[an error occurred while processing this directive]

HP OpenVMS Systems Documentation

Content starts here HP TCP/IP Services for OpenVMS

HP TCP/IP Services for OpenVMS
Tuning and Troubleshooting


Previous Contents Index

1.2.5.4 Restrictions

The following restrictions apply to using tcpdump on OpenVMS:

  • Copy-all mode is on by default on OpenVMS.
  • Promiscuous mode is not available, so tracing must be issued on either the source or destination host.
  • Only Ethernet native tracing on is supported on OpenVMS.
  • Only one user may trace at a time on OpenVMS using either tcpdump or tcptrace .
  • Name server inverse queries are not dumped correctly: The (empty) question section is displayed rather than real query in the answer section.
  • A packet trace that crosses a daylight saving time change produces skewed time stamps (the time change is ignored).

1.2.5.5 Reducing Discarded Packets

When packets are copied by the TCP/IP kernel, it places them into a ring buffer that is emptied by tcpdump . If packets are received fast enough, the ring will fill up and the TCP/IP kernel discards (drops) packets until tcpdump has caught up. Because tcpdump has not seen these dropped packets, it cannot tell whether they were relevant to the requested trace.

If the option -B is used, tcpdump indicates when the drops occur by issuing a BUFFERSFULL error. This can be useful if the drops occur outside the sequence being analyzed.

There are several methods for reducing the number of packet drops:

  • Specify a more detailed filter in the tcpdump command.
  • Trace to a file instead of SYS$OUTPUT using -w filename . For best results, use a disk with little activity or a RAM disk.
  • Increase the number of buffers in the ring using -b buffers . The default for Alpha systems is 400. For VAX systems, the default is 50. The processes working set quota (WSQUOTA) may need to be increased for larger numbers than the default.
  • Increase the default process priority of the process that issued the tcpdump command.

1.2.6 Monitoring Socket Activity

TCP/IP Services provides a call tracing facility that can be used to help characterize and debug the use of the sockets API for many applications.

To enable tracing, define the TCPIP$SOCKET_TRACE logical name. The logical name accepts the following arguments:

  • 1 or 0
    Specify 1 to enable socket tracing, or 0 to disable socket tracing. When the logical name is set to 1, the output from the trace is displayed interactively. For example:


    $ DEFINE TCPIP$SOCKET_TRACE 1
    
  • Log file name
    Specify the name of the log file for storing the tracing information. For example:


    $ DEFINE TCPIP$SOCKET_TRACE SYS$LOGIN:TCPIP$SOCKET_TRACE.LOG
    
  • Location for process-specific log files
    Specify a directory for storing the log files. Each log file name reflects the name of the process that is being traced. For example:


    $ DEFINE /SYSTEM TCPIP$SOCKET_TRACE SYS$SYSDEVICE:[LOGFILES]
    

The following example shows a sample tracing:


23:35:47.48 +socket family: 2, type: 1, proto: 0
23:35:47.48 -socket chan: 0xf0, st: 0x1, iosb: 0x1 0
23:35:47.48 *setsockopt sock: 0xf0, lev: 0xffff, opt: 0x4, val: 1, len: 4
23:35:47.49 *bind44 socket: 0xf0, st: 0x1, iosb: 0x1 0
23:35:47.50 *listen sock: 0xf0, backlog: 5
23:35:47.51 +accept44 chan: 0xf0
23:35:54.04 -accept44 rtchan: 0x100, st: 0x1, iosb: 0x1 0
23:35:54.04 *getpeername44 sock: 0x100
23:35:54.04 +send_64 sock: 0x100, addr: 0x7AEF7A00, len: 28, flags: 0x0
23:35:54.04 -send_64 st: 0x1, iosb: 0x1 28
23:35:54.04 *shutdown sock: 0x100, how: 2
23:35:54.05 *close sock: 0x100, st: 0x1
23:35:54.05 *close sock: 0xf0, st: 0x1

In this example, you can see the application opening a socket, setting socket options, binding, listening, accepting, sending data, and so forth.

