How to use Netconsole

From Linux - Help
Jump to navigation Jump to search

How to use Netconsole

On the server you want to monitor the parameters are as followed:

 netconsole=[src-port]@[src-ip]/[dev],[tgt-port]@<tgt-ip>/[tgt-macaddr] (string)
 |6666               =>  server free source port |
 |       =>  server source IP        |
 |eth1               =>  server source intf      |
 |30000              =>  Target PC listening port|
 |       =>  Target PC IP adres      |
 |50:7B:9D:AF:20:0A  =>  Target PC intf MAC      |

Make sure netconsole isn't already running!

 lsmod |grep netconsole 

if it is:

 modprobe -r netconsole 

or (although it is not recommended)

 rmmod netconsole && dmesg |tail
 [0.000000] netconsole: local port 6666
 [0.000000] netconsole: local IP
 [0.000000] netconsole: interface 'eth1'
 [0.000000] netconsole: remote port 30000
 [0.000000] netconsole: remote IP
 [0.000000] netconsole: remote ethernet address 50:7b:9d:af:20:0a
 [0.000000] console [netcon0] enabled
 [0.000000] netconsole: network logging started
# modprobe netconsole netconsole="6666@,30000@"
  • Tcpdump on the netconsole machine will not work, netconsole also runs in kernel-space before iptables!
  • When using netconsole over internet:
  1. use the default gateway MAC-address of the server box as the target MAC (e.g. The Belgacom or Telenet modem - arptable)
  2. use port forwarding to point the connection from our server box to your machine, note that it is UDP traffic

To find the MAC address of the modem (here as example if the IP is not NATed):

  |ifconfig IE_Device             =>  server Internet Device              |
  |ipcalc -n  =>  server ISP IP en subnet             |
  |ping GATEWAY_IP                =>  ex.:                    |
  |arp -a | grep  =>  To find the MAC addres of the MODEM |

Target Device


sudo tcpdump -nli eth0 udp and port 30000 -s0 -w servername.pcap


On your local/target machine start listen for a connection with netcat: Depending on GNU-netcat or BSD-netcat:


netcat -l -u -p 30000 | tee servername.log


netcat -l -u 30000 | tee servername.log


Reminder: TCPduump on the netconsole machine will not work! To test if it works, on the server box type:

echo h > /proc/sysrq-trigger

You should receive a Help message from the server box, something like:

SysRq : HELP : loglevel(0-9) reBoot Crash terminate-all-tasks(E) memory-full-oom-kill(F) kill-all-tasks(I) thaw-filesystems(J)
 saK show-backtrace-all-active-cpus(L) show-memory-usage(M) nice-all-RT-tasks(N) powerOff show-registers(P)
 show-all-timers(Q) unRaw Sync show-task-states(T) Unmount show-blocked-tasks(W)

Using dmesg you can change your output levels (on the server box): dmesg -n #

The priority value is calculated using the following formula:
Priority = Facility * 8 + Level

The list of severity Levels:

0       Emergency: system is unusable
1       Alert: action must be taken immediately
2       Critical: critical conditions
3       Error: error conditions
4       Warning: warning conditions
5       Notice: normal but significant condition
6       Informational: informational messages
7       Debug: debug-level messages