How can I take packet captures on a NetWare server?

  • 7003517
  • 11-Jun-2009
  • 27-Apr-2012


Novell Volera Excelerator 2.3
Novell Volera Excelerator 2.2
Novell iChain 2.1
Novell iChain 2.2
Novell BorderManager 3.7
Novell NetWare 5.1
Novell NetWare 6.0
Novell NetWare 6.5


How can I take packet captures on a NetWare server?


Download and Install PKTSCAN.NLM.

Additional Information


This utility enables system administrators to capture Sniffer-compatible protocol traces. It can be very useful in troubleshooting network problems.  Packet Scan is provided as a convenience, and is not supported by Novell Technical Services.


a.  Create the following directory structure: SYS:RDB\OUTBOX
b.  Copy PKTSCAN.NLM to your SYS:SYSTEM directory
c.  At the server console, type
d.  Press F2 to start the trace
e.  Duplicate the process we want to capture
f.  Press F2 to stop the trace
g.  Press F4 to save the trace. Give the captured file a name(your incident number.CAP). Hit ENTER.
h.  Press ESC to exit.

Press F1 in PKTSCAN to see a list of shortcut keys.  Options include changing/editing  capture profiles, capturing on multiple interfaces, saving the capture, and require login.


Changes in version 1.02 (since 1.01)
1.  Fixed 'select profile' in the HTML interface to work properly.
2.  Fixed the 'You will need to restart PKTSCAN.NLM in order to increase the capture buffer size' message continue button in the HTML interface to go to the configuration screen instead of the main menu.
3.  Modified PKTSCAN's NORM (PORTAL) heading to be 'Packet Scanner' instead of 'PKTSCAN.NLM'.
4.  Fixed the processing of ESCAPE keys in the Select Capture LAN Adapters screen (and a few other places) to work properly on machines that don't generate the scancode value of 1.

Changes in version 1.01 (since 1.00)
1.  Fixed file system accesses (INI, save file) to use an allocated task.
2.  Fixed packet decode help (F1) to be accessed by the '1' key as well.
3.  Fixed the 'DeRegisterServiceMethod failed (FF)' warning received when PKTSCAN is unloaded.
4.  Fixed a timing bug that occurred while unloading PKTSCAN that would cause it to 'hang'.  The problem was that the code would potentially unget two ESCAPE keys between each console delay causing the console to just become delayed again and thus prevent the ExitProcedure from finishing.


The following notes are largely for the text console-based interface.  If HTTPSTK.NLM has been loaded, Packetscan will also be available from http://<ip_address>:8008/packetscan .  If PORTAL.NLM has been loaded, PKTSCAN.NLM will be available under the Server Management section.

1.  F1 toggles the help screen. Pressing *any* key will exit the help screen, even if that key is a function key (i.e. F2, F3, etc).

2.  PKTSCAN requires that its capture buffer be contiguous memory.  To ensure that PKTSCAN can properly allocate enough memory, PKTSCAN should be unloaded and reloaded when the capture buffer size is increased in a capture profile.   Otherwise, PKTSCAN may not be able to use the desired buffer size. 

Though typically not necessary, rebooting the server prior to running PKTSCAN will also ensure that most of memory is unfragmented, making it easier to allocate contiguous memory. 

NOTE:  When using PKTSCAN.NLM on Volera Excelerator, memory tuning leaves the the biggest workable capture buffer at about 32 MB.

3.  Though PKTSCAN can now capture on multiple interfaces, it is a good idea to ensure that the capture is being taken on the correct interface(s).  To verify that the capture runs on the correct interface(s), issue the "config" command from the NetWare server prompt, noting the node address (MAC address) and IP address of the interface(s) to be captured.  Alternately, if after pressing F2 no data is displayed, press F5 to select the adapter(s).

4.  In console mode, PKTSCAN.NLM saves capture files to the SYS:\RDB\OUTBOX directory.    Before running PKTSCAN.NLM make sure the folder SYS:\RDB\OUTBOX exists.  Verify that by loading TOOLBOX.NLM ("toolbox" at the command line) and then do a "DIR SYS:\RDB\OUTBOX".  If the folder doesn't exist, use the command "MKDIR SYS:\RDB\OUTBOX" to create it.

If the web interface to PKTSCAN is being used, capture files may be downloaded
by simply clicking the "Retrieve Packets" button.

5.  If Novell iChain or Volera Excelerator are being used, capture files may
also be downloaded via FTP using the MiniFTPserver.

NOTE1:  Depending on the version of Excelerator being used, SYS:\RDB\OUTBOX may not be accessible via FTP.  IT may be necessary to copy the files to SYS:\ETC\PROXY\DATA, or to SYS:\ETC\PROXY\APPLIANCE\CONFIG\USER, the default MiniFTPserver directory.

NOTE2:  Unloading PKTSCAN.NLM via "unload pktscan" may not always work.  PKTSCAN.NLM should be unloaded by exiting the utility via the ESC key.

PKTSCAN.NLM v1.00 FAQ (Frequently Asked Questions):

PKTSCAN.NLM is a utility that allows a person to capture packets on a NetWare server.  It is similar to a packet analyzer, except that it does not put the LAN adapter(s) into promiscuous mode.  It will only capture the packets that naturally pass through a NetWare server's LAN adapters.  However, like a packet analyzer, PKTSCAN allows a person to capture and view network traffic.  PKTSCAN includes a limited level of packet decoding (DLC, IP, TCP, UDP, ARP and some HTTP).  To enable more advanced decoding, PKTSCAN will save a packet trace as a .CAP file so that the trace can be viewed by programs like SnifferPro and Ethereal.