Lines beginning with a plus sign (+) indicate that the relevent routine is being entered. There is usually a line beginning with a minus sign (-) soon after, when the routine returns. For routines that normally return right away, only one line is displayed, beginning with an asterisk (*).

Note

This facility does not trace QIOs and other system services.

1.2.7 Checking Name Server Operation

After verifying that the underlying transport is working, check to see whether the remote host can be reached by its host name. If your name server resides on a remote system, make sure your resolver configuration specifies that system. To determine whether the resolver is pointing to the correct server, enter the following command:


TCPIP> SHOW NAME_SERVICE

BIND Resolver Parameters

 Local domain: lkg.dec.com

 System

  State:     Started, Enabled

  Transport: UDP
  Domain:    lkg.dec.com
  Retry:     4
  Timeout:   4
  Servers:    rufus.lkg.dec.com, peach.lkg.dec.com
  Path:       lkg.dec.com

 Process

  State:     Enabled

  Transport:
  Domain:
  Retry:
  Timeout:
  Servers:
  Path:

Make sure the remote servers are reachable (using ping ) and that they are valid name servers.

If your name server resides on the local system, use the SHOW NAME_SERVICE command to make sure your resolver points to localhost .

Next, verify that the TCPIP$BIND process is enabled and running. First, enter the following command to determine whether TCPIP$BIND is enabled:


TCPIP> SHOW SERVICE

Service           Port  Proto    Process          Address            State

BIND                53  TCP,UDP  TCPIP$BIND       0.0.0.0             Enabled
DHCP                67  UDP      TCPIP$DHCP       0.0.0.0             Enabled
DIOSERVER         1451  TCP      CLM              0.0.0.0             Disabled
ECHO                 7  TCP      MULTI            0.0.0.0             Disabled
ESNMP              705  UDP      ESNMP            0.0.0.0             Disabled
FINGER              79  TCP      TCPIP$FINGER     0.0.0.0             Enabled
FTP                 21  TCP      TCPIP$FTP        0.0.0.0             Enabled
HELLO            12345  TCP      HELLO_WORLD      0.0.0.0             Disabled
JOHN               520  UDP      UCX$ROUTER       0.0.0.0             Disabled
LBROKER           6570  UDP      TCPIP$LBROKER    0.0.0.0             Disabled
LPD                515  TCP      TCPIP$LPD        0.0.0.0             Enabled
MATT              5432  TCP      TCPIP$RLOGIN     0.0.0.0             Disabled
METRIC             570  UDP      TCPIP$METRIC     0.0.0.0             Enabled
MOUNT               10  TCP,UDP  TCPIP$MOUNTD     0.0.0.0             Enabled
NFS               2049  UDP      TCPIP$NFS        0.0.0.0             Enabled
NOTES             3333  TCP      NOTESRVR         0.0.0.0             Enabled
NTP                123  UDP      TCPIP$NTP        0.0.0.0             Enabled
PCNFS             5151  TCP,UDP  TCPIP$PCNFSD     0.0.0.0             Enabled
POP                110  TCP      TCPIP$POP        0.0.0.0             Enabled
PORTMAPPER         111  TCP,UDP  TCPIP$PORTM      0.0.0.0             Enabled
REXEC              512  TCP      TCPIP$REXEC      0.0.0.0             Enabled
RLOGIN             513  TCP      not defined      0.0.0.0             Enabled
RSH                514  TCP      TCPIP$RSH        0.0.0.0             Enabled
SMTP                25  TCP      TCPIP$SMTP       0.0.0.0             Enabled
SNMP               161  UDP      TCPIP$SNMP       0.0.0.0             Enabled
TELNET              23  TCP      not defined      0.0.0.0             Enabled
TFTP                69  UDP      TCPIP$TFTP       0.0.0.0             Enabled
XDM                177  UDP      TCPIP$XDM        0.0.0.0             Enabled

If the BIND process is enabled, it will appear in the display.

