TCP/IP and Data Communications Administration Guide

How to check all packets from your system

Type netstat -i to find the interfaces attached to the system.

Snoop normally uses the first non-loopback device (le0).

Become root and type snoop

Use Ctl C to halt the process.

# snoop
Using device /dev/le (promiscuous mode)
     maupiti -> atlantic-82  NFS C GETATTR FH=0343
 atlantic-82 -> maupiti      NFS R GETATTR OK
     maupiti -> atlantic-82  NFS C GETATTR FH=D360
 atlantic-82 -> maupiti      NFS R GETATTR OK
     maupiti -> atlantic-82  NFS C GETATTR FH=1A18
 atlantic-82 -> maupiti      NFS R GETATTR OK
     maupiti -> (broadcast)  ARP C Who is 129.146.82.36, npmpk17a-82 ?

Interpret results

In the example, client maupiti transmits to server atlantic-82 using NFS file handle 0343. atlantic-82 acknowledges with OK. The conversation continues until maupiti broadcasts an ARP request asking who is 129.146.82.36?

This example demonstrates the format of snoop. The next step is to filter snoop to capture packets to a file.

Interpret the capture file using details described in RFC 1761. To access, use your favorite web browser with the URL: http://ds.internic.net/rfc/rfc1761.txt