You can use the snoop command to monitor the state of data transfers. snoop captures network packets and displays their contents in the format that you specify. Packets can be displayed as soon as they are received, or saved to a file. When snoop writes to an intermediate file, packet loss under busy trace conditions is unlikely. snoop itself is then used to interpret the file.
To capture packets to and from the default interface in promiscuous mode, you must assume the Network Management role or become superuser. In summary form, snoop displays only the data that pertains to the highest-level protocol. For example, an NFS packet only displays NFS information. The underlying RPC, UDP, IP, and Ethernet frame information is suppressed but can be displayed if either of the verbose options is chosen.
Use snoop frequently and consistently to become familiar with normal system behavior. For assistance in analyzing packets, look for a recent white paper and RFC, and seek the advice of an expert in a particular area, such as NFS or NIS. For details on using snoop and its options, refer to the snoop(1M) man page.
On the local host, assume the Network Management role or become superuser.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Print information about the interfaces that are attached to the system.
# ifconfig -a |
The snoop command normally uses the first non-loopback device, typically the primary network interface.
Begin packet capture by typing snoop without arguments, as shown in Example 7–19.
Use Control-C to halt the process.
The basic snoop command returns output that resembles the following, for a dual-stack host.
% snoop Using device /dev/hme (promiscuous mode) farhost.remote.com -> myhost RLOGIN C port=993 myhost -> farhost.remote.com RLOGIN R port=993 Using device /dev/hme router5.local.com -> router5.local.com ARP R 10.0.0.13, router5.local.com is 0:10:7b:31:37:80 router5.local.com -> BROADCAST TFTP Read "network-confg" (octet) myhost -> DNSserver.local.com DNS C 192.168.10.10.in-addr.arpa. Internet PTR ? DNSserver.local.com myhost DNS R 192.168.10.10.in-addr.arpa. Internet PTR niserve2. . . farhost.remote.com-> myhost RLOGIN C port=993 myhost -> farhost.remote.com RLOGIN R port=993 fe80::a00:20ff:febb: . fe80::a00:20ff:febb:e09 -> ff02::9 RIPng R (5 destinations) |
The packets that are captured in this output show a remote login section, including lookups to the NIS and DNS servers for address resolution. Also included are periodic ARP packets from the local router and advertisements of the IPv6 link-local address to in.ripngd.
On the local host, assume the Network Management role or become superuser.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Capture a snoop session into a file.
# snoop -o filename |
For example:
# snoop -o /tmp/cap Using device /dev/eri (promiscuous mode) 30 snoop: 30 packets captured |
In the example, 30 packets have been captured in a file named /tmp/cap. The file can be in any directory with enough disk space. The number of packets that are captured is displayed on the command line, enabling you to press Control-C to abort at any time.
snoop creates a noticeable networking load on the host machine, which can distort the results. To see the actual results, run snoop from a third system.
Inspect the snoop output captures file.
# snoop -i filename |
The following output shows a variety of captures such as you might receive as output from the snoop -i command.
# snoop -i /tmp/cap 1 0.00000 fe80::a00:20ff:fee9:2d27 -> fe80::a00:20ff:fecd:4375 ICMPv6 Neighbor advertisement 2 0.16198 farhost.com -> myhost RLOGIN C port=985 3 0.00008 myhost -> farhost.com RLOGIN R port=985 10 0.91493 10.0.0.40 -> (broadcast) ARP C Who is 10.0.0.40, 10.0.0.40 ? 34 0.43690 nearserver.here.com -> 224.0.1.1 IP D=224.0.1.1 S=10.0.0.40 LEN=28, ID=47453, TO =0x0, TTL=1 35 0.00034 10.0.0.40 -> 224.0.1.1 IP D=224.0.1.1 S=10.0.0.40 LEN=28, ID=57376, TOS=0x0, TTL=47 |
Establish a snoop system off a hub that is connected to either the client or the server.
The third system (the snoop system) checks all the intervening traffic, so the snoop trace reflects what is actually happening on the wire.