Then determine whether the BIND process is running by entering the following command:


$ SHOW SYSTEM /NETWORK
OpenVMS V7.1-1H2  on node RUFUS   27-JUN-2000 16:45:46.84  Uptime  16 01:55:35
  Pid    Process Name    State  Pri      I/O       CPU       Page flts  Pages
2FC0021F TCPIP$NTP       LEF     10  2042786   0 00:02:03.43       657    190  N
2FC00221 TCPIP$LBROKER   LEF      9  3779921   0 00:06:27.51       652    271  N
2FC05046 TCPIP$POP_1     HIB     10   243688   0 00:00:48.42       955    598  N
2FC00289 TCPIP$PORTM     LEF     10    13289   0 00:00:03.23       614    189  N
2FC0628F TCPIP$RE_BG1879 LEF      6     1647   0 00:00:00.96      1709    612  N
2FC0089A NFS$SERVER      LEF     10    89284   0 00:00:19.28       978    580  N
2FC06C9E NOTES$00CD_2*   HIB      6   208844   0 00:01:22.65      1932    152  N
2FC03EC7 TCPIP$BIND_1    LEF     10   515297   0 00:01:26.06       972    322  N
2FC01CF6 TCPIP$PCNFSD    LEF     10      326   0 00:00:00.27       660    228  N
$

If the TCPIP$BIND_1 process is not running, look for errors in the SYS$SPECIFIC:[TCPIP$BIND]TCPIP$BIND_RUN.LOG file.

To reduce the possibility of a name server being unavailable, you might configure more than one name server on your network. This way, if the primary name server is unreachable or unresponsive, the resolver can query the other name server.

1.2.8 Checking the Route to a Remote Host

If you receive "network unreachable" messages, you may be experiencing a routing problem. You can easily detect whether the problem is with your local routing table by doing the following:

  • Enter a netstat -rn or SHOW ROUTE command.
    Display the routing table, then compare the output to the routing table of a properly running system. Make sure there is a default route defined and that the IP address listed in the gateway column for the default route and the local host are in the same subnet. The default route specifies the gateway to use when a route is not explicitly defined for the destination IP address.
    For example, enter the following command:


    TCPIP> netstat -rn
    
    Routing tables
    Destination      Gateway            Flags     Refs     Use Interface
    
    Route Tree for Protocol Family 2
    default          16.20.0.173        UG         17  1526068  WE0
    10.10/16         16.20.208.154      UGS         0   204911  WE0
    10.10.39/25      10.10.39.2         U           2    17942  BE0
    16.20/16         16.20.208.100      U          45  6219676  WE0
    16.20/16         16.20.208.208      U           0        0  WE0
    127.0.0.1        127.0.0.1          UH          1    69844  LO0
    
    Route Tree for Protocol Family 26
    ::1              Link#1             UH          0        0  LO0
    ff01::/16        Link#1             U           0        0  LO0
    
  • To display a default route using the TCP/IP Services management commands, enter one of the following commands:


    $ TCPIP SHOW ROUTE /PERMANENT /DEFAULT
    
    $ TCPIP SHOW ROUTE /DEFAULT
    

    The following example shows typical output from these two commands:


    $ TCPIP SHOW ROUTE /PERMANENT /DEFAULT
    
                                 PERMANENT
    
    Type           Destination                           Gateway
    
    PN    0.0.0.0                                    rufus.lkg.dec.com
    
    
    $ TCPIP SHOW ROUTE /DEFAULT
    
                                 DYNAMIC
    
    Type           Destination                           Gateway
    
    DN    0.0.0.0                               10.10.2.66
    $
    

    To set a default route, enter a command similar to the following:


    $ TCPIP SET ROUTE /DEFAULT /GATE=n.n.n.n
    

    You can also set a default route by running the TCPIP$CONFIG procedure and selecting option 1 for Core, and then option 3 for Routing. TCPIP$CONFIG prompts with:


    * Do you want to configure dynamic ROUTED or GATED routing [NO]:
    

    Take the default value by pressing the Enter key. TCPIP$CONFIG then displays the current configuration and asks whether you want to reconfigure a default route:


    The current configuration for the default route is:
    
                                 PERMANENT
    
    Type           Destination                           Gateway
    
    PN    0.0.0.0                                    rufus.lkg.dec.com
    
    * Do you want to reconfigure a default route [YES]:
    Enter the Default Gateway host name []:
    
  • Next, use ping to see whether you can reach the routing gateway.

