System Administration Guide: IP Services

ProcedureHow to Capture snoop Output Into a File

  1. On the local host, assume the Network Management role or become superuser.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Capture a snoop session into a file.


    # snoop -o filename
    

    For example:


    # snoop -o /tmp/cap
    Using device /dev/eri (promiscuous mode)
    30 snoop: 30 packets captured

    In the example, 30 packets have been captured in a file named /tmp/cap. The file can be in any directory with enough disk space. The number of packets that are captured is displayed on the command line, enabling you to press Control-C to abort at any time.

    snoop creates a noticeable networking load on the host machine, which can distort the results. To see the actual results, run snoop from a third system.

  3. Inspect the snoop output captures file.


    # snoop -i filename
    

Example 7–20 Contents of a snoop Output Captures File

The following output shows a variety of captures such as you might receive as output from the snoop -i command.


# snoop -i /tmp/cap
1   0.00000 fe80::a00:20ff:fee9:2d27 -> fe80::a00:20ff:fecd:4375 
    ICMPv6 Neighbor advertisement
2   0.16198 farhost.com   -> myhost     RLOGIN C port=985 
3   0.00008 myhost -> farhost.com       RLOGIN R port=985 
10  0.91493    10.0.0.40 -> (broadcast)  ARP C Who is 10.0.0.40, 10.0.0.40 ?
34  0.43690 nearserver.here.com  -> 224.0.1.1  IP  D=224.0.1.1 S=10.0.0.40 LEN=28, 
      ID=47453, TO =0x0, TTL=1
35  0.00034  10.0.0.40 -> 224.0.1.1    IP  D=224.0.1.1 S=10.0.0.40 LEN=28, ID=57376, 
     TOS=0x0, TTL=47