
1. setup show – Useful if you suspect a misconfiguration.

2. version verbose – Gives you the version, serial number, RAM, flash size, MAC addresses,
keys, and loaded plugins.
3. ping -s n – Use this to determine whether a particular host is reachable. s: continuous;
n: limit the number of pings.

ex: Packetshaper# ping -s 172.16.0.1 5 (5 ICMP echo requests are sent to 172.16.0.1)

4. arp show – Helpful if PacketShaper is unable to reach services such as the gateway, DNS
server, time server, etc. Device malfunctions, replacements, or rewiring may leave
incorrect entries in the ARP table. Use the arp command to display or change entries to
match real network conditions.
5. net nic – Look for the TxErrors and Rx Errors. If they increase each time you run the
command, you should probably hard code the NIC speed. That usually fixes it.
6. host info -sf -n 20 – Displays the top 20 hosts with the most connections. This could be an
indicator that someone is propagating a virus or worm. sf: sort hosts by new flows per
minute; n 20: limit list to 20 addresses.
7. host show – Displays the top 20 bandwidth users sorted by their usage. sr: sort hosts by
current rate; n 20: limit list to 20 addresses.

If you suspect an infected host on the network: host info -sp -n 20. This will display the
top 20 hosts that have the most failed flows in the last minute. sp: sort on the failed
connections column; n 20: limit the display to 20 hosts.
8. traffic history find – Find what a particular user has been doing.
ex: PacketShaper# tr hi find 172.17.22.100
9. traffic flow -tupIa – Another look at what a user has been doing. t: show TCP flows;
u: show UDP flows; p: show port numbers; I: show non-idle flows; a: show info for a specific
address.

If you see large amounts of unclassified traffic, such as when the default bucket
has a high 1-minute average or rapidly increasing class hits, then try this: traffic flow -tupIxc.
t: show TCP flows; u: show UDP flows; p: show port numbers; I: show non-idle flows;
x: expand (show full class names); c: only show info for a specific class. This can also be used
to find what type of traffic is currently active.

Another good variation: traffic flow -to. t: show TCP traffic; o: overview. This gives you an
overview of all TCP traffic.

If you suspect a SYN attack: traffic flow -tiI will be helpful. You will see a ton of flows of
unknown service type and very few connections that are fully established.

If you suspect IP spoofing or a DDoS attack: traffic active will tell you how many flows are
currently active, what type they are, and how old they are. If you see a huge number in a small
amount of time (relative to your normal traffic, of course), your network may be under attack.
10. traffic history recent [class] – This lets you find out which users are using an application.
ex: Packetshaper# tr hi re inbound/http
11. net pna – Show network statistics. This is a useful overview to monitor for large-scale
errors or unusual network conditions.
12. sys limits – Make sure you aren’t maxing out your available traffic classes or matching
rules for your unit.
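
The two triage heuristics from items 7 and 9 (rank hosts by failed flows; treat many unknown-service flows with few established connections as a possible SYN attack), as an added Python example that is not part of the original page. The record layout, state names and thresholds are assumptions for illustration and do not reproduce PacketShaper output.

```python
from collections import Counter

# Constructed sample flows (source, service, state); NOT real PacketShaper output.
FLOWS = (
    [("192.0.2.%d" % i, "unknown", "half-open") for i in range(1, 41)]
    + [("192.0.2.200", "http", "established")] * 4
    + [("192.0.2.66", "unknown", "failed")] * 6
    + [("192.0.2.67", "smtp", "failed")] * 2
)


def top_failed_hosts(flows, n=20):
    """Rank sources by failed flows, like the 'sort on failed connections' view."""
    failed = Counter(src for src, _svc, state in flows if state == "failed")
    return failed.most_common(n)


def syn_flood_suspected(flows, min_flows=20, max_established=0.2, min_unknown=0.8):
    """True when most flows have an unknown service and few are established.

    Thresholds are illustrative assumptions; tune them against your own baseline.
    """
    total = len(flows)
    if total < min_flows:  # too few flows to judge either way
        return False
    established = sum(1 for _s, _svc, state in flows if state == "established")
    unknown = sum(1 for _s, svc, _st in flows if svc == "unknown")
    return established / total <= max_established and unknown / total >= min_unknown


if __name__ == "__main__":
    for host, count in top_failed_hosts(FLOWS, 5):
        print(f"{host:15} failed_flows={count}")
    print("possible SYN flood:", syn_flood_suspected(FLOWS))
```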
