System Administration Guide: Network Interfaces and Network Virtualization

Observing Traffic on Virtual Networks

Use the standard snoop command to observe and analyze the status of the virtual network. snoop gathers packets and displays their output, enabling you to observe and analyze their content. You can use snoop output to verify the connectivity by observing the “conversation” among the VNICs on a virtual network. For full details on snoop usage, refer to the snoop(1M) man page.

ProcedureHow to Verify Virtual Network Connectivity by Using the snoop Command

The following task observes traffic on the private network configured in Example 11–7. However, you can use snoop to observe traffic over a publicly-accessible virtual network, as well.

  1. On the system where you create the private virtual network, become superuser or assume the equivalent root role in the global zone.

    To create and assign the root role, see How to Make root User Into a Role in System Administration Guide: Security Services.

  2. Gather information about network traffic on the private virtual network.

    # snoop -d etherstub0

    By “snooping” on the private network's etherstub, you can obtain information about activities on all the VNICs configured over that etherstub. You can also snoop the individual VNICs.

  3. Check the snoop output to verify connectivity among the VNICs of the etherstub.

    Using device etherstub0 (promiscuous mode) -> RIP R (10 destinations) -> RIP R (10 destinations) ->    ICMP Router advertisement 
    (Lifetime 1800s [1]: { 0}) -> RIP R (10 destinations) -> RIP R (10 destinations) -> (broadcast)  ARP C Who is, ?> (broadcast)  ARP C Who is, ? -> (broadcast)  ARP C Who is, ? -> ARP R, is 2:8:20:45:8f:c9 -> ICMP Echo request (ID: 20291 Sequence number: 0) -> (broadcast)  ARP C Who is, ? -> ARP R, is 2:8:20:c2:39:38 -> ICMP Echo reply (ID: 20291 Sequence number: 0) -> RIP R (10 destinations)

    This output shows the contents of packets that are exchanged among the three VNICs in Figure 10–2 as they contact each other.

    • etherstub0, over vnic0 (IP address sends out RIP routing protocol packets to vnic1 (

    • vnic2 ( sends out an ARP broadcast message (“Who is”), to vnic0 ( Then, vnic0 sends out an ARP request to vnic1: -> (broadcast)  ARP C Who is, ? -> (broadcast)  ARP C Who is, ?
    • vnic1 ( sends out an ARP broadcast message (“Who is”) to vnic2 (

    • Eventually vnic1 responds to the vnic2's “Who is” broadcast by sending its MAC address, as follows: -> 
      ARP R, is 2:8:20:45:8f:c9

      This response proves that the two VNICs of the virtual network, vnic1 and vnic2, can send packet traffic to each other.

    • Then vnic0 responds to vnic1's ARP request with its MAC address: ->
       ARP R, is 2:8:20:c2:39:38

      This response proves that etherstub0 on vnic0 and vnic1 on the virtual network can send traffic to each other.

    The previous output is but a sample of the many ways to use snoop for diagnostic purposes. For more information, refer to the snoop(1M) man page.