On the snoop system, assume the Network Management role or become superuser.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Type snoop with options and save the output to a file.
Inspect and interpret the output.
Refer to RFC 1761, Snoop Version 2 Packet Capture File Format for details of the snoop capture file.
You can use the snoop command to display only IPv6 packets.
On the local node, assume the Network Management role or become superuser.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Capture IPv6 packets.
# snoop ip6 |
For more information on the snoop command, see the snoop(1M) man page.
The following example shows typical output such as you might receive from running the snoop ip6 command on a node.
# snoop ip6 fe80::a00:20ff:fecd:4374 -> ff02::1:ffe9:2d27 ICMPv6 Neighbor solicitation fe80::a00:20ff:fee9:2d27 -> fe80::a00:20ff:fecd:4375 ICMPv6 Neighbor solicitation fe80::a00:20ff:fee9:2d27 -> fe80::a00:20ff:fecd:4375 ICMPv6 Neighbor solicitation fe80::a00:20ff:febb:e09 -> ff02::9 RIPng R (11 destinations) fe80::a00:20ff:fee9:2d27 -> ff02::1:ffcd:4375 ICMPv6 Neighbor solicitation |
IP layer devices are introduced in the Solaris OS to enhance IP observability. These devices provide access to all packets with addresses that are associated with the system's network interface. The addresses include local addresses as well as addresses that are hosted on non-loopback interfaces or logical interfaces. The observable traffic can be both IPv4 and IPv6 addresses. Thus, you can monitor all traffic that is destined to the system. The traffic can be loopback IP traffic, packets from remote machines, packets that are being sent from the system, or all forwarded traffic.
With IP layer devices, an administrator for a global zone can monitor traffic between zones as well as within a zone. An administrator of a non-global zone can also observe traffic that is sent and received by that zone.
To monitor traffic on the IP layer, a new option, -I, is added to the snoop command. This option specifies for the command to use the new IP layer devices instead of the underlying link-layer device to display traffic data.
To understand the distinctions between layers, see Data Encapsulation and the TCP/IP Protocol Stack
On the local node, assume the Network Management role or become superuser.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
If necessary, print the information about the interfaces that are attached to the system.
# ifconfig -a |
Capture IP traffic on a specific interface.
# snoop -I interface [-V | -v] |
All the examples are based on the following system configuration:
# ifconfig -a lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1 inet 127.0.0.1 netmask ff000000 lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1 zone sandbox inet 127.0.0.1 netmask ff000000 lo0:2: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1 zone toybox inet 127.0.0.1 netmask ff000000 hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 inet 129.156.211.94 netmask fffff800 broadcast 129.156.215.255 ether 8:0:20:f7:d5:79 hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 zone sandbox inet 172.0.0.3 netmask ffff0000 broadcast 172.0.255.255 hme0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 zone toybox inet 172.0.0.1 netmask ffff0000 broadcast 172.0.255.255 # |
The output shows three interfaces in the system:
Interfaces |
Address |
Zone |
---|---|---|
lo0 |
127.0.0.1 |
Global |
lo0:1 |
127.0.0.1 |
Zone 1 (sandbox) |
lo0:2 |
127.0.0.1 |
Zone 2 (toybox) |
hme0 |
129.156.211.94 |
Global |
hme0:1 |
172.0.0.3 |
Zone 1 (sandbox) |
hme0:2 |
172.0.0.1 |
Zone 2 (toybox) |
You can issue the snoop -I command on the different interfaces on the system. The packet information that is displayed depends on whether you are an administrator for the global zone or for the non-global zone.
# snoop -I lo0 Using device ipnet/lo0 (promiscuous mode) localhost -> localhost ICMP Echo request (ID: 5550 Sequence number: 0) localhost -> localhost ICMP Echo reply (ID: 5550 Sequence number: 0) |
To generate a verbose output, use the -v option.
