[dtrace-discuss] tcptop/tcpsnoop on Solaris 10

Gerhard Strangar g.s at arcor.de
Thu Jul 5 10:54:37 PDT 2007


Hi,

I did some experiments with dtrace and stumbled across DTraceToolkit,
where tcpsnoop and tcptop are my favourites. However, on
Solaris 10 with the latest patches they do not work on some architectures.
The most interesting part is that I get sensible output on Solaris 10
for Sparc running on a Fujitsu-Siemens PrimePower 850, but on a Sun Fire
V440 I just get nonsense. Both systems share the same install server and
patch sets and uname -a shows the same kernel version. On Solaris 10 for
x86 (i386, not x86_64) I get nonsense, too:

For example, if I telnet to the SSH daemon on port 22:
  UID    PID LADDR           LPORT DR RADDR           RPORT  SIZE CMD
 1001  24557 0.0.255.255        92 -> 0.0.255.255     49320    54 telnet
 1001  24557 0.0.255.255        92 <- 0.0.255.255     49320    66 telnet
 1001  24557 0.0.255.255        92 -> 0.0.255.255     49320    54 telnet
    0    273 0.0.255.255        92 <- 0.0.255.255     49320    54 sshd
    0    273 0.0.255.255        92 -> 0.0.255.255     49320    54 sshd
    0    273 0.0.255.255        92 <- 0.0.255.255     49320    54 sshd
 1001    498 0.0.255.255        95 -> 0.0.255.255     49320   879 Xvnc

UID and PID are correct, the IP addresses used are 192.168.0.92 for
telnet/ssh and 192.168.0.95 for Xvnc, and my subnet mask is 255.255.255.0.

Okay, the IPs are wrong, because the numbers in
(int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[12];
might have changed, but I wonder why the ports are wrong as well.

I don't know which patch it was caused by, but an old lsof (compiled on
Solaris 7) has the same problem - except on the PrimePower 850. Any
ideas why the port numbers are wrong and where to get the correct ones?

And on x86 I had a second problem:
> dtrace -Cs tcpsnoop.d
error: cpp: /dev/fd/4 No such file or directory
dtrace: failed to compile script tcpsnoop.d: Preprocessor failed to
process input program

Calling the preprocessor myself, I can see that __i386 is not defined.
Is that something in my installation or is that a bug on 32-bit x86?


Gerhard

-- 
 * Origin: Fido over IP (2:240/2188.575)

