Hello,

I have the following problem:

On a Solaris 10 machine, with 5 "zones", there is a process that is talking to the wrong DB server. I need to find out which process this is, so I can analyze this further. I have tried doing this using tcpsnoop from the DTrace toolkit, but without success.

This is what I've done.

First I started tcpsnoop, dumping its output to a file, like this:

tcpsnoop > /tmp/tcp.snoop out &

Then I started a regular snoop:

snoop port 1521

and waited till I saw a packet pass. e.g.:

[root at msnvflcs1]# snoop -n hosts port 1521
Loading name file hosts
Using device /dev/ipge (promiscuous mode)
AAADBT.********. -> msnvfllawls1v.******* TCP D=44947 S=1521 Push Ack=2428689568 Seq=2807055520 Len=10 Win=49640
msnvfllawls1v.******* -> AAADBT.******** TCP D=1521 S=44947 Ack=2807055530 Seq=2428689568 Len=0 Win=49640

As you can see, there _is_ traffic between something on my machine and the AAADBT server on port 1521.

When I however have a look in the output that tcpsnoop collected at the same moment, this TCP connection is not there. tcpsnoop seems to have missed it completely.

Why would that be?

Thanks in advance for any help.

Krist
--
krist.vanbesien at gmail.com
Bremgarten b. Bern, Switzerland
On Fri, 20 Oct 2006, Krist van Besien wrote:

> Hello,
>
> I have the following problem:
>
> On a solaris 10 machine, with 5 "zones" there is a process that is
> talking to the wrong db server. I need to find out which process this
> is, so I can analize this further. I have tried to doing this using
> tcpsnoop from the DTrace toolkit, but without success.
>
> This is what I've done.
>
> First I started tcpsnoop, dumping it's output to a file. like this:
> tcpsnoop > /tmp/tcp.snoop out &
>
> Then I started a regular snoop.
>
> snoop port 1521
>
> and waited till I saw a packet pass. eg:
>
> [root at msnvflcs1]# snoop -n hosts port 1521
> Loading name file hosts
> Using device /dev/ipge (promiscuous mode)
> AAADBT.********. -> msnvfllawls1v.******* TCP D=44947 S=1521 Push
> Ack=2428689568 Seq=2807055520 Len=10 Win=49640
> msnvfllawls1v.******* -> AAADBT.******** TCP D=1521 S=44947
> Ack=2807055530 Seq=2428689568 Len=0 Win=49640
>
> As you can see, there _is_ traffic between something on my machine and
> the AAADBT server on port 1521.
>
> WHen I however have a look in the output that tcpsnoop collected at
> the same moment this TCP connection is not there. tcpsnoop seems to
> have missed it completely.
>
> Why would that be?

Hi Krist,

Tcpsnoop captures and prints new TCP connections, which Brendan mentioned in the header of the tcpsnoop script:

"This analyses TCP network packets and prints the responsible PID and UID, plus standard details such as IP address and port. This captures traffic of newly created TCP connections that were established while this program was running. It can help identify which processes is causing TCP traffic."

The two lines you posted above do not contain IP datagrams with the "Syn" flag set, so I am assuming this is your problem. If these connections were created while tcpsnoop was running, I reckon Brendan can provide some additional details for debugging this.

Thanks,
- Ryan

--
UNIX Administrator
http://prefetch.net
> > I have the following problem:
> >
> > On a solaris 10 machine, with 5 "zones" there is a process that is
> > talking to the wrong db server. I need to find out which
> > process this
> > is, so I can analize this further. I have tried to doing this using
> > tcpsnoop from the DTrace toolkit, but without success.

From the port number I assume you're dealing with Oracle?

Maybe this issue can be solved with standard Oracle tools. If you know your database name, then you could issue "tnsping <dbname>" from the client where the connection is made (for that you need to source the Oracle client library environment file though). Tnsping should show you on which actual address the connections are made.

Tanel.
Krist,

If you can determine the port number and the destination address using snoop, then using Solaris 10 tools you can find the culprit like this:

ksh -c 'cd /proc; for i in *; do x=$(pfiles $i | egrep 1.1.1.1 | egrep 1521); if [[ -n $x ]]; then echo $i; fi; done'

I wouldn't rely on tools like dtrace to show you all of the TCP packets that Solaris sends out over the wire - that's what tcpdump, snoop, etc are for.

Darren
I solved a similar problem a little while back by looking at the output of netstat. Each zone will have an IP address, and each connection to the DB will show up with the associated IP.

Russ

Krist van Besien wrote:
> Hello,
>
> I have the following problem:
>
> On a solaris 10 machine, with 5 "zones" there is a process that is
> talking to the wrong db server. I need to find out which process this
> is, so I can analize this further. I have tried to doing this using
> tcpsnoop from the DTrace toolkit, but without success.
>
> This is what I've done.
>
> First I started tcpsnoop, dumping it's output to a file. like this:
> tcpsnoop > /tmp/tcp.snoop out &
>
> Then I started a regular snoop.
>
> snoop port 1521
>
> and waited till I saw a packet pass. eg:
>
> [root at msnvflcs1]# snoop -n hosts port 1521
> Loading name file hosts
> Using device /dev/ipge (promiscuous mode)
> AAADBT.********. -> msnvfllawls1v.******* TCP D=44947 S=1521 Push
> Ack=2428689568 Seq=2807055520 Len=10 Win=49640
> msnvfllawls1v.******* -> AAADBT.******** TCP D=1521 S=44947
> Ack=2807055530 Seq=2428689568 Len=0 Win=49640
>
> As you can see, there _is_ traffic between something on my machine and
> the AAADBT server on port 1521.
>
> WHen I however have a look in the output that tcpsnoop collected at
> the same moment this TCP connection is not there. tcpsnoop seems to
> have missed it completely.
>
> Why would that be?
>
> Thanks in advance for any help.
>
> Krist
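The two suggestions above (Darren's walk of /proc with pfiles, and Russ's per-zone view in netstat) put together into one script, as an added example that is not from any poster in this thread. It assumes the Solaris 10 output formats of "netstat -an -f inet" (local and remote addresses printed as ip.port, no PID column) and of pfiles(1) socket entries ("sockname: AF_INET <ip>  port: <n>" / "peername: AF_INET <ip>  port: <n>"), and the "zone" keyword of Solaris ps(1); the netstat and pfiles text embedded in it is constructed, not captured from a real machine. Whole-field comparison is used instead of egrep so that a search for 10.1.1.1 does not also match 10.1.1.10. It is POSIX sh, so on Solaris 10 run it under /usr/xpg4/bin/sh or ksh rather than /bin/sh.

```shell
#!/bin/sh
# Added example, not from the thread: find the zone and PID behind a TCP
# connection to DB_ADDR:DB_PORT by combining "netstat -an -f inet" (shows
# the per-zone local address, but no PID on Solaris 10) with a walk of
# /proc running pfiles(1) (shows each PID's socket peers).
# Output formats of netstat, pfiles and "ps -o zone" are assumed Solaris 10;
# the sample text below is constructed, not captured from a real system.
# POSIX sh: on Solaris 10 use /usr/xpg4/bin/sh or ksh, since /bin/sh there
# does not understand $(...).

DB_ADDR=10.1.1.1
DB_PORT=1521

# netstat_local_endpoints ADDR PORT: read "netstat -an -f inet" on stdin and
# print "LOCAL_IP LOCAL_PORT" for each TCP connection whose remote end is
# exactly ADDR.PORT. Whole-field comparison, so 10.1.1.1 does not also pick
# up 10.1.1.10 the way an unanchored egrep pattern would. The local IP
# identifies the zone; the local port is what pfiles prints as sockname.
netstat_local_endpoints() {
    awk -v want="$1.$2" '
        $2 == want {
            n = split($1, a, ".")
            print a[1] "." a[2] "." a[3] "." a[4], a[n]
        }'
}

# pfiles_has_peer ADDR PORT: read "pfiles PID" on stdin; exit 0 if some
# socket has "peername: AF_INET ADDR  port: PORT", else exit 1.
pfiles_has_peer() {
    awk -v addr="$1" -v port="$2" '
        $1 == "peername:" && $2 == "AF_INET" && $3 == addr &&
        $4 == "port:" && $5 == port { found = 1 }
        END { exit !found }'
}

# find_db_clients ADDR PORT: on a live Solaris 10 global zone, print
# "ZONE PID ARGS" for every process holding a socket to ADDR:PORT.
# Same /proc walk as the ksh one-liner above; run as root so pfiles can
# inspect processes in every zone. ("zone" as a ps -o keyword is assumed.)
find_db_clients() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        if pfiles "$pid" 2>/dev/null | pfiles_has_peer "$1" "$2"; then
            ps -o zone= -o pid= -o args= -p "$pid"
        fi
    done
}

# --- constructed samples, standing in for real netstat/pfiles output ---
SAMPLE_NETSTAT='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
192.168.1.10.44947   10.1.1.1.1521        49640      0 49640      0 ESTABLISHED
192.168.1.11.33012   10.1.1.10.1521       49640      0 49640      0 ESTABLISHED
192.168.1.10.22      192.168.1.50.51000   49640      0 49640      0 ESTABLISHED'

SAMPLE_PFILES='4711:   /opt/app/bin/java -jar app.jar
  Current rlimit: 256 file descriptors
   5: S_IFSOCK mode:0666 dev:296,0 ino:55210 uid:0 gid:0 size:0
      O_RDWR|O_NONBLOCK
        SOCK_STREAM
        sockname: AF_INET 192.168.1.10  port: 44947
        peername: AF_INET 10.1.1.1  port: 1521'

# Demonstration on the samples. On a real box run instead:
#   netstat -an -f inet | netstat_local_endpoints "$DB_ADDR" "$DB_PORT"
#   find_db_clients "$DB_ADDR" "$DB_PORT"
echo "zone addresses/ports talking to $DB_ADDR:$DB_PORT:"
printf '%s\n' "$SAMPLE_NETSTAT" | netstat_local_endpoints "$DB_ADDR" "$DB_PORT"
if printf '%s\n' "$SAMPLE_PFILES" | pfiles_has_peer "$DB_ADDR" "$DB_PORT"; then
    echo "pid 4711 (sample) holds a socket to $DB_ADDR:$DB_PORT"
fi
```

The netstat step narrows the search to one zone (by local IP) and one local port; the pfiles step then names the PID, and its sockname line should show the same local port, which is the cross-check that you have the right process. Unlike tcpsnoop, neither step depends on having been running when the connection was set up.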