TCP/IP and Data Communications Administration Guide

How to capture snoop results to a file

  1. As root, type snoop -o filename. Example:

    # snoop -o /tmp/cap
    Using device /dev/le (promiscuous mode)
    30 snoop: 30 packets captured

    This captured 30 packets into the file /tmp/cap. The file can be placed anywhere there is enough disk space. The running packet count is displayed on the command line, so you can press Ctrl-C to stop the capture at any point.

    snoop itself creates a noticeable network load on the host it runs on, which can skew the results. To observe the traffic as it really is, run snoop from a third system (see the next section).

  2. Type snoop -i filename to inspect the file:

    # snoop -i /tmp/cap
     
    1   0.00000 frmpk17b-082 -> 224.0.0.2    IP  D=224.0.0.2 S=129.146.82.1 LEN=32, ID=0
    2   0.56104        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
    3   0.16742  atlantic-82 -> (broadcast)  ARP C Who is 129.146.82.76, honeybea ?
    4   0.77247        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
    5   0.80532 frmpk17b-082 -> (broadcast)  ARP C Who is 129.146.82.92, holmes ?
    6   0.13462        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
    7   0.94003        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
    8   0.93992        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
    9   0.60887        towel -> (broadcast)  ARP C Who is 129.146.82.35, udmpk17b-82 ?
    10  0.86691  nimpk17a-82 -> 129.146.82.255 RIP R (1 destinations)

    For detailed analysis and recommended parameters for ARP, IP, RIP and so on, refer to the documentation for each protocol; the RFCs themselves are easy to find on the web.
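As an added example, not part of this guide, the following Python parser reads the snoop -i summary format shown above, counts packets per protocol, and lists ARP requests whose target never replied in the capture, which is how the repeated "Who is grail" lines above stand out. The ARP reply summary form `R <ip>, <name> is <mac>` is an assumption, not something shown on this page.

```python
import re
from collections import Counter

# Constructed sample: the snoop -i summary lines shown above.
SNOOP_SUMMARY = """\
1   0.00000 frmpk17b-082 -> 224.0.0.2    IP  D=224.0.0.2 S=129.146.82.1 LEN=32, ID=0
2   0.56104        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
3   0.16742  atlantic-82 -> (broadcast)  ARP C Who is 129.146.82.76, honeybea ?
4   0.77247        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
5   0.80532 frmpk17b-082 -> (broadcast)  ARP C Who is 129.146.82.92, holmes ?
6   0.13462        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
7   0.94003        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
8   0.93992        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
9   0.60887        towel -> (broadcast)  ARP C Who is 129.146.82.35, udmpk17b-82 ?
10  0.86691  nimpk17a-82 -> 129.146.82.255 RIP R (1 destinations)
"""

# Summary line: packet number, inter-packet delta, source, "->", destination, protocol, detail.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+(.*?)\s*$")
ARP_REQ_RE = re.compile(r"^C Who is (\S+),")  # "ARP C Who is 129.146.82.63, grail ?"
ARP_REPLY_RE = re.compile(r"^R (\S+),")       # assumed reply form "ARP R 129.146.82.63, grail is ..."

def parse_summary(text):
    """Parse snoop -i summary output into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            num, delta, src, dst, proto, info = m.groups()
            packets.append({"num": int(num), "delta": float(delta), "src": src,
                            "dst": dst, "proto": proto, "info": info})
    return packets

def protocol_counts(packets):
    """Packets per protocol column, e.g. {'IP': 1, 'ARP': 8, 'RIP': 1}."""
    return dict(Counter(p["proto"] for p in packets))

def unanswered_arp(packets):
    """(requester, target IP) -> number of ARP requests whose target never replied here.
    Many repeats from one source for one silent address mean a host that is down,
    unplugged or on another segment, and are worth a closer look."""
    arp = [p for p in packets if p["proto"] == "ARP"]
    replied = {m.group(1) for m in (ARP_REPLY_RE.match(p["info"]) for p in arp) if m}
    requests = Counter()
    for p in arp:
        m = ARP_REQ_RE.match(p["info"])
        if m and m.group(1) not in replied:
            requests[(p["src"], m.group(1))] += 1
    return dict(requests)
```

Feed it the output of `snoop -i /tmp/cap` (redirected to a file) to get the same summary for a real capture.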