
12 essential Packetshaper commands
Packetshaper has a good GUI, but some things are just better done at the command line. Here are 12 Packetshaper commands to get you started.
First, gain access to the command line prompt. There are now three ways to access the Packetshaper command line:
- Remote Login Utility – Use any that works with your OS. You can use Telnet or SSH. You might like SecureCRT for Windows, OpenSSH for Unix or use Terminal on OS X.
- Console Connection – Use a null-modem cable to hook directly to the shaper. Start your terminal emulation program (like Hyperterm). Configure Hyperterm for 9600 bps, 8 data bits, 1 stop bit, no parity, hardware flow control. Power on the shaper and then enter your password.
- Browser Interface (believe it or not) – Type in the shaper’s IP address in the browser address field followed by /cli.htm. The Command Interpreter will appear. This has limitations. You can’t use interactive commands that require user input or confirmation. You shouldn’t issue a command before the previous command has finished processing. The shaper will explode. (Not really)
You can get a complete list of commands at PacketGuide. Here are some of the most useful:
- setup show – Useful if you suspect a misconfiguration.
- version verbose – Gives you the version, serial number, RAM, flash size, MAC addresses, keys, and loaded plugins.
- ping -s n – Use this to determine whether a particular host is reachable. s: continuous. n: limit the number of pings.
  ex: Packetshaper# ping -s 172.16.0.1 5 (5 ICMP echo requests are sent to 172.16.0.1)
- arp show – Helpful if PacketShaper is unable to reach services such as the gateway, DNS server, time server, etc. Device malfunctions, replacements, or rewiring may leave incorrect entries in the ARP table. Use the arp command to display or change entries to match real network conditions.
- net nic – Look for the TxErrors and RxErrors counters. If they increase each time you run the command, you should probably hard-code the NIC speed. That usually fixes it.
- host info -sf -n 20 – Displays the top 20 hosts with the most connections. This could be an indicator that someone is propagating a virus or worm. sf: sort hosts by new flows per minute. n 20: limit the list to 20 addresses.
- host show – Displays the top 20 bandwidth users sorted by their usage. sr: sort hosts by current rate. n 20: limit the list to 20 addresses.
  If you suspect an infected host on the network: host info -sp -n 20. This will display the top 20 hosts that have the most failed flows in the last minute. sp: sort on the failed connections column. n 20: limit the display to 20 hosts.
- traffic history find – Find what a particular user has been doing.
  ex: PacketShaper# tr hi find 172.17.22.100
- traffic flow -tupIa – Another look at what a user has been doing. t: show TCP flows. u: show UDP flows. p: show port numbers. I: show non-idle flows. a: show info for a specific address.
  If you see large amounts of unclassified traffic, such as when the default bucket has a high 1-minute average or rapidly increasing class hits, then try this: traffic flow -tupIxc. t: show TCP flows. u: show UDP flows. p: show port numbers. I: show non-idle flows. x: expand to show full class names. c: only show info for a specific class. This can also be used to find what type of traffic is currently active.
  Another good variation: traffic flow -to. t: show TCP traffic. o: overview. This gives you an overview of all TCP traffic.
  If you suspect a SYN attack: traffic flow -tiI will be helpful. You will see a ton of flows of unknown service type and very few connections that are fully established.
  If you suspect IP spoofing or a DDoS attack: traffic active will tell you how many flows are currently active, what type they are, and how old they are. If you see a huge number in a small amount of time (relative to your normal traffic, of course), your network may be under attack.
- traffic history recent [class] – This lets you find out which users are using an application.
  ex: Packetshaper# tr hi re inbound/http
- net pna – Show network statistics. This is a useful overview to monitor for large-scale errors or unusual network conditions.
- sys limits – Make sure you aren't maxing out your available traffic classes or matching rules for your unit.
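The traffic active advice above only works if you know what "normal" looks like for your link. As an added example (not from the original article and not PacketShaper tooling), this Python script compares active-flow counts that you have noted from traffic active at regular intervals against a rolling baseline. The sample counts, the function names and the median + 5×MAD threshold are assumptions chosen for illustration.

```python
from statistics import median

# Constructed sample: (time, active flow count) noted once a minute from
# "traffic active". These are not real PacketShaper readings.
SAMPLES = [
    ("10:00", 1180), ("10:01", 1225), ("10:02", 1190), ("10:03", 1240),
    ("10:04", 1210), ("10:05", 1200), ("10:06", 1260), ("10:07", 9800),
    ("10:08", 11250), ("10:09", 1230),
]

def mad_threshold(baseline, k=5.0):
    """Flow count above which a sample is treated as abnormal.

    Uses median + k * MAD (median absolute deviation), so one or two old
    spikes in the baseline do not drag the limit up the way a mean would.
    """
    if len(baseline) < 5:
        raise ValueError("need at least 5 baseline samples")
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    # A perfectly flat baseline has MAD 0; fall back to 10% of the median
    # so that ordinary jitter is not flagged.
    spread = mad if mad > 0 else max(1.0, 0.1 * med)
    return med + k * spread

def flag_surges(samples, window=6, k=5.0):
    """Return (time, count, limit) for every sample above its rolling limit."""
    baseline, flagged = [], []
    for label, count in samples:
        if len(baseline) >= window:
            limit = mad_threshold(baseline[-window:], k)
            if count > limit:
                flagged.append((label, count, limit))
                continue  # keep surge samples out of the baseline
        baseline.append(count)
    return flagged

if __name__ == "__main__":
    for label, count, limit in flag_surges(SAMPLES):
        print(f"{label}: {count} active flows exceeds limit {limit:.0f}; "
              "check traffic flow -tiI and host info -sp -n 20")
```

Surge samples are deliberately kept out of the baseline so that a sustained flood does not become the new "normal" while it is still in progress.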