The snoop command comes in very handy for monitoring network traffic when troubleshooting network-related issues such as packet drops or high latency. Snoop can display traffic in real time, or write the captured packets to a file for analysis later. It must be run as root (or with equivalent privilege), and a capture file contains the full payload of every packet it saw, including cleartext credentials and session data, so protect capture files with restrictive permissions and delete them when the investigation is done.

The syntax of snoop command with most commonly used options is :

# /usr/sbin/snoop -qr -d [device] -o [filename] -s 300
-q --> don't show the packet count while capturing to a file (improves capture performance)
-r --> do not resolve IP addresses to hostnames (prevents snoop from generating its own DNS traffic)
-d device --> interface to capture on
-o filename --> save the captured packets to the file instead of printing them
-s num --> truncate (snap) each packet after num bytes; 300 keeps the headers and the start of the payload while reducing disk use and the risk of snoop dropping packets


Example 1 :
To capture packets on interface ce0 and save them to the file ce0_snoop.out, use :

# /usr/sbin/snoop -qr -d ce0 -o ce0_snoop.out -s 300

Example 2 : Verify that a file was generated by snoop
To make sure that a file was generated by the snoop command (the file starts with the literal string "snoop" followed by the format version; version 2 is the one documented in RFC 1761) :

# file snoop.out
snoop.out: Snoop capture file - version 2

Example 3 : Read from a snoop file
To read from an already generated snoop file instead of a live interface :

# snoop -i [filename]

Example 4 : Snoop on a specific port
To capture only the traffic on a specific port (8080 here; the port filter matches either the source or the destination port, for both TCP and UDP) :

# /usr/sbin/snoop -qr -d ce0 -o ce0_snoop.out -s 300 port 8080

Example 5 : Snoop on a specific IP
To capture only the traffic to or from a specific IP address (192.168.1.20) :

# /usr/sbin/snoop -qr -d ce0 -o ce0_snoop.out -s 300 192.168.1.20

A bare address matches the packet in either direction (to or from). Several addresses can be combined in one filter with snoop's boolean operators (and, or, not) to capture the traffic of a set of hosts.

Example 6 : To snoop between 2 IPs
To see only the traffic exchanged between two IP addresses (two adjacent address expressions are combined with an implied "and") :

# snoop -i [filename] [IP-address1] [IP-address2]

Example 7 : Snoop for a specific protocol
To see only the traffic of specific protocols, for example ICMP and ARP (protocol keywords are combined with "or") :

# /usr/sbin/snoop -qr -d ce0 -o ce0_snoop.out icmp or arp

This filter is also the one to use when troubleshooting IPMP (IP multipathing), because IPMP probes its targets with ICMP and relies on ARP, so both protocols have to be inspected to see why a link was declared failed.

Example 8 : Check the time when packets were captured
The -t option selects the timestamp format: -ta prints the absolute wall-clock time, -tr the time relative to the first packet displayed and -td (the default) the delta from the previous packet. To check when packets 9 to 13 were taken, use :

# snoop -i snoop.out -ta -p9,13
Loading name file snoop.out.names
9  18:10:54.71861 webcache -> mizue HTTP (proxy) R port=41579
10 18:10:55.03142 webcache -> mizue HTTP HTTP/1.1 200 OK
11 18:10:55.03168 mizue -> webcache HTTP (proxy) C port=41579
12 18:10:56.37426 webcache -> mizue HTTP (body)
13 18:10:56.47427 mizue -> webcache HTTP (proxy) C port=41579

Example 9 : How to check the total time taken for an FTP data transfer
Use -tr (time relative to the first displayed packet) together with a port 20 filter; the timestamp of the last matching packet is then the total duration of the data transfer. Note that port 20 is the server's data port only in active-mode FTP; in passive mode the data connection uses an ephemeral port, so filter on that port (or on the two hosts) instead.

# snoop -i ftp.snoop -tr port 20 | tail -1
1393 1.3425 110.148.x.x -> 139.124.x.x FTP-DATA C port=29567

==> 1.3425 sec

Example 10 : To see the contents of a packet
To dump the contents of a specific packet (packet number 4) in hex and ASCII, use -x with an offset of 0 so the whole frame is shown. The dump below illustrates why capture files are sensitive: the full HTTP request, including the User-Agent and Host headers, is readable in cleartext :

# snoop -i snoop.out -p4 -x0

4 0.00377 HostA -> HostB HTTP GET http://patchpro.sun.com/expert/pprodetectors.jar HTTP/1.1

0: 0008 a4d2 5e40 0800 20a0 166a 0800 4500 ....^@.. ..j..E.
16: 00f9 dc05 4000 4006 b0be 0a0e 025f 819e ....@.@......_..
32: 1f30 8063 1f90 12ed 2f71 0a9d 493a 5018 .0.c..../q..I:P.
48: c1e8 d859 0000 4745 5420 6874 7470 3a2f ...Y..GET http:/
64: 2f70 6174 6368 7072 6f2e 7375 6e2e 636f /patchpro.sun.co
80: 6d2f 6578 7065 7274 2f70 7072 6f64 6574 m/expert/pprodet
96: 6563 746f 7273 2e6a 6172 2048 5454 502f ectors.jar HTTP/
112: 312e 310d 0a55 7365 722d 4167 656e 743a 1.1..User-Agent:
128: 204a 6176 612f 312e 342e 315f 3031 610d Java/1.4.1_01a.
144: 0a48 6f73 743a 2070 6174 6368 7072 6f2e .Host: patchpro.
160: 7375 6e2e 636f 6d0d 0a41 6363 6570 743a sun.com..Accept:
176: 2074 6578 742f 6874 6d6c 2c20 696d 6167 text/html, imag
192: 652f 6769 662c 2069 6d61 6765 2f6a 7065 e/gif, image/jpe
208: 672c 202a 3b20 713d 2e32 2c20 2a2f 2a3b g, *; q=.2, */*;
224: 2071 3d2e 320d 0a50 726f 7879 2d43 6f6e q=.2..Proxy-Con
240: 6e65 6374 696f 6e3a 206b 6565 702d 616c nection: keep-al
256: 6976 650d 0a0d 0a ive....

Example 11 : Snoop to troubleshoot Jumpstart
Snoop is very useful for troubleshooting Jumpstart installations. During the early boot stages (RARP/DHCP, then TFTP) the client has no IP address yet, so filter on the client's MAC address instead :

# snoop -i [filename] xx:xx:xx:xx:xx:xx

Example 12 : To check whether snoop dropped packets
Sometimes snoop itself drops packets (mostly on Gigabit links, when it cannot read from the interface fast enough). Each captured record carries the cumulative number of packets dropped so far; the -D flag prints that counter, so a jump in the "drops:" column marks a gap in the capture. In the output below 47 packets were lost between packets 7870 and 7871. Capturing with -q and -o and a small -s reduces the chance of drops.

# snoop -i snoop.out -D | grep TCP
Loading name file snoop.out
7865 0.00000 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714484080 Len=1460 Win=16060
7866 0.00012 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714485540 Len=1460 Win=16060
7867 0.00013 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714487000 Len=1460 Win=16060
7868 0.00015 bbb -> aaa drops: 0 TCP D=20 S=35215 Ack=3714484080 Seq=2442259384 Len=0 Win=33580
7869 0.00049 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714488460 Len=1460 Win=16060
7870 0.01848 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714551240 Len=1460 Win=16060
7871 0.00011 aaa -> bbb drops: 47 TCP D=35215 S=20 Ack=2442259384 Seq=3714552700 Len=1460 Win=16060
7872 0.00013 aaa -> bbb drops: 47 TCP D=35215 S=20 Ack=2442259384 Seq=3714554160 Len=1460 Win=16060
7873 0.00011 aaa -> bbb drops: 47 TCP D=35215 S=20 Ack=2442259384 Seq=3714555620 Len=1460 Win=16060
7874 0.00012 aaa -> bbb drops: 47 TCP D=35215 S=20 Ack=2442259384 Seq=3714557080 Len=1460 Win=16060
7875 0.00007 bbb -> aaa drops: 47 TCP D=20 S=35215 Ack=3714554160 Seq=2442259384 Len=0 Win=33580

Example 13 : Extract specific packets from a snoop file to another snoop file
If the -i and -o options are used together, snoop reads an existing capture file, applies the filter and writes only the matching packets to a new snoop file. Here the telnet traffic is extracted from snoop.out :

# snoop -i snoop.out -o snoop.telnet.out port 23

Example 14 : To see protocol information
Use the -V option for a one-line summary of each protocol layer in the packet, or -v for the full verbose decode of every header field.

# snoop -i nfs.snoop -p23 -V
Loading name file nfs.snoop.names
________________________________
23 0.00000 HostA -> HostB ETHER Type=0800 (IP), size = 206 bytes
23 0.00000 HostA -> HostB IP D=192.168.x.x S=192.168.55.106 LEN=192, ID=45661, TOS=0x0, TTL=64
23 0.00000 HostA -> HostB TCP D=2049 S=698 Push Ack=390460868 Seq=222184947 Len=152 Win=24820
23 0.00000 HostA -> HostB RPC C XID=1096378150 PROG=100003 (NFS) VERS=3 PROC=19
23 0.00000 HostA -> HostB NFS C FSINFO3 FH=0222
# snoop -i nfs.snoop -p23 -v
Loading name file nfs.snoop.names
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 23 arrived at 23:35:7.36
ETHER: Packet size = 206 bytes
ETHER: Destination = 0:0:c:7:ac:27, Cisco
ETHER: Source = 8:0:20:b5:fa:8, Sun
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = not ECN capable transport
IP: .... ...0 = no ECN congestion experienced
IP: Total length = 192 bytes
IP: Identification = 45661
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 64 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 2175
IP: Source address = 192.168.x.x, HostA
IP: Destination address = 192.168.x.x, HostB
IP: No options
IP:
[output truncated for brevity]

Example 15 : Check a specific ping packet
ICMP Echo request and Echo reply packets carry an identifier ("ID") that the reply copies from the request, so filtering on the ID isolates one ping session. Snoop can filter on raw header bytes with the syntax protocol[offset:length]; icmp[4:2] means the 2-byte field at byte offset 4 of the ICMP header, which is the identifier.

# snoop -i snoop.out "icmp[4:2] = 16005"
172 0.66838 10.20.220.120 -> 10.20.220.121 ICMP Echo request (ID: 16005 Sequence number: 0)
173 0.00021 10.20.220.121 -> 10.20.220.120 ICMP Echo reply (ID: 16005 Sequence number: 0)
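The following is an added example, not code from the original post. It is a small reader and writer for the snoop capture file format that Example 2 identifies (the "snoop" magic string and version 2, as documented in RFC 1761), and it reproduces on a constructed in-memory capture what Examples 9, 12, 13 and 15 do with snoop itself: -tr relative timestamps, the -D cumulative drop counter, extracting matching records into a new capture file, and a byte-offset filter of the icmp[4:2] = 16005 kind (here generalised to any transport header). All addresses, ports, timestamps and the ICMP ID in the sample capture are made up; no snoop binary is needed to run it.

```python
"""Reader/writer for the snoop(1M) capture file format (RFC 1761) plus a
byte-offset filter in the style of snoop's `icmp[4:2] = 16005`.
Added example, not from the original post; the capture is CONSTRUCTED in memory
(addresses, ports, times and the ICMP ID are made up)."""
import struct

SNOOP_MAGIC = b"snoop\x00\x00\x00"
DL_ETHERNET = 4                           # RFC 1761 datalink type for Ethernet
REC_HDR = struct.Struct(">IIIIII")        # orig_len incl_len rec_len cum_drops secs usecs
IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17}


def parse_snoop(data):
    """Return (datalink_type, records); checks magic, version and record lengths."""
    if data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop capture file")
    version, dlt = struct.unpack(">II", data[8:16])
    if version != 2:
        raise ValueError("unsupported snoop version %d" % version)
    recs, off = [], 16
    while off + REC_HDR.size <= len(data):
        orig, incl, rlen, drops, secs, usecs = REC_HDR.unpack_from(data, off)
        if rlen < REC_HDR.size + incl or off + rlen > len(data):
            raise ValueError("truncated record at offset %d" % off)
        start = off + REC_HDR.size
        recs.append({"no": len(recs) + 1, "orig_len": orig, "drops": drops,
                     "secs": secs, "usecs": usecs, "frame": data[start:start + incl]})
        off += rlen
    return dlt, recs


def write_snoop(records, dlt=DL_ETHERNET):
    """Serialise records back to a version-2 snoop file (records 4-byte aligned)."""
    out = bytearray(SNOOP_MAGIC + struct.pack(">II", 2, dlt))
    for r in records:
        frame, pad = r["frame"], (-len(r["frame"])) % 4
        out += REC_HDR.pack(r["orig_len"], len(frame), REC_HDR.size + len(frame) + pad,
                            r["drops"], r["secs"], r["usecs"])
        out += frame + b"\x00" * pad
    return bytes(out)


def l4_field(frame, proto, off, n):
    """snoop-style `proto[off:n]`: the n-byte big-endian integer at byte `off` of the
    named transport header in an Ethernet/IPv4 frame, or None when the frame is not
    that protocol or was cut short by `-s` before the field."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":     # not IPv4 over Ethernet
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != IP_PROTO[proto]:
        return None
    chunk = frame[14 + ihl + off: 14 + ihl + off + n]
    return int.from_bytes(chunk, "big") if len(chunk) == n else None


def tcp_port(frame, port):
    """Equivalent of the filter `port N` restricted to TCP (either direction)."""
    return port in (l4_field(frame, "tcp", 0, 2), l4_field(frame, "tcp", 2, 2))


def drop_report(records):
    """Record numbers where the cumulative drop counter (snoop -D) increased."""
    prev, hits = 0, []
    for r in records:
        if r["drops"] > prev:
            hits.append((r["no"], r["drops"] - prev))
        prev = r["drops"]
    return hits


def relative_times(records):
    """-tr style timestamps: seconds since the first record, exact to the microsecond."""
    s0, u0 = records[0]["secs"], records[0]["usecs"]
    return [((r["secs"] - s0) * 1000000 + r["usecs"] - u0) / 1e6 for r in records]


def extract(records, pred):
    """`snoop -i in -o out <filter>`: a new capture holding only matching records."""
    return write_snoop([r for r in records if pred(r["frame"])])


def _frame(proto, src, dst, l4):
    eth = bytes(5) + b"\x02" + bytes(5) + b"\x01" + b"\x08\x00"   # made-up MACs
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64,
                     proto, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return eth + ip + l4


def build_sample_capture():
    """CONSTRUCTED capture: two port-8080 segments, one ssh segment, one ping
    request with ID 16005, and a drop counter that jumps by 47 at record 4."""
    tcp = lambda sp, dp: struct.pack(">HHIIBBHHH", sp, dp, 1000, 2000, 0x50, 0x18, 8760, 0, 0)
    icmp_echo = struct.pack(">BBHHH", 8, 0, 0, 16005, 0)      # type 8, id 16005, seq 0
    frames = [_frame(6, "192.168.1.20", "192.168.1.1", tcp(41579, 8080)),
              _frame(6, "192.168.1.1", "192.168.1.20", tcp(8080, 41579)),
              _frame(6, "192.168.1.20", "192.168.1.1", tcp(41580, 22)),
              _frame(1, "192.168.1.20", "192.168.1.1", icmp_echo)]
    drops = [0, 0, 0, 47]
    times = [(1700000000, 0), (1700000000, 300), (1700000001, 0), (1700000001, 342500)]
    return write_snoop([{"orig_len": len(f), "drops": d, "secs": s, "usecs": u, "frame": f}
                        for f, d, (s, u) in zip(frames, drops, times)])


if __name__ == "__main__":
    dlt, recs = parse_snoop(build_sample_capture())
    print("datalink type", dlt, "records", len(recs))
    print("snoop drops:", drop_report(recs))
    print("-tr times:", relative_times(recs))
    print("port 8080 records:", len(parse_snoop(extract(recs, lambda f: tcp_port(f, 8080)))[1]))
    print("icmp[4:2] = 16005:", [r["no"] for r in recs if l4_field(r["frame"], "icmp", 4, 2) == 16005])
```

Two details matter in practice. The drop counter is cumulative per record, so a gap is found by comparing consecutive records, not by looking at a single value. And a field filter on a capture taken with a small -s must tolerate frames that were cut before the field; l4_field returns None in that case rather than matching garbage, which is also why the snap length should be chosen with the headers you intend to filter on in mind.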
