Find it

Tuesday, July 14, 2009

INTERESTING STUFF ON IBM AIX

1. Do you know how PVID generated by AIX?

ANS: PVID is combination of the machine’s serial number (from the systems EPROMs) and the date the PVID was generated. This combination ensures the extremely low chance of PVIDs being duplicated.

2. How to change MTU (Maximum Transmission Unit) in AIX?

ANS: chdev -l en1 -a mtu= - by default MTU is always 1500 bytes.

3. RECOVERING REMOVED FILES AND DIRECTORIES IN A FILESYSTEM

ANS: I tried this however because of poor maths I failed to do it... Little bit maths requires here as we have to somewhere get binary to hex or hex to binary to decimal numbers.

If a file is Deleted from the system, the filesytem blocks composing that file still exist, but are no longer allocated. As long as no newfiles are created or existing files extended within the same filesystem, the blocks will remain untouched. It is possible to reallocate the blocks to the previous file using the "fsdb" command (filesystem debugger).
MAKE A BACKUP OF THE ENTIRE FILESYSTEM BEFORE PERFORMING THESE STEPS!!! ELSE ( BANG !!!!! ).
Steps to recover a deleted file-------------------------------
1) "ls -id {dir}" (where dir is directory where file resided) Record INODE number for next step.
2) Unmount the filesystem.
3) "fsdb /{Mountpoint}" or "fsdb /dev/{LVname}" (where Mountpoint is the filesystem mount point, and LVname is the logical volume name of the filesystem)
4) "{INODE}i" (where INODE is the inode number recorded in step 1) This will display the inode information for the directory. The field a0 contains the block number of the directory. The following steps assume only field a0 is used. If a value appears in a1, etc, it may be necessary to repeat steps #5 and #6 for each block until the file to be recovered is found.
5) "a0b" (moves to block pointed to by field "a0" of this inode)
6) "p128c" (prints 128 bytes of directory in character format) Look for missing filename. If not seen, repeat this step until filename is found. Record address where filename begins. Also record address where PRIOR filename begins. If filename does not appear, return to step #5, and selecting a1b, a2b, etc.
Note that the address of the first field is shown to the far left. Increment the address by one for each position to the right, counting in octal.
7) "a0b" (moves to block pointed to by field "a0" of this inode) If the filename was found in block 1, use a1b instead, etc.
8) "p128e" (prints first 128 bytes in decimal word format) Find the address of the file to recover (as recorded in step 6) in the far left column. If address is not shown, repeat until found.
9) Record the address of the file which appeared immediately PRIOR to the file you want to recover.
10) Find the ADDRESS of the record LENGTH field for the file in step #9 assuming the following format:
{ADDRESS}: x x x x x x x x x x ... -------- filename ------ inode # --+----+ +-- filename length record LENGTH --+
Note that the inode number may begin at any position on the line. Note also that each number represents two bytes, so the address of the LENGTH field will be `{ADDRESS} + (#hops * 2) + 1'
11) Starting with the first word of the inode number, count in OCTAL until you reach the inode number of the file to be restored, assuming each word is 2 bytes.
12) "0{ADDRESS}B={BYTES}" (where ADDRESS is the address of the record LENGTH field found in step #10, and BYTES is the number of bytes [octal] counted in step #11)
13) If the value found in the LENGTH field in step #10 is greater than 255, also type the following:
"0{ADDRESS-1}B=0" (where ADDRESS-1 is one less than the ADDRESS recorded in step #10) This is necessary to clear out the first byte of the word.
14) "q" (quit fsdb)
15) "fsck {Mountpoint}" or "fsck /dev/{LVname}" This command will return errors for each recovered file asking if you wish to REMOVE the file. Answer "n" to all questions. For each file that is listed, record the associated INODE number.
16) "fsdb /{Mountpoint}" or "fsdb /dev/{LVname}"
17) {BLOCK}i.ln=1 (where BLOCK is the block number recoded in step #15) This will change the link count for the inode associated with the recovered file. Repeat this step for each file listed in step #15.
18) "q" (quit fsdb)
19) "fsck {Mountpoint}" or "fsck /dev/{LVname}" The REMOVE prompts should no longer appear. Answer "y" to all questions pertaining to fixing the block map, inode map, and/or superblock.


If someone get success upon this procedure please do let me know - As all of us how difficult it is to recover deleted files on UNIX!!!

No comments:

Post a Comment