Top Document: comp.sys.hp.hpux FAQ
Previous Document: 5.7.1 How can I change the order of hostname resolution?
Next Document: 5.7.3 How to get the MAC address for a particular network interface?

TRACING - Trace all packets seen by the device driver on the HP nodes, except diskless packets. Trace packets sent by the node, or addressed to the node.

Network tracing can be done with nettl(1M). nettl can only be used by the superuser, so su to root before proceeding.

1. Start Trace - put data into 1MB trace file.

   The data will be stored in /tmp/raw.TRC0 and /tmp/raw.TRC1. The most recent data will always be in TRC0; when it fills up, TRC0 is renamed TRC1, and new logging continues in the TRC0 file. They fill up quickly!

       nettl -tn all -e ns_ls_ip -size 1024 -tracemax 99999 -f /tmp/raw

   This will trace packets in, packets out, and loopback packets at the IP Layer (ns_ls_ip). If you need link-specific packet tracing you must specify the appropriate network driver or "-e all".

2. Stop trace as soon as an event occurs!

       nettl -tf -e all

3. Format trace into a print file:

       netfmt -N -n -l -f /tmp/raw.TRC0 [ -c /tmp/filter ] > /tmp/fmt0
       netfmt -N -n -l -f /tmp/raw.TRC1 [ -c /tmp/filter ] > /tmp/fmt1

       -N - print in "nice" format (e.g. interpret)
       -n - print IP addresses, not hostnames
       -l - do not highlight fields (for hpterm)
       -f - input file (nettl-generated trace data)
       -c - optional, use a filter file (see "filtering", below)

   NOTE: netfmt takes a while to run! There will be plenty of info in the trace file - interpretation may be necessary!

3a. Filtering.

   Create a filter file to tell netfmt what packets you are interested in seeing.

   E.g. only display packets to/from IP address 192.10.11.1:

       filter ip_saddr 192.10.11.1
       filter ip_daddr 192.10.11.1

   Filter out all but NFS packets (to/from UDP port 2049):

       filter udp_sport 2049
       filter udp_dport 2049

   Filter out all but TCP packets to/from port 25 (sendmail):

       filter tcp_sport 25
       filter tcp_dport 25

   Filter on ethernet addresses:

       filter dest 08-00-09-49-91-4a
       filter source 08-00-09-49-91-4a

   You can put these together (e.g. filter all NFS packets to/from IP addr):

       filter ip_saddr 192.10.11.1
       filter ip_daddr 192.10.11.1
       filter udp_sport 2049
       filter udp_dport 2049

3b. To create a timestamped 1-liner trace analysis file of all packets in the capture file:

       # netfmt -N -n -l -1 -T -f /tmp/raw.TRC0 >/tmp/fmt0-1

   ...take note that there is a -l (ell) and a -1 (number one) specified!

   To create a timestamped 1-liner trace analysis file using a packet filter, first see the information in Step #3a on creating a filter file, then:

       # netfmt -N -n -l -1 -T -c /tmp/filterfile -f /tmp/raw.TRC0 \
             >/tmp/fmt0-1f

   ...take note that there is a -l (ell) and a -1 (number one) specified!

HP-UX 10.20 and 11.X can use tcpdump/libpcap as found at <ftp://ftp.ee.lbl.gov/>

To select the interface to trace, one uses the -i option and gives the interface name as "/dev/dlpiN" where N is the PPA of the device. One uses lanscan to find PPAs. On 10.20, the PPA happens to be the same as the Network Management ID (NMID) and is not the same as the N in "lanN." On 11.X, the PPA happens to be the same as the Card Instance number and happens to be the same as the N in "lanN."

The /dev/dlpiN specified to tcpdump/libpcap is not the same as the device file /dev/dlpiM. What actually happens is that tcpdump/libpcap opens /dev/dlpi and binds to PPA N. The /dev/dlpiM device files are for other uses.
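The filter files from Step 3a can be generated instead of typed by hand. The following is an added example, not part of the original FAQ: it emits the source and destination filter lines for one host and, optionally, one TCP or UDP port, and rejects malformed input before a long netfmt run is wasted on it. The function names and the argument order are assumptions of this example; only the filter keywords shown in Step 3a are used.

```shell
#!/bin/sh
# Added example (not from the FAQ): build a netfmt filter file for one host
# and, optionally, one TCP/UDP port, using only the keywords from step 3a.
# Function names and argument order are assumptions of this example.

# valid_ipv4 ADDR -> exit status 0 if ADDR is a dotted quad, octets 0-255
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                       # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# make_netfmt_filter IP [tcp|udp PORT] -> filter lines on stdout
make_netfmt_filter() {
    ip=$1 proto=${2:-} port=${3:-}
    valid_ipv4 "$ip" || { echo "bad IP address: $ip" >&2; return 1; }
    if [ -n "$proto" ]; then
        case "$proto" in
            tcp|udp) ;;
            *) echo "protocol must be tcp or udp" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
            { echo "port out of range: $port" >&2; return 1; }
    fi
    # Step 3a lists both the source and the destination form for to/from.
    printf 'filter ip_saddr %s\nfilter ip_daddr %s\n' "$ip" "$ip"
    if [ -n "$proto" ]; then
        printf 'filter %s_sport %s\nfilter %s_dport %s\n' \
            "$proto" "$port" "$proto" "$port"
    fi
}

# Constructed sample: the combined NFS filter shown in step 3a.
make_netfmt_filter 192.10.11.1 udp 2049
```

Redirect the output to /tmp/filter and pass it to netfmt with -c /tmp/filter as in Step 3.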
Send corrections/additions to the FAQ Maintainer: hpux.faq@gmail.com
Last Update March 27 2014 @ 02:11 PM