logdump Extensions

logdump is an extension of the standard snoop packet monitoring tool provided with the Solaris operating environment. Any expertise in the use of snoop is directly applicable to use of logdump.

The facilities of logdump that are common to snoop are detailed in the ssadm-logdump(1m) man page.

logdump has been extended to provide for the special additional needs of SunScreen. These extensions are summarized as:

• Extensions to the format of network packets logged: inclusion of the interface on which logged packets arrive and inclusion of the reason packets are logged (whycodes)

• Provisions for SUMMARY logging (wherein only a size-limited packet preamble is logged)

• Logging of network packets on routing mode (ROUTING) interfaces removes the MAC-layer header

• Addition of session- and extended-log events (previously described)

• Enforcement and synthesis of unique timestamps

• True filter (pipeable) processing. Standard snoop can process a captured packet stream, or produce a captured packet stream, but not both; logdump allows both.

• Addition of filtering operators for selection of various log event types (loglvl), event severity (logsev), logging program component (logapp), packet log interface (logiface), and packet log reason (logwhy)

• Addition of range operands for IP addresses and port numbers to mirror the semantics of SunScreen address and service objects

• Display of SKIP packet encapsulations

• Display of all extensions listed above

logdump is also fundamentally different from snoop in that it is not involved in decisions as to what SunScreen logs. (Rules and variables previously described provide this control.) snoop is often used to filter network input during the process of capture or direct display. logdump serves as a means to postprocess log file content only.

SunScreen logs and snoop-captured files are not interoperable.