# snoop -v -I lo0 Using device ipnet/lo0 (promiscuous mode) IPNET: ----- IPNET Header ----- IPNET: IPNET: Packet 1 arrived at 10:40:33.68506 IPNET: Packet size = 108 bytes IPNET: dli_version = 1 IPNET: dli_type = 4 IPNET: dli_srczone = 0 IPNET: dli_dstzone = 0 IPNET: IP: ----- IP Header ----- IP: IP: Version = 4 IP: Header length = 20 bytes ... |
This support for observing packets on the IP layer introduces a new ipnet header that precedes the packets that are being observed. Both the source and destination IDs are indicated. The '0' ID indicates that the traffic is being generated from the global zone.
# snoop -I hme0 Using device ipnet/hme0 (promiscuous mode) toybox -> sandbox TCP D=22 S=62117 Syn Seq=195630514 Len=0 Win=49152 Options=<mss sandbox -> toybox TCP D=62117 S=22 Syn Ack=195630515 Seq=195794440 Len=0 Win=49152 toybox -> sandbox TCP D=22 S=62117 Ack=195794441 Seq=195630515 Len=0 Win=49152 sandbox -> toybox TCP D=62117 S=22 Push Ack=195630515 Seq=195794441 Len=20 Win=491 |
The output shows traffic that occurs in the different zones within the system. You can see all packets that are associated with the hme0 IP addresses, including packets that are locally delivered to other zones. If you generate a verbose output, you can see the zones that are involved in the flow of packets.
# snoop -I hme0 -v port 22 IPNET: ----- IPNET Header ----- IPNET: IPNET: Packet 5 arrived at 15:16:50.85262 IPNET: Packet size = 64 bytes IPNET: dli_version = 1 IPNET: dli_type = 0 IPNET: dli_srczone = 0 IPNET: dli_dstzone = 1 IPNET: IP: ----- IP Header ----- IP: IP: Version = 4 IP: Header length = 20 bytes IP: Type of service = 0x00 IP: xxx. .... = 0 (precedence) IP: ...0 .... = normal delay IP: .... 0... = normal throughput IP: .... .0.. = normal reliability IP: .... ..0. = not ECN capable transport IP: .... ...0 = no ECN congestion experienced IP: Total length = 40 bytes IP: Identification = 22629 IP: Flags = 0x4 IP: .1.. .... = do not fragment IP: ..0. .... = last fragment IP: Fragment offset = 0 bytes IP: Time to live = 64 seconds/hops IP: Protocol = 6 (TCP) IP: Header checksum = 0000 IP: Source address = 172.0.0.1, 172.0.0.1 IP: Destination address = 172.0.0.3, 172.0.0.3 IP: No options IP: TCP: ----- TCP Header ----- TCP: TCP: Source port = 46919 TCP: Destination port = 22 TCP: Sequence number = 3295338550 TCP: Acknowledgement number = 3295417957 TCP: Data offset = 20 bytes TCP: Flags = 0x10 TCP: 0... .... = No ECN congestion window reduced TCP: .0.. .... = No ECN echo TCP: ..0. .... = No urgent pointer TCP: ...1 .... = Acknowledgement TCP .... 0... = No push TCP .... .0.. = No reset TCP: .... ..0. = No Syn TCP: .... ...0 = No Fin TCP: Window = 49152 TCP: Checksum = 0x0014 TCP: Urgent pointer = 0 TCP: No options TCP: |
The ipnet header indicates that the packet is coming from the global zone (ID 0) to Sandbox (ID 1).
# snoop -I hme0 zone 1 Using device ipnet/hme0 (promiscuous mode) toybox -> sandbox TCP D=22 S=61658 Syn Seq=374055417 Len=0 Win=49152 Options=<mss sandbox -> toybox TCP D=61658 S=22 Syn Ack=374055418 Seq=374124525 Len=0 Win=49152 toybox -> sandbox TCP D=22 S=61658 Ack=374124526 Seq=374055418 Len=0 Win=49152 # |
The ability to observe packets by identifying zone is useful in systems that have multiple zones. Currently, you can only identify zone by using the zone ID. Using snoop with zone names is not supported.