logdump Extensions

logdump is an extension of the standard snoop packet monitoring tool provided with the Solaris operating system. In general, any expertise in the use of snoop is directly applicable to use of logdump.

The facilities of logdump that are common to snoop are not detailed here; refer to the ssadm-logdump(1m) man page.

logdump has been extended to provide for the special additional needs of the SunScreen system. These extensions are summarized as:

• Extensions to the format of network packets logged: inclusion of the interface on which logged packets arrive inclusion of the reason (why) packets are logged

• Provisions for SUMMARY logging (wherein only a size-limited packet preamble is logged)

• Logging of network packets on routing mode (ROUTING) interfaces removes the MAC-layer header

• Addition of session- and extended-log events (previously described)

• Enforcement and synthesis of unique timestamps

• True filter (pipeable) processing (standard snoop can process a captured packet stream, or produce a captured packet stream, but not both -- logdump allows both)

• Addition of filtering operators for selection of various log event types (loglvl), event severity (logsev), logging program component (logapp), packet log interface (logiface), and packet log reason (logwhy)

• Addition of range operands for IP addresses and port numbers to mirror the semantics of SunScreen address objects

• Display of SKIP packet encapsulations

• Display of all extensions listed above

logdump is also fundamentally different from snoop in the respect that it is not involved in decisions as to what is logged by SunScreen (rules and variables previously described provide this control). Rather logdump serves as a means to post-process log file content only. (snoop is often used to filter network input during the process of capture or direct display.)

SunScreen logs and snoop capture files are not interoperable.