1.2.9 Checking the Routes Known to a Gateway

The traceroute command helps you locate problems between the local host and the remote destination by tracing the route of UDP packets from the local host to a remote host. Tracing attempts to determine the name and IP address of each gateway along the route to the remote host.

The traceroute command works by sending UDP packets with small time-to-live (TTL) values and an invalid port number to the remote system. The TTL values increase in increments of one for each group of three UDP packets sent. When a gateway receives a packet, it decrements the TTL. If the TTL is zero, the packet is not forwarded, and an ICMP "time exceeded" message is returned.

Intermediate gateways are detected when they return an ICMP "time exceeded" message. When traceroute receives an "invalid port" message, it knows that it reached the remote destination. ( traceroute operates by intentionally using an invalid port.) When traceroute receives this message, it knows it has reached the destination host and terminates the trace. In this way, traceroute develops a list of gateways starting at one hop away, and increasing one hop at a time until the remote host is reached.

For more information about using traceroute , see Appendix A.

1.2.10 Determine Whether Network Services Are Available

The auxiliary server functions like the UNIX internet daemon ( inetd ) by managing access to the network services. The auxiliary server assigns standard port numbers to services such as the BOOTP, SMTP, or FTP servers, and starts the appropriate image after receiving an incoming request.

To verify correct operation of a service, you need to verify that the service:

  • Has an entry in the service database
  • Has the correct attributes defined
  • Account has the correct privileges
  • Is enabled
  • Is started

1.2.10.1 Displaying the Service Database

To display the services database, enter the SHOW SERVICE command. For example:


TCPIP> SHOW SERVICE
  (1)                 (2)    (3)         (4)              (5)                 (6)
Service             Port  Proto    Process          Address            State

FINGER                79  TCP      TCPIP$FINGER     0.0.0.0             Disabled
FTP                   21  TCP      TCPIP$FTP        0.0.0.0             Enabled
LPD                  515  TCP      TCPIP$LPD        0.0.0.0             Enabled
MOUNT                 10  UDP      TCPIP$NFS_M      0.0.0.0             Enabled
NFS                 2049  UDP      TCPIP$NFS        0.0.0.0             Enabled
NTP                  123  UDP      TCPIP$NTP        0.0.0.0             Enabled
PCNFS               5151  TCP,UDP  TCPIP$PCNFSD     0.0.0.0             Enabled
POP                  110  TCP      TCPIP$POP        0.0.0.0             Enabled
PORTMAPPER           111  TCP,UDP  TCPIP$PORTM      0.0.0.0             Enabled
REXEC                512  TCP      TCPIP$REXEC      0.0.0.0             Enabled
RLOGIN               513  TCP      not defined      0.0.0.0             Enabled
RSH                  514  TCP      TCPIP$RSH        0.0.0.0             Enabled
SMTP                  25  TCP      TCPIP$SMTP       0.0.0.0             Enabled
SNMP                 161  UDP      TCPIP$SNMP       0.0.0.0             Enabled
TELNET                23  TCP      not defined      0.0.0.0             Enabled
TFTP                  69  UDP      TCPIP$TFTP       0.0.0.0             Enabled
  1. This column lists those services with entries in the TCPIP services database. If not listed in this column, the service was never enabled during the configuration procedure (using TCPIP$CONFIG.COM). To enable additional services, run the TCPIP$CONFIG procedure.
  2. This column lists the port on which the service listens for connection requests. The port number is either the well-known port number for the service or an ephemeral port number assigned when the socket is assigned a protocol address.
  3. This column lists the TCP/IP protocol that the service uses to communicate with the client process.
  4. This column lists the process name for the service. If you use the DCL command SHOW SYSTEM /NETWORK, this is the process name you should see if the process is running.
  5. This column lists the IP address of the interface on which the service accepts connection requests. IP address 0.0.0.0 indicates that the service will accept connection requests received on any of the local interfaces.
  6. This column lists whether the service is enabled or disabled. The term enabled indicates that the next time TCP/IP Services starts, TCP/IP Services starts all services that are marked in the service database as enabled. In this example, of the services listed, all services except finger will start the next time TCP/IP Services restarts.