Why was PKTSCAN.NLM written?
PKTSCAN was written to make our jobs easier.  The following difficulties were often encountered when needing a packet trace in order to debug a customer's problem:
  1)  The customer did not have or know how to operate a packet analyzer.
  2)  The customer had to get permission to place a packet analyzer inside the DMZ.
  3)  The customer did not have a hub or know how to configure the switch to perform port mirroring to facilitate packet tracing.  In the end, days to weeks were lost trying to get a packet trace.  So, in my frustration, I decided to write an NLM that could capture packets on a NetWare box and save them out as a .CAP file.  A few days later, the pre-alpha version of PKTSCAN was born.

How do I install and use PKTSCAN.NLM?
To use PKTSCAN simply copy the file to a NetWare server's system directory (SYS:SYSTEM) and load (type 'load pktscan' at the console). PKTSCAN will automatically configure itself to capture packets from all ETHERNET_II adapters (currently ETHERNET_II is the only media type supported).  When PKTSCAN loads, it will pop up the PKTSCAN current activity screen.  From here you can type F1 (or 1) to learn how to customize PKTSCAN.  Below is a quick overview of what you can do:
  F1 - Help
  F2 - Start or stop a packet trace.  You can also configure PKTSCAN to automatically begin tracing when it is loaded (see F7).
  F3 - View a packet trace.  Packets can be viewed in 3 modes - Summary decode, Full decode, and Raw decode.  Typing ENTER and ESCAPE will toggle between the different modes.
  F4 - Save a packet trace as a .CAP file.  PKTSCAN will save the .CAP file to SYS:RDB\OUTBOX\<filename>.  This makes it easy to retrieve the file using RDB.
  F5 - Select LAN Adapters.
  F6 - Configure/select capture profiles.  Profiles can be created to customize the following PKTSCAN options:
     1) Profile Name: The name to associate with a given profile.
     2) Size: The capture memory buffer size (Minimum 1 MB, Maximum 128 MB, default 8 MB).  When PKTSCAN loads, it if is unable to acquire the configured amount of memory, it will acquire as much memory as it can.
     3) State: Specify what PKTSCAN should do when the memory buffer is full; stop tracing or wrap the buffer (overwrite the oldest  packets).
     4) Slice: Specify how much of each packet should be saved in the trace.  The default 0, means save the entire packet.
     5) Filters: <under development>
  F7 - Configure general settings.  The following general PKTSCAN options can be customized:
     1) Ask before overwriting trace buffer.  When set to TRUE, PKTSCAN will warn you when a trace buffer is about to be discarded.
     2) Begin tracing when loaded.  When set to TRUE, PKTSCAN will begin capturing packets as soon as it loads.
     3) Expand DLC Header. When set to TRUE, full DLC headers will be displayed when viewing packets.
     4) Expand IP Header - When set to TRUE, full IP headers will be displayed when viewing packets.
     5) Expand TCP Header - When set to TRUE, full TCP headers will be displayed when viewing packets.
     6) Expand UDP Header - When set to TRUE, full UDP headers will be displayed when viewing packets.
     7) Expand ARP Header - When set to TRUE, full ARP headers will be displayed when viewing packets.
     8) Expand Raw Data - When set to TRUE, the raw data will be displayed when viewing packets (only applies to the HTML interface).
     9) Must Be Logged In - When set to TRUE, you must be logged in to access the HTML interface to PKTSCAN.
    10) Must Be Supervisor Or Console Operator - When set to TRUE, you must be connected as either the supervisor or the console operator to access the HTML interface to PKTSCAN.
    11) Must Use SSL - When set to TRUE, you must use a secure (SSL) connection to access the HTML interface to PKTSCAN.  Note: Earlier versions of HTTPSTK (like the ones on Excelerator boxes) do not consistently set the SSL bit when using SSL.  The result is that setting this option to TRUE will cause the box to only be accessible through  portal.  Please contact one of the HTTPSTK developers for an updated version that corrects this problem.

How do I access the HTML interface to PKTSCAN.NLM?
To use the HTML interface to PKTSCAN, you must have HTTPSTK.NLM loaded.  If HTTPSTK is not loaded, you can only access PKTSCAN through the console interface.  When HTTPSTK is loaded, you can access PKTSCAN's HTML interface by opening the following link:

    http://<YOUR NETWARE SERVER ADDRESS>:8008/PacketScan

To configure HTTPSTK to accept SSL connections, use the following load syntax:
    load httpstk /ssl /keyfile:"<key name>"
    example (Excelerator box): load httpstk /ssl /keyfile:"ICS_Key"
    example (NetWare box): load httpstk /ssl /keyfile:"SSL CertificateIP"
Note: The default SSL port used by HTTPSTK it 8009.

In addition, when PORTAL.NLM (NORM) is loaded, you can access the PKTSCAN HTML interface from PORTAL's main menu.

The PKTSCAN HTML interface provides all of the same options as the console interface.  In addition, you can configure the following HTML interface specific options:
    1) Active Refresh Rate:  How often the PKTSCAN activity screen is updated when packet capturing is in progress (active).
    2) InActive Refresh Rate:  How often the PKTSCAN activity screen is updated when packet capturing is not active.
    3) Summary Decode Lines per Page:  How many packets to display per page.

Where is PKTSCAN.NLM's configuration saved?
PKTSCAN saves the current configuration in: SYS:SYSTEM\PKTSCAN.INI.  Edit it at your own risk!

Formerly known as TID# 10088296