Re: Snapshot for debugging network problems

[Onno <ebbin200@tech.nhl.nl>]

Hmmm, 'ipchains -L' or 'ipchains -L -v' could be useful
here. If the i/o chains filter or accept packets that
could be (part of) the problem you're a step closer to
the solution.

I use ipchains sometimes to block/accept packets to see
what will happen in some circumstances.

I'm very curious what will come of this thread...

Regards,

Onno

At 02:48 PM 11/5/99 +0000, David Wright wrote:
> While tracking down network problems of any kind, it's quite handy
> to take a snapshot of the networking parameters so you can look at
> it after the event. I have a bash function which is currently:
>
>     /bin/uname -a
>     /sbin/ifconfig
>     /sbin/route -n
>     /usr/sbin/arp -n -a
>     /bin/netstat -n -a -e
>     /bin/ps auxwww
>     /bin/date
>
> Then I use
>     tcpdump -l -n -i <interface> [host <host>] | tee <somefile>
> to watch the traffic and
>     /bin/fuser -n <udp or tcp> -v <port number>
> to see what might be causing trouble. The last one I really stumbled
> across, only having seen fuser used for investigating busy files and
> directories in the past.
>
> Are there any useful commands I've missed? What's the best tool for
> translating the output from tcpdump?        [stop here if you like]
>
> For those that might be interested, the last problem I was trying
> to solve was a dramatic slowdown in ppp from my home machine to work.
> So slow that ssh just wouldn't connect, and telnet would take more
> than five minutes. Characters could take up to a minute to reflect.
>
> I was at work and had initiated the ppp connection. Looking at the
> traffic with tcpdump -l -i ppp0, it was completely dominated by traffic
> to the nameservers, and with the fuser command on the port numbers
> being shown, I was able to pin it down to icmplogd and tcplogd which
> were running on the m/c at home. (No longer.)
>
> I have no idea why this slowdown had happened only a couple of times
> in the past, but previously I'd put it down to a bad line or some
> ethernet problem at work. (It never seemed to affect the CHAP
> handshaking, though.) I attacked the problem this time because I was
> sitting at the work end, so I could easily confirm that everything
> on the ethernet was functioning. (And I really needed to transfer a
> file home.)
>
> It took me most of an hour to realise I should kill the two offending
> daemons. I'm still not sure what they were asking the nameservers,
> but I have a large traffic file available. I'm used to seeing messages
> like (from memory) "bar > 255, who is foo, tell bar" and "foo > bar,
> foo is on 0:1:2:3:4:5" but this stuff was all numerical. Is there
> something that can print what it thinks it all means?
>
> Cheers,
>
> --
> Email:  d.wright@open.ac.uk   Tel: +44 1908 653 739  Fax: +44 1908 655 151
> Snail:  David Wright, Earth Science Dept., Milton Keynes, England, MK7 6AA
> Disclaimer:   These addresses are only for reaching me, and do not signify
> official stationery. Views expressed here are either my own or plagiarised.
>
>
> --
> Unsubscribe?  mail -s unsubscribe debian-user-request@lists.debian.org < 
> /dev/null