The syntax of the snoop command with the most commonly used options is:
# /usr/sbin/snoop -qr -d [device] -o [filename] -s 300
-q --> do not display the packet count while capturing packets into a file (improves capture performance)
-r --> do not resolve IP addresses to hostnames (prevents snoop from generating DNS traffic of its own while it captures)
-d device --> the interface to capture on
-o filename --> save the captured packets to the file instead of printing them on the terminal
-s num --> truncate each packet after num bytes (the snap length). 300 bytes keeps the Ethernet, IP and TCP/UDP headers plus the start of the payload; anything beyond it is not in the file, so it cannot be shown later with -x
Example 1 :
To capture packets on interface ce0 and save them to the file ce0_snoop.out, use:
# /usr/sbin/snoop -qr -d ce0 -o ce0_snoop.out -s 300
Example 2 : Verify that the file is generated by snoop command
To confirm that a file was written by snoop (the check looks at the 8-byte "snoop" signature and the version number in the file header):
# file snoop.out
snoop.out: Snoop capture file - version 2
Example 3 : Read from a snoop file
To read packets back from a previously saved snoop file:
# snoop -i [filename]
Example 4 : Snoop on a specific port
To capture only the traffic on a specific port (here 8080):
# /usr/sbin/snoop -qr -d ce0 -o ce0_snoop.out -s 300 port 8080
Example 5 : Snoop on a specific IP
To capture only the traffic to or from a specific IP (192.168.1.20):
# /usr/sbin/snoop -qr -d ce0 -o ce0_snoop.out -s 300 192.168.1.20
A bare address matches packets that have that IP as either source or destination. You can also give a comma separated list of IPs; in a snoop filter expression a comma is equivalent to "or", so the capture then contains the traffic to or from any of them.
Example 6 : To snoop between 2 IPs
To see only the traffic between two IPs in a saved capture file:
# snoop -i [filename] [IP-address1] [IP-address2]
Example 7 : Snoop for a specific protocol
To capture only one or more specific protocols, for example ICMP and ARP:
# /usr/sbin/snoop -qr -d ce0 -o ce0_snoop.out icmp,arp
This particular filter is the one to use when troubleshooting IPMP. IPMP has no protocol of its own: its probes are ICMP echo requests and replies, and an address failover is announced with ARP, so an icmp,arp capture shows exactly the packets IPMP exchanges.
Example 8 : Check time when the snoop was taken
To check the wall-clock time at which packets 9 to 13 were captured, use -ta (absolute timestamps) together with -p (packet range):
# snoop -i snoop.out -ta -p9,13
Loading name file snoop.out.names
  9   18:10:54.71861 webcache -> mizue HTTP (proxy) R port=41579
 10   18:10:55.03142 webcache -> mizue HTTP HTTP/1.1 200 OK
 11   18:10:55.03168 mizue -> webcache HTTP (proxy) C port=41579
 12   18:10:56.37426 webcache -> mizue HTTP (body)
 13   18:10:56.47427 mizue -> webcache HTTP (proxy) C port=41579
Without -t the time column is the delta from the previous packet; -tr gives the time relative to the first packet displayed.
Example 9 : How to check total time taken for FTP data transfer
Use -tr (time relative to the first packet displayed) with port 20 as the filter; the time column of the last FTP-DATA packet is then the total time taken by the FTP data transfer:
# snoop -i ftp.snoop -tr port 20 | tail -1
1393   1.52899 129.158.x.x -> 129.158.x.x FTP-DATA C port=32841
==> 1.52899 sec
Port 20 is the data connection of an active-mode FTP transfer. A passive-mode transfer uses an ephemeral port negotiated on the control connection, so filter on that port instead.
Example 10 : To see the contents of a packet
To see the contents of a specific packet (here packet number 4) as a hex and ASCII dump, use -x with an offset of 0, which dumps the packet from its first byte. Only the bytes kept by -s at capture time are available.
# snoop -i snoop.out -p4 -x0
  4   0.00377 HostA -> HostB HTTP GET http://patchpro.sun.com/expert/pprodetectors.jar HTTP/1.1

           0: 0008 a4d2 5e40 0800 20a0 166a 0800 4500    ....^@.. ..j..E.
          16: 00f9 dc05 4000 4006 b0be 0a0e 025f 819e    ....@.@......_..
          32: 1f30 8063 1f90 12ed 2f71 0a9d 493a 5018    .0.c..../q..I:P.
          48: c1e8 d859 0000 4745 5420 6874 7470 3a2f    ...Y..GET http:/
          64: 2f70 6174 6368 7072 6f2e 7375 6e2e 636f    /patchpro.sun.co
          80: 6d2f 6578 7065 7274 2f70 7072 6f64 6574    m/expert/pprodet
          96: 6563 746f 7273 2e6a 6172 2048 5454 502f    ectors.jar HTTP/
         112: 312e 310d 0a55 7365 722d 4167 656e 743a    1.1..User-Agent:
         128: 204a 6176 612f 312e 342e 315f 3031 610d     Java/1.4.1_01a.
         144: 0a48 6f73 743a 2070 6174 6368 7072 6f2e    .Host: patchpro.
         160: 7375 6e2e 636f 6d0d 0a41 6363 6570 743a    sun.com..Accept:
         176: 2074 6578 742f 6874 6d6c 2c20 696d 6167     text/html, imag
         192: 652f 6769 662c 2069 6d61 6765 2f6a 7065    e/gif, image/jpe
         208: 672c 202a 3b20 713d 2e32 2c20 2a2f 2a3b    g, *; q=.2, */*;
         224: 2071 3d2e 320d 0a50 726f 7879 2d43 6f6e     q=.2..Proxy-Con
         240: 6e65 6374 696f 6e3a 206b 6565 702d 616c    nection: keep-al
         256: 6976 650d 0a0d 0a                          ive....
The first 14 bytes are the Ethernet header (destination MAC, source MAC, type 0800 = IP), the IP header starts at offset 14 and the TCP header at offset 34; the 1f90 at offset 36 is the destination port 8080, and the HTTP request begins at offset 54.
Example 11 : Snoop to troubleshoot Jumpstart
snoop is also useful for troubleshooting JumpStart installations. A JumpStart client has no IP address until it obtains one during the boot, so filter on the client's MAC address instead:
# snoop -i [filename] xx:xx:xx:xx:xx:xx
Example 12 : To check whether snoop dropped packets
snoop itself can drop packets, typically on busy gigabit links where the capture cannot keep up with the traffic. The -D flag adds the cumulative drop counter recorded with each packet to the summary line:
# snoop -i snoop.out -D | grep TCP
Loading name file snoop.out
7865   0.00000 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714484080 Len=1460 Win=16060
7866   0.00012 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714485540 Len=1460 Win=16060
7867   0.00013 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714487000 Len=1460 Win=16060
7868   0.00015 bbb -> aaa drops: 0 TCP D=20 S=35215 Ack=3714484080 Seq=2442259384 Len=0 Win=33580
7869   0.00049 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714488460 Len=1460 Win=16060
7870   0.01848 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714551240 Len=1460 Win=16060
7871   0.00011 aaa -> bbb drops: 47 TCP D=35215 S=20 Ack=2442259384 Seq=3714552700 Len=1460 Win=16060
7872   0.00013 aaa -> bbb drops: 47 TCP D=35215 S=20 Ack=2442259384 Seq=3714554160 Len=1460 Win=16060
7873   0.00011 aaa -> bbb drops: 47 TCP D=35215 S=20 Ack=2442259384 Seq=3714555620 Len=1460 Win=16060
7874   0.00012 aaa -> bbb drops: 47 TCP D=35215 S=20 Ack=2442259384 Seq=3714557080 Len=1460 Win=16060
7875   0.00007 bbb -> aaa drops: 47 TCP D=20 S=35215 Ack=3714554160 Seq=2442259384 Len=0 Win=33580
The counter is cumulative, so the jump from 0 to 47 at packet 7871 marks the point at which 47 packets were lost. The sequence number gap between packets 7869 and 7870 (62780 bytes, i.e. 43 full-size segments) is the data that was never captured; the counter covers every dropped packet, not only the TCP segments that grep lets through, so the two numbers need not agree exactly. Capturing with -q, -r and a small -s, as in the syntax above, reduces the load on snoop and therefore the risk of drops.
Example 13 : Extract specific packets from a snoop file to another snoop file
When -i and -o are used together, snoop reads from one capture file and writes the packets that match the filter to a new capture file. Here only the telnet (port 23) traffic is extracted:
# snoop -i snoop.out -o snoop.telnet.out port 23
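The checks behind Examples 2, 8, 9, 12 and 13 can be reproduced without snoop by reading the capture file format directly. The following Python script is an added example, not code from the original page or from Solaris: it parses the RFC 1761 snoop file header and packet records (the same 8-byte "snoop" signature and version number that file reports), presents timestamps the way -t does, finds the points where the cumulative drops counter shown by -D increased, and writes a filtered subset to a new snoop file in the manner of -i with -o. The three-packet capture it operates on is constructed in the script and is not a real trace; the record field names and function names are this script's own.

```python
"""Reader/writer for the snoop capture file format (RFC 1761). Added example,
not code from the original page or from Solaris."""
import struct

MAGIC = b"snoop\x00\x00\x00"          # 8-byte signature that `file` recognises
SNOOP_VERSION = 2                      # "Snoop capture file - version 2"
DL_ETHERNET = 4                        # RFC 1761 datalink type code for Ethernet
FILE_HDR = struct.Struct(">8sII")      # magic, version, datalink type
REC_HDR = struct.Struct(">IIIIII")     # orig_len, incl_len, rec_len, cumulative drops, sec, usec


def parse_snoop(data):
    """Validate the file header and return (datalink, records); each record is a dict
    of the RFC 1761 fields plus the captured bytes. A partial final record, as left
    behind when snoop is killed mid-write, ends the parse instead of raising."""
    if len(data) < FILE_HDR.size:
        raise ValueError("too short to be a snoop capture file")
    magic, version, datalink = FILE_HDR.unpack_from(data, 0)
    if magic != MAGIC:
        raise ValueError("not a snoop capture file (bad magic)")
    if version != SNOOP_VERSION:
        raise ValueError("unsupported snoop file version %d" % version)
    records, off = [], FILE_HDR.size
    while off + REC_HDR.size <= len(data):
        orig_len, incl_len, rec_len, drops, sec, usec = REC_HDR.unpack_from(data, off)
        if rec_len < REC_HDR.size + incl_len:
            raise ValueError("corrupt record header at offset %d" % off)
        if off + rec_len > len(data):
            break                                    # partial record: capture was interrupted
        start = off + REC_HDR.size
        records.append({"orig_len": orig_len, "incl_len": incl_len, "drops": drops,
                        "sec": sec, "usec": usec, "data": data[start:start + incl_len]})
        off += rec_len
    return datalink, records


def write_snoop(datalink, records):
    """Serialise records; each record is padded to a 4-byte boundary as snoop does."""
    out = bytearray(FILE_HDR.pack(MAGIC, SNOOP_VERSION, datalink))
    for r in records:
        pad = (-r["incl_len"]) % 4
        out += REC_HDR.pack(r["orig_len"], r["incl_len"], REC_HDR.size + r["incl_len"] + pad,
                            r["drops"], r["sec"], r["usec"])
        out += r["data"] + b"\x00" * pad
    return bytes(out)


def timestamps(records, mode="d"):
    """Time column in microseconds as `snoop -t` presents it: 'd' delta from the
    previous packet (the default), 'r' relative to the first packet, 'a' absolute."""
    if not records:
        return []
    times = [r["sec"] * 1_000_000 + r["usec"] for r in records]
    if mode == "a":
        return times
    if mode == "r":
        return [t - times[0] for t in times]
    return [0] + [b - a for a, b in zip(times, times[1:])]


def drop_events(records):
    """(packet number, packets lost just before it) wherever the cumulative drops
    counter that `snoop -D` prints increased."""
    events, prev = [], 0
    for n, r in enumerate(records, 1):
        if r["drops"] > prev:
            events.append((n, r["drops"] - prev))
        prev = r["drops"]
    return events


def extract(data, keep):
    """Like `snoop -i in -o out <filter>`: the records for which keep(n, record) is
    true go into a new, self-contained snoop file."""
    datalink, records = parse_snoop(data)
    return write_snoop(datalink, [r for n, r in enumerate(records, 1) if keep(n, r)])


def sample_capture():
    """Constructed three-packet capture (not a real trace): packet 2 was truncated by
    `-s 300`, and 47 packets were dropped between packets 2 and 3."""
    spec = [(60, 60, 0, 0), (1514, 300, 0, 120), (64, 64, 47, 18840)]  # orig, incl, drops, +usec
    recs = [{"orig_len": o, "incl_len": i, "drops": d, "sec": 1700000000, "usec": 718610 + u,
             "data": bytes([n]) * i}
            for n, (o, i, d, u) in enumerate(spec, 1)]
    return write_snoop(DL_ETHERNET, recs)


if __name__ == "__main__":
    datalink, recs = parse_snoop(sample_capture())
    print("datalink", datalink, "packets", len(recs), "delta us", timestamps(recs))
    print("drop events", drop_events(recs))
    untruncated = extract(sample_capture(), lambda n, r: r["incl_len"] == r["orig_len"])
    print("extracted", len(parse_snoop(untruncated)[1]), "packets")
```

The incl_len/orig_len pair is how a capture taken with -s 300 betrays itself: any record whose included length is shorter than its original length was cut by the snap length, and a -x dump of it stops there.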
Example 14 : To see protocol information
Use -V (one summary line per protocol layer) or -v (a full decode of every header field) to see the protocol information for a packet:
# snoop -i nfs.snoop -p23 -V
Loading name file nfs.snoop.names
________________________________
 23   0.00000 HostA -> HostB ETHER Type=0800 (IP), size = 206 bytes
 23   0.00000 HostA -> HostB IP D=192.168.x.x S=192.168.55.106 LEN=192, ID=45661, TOS=0x0, TTL=64
 23   0.00000 HostA -> HostB TCP D=2049 S=698 Push Ack=390460868 Seq=222184947 Len=152 Win=24820
 23   0.00000 HostA -> HostB RPC C XID=1096378150 PROG=100003 (NFS) VERS=3 PROC=19
 23   0.00000 HostA -> HostB NFS C FSINFO3 FH=0222
# snoop -i nfs.snoop -p23 -v
Loading name file nfs.snoop.names
ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 23 arrived at 23:35:7.36
ETHER:  Packet size = 206 bytes
ETHER:  Destination = 0:0:c:7:ac:27, Cisco
ETHER:  Source      = 8:0:20:b5:fa:8, Sun
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:         .... ..0. = not ECN capable transport
IP:         .... ...0 = no ECN congestion experienced
IP:   Total length = 192 bytes
IP:   Identification = 45661
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 64 seconds/hops
IP:   Protocol = 6 (TCP)
IP:   Header checksum = 2175
IP:   Source address = 192.168.x.x, HostA
IP:   Destination address = 192.168.x.x, HostB
IP:   No options
IP:
[output truncated for brevity]
Example 15 : Check a specific ping packet
Both the ICMP Echo request and the Echo reply carry an identifier field (the "ID" snoop prints), and a request and its reply share the same ID, so a single ping exchange can be isolated by filtering on it. icmp[4:2] selects the two bytes at offset 4 of the ICMP header, which is where the identifier sits (type, code and checksum occupy bytes 0 to 3):
# snoop -i snoop.out "icmp[4:2] = 16005"
172   0.66838 10.20.220.120 -> 10.20.220.121 ICMP Echo request (ID: 16005 Sequence number: 0)
173   0.00021 10.20.220.121 -> 10.20.220.120 ICMP Echo reply (ID: 16005 Sequence number: 0)
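snoop's packet field selectors take the form base[offset:size] relop value, where base names a layer such as ether, ip, tcp, udp or icmp. The Python script below is an added example, not code from the original page or from snoop, that evaluates such expressions over raw Ethernet frames: it locates each layer from the Ethernet type and the IP header length, so that icmp[4:2] = 16005 picks out the echo identifier exactly as above, and the same machinery answers tcp[2:2] = 8080 for the -x0 dump of Example 10, which is embedded as HTTP_FRAME. The ICMP echo frames are constructed in the script (the IP addresses are those of Example 15, the MAC addresses those of Example 14); the select, field and inet_checksum function names are this script's own.

```python
"""snoop-style packet field selectors (base[offset:size] relop value) evaluated
over raw Ethernet frames. Added example, not code from the original page or
from snoop."""
import operator
import re
import struct

# The -x0 dump of packet 4 from Example 10, copied from the page (263 bytes).
HTTP_FRAME = bytes.fromhex(
    "0008 a4d2 5e40 0800 20a0 166a 0800 4500"   # dst MAC, src MAC, type 0800, IP v4 IHL 5
    "00f9 dc05 4000 4006 b0be 0a0e 025f 819e"   # IP total length 249, TTL 64, proto 6
    "1f30 8063 1f90 12ed 2f71 0a9d 493a 5018"   # TCP sport 32867, dport 8080 (1f90)
    "c1e8 d859 0000 4745 5420 6874 7470 3a2f"   # payload at byte 54: "GET http:/"
    "2f70 6174 6368 7072 6f2e 7375 6e2e 636f"
    "6d2f 6578 7065 7274 2f70 7072 6f64 6574"
    "6563 746f 7273 2e6a 6172 2048 5454 502f"
    "312e 310d 0a55 7365 722d 4167 656e 743a"
    "204a 6176 612f 312e 342e 315f 3031 610d"
    "0a48 6f73 743a 2070 6174 6368 7072 6f2e"
    "7375 6e2e 636f 6d0d 0a41 6363 6570 743a"
    "2074 6578 742f 6874 6d6c 2c20 696d 6167"
    "652f 6769 662c 2069 6d61 6765 2f6a 7065"
    "672c 202a 3b20 713d 2e32 2c20 2a2f 2a3b"
    "2071 3d2e 320d 0a50 726f 7879 2d43 6f6e"
    "6e65 6374 696f 6e3a 206b 6565 702d 616c"
    "6976 650d 0a0d 0a")

ETHERTYPE_IP = 0x0800
IP_PROTOS = {1: "icmp", 6: "tcp", 17: "udp"}
RELOPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt,
          "<=": operator.le, ">=": operator.ge}
SELECTOR = re.compile(r"^\s*(ether|ip|tcp|udp|icmp)\[(\d+)(?::(\d+))?\]\s*"
                      r"(!=|<=|>=|=|<|>)\s*(0x[0-9a-fA-F]+|\d+)\s*$")


def layer_offsets(frame):
    """Byte offset of each layer present in an Ethernet/IPv4 frame."""
    layers = {"ether": 0}
    if len(frame) < 34 or struct.unpack_from(">H", frame, 12)[0] != ETHERTYPE_IP:
        return layers                            # ARP etc.: only ether[...] applies
    layers["ip"] = 14
    ihl = (frame[14] & 0x0F) * 4                 # IP options shift the transport header
    proto = IP_PROTOS.get(frame[14 + 9])
    if proto:
        layers[proto] = 14 + ihl
    return layers


def field(frame, base, offset, size=1):
    """base[offset:size] as an unsigned big-endian integer; None when the layer is
    absent or the bytes lie beyond what was captured (e.g. cut off by -s)."""
    start = layer_offsets(frame).get(base)
    if start is None or size < 1 or start + offset + size > len(frame):
        return None
    return int.from_bytes(frame[start + offset:start + offset + size], "big")


def select(frames, expr):
    """1-based numbers of the frames matching an expression such as 'icmp[4:2] = 16005'."""
    m = SELECTOR.match(expr)
    if not m:
        raise ValueError("unsupported expression: %r" % expr)
    base, off, size = m.group(1), int(m.group(2)), int(m.group(3) or 1)
    relop, value = RELOPS[m.group(4)], int(m.group(5), 0)
    hits = []
    for n, frame in enumerate(frames, 1):
        v = field(frame, base, off, size)
        if v is not None and relop(v, value):
            hits.append(n)
    return hits


def inet_checksum(data):
    """RFC 1071 one's-complement sum; 0 for a header whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo_frame(ident, seq, reply=False):
    """Constructed Ethernet/IPv4/ICMP echo frame between the hosts of Example 15."""
    src, dst = bytes([10, 20, 220, 120]), bytes([10, 20, 220, 121])
    if reply:
        src, dst = dst, src
    icmp = struct.pack(">BBHHH", 0 if reply else 8, 0, 0, ident, seq) + b"\x00" * 56
    icmp = icmp[:2] + struct.pack(">H", inet_checksum(icmp)) + icmp[4:]
    iph = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0x4000, 64, 1, 0, src, dst)
    iph = iph[:10] + struct.pack(">H", inet_checksum(iph)) + iph[12:]
    return b"\x00\x00\x0c\x07\xac\x27\x08\x00\x20\xb5\xfa\x08" + b"\x08\x00" + iph + icmp


FRAMES = [HTTP_FRAME, icmp_echo_frame(16005, 0), icmp_echo_frame(16005, 0, reply=True),
          icmp_echo_frame(16006, 0)]

if __name__ == "__main__":
    print(select(FRAMES, "icmp[4:2] = 16005"), select(FRAMES, "tcp[2:2] = 8080"))
```

The None return from field is the caveat worth remembering when filtering a file captured with -s: a selector that reaches past the snap length cannot match, so a packet is silently excluded rather than reported.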