how to monitor socket traffic that doesn't go out?


Post by Xah L » Sun, 18 Aug 2002 14:08:41



How to monitor localhost network socket traffic that does not go
through a physical interface?

For example, we run the server Apache + JServe on Solaris. I can use
Solaris's "snoop" to diagnose traffic from Apache to the outside, but
if I use snoop to monitor the port JServe is using to communicate
with Apache, snoop returns nothing.

I don't know much about Unix sockets, but I suspect this is because
snoop only captures traffic that goes through the physical network
interface card.

What really happens in my case is that the browser stalls in the middle of
a particular web page in a site using our in-house application server
that involves Apache + jserv and an in-house application server. I can
see when packets stall between the host and the browser client, but I
need to see which one of these applications is responsible for the
stalling. So if I can see the traffic between Apache and JServe, or
between JServe and the in-house server, that'll pinpoint my problem.

A few weeks ago I learned about lsof here, but haven't studied it yet.
Would lsof be useful?

PS: what's the snoop equivalent in Linux?

thanks.

 Xah

 http://xahlee.org/PageTwo_dir/more.html

 
 
 


Post by Juha Laih » Sun, 18 Aug 2002 16:17:01



>how to monitor localhost network socket traffic that does not go
>through a physical interface?

IIRC, not doable on Solaris. I tried to do this a while ago, but
when looking for documentation, found a reference that snooping
net traffic internal to a single host is not supported on Solaris.
On Linux, it seems I get host internal traffic just fine by monitoring
the localhost interface.

>For example, we run the server Apache + JServe on Solaris. I can use
>Solaris's "snoop" to diagnose traffic from Apache to the outside, but
>if I use snoop to monitor the port JServe is using to communicate
>with Apache, snoop returns nothing.
...
>What really happens in my case is that the browser stalls in the middle of
>a particular web page in a site using our in-house application server
>that involves Apache + jserv and an in-house application server. I can
>see when packets stall between the host and the browser client, but I
>need to see which one of these applications is responsible for the
>stalling. So if I can see the traffic between Apache and JServe, or
>between JServe and the in-house server, that'll pinpoint my problem.

Would it be possible for you to either add diagnostics to
- the actual application you're running
- the application server you're running

Another possibility might be (?) to temporarily move the JServe to another
machine, and log the traffic between two machines.

Yet another would be to run the JServe (or Apache) under "truss" to see
the I/O at system call level.

>PS: what's the snoop equivalent in Linux?

tcpdump
--
Wolf  a.k.a.  Juha Laiho     Espoo, Finland

         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
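
Added example, not part of either post and not the posters' code: where loopback capture is unavailable, the truss suggestion above can still show which connection a process was waiting on. This Python script assumes `truss -d` style output (a seconds.fraction timestamp marking each call's completion); the sample trace, pid and descriptor numbers are constructed.

```python
import re

# Assumed shape of a `truss -d` line: optional "pid:" or "pid/lwp:" prefix,
# a seconds.fraction timestamp, then "syscall(args) = result".
LINE_RE = re.compile(
    r'^\s*(?:(?P<who>[\d/]+):\s+)?(?P<ts>\d+\.\d+)\s+'
    r'(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)'
)
# Calls whose first argument is the descriptor being read or written.
IO_CALLS = {"read", "write", "readv", "writev", "recv", "send"}

def find_stalls(lines, threshold=1.0):
    """Return (who, call, fd, gap_seconds) for each I/O call that completed
    at least `threshold` seconds after the previous traced call."""
    last_ts = {}   # per pid/LWP: completion time of the previous call
    stalls = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # header line, signal notices, anything unparsed
        who = m.group("who") or "-"
        ts = float(m.group("ts"))
        prev, last_ts[who] = last_ts.get(who), ts
        if prev is None or m.group("call") not in IO_CALLS:
            continue
        # Require "<digits>," so a hex pointer is never mistaken for an fd.
        fd = re.match(r'\s*(\d+)\s*,', m.group("args"))
        gap = ts - prev
        if fd and gap >= threshold:
            stalls.append((who, m.group("call"), int(fd.group(1)), round(gap, 4)))
    return stalls

# Constructed sample trace (not from the thread): fd 9 stands for the
# browser-facing socket, fd 12 for the connection to the backend.
SAMPLE = [
    r'Base time stamp:  1029650921.4312  [ constructed header line ]',
    r'4021:   0.0000 poll(0xFFBEF5A8, 1, -1)                    = 1',
    r'4021:   0.0004 accept(5, 0xFFBEF6B0, 0xFFBEF6AC, 1)       = 9',
    r'4021:   0.0011 read(9, "GET /report HTTP/1.1\r\n".., 4096) = 412',
    r'4021:   0.0019 write(12, "GET /report".., 420)            = 420',
    r'4021:  31.2207 read(12, "HTTP/1.1 200 OK\r\n".., 8192)    = 8192',
    r'4021:  31.2215 write(9, "HTTP/1.1 200 OK\r\n".., 8192)    = 8192',
    r'4021:  31.2220 read(12, 0x000F4A20, 8192)                 = 0',
]

if __name__ == "__main__":
    for who, call, fd, gap in find_stalls(SAMPLE):
        print(f"pid {who}: {call}() on fd {fd} completed after a {gap:.1f}s gap")
```

A long gap before a read() completes on one descriptor means the process spent that time waiting on that peer; `lsof -p <pid>`, the tool the original question asks about, maps the descriptor number to its socket and remote port.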

 
 
 


Post by Xah L » Sat, 24 Aug 2002 06:08:39


Is there any way at all to monitor _localhost_ network traffic on
Solaris at ALL? (snoop and tcpdump both skip localhost traffic on
Solaris 7 and 8)

snoop -d lo
gives
snoop: /dev/lo: No such file or directory

similar for tcpdump

snoop host localhost
sits there empty too; similar for tcpdump.
--

Thanks Juha for the suggestions.

We couldn't do the things you suggested, because this bug happens on
production and is only 50% reproducible with the one and only unique
account. (and it is through HTTPS, btw.)

I tried tcpdump on Solaris and apparently it doesn't capture localhost
traffic either.

Thanks.

 Xah

 http://xahlee.org/PageTwo_dir/more.html


 
 
 
