The syntax of snoop command with most commonly used options is :

# /usr/sbin/snoop -qr -d [device] -o [filename] -s 300
-q --> don't show packet count when capturing packets into file. (Improves the packet capturing performance)
-r --> Do not resolve IP to hostname (prevents snoop from generating its own traffic)
-d device --> Interface used to run the snoop command on
-o filename --> Save the captured packets in the file
-s num --> truncate each packet after num bytes

Example 1 :
To capture packets on interface ce0 and save it to a file ce0_snoop.out use :

# /usr/sbin/snoop -qr -d ce0 -o ce0_snoop.out -s 300

Example 2 : Verify that the file is generated by snoop command
To make sure that the file is generated by snoop command :

# file snoop.out
snoop.out: Snoop capture file - version 2

Example 3 : Read from a snoop file
To read from a already generated snoop file :

# snoop -i [filename]

Example 4 : Snoop on a specific port
To find the traffic details only on a specific port (8080) :

# /usr/sbin/snoop -qr -d ce0 -o ce0_snoop.out -s 300 port 8080

Example 5 : Snoop on a specific IP
To find the traffic details only on a specific IP (192.168.1.20) :

# /usr/sbin/snoop -qr -d ce0 -o ce0_snoop.out -s 300 192.168.1.1

Here, you can also give a comma separated lust of IPs to find traffic generated for those IPs (to or From).

Example 6 : To snoop between 2 IPs
To find the traffic details between to IPs :

# snoop -i [filename] [IP-address1] [IP-address2]

Example 7 : Snoop for a specific protocol
To find the traffic details only related to a specific protocol , for example ICMP, ARP :

# /usr/sbin/snoop -qr -d ce0 -o ce0_snoop.out icmp,arp

Here, it actually shows the packets for the IPMP protocol, as IPMP in turn uses the ICMP and ARP protocols for its functionality.

Example 8 : Check time when the snoop was taken
To check the time the packets 9 to 13 were take use :

# snoop -i snoop.out -ta -p9,13
Loading name file snoop.out.names
9  18:10:54.71861 webcache -> mizue HTTP (proxy) R port=41579
10 18:10:55.03142 webcache -> mizue HTTP HTTP/1.1 200 OK
11 18:10:55.03168 mizue -> webcache HTTP (proxy) C port=41579
12 18:10:56.37426 webcache -> mizue HTTP (body)
13 18:10:56.47427 mizue -> webcache HTTP (proxy) C port=41579

Example 9 : How to check total time taken for FTP data transfer
Use the -tr and port 20 as filter in the snoop command to find out the total time taken in the FTP data transfer.

# snoop -i ftp.snoop -tr port 20 | tail -1
1393 1.52899 129.158.x.x -> 129.158.x.x FTP-DATA C port=32841

==> 1.52899 sec

Example 10 : To see the contents of a packet
To see the contents of a specific packet (packet number 4) :

# snoop -i snoop.out -p4 -x0

4 0.00377 HostA -> HostB HTTP GET http://patchpro.sun.com/expert/pprodetectors.jar HTTP/1.1

0: 0008 a4d2 5e40 0800 20a0 166a 0800 4500 ....^@.. ..j..E.
16: 00f9 dc05 4000 4006 b0be 0a0e 025f 819e ...@.@......_..
32: 1f30 8063 1f90 12ed 2f71 0a9d 493a 5018 .0.c..../q..I:P.
48: c1e8 d859 0000 4745 5420 6874 7470 3a2f ...Y..GET http:/
64: 2f70 6174 6368 7072 6f2e 7375 6e2e 636f /patchpro.sun.co
80: 6d2f 6578 7065 7274 2f70 7072 6f64 6574 m/expert/pprodet
96: 6563 746f 7273 2e6a 6172 2048 5454 502f ectors.jar HTTP/
112: 312e 310d 0a55 7365 722d 4167 656e 743a 1.1..User-Agent:
128: 204a 6176 612f 312e 342e 315f 3031 610d Java/1.4.1_01a.
144: 0a48 6f73 743a 2070 6174 6368 7072 6f2e .Host: patchpro.
160: 7375 6e2e 636f 6d0d 0a41 6363 6570 743a sun.com..Accept:
176: 2074 6578 742f 6874 6d6c 2c20 696d 6167 text/html, imag
192: 652f 6769 662c 2069 6d61 6765 2f6a 7065 e/gif, image/jpe
208: 672c 202a 3b20 713d 2e32 2c20 2a2f 2a3b g, *; q=.2, */*;
224: 2071 3d2e 320d 0a50 726f 7879 2d43 6f6e q=.2..Proxy-Con
240: 6e65 6374 696f 6e3a 206b 6565 702d 616c nection: keep-al
256: 6976 650d 0a0d 0a ive....