    Note

    In this example, the finger service was configured with TCPIP$CONFIG. However, at some point, finger was disabled either by a TCPIP management command or by an incremental shutdown of the service.

1.2.10.2 Displaying Service Attributes

Each service should have the following items defined in the services database:

  • OpenVMS user account (also in user authorization file [UAF])
  • Unique port number
  • Protocol
  • Name and location of the startup command procedure and log file
  • Service parameters (for example, timeouts, privileges)
  • Flags

If these items are not defined correctly, or if the service account privileges and file protections are not assigned correctly, the service will fail to respond to an incoming request. This failure may be logged in the service-specific log file.

To display information about a service, enter the TCPIP command SHOW SERVICE /FULL and specify the service name. For example:


$ TCPIP
TCPIP> SHOW SERVICE /FULL TELNET

Service: TELNET                                          (1)
                           State:     Enabled
Port:               23     Protocol:  TCP             Address:  0.0.0.0
Inactivity:          1     User_name: not defined     Process:  not defined
Limit:              57     Active:     12             Peak:      14

File:         not defined
Flags:        Listen Rtty

Socket Opts:  Keepalive Rcheck Scheck                    (2)
 Receive:         3000     Send:            3000

Log Opts:     Actv Dactv Conn Error Logi Logo Mdfy Rjct  (3)
 File:        not defined

Security                                                 (4)
 Reject msg:  not defined
 Accept host: 0.0.0.0
 Accept netw: 0.0.0.0
TCPIP>
  1. This section displays information about the service: service name, process name, user name, port and interface on which the service is listening, whether the service is enabled or disabled, and the number of copies of the service that can run at one time.
  2. This section displays the socket options that the service uses. The service's socket options can be changed dynamically, though it is unlikely that someone would change them. If you suspect that improper socket options are in effect, you can reestablish the default values by disabling the service, running TCPIP$CONFIG, and then enabling the service.
  3. This section displays the name of the log file that receives event messages and the events that the service will log. Checking the log file may indicate the cause of a problem.
  4. This security section displays a list of hosts and networks that are specifically given or denied access to the service. If one system is unable to access a service, check this section to see whether the system or its associated network is being denied the service.

1.2.10.3 Verifying Process Privileges

To check the privileges associated with a service's process, enter a command for the process, as follows:


$ INSTALL LIST/FULL TCPIP$SMTP_RECEIVER

DISK$VMS721:<SYS0.SYSCOMMON.SYSEXE>.EXE
   TCPIP$SMTP_RECEIVER;1
                    Open Hdr Shared   Prv
        Entry access count         = 20
        Current / Maximum shared   = 1 / 1
        Global section count       = 1
        Privileges = SYSPRV
        Authorized = SYSPRV

$ INSTALL LIST/FULL TCPIP$FTP_CHILD

DISK$VMS721:<SYS0.SYSCOMMON.SYSEXE>.EXE
   TCPIP$FTP_CHILD;1
                    Open Hdr Shared   Prv
        Entry access count         = 42
        Current / Maximum shared   = 1 / 3
        Global section count       = 1
        Privileges = PSWAPM OPER
        Authorized = PSWAPM OPER


Previous Next Contents Index