 04 02 08 0a 7c 01 ..W...........|.
0040 81 da 7c 01 98 b7 01 03 03 00 ..|.......
Putting all of the above together, the command I actually use most often is a combination like the following:
[root@KHCDNSS01 ~]# tshark -i eth0 -Vtad -x icmp -p -w /tmp/test.log -S
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
Frame 1 (98 bytes on wire, 98 bytes captured)
Arrival Time: Apr 27, 2009 10:53:50.326876000
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 98 bytes
Capture Length: 98 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:icmp:data]
Ethernet II, Src: 00:22:19:50:bc:7e (00:22:19:50:bc:7e), Dst: All-HSRP-routers_04 (00:00:0c:07:ac:04)
Destination: All-HSRP-routers_04 (00:00:0c:07:ac:04)
Address: All-HSRP-routers_04 (00:00:0c:07:ac:04)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 00:22:19:50:bc:7e (00:22:19:50:bc:7e)
Address: 00:22:19:50:bc:7e (00:22:19:50:bc:7e)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.15.25.13 (10.15.25.13), Dst: 192.168.161.5 (192.168.161.5)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 84
Identification: 0x0000 (0)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: ICMP (0x01)
Header checksum: 0xb5df [correct]
[Good: True]
[Bad : False]
Source: 10.15.25.13 (10.15.25.13)
Destination: 192.168.161.5 (192.168.161.5)
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0 ()
Checksum: 0x866f [correct]
Identifier: 0x7a27
Sequence number: 1 (0x0001)
Data (56 bytes)
Data: 3E1EF549D4FC040008090A0B0C0D0E0F1011121314151617...

0000 00 00 0c 07 ac 04 00 22 19 50 bc 7e 08 00 45 00 .......".P.~..E.
0010 00 54 00 00 40 00 40 01 b5 df 0a 0f 19 0d c0 a8 .T..@.@.........
0020 a1 05 08 00 86 6f 7a 27 00 01 3e 1e f5 49 d4 fc .....oz'..)..I..
0030 04 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 ................
0040 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 .......... !"#$%
0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 &'()*+,-./012345
0060 36 37 67

1 packets captured
[root@KHCDNSS01 ~]#
Since we are talking about Wireshark on Linux, what about Solaris? In short, you can use snoop or tcpdump, but personally I prefer snoop. First, a quick list of the available options:
Usage: snoop
[ -a ] # Listen to packets on audio
[ -d device ] # Listen on interface named device
[ -s snaplen ] # Truncate packets
[ -c count ] # Quit after count packets
[ -P ] # Turn OFF promiscuous mode
[ -D ] # Report dropped packets
[ -S ] # Report packet size
[ -i file ] # Read previously captured packets
[ -o file ] # Capture packets in file
[ -n file ] # Load addr-to-name table from file
[ -N ] # Create addr-to-name table
[ -t r|a|d ] # Time: Relative, Absolute or Delta
[ -v ] # Verbose packet display
[ -V ] # Show all summary lines
[ -p first[,last] ] # Select packet(s) to display
[ -x offset[,length] ] # Hex dump from offset for length
[ -C ] # Print packet filter code
[ -q ] # Suppress printing packet count
[ -r ] # Do not resolve address to name

[ filter expression ]
Simply put, the usage is much the same as Wireshark's. For example, below is a command I often use to check whether NTP clients are coming in to synchronise; of course the filter part can be changed to something else, for instance replacing "port ntp" with "bootp" to check whether DHCP clients are requesting IP addresses... The remaining options are not very different from Wireshark's: -d specifies the interface to capture on, -P again keeps the NIC out of "promiscuous mode", -r disables resolving IP addresses to names, -v prints the detailed packet decode, and -ta prints absolute timestamps.....
47ksh# snoop -vVta -r -d bge0 -P -x5 port ntp
Using device /dev/bge0 (non promiscuous)
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 11 arrived at 18:21:4.42140
ETHER: Packet size = 90 bytes
ETHER: Destination = 0:14:4f:a9:83:50,
ETHER: Source = 0:1a:f0:bc:b6:6d,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0xc0
IP: xxx. .... = 6 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = not ECN capable transport
IP: .... ...0 = no ECN congestion experienced
IP: Total length = 76 bytes
IP: Identification = 0
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 254 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = 757e
IP: Source address = 10.16.25.34, 10.16.25.34
IP: Destination address = 10.17.25.32, 10.17.25.32
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 123
UDP: Destination port = 123 (NTP)
UDP: Length = 56
UDP: Checksum = F8E2
UDP:
NTP: ----- Network Time Protocol -----
NTP:
NTP: Leap = 0x0 (OK)
NTP: Version = 3
NTP: Mode = 3 (client)
NTP: Stratum = 3 (secondary reference)
NTP: Poll = 6
NTP: Precision = 238 seconds
NTP: Synchronizing distance = 0x0000.0064 (0.001526)
NTP: Synchronizing dispersion = 0x0000.040d (0.015823)
NTP: Reference clock = 10.17.25.32 (10.17.25.32)
NTP: Reference time = 0xcda00550.6bbe484f (2009-04-27 18:20:00.42087)
NTP: Originate time = 0xcda00550.6b9f8000 (2009-04-27 18:20:00.42040)
NTP: Receive time = 0xcda00550.6bbe484f (2009-04-27 18:20:00.42087)
NTP: Transmit time = 0xcda00590.6bc46a2c (2009-04-27 18:21:04.42097)


0: 8350 001a f0bc b66d 0800 45c0 004c 0000 .P.....m..E..L..
16: 0000 fe11 757e 0a10 1922 0a11 1920 007b ....u~..."... .{
32: 007b 0038 f8e2 1b03 06ee 0000 0064 0000 .{.8.........d..
48: 040d 0a11 1920 cda0 0550 6bbe 484f cda0 ..... .?.Pk.HO.?
64: 0550 6b9f 8000 cda0 0550 6bbe 484f cda0 .Pk?...?.Pk.HO.?
80: 0590 6bc4 6a2c ..k.j,

^C
root@KHXDNSS1:/etc/domain
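The verbose decodes above are what tshark and snoop derive from the raw bytes in their -x dumps. As an added example (not code from the original post), the following Python rebuilds the two NTP packets from the hex shown above and decodes the same fields by hand; the one assumption is that the four destination-MAC bytes cut off by snoop's -x offset are restored from its ETHER decode.

```python
"""Added example (not from the original post): decode the NTP packets dumped above by hand."""
import struct
from datetime import datetime, timedelta, timezone

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

# tshark "Frame 3" above, 90 bytes from offset 0 (hex copied from the page's dump).
TSHARK_FRAME3 = bytes.fromhex(
    "00221950bc7e 020000dc8c04 0800"              # Ethernet II: dst, src, type IP
    "4500004c284a00001b11c53f 0aff83fd 0a0f190d"  # IPv4: 10.255.131.253 -> 10.15.25.13
    "007b007b00384170"                            # UDP: 123 -> 123, length 56
    "0b" + "00" * 47)                             # NTP: flags 0x0b, every other field zero
# snoop packet above: its dump starts at offset 4, so the first four bytes of the
# destination MAC (0:14:4f:a9:83:50 in the ETHER decode) are put back in front here.
SNOOP_FRAME = bytes.fromhex(
    "00144fa9"
    "8350 001a f0bc b66d 0800 45c0 004c 0000 0000 fe11 757e 0a10 1922 0a11 1920 007b"
    "007b 0038 f8e2 1b03 06ee 0000 0064 0000 040d 0a11 1920 cda0 0550 6bbe 484f cda0"
    "0550 6b9f 8000 cda0 0550 6bbe 484f cda0 0590 6bc4 6a2c")

def ntp_to_utc(secs, frac):
    """64-bit NTP timestamp -> aware UTC datetime; all-zero is the 'NULL' tshark printed."""
    if secs == 0 and frac == 0:
        return None
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(seconds=secs - NTP_UNIX_DELTA + frac / 2 ** 32)

def decode_ntp_frame(frame):
    """Walk Ethernet II -> IPv4 -> UDP -> NTP and return the fields the capture tools print."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 17:  # EtherType IPv4, IP protocol UDP
        raise ValueError("expected an IPv4/UDP frame")
    ip = frame[14:]
    udp = ip[(ip[0] & 0x0F) * 4:]                 # skip the IHL-sized IPv4 header
    ntp = udp[8:56]                               # fixed 48-byte NTP header after 8 bytes of UDP
    if len(ntp) != 48:
        raise ValueError("truncated NTP header")
    ts = struct.unpack("!8I", ntp[16:48])         # reference, originate, receive, transmit
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "ports": struct.unpack("!HH", udp[:4]),
        "leap": ntp[0] >> 6, "version": (ntp[0] >> 3) & 7, "mode": ntp[0] & 7,
        "stratum": ntp[1], "poll": ntp[2],
        "precision": struct.unpack("!b", ntp[3:4])[0],  # signed log2 s: 0xee = -18, not "238"
        "root_delay": int.from_bytes(ntp[4:8], "big") / 65536,
        "root_dispersion": int.from_bytes(ntp[8:12], "big") / 65536,
        "reference_id": ".".join(map(str, ntp[12:16])),
        "reference_time": ntp_to_utc(ts[0], ts[1]),
        "transmit_time": ntp_to_utc(ts[6], ts[7]),
    }
```

Two things worth noticing in the output: the precision byte 0xee is a signed value (-18, about 4 microseconds), which snoop rendered as "238 seconds", and the NTP timestamps decode to 2009-04-27 10:20:00 UTC while snoop printed 18:20:00 in the host's local time.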
OK, that's all for now~

---------- Addendum, 2009/04/30 -------------
One more filter I use often: because I frequently need to analyse the RADIUS protocol between AAA servers, I usually run commands like these (these are on Linux):
[root@TEST01 ~]# tshark -Vtad -p -i bond1 -x -z "radius,rtd,ip.addr==xx.xx.xx.xx" -w /tmp/AAA-radius.cap -S
Or:
[root@TEST01 ~]# tshark -Vtad -p -i bond1 -x -z radius,rtd. -w /tmp/AAA-radius.cap -S
Or simply:
[root@TEST01 ~]# tshark -Vtad -p -i bond1 -x port radius -w /tmp/AAA-radius.cap -S
By the way, with the -z option you get the following extra statistics once the capture finishes:
RADIUS Response Time Delay (RTD) Statistics:
Filter for statistics:
Duplicate requests: 3
Duplicate responses: 0
Open requests: 3
Discarded responses: 0
Type | Messages | Min RTD | Max RTD | Avg RTD | Min in Frame | Max in Frame |
Overall | 1 | 1.53 msec | 1.53 msec | 1.53 msec | 11 | 11 |
Access | 1 | 1.53 msec | 1.53 msec | 1.53 msec | 11 | 11 |
OK, end of addendum...