Example 11 : Snoop to troubleshoot Jumpstart
Snoop can be very well used to troubleshoot the jumpstart issues. In case of Jumpstart, we can use the MAC address as the filter :

# snoop -i [filename] xx:xx:xx:xx:xx:xx

Example 12 : To check whether snoop dropped packets
Sometimes the snoop command itself drops packets (mostly in case of Gigabit network). To find out the dropped packets use the -D flag :

# snoop -i snoop.out -D | grep TCP
Loading name file snoop.out
7865 0.00000 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714484080 Len=1460 Win=16060
7866 0.00012 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714485540 Len=1460 Win=16060
7867 0.00013 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714487000 Len=1460 Win=16060
7868 0.00015 bbb -> aaa drops: 0 TCP D=20 S=35215 Ack=3714484080 Seq=2442259384 Len=0 Win=33580
7869 0.00049 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714488460 Len=1460 Win=16060
7870 0.01848 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714551240 Len=1460 Win=16060
7871 0.00011 aaa -> bbb drops: 47 TCP D=35215 S=20 Ack=2442259384 Seq=3714552700 Len=1460 Win=16060
7872 0.00013 aaa -> bbb drops: 47 TCP D=35215 S=20 Ack=2442259384 Seq=3714554160 Len=1460 Win=16060
7873 0.00011 aaa -> bbb drops: 47 TCP D=35215 S=20 Ack=2442259384 Seq=3714555620 Len=1460 Win=16060
7874 0.00012 aaa -> bbb drops: 47 TCP D=35215 S=20 Ack=2442259384 Seq=3714557080 Len=1460 Win=16060
7875 0.00007 bbb -> aaa drops: 47 TCP D=20 S=35215 Ack=3714554160 Seq=2442259384 Len=0 Win=33580

Example 13 : Extract specific packets from a snoop file to another snoop file
If we use -i and -o options together, we can extract specific packets from a snoop file and save it to another snoop file :

# snoop -i snoop.out -o snoop.telnet.out port 23

Example 14 : To see protocol information
Use the options “-v” or “-V” with snoop to find out the protocol information.

# snoop -i nfs.snoop -p23 -V
Loading name file nfs.snoop.names
________________________________
23 0.00000 HostA -> HostB ETHER Type=0800 (IP), size = 206 bytes
23 0.00000 HostA -> HostB IP D=192.168.x.x S=192.168.55.106 LEN=192, ID=45661, TOS=0x0, TTL=64
23 0.00000 HostA -> HostB TCP D=2049 S=698 Push Ack=390460868 Seq=222184947 Len=152 Win=24820
23 0.00000 HostA -> HostB RPC C XID=1096378150 PROG=100003 (NFS) VERS=3 PROC=19
23 0.00000 HostA -> HostB NFS C FSINFO3 FH=0222
# snoop -i nfs.snoop -p23 -v
Loading name file nfs.snoop.names
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 23 arrived at 23:35:7.36
ETHER: Packet size = 206 bytes
ETHER: Destination = 0:0:c:7:ac:27, Cisco
ETHER: Source = 8:0:20:b5:fa:8, Sun
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = not ECN capable transport
IP: .... ...0 = no ECN congestion experienced
IP: Total length = 192 bytes
IP: Identification = 45661
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 64 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 2175
IP: Source address = 192.168.x.x, HostA
IP: Destination address = 192.168.x.x, HostB
IP: No options
IP:
[output truncated for brevity]

Example 15 : Check a specific ping packet
ping(ICMP Echo reply) packets have the “ID” number and you can filter by the “ID” number.

# snoop -i snoop.out "icmp[4:2] = 16005"
172 0.66838 10.20.220.120 -> 10.20.220.121 ICMP Echo request (ID: 16005 Sequence number: 0)
173 0.00021 10.20.220.121 -> 10.20.220.120 ICMP Echo reply (ID: 16005 Sequence number: 0)


Source

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

two × 1 =