TCP/IP and Data Communications Administration Guide

Displaying Packet Contents

You can use snoop to capture network packets and display their contents. Packets can be displayed as soon as they are received, or saved to a file. When snoop writes to an intermediate file, packet loss under busy trace conditions is unlikely. snoop itself is then used to interpret the file. For information about using the snoop command, refer to the snoop(1M) man page.

The snoop command must be run by root (#) to capture packets to and from the default interface in promiscuous mode. In summary form, only the data pertaining to the highest-level protocol is displayed. For example, an NFS packet will have only NFS information displayed. The underlying RPC, UDP, IP, and Ethernet frame information is suppressed but can be displayed if either of the verbose options is chosen.

The snoop capture file format is described in RFC 1761. To access, use your favorite web browser with the URL: http://ds.internic.net/rfc/rfc1761.txt.

For example, snoop server client rpc rstatd collects all RPC traffic between the named client and server and keeps only the rstatd traffic.

How to check all packets from your system

  1. Type netstat -i to find the interfaces attached to the system.

    Snoop normally uses the first non-loopback device (le0).

  2. Become root and type snoop

    Use Ctrl-C to halt the process.


    # snoop
    Using device /dev/le (promiscuous mode)
         maupiti -> atlantic-82  NFS C GETATTR FH=0343
     atlantic-82 -> maupiti      NFS R GETATTR OK
         maupiti -> atlantic-82  NFS C GETATTR FH=D360
     atlantic-82 -> maupiti      NFS R GETATTR OK
         maupiti -> atlantic-82  NFS C GETATTR FH=1A18
     atlantic-82 -> maupiti      NFS R GETATTR OK
         maupiti -> (broadcast)  ARP C Who is 129.146.82.36, npmpk17a-82 ?

  3. Interpret results

    In the example, client maupiti sends an NFS GETATTR call (C) for file handle 0343 to server atlantic-82, which answers with an NFS reply (R) of OK. The conversation continues until maupiti broadcasts an ARP request asking which host owns 129.146.82.36 (npmpk17a-82).

    This example shows the format of snoop's summary output. The next step is to filter snoop and capture packets to a file.

    Interpret the capture file using details described in RFC 1761. To access, use your favorite web browser with the URL: http://ds.internic.net/rfc/rfc1761.txt

How to capture snoop results to a file

  1. As root, type snoop -o filename. Example:


    # snoop -o /tmp/cap
    Using device /dev/le (promiscuous mode)
    30 snoop: 30 packets captured

    This has captured 30 packets in the file /tmp/cap. The file can be anywhere there is enough disk space. The running count of captured packets is displayed on the command line, so you can press Ctrl-C to stop the capture at any point.

    snoop adds a noticeable load to the host on which it runs, which can skew the results. To see what is actually on the wire, run snoop from a third system (see the next section).

  2. Type snoop -i filename to inspect the file:


    # snoop -i /tmp/cap
     
    1   0.00000 frmpk17b-082 -> 224.0.0.2    IP  D=224.0.0.2 S=129.146.82.1 LEN=32, ID=0
    2   0.56104        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
    3   0.16742  atlantic-82 -> (broadcast)  ARP C Who is 129.146.82.76, honeybea ?
    4   0.77247        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
    5   0.80532 frmpk17b-082 -> (broadcast)  ARP C Who is 129.146.82.92, holmes ?
    6   0.13462        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
    7   0.94003        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
    8   0.93992        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
    9   0.60887        towel -> (broadcast)  ARP C Who is 129.146.82.35, udmpk17b-82 ?
    10  0.86691  nimpk17a-82 -> 129.146.82.255 RIP R (1 destinations)

    Refer to the documentation for each protocol (the RFCs for ARP, IP, RIP and so forth) for detailed analysis and recommended parameters; the RFCs are readily found on the web.

How to check packets between server and client

  1. Establish a snoop system off a hub connected to either the client or server.

    The third system (the snoop system) sees all the intervening traffic, so the snoop trace reflects reality on the wire.

  2. As root, run snoop with the desired filter options and -o filename to save the capture to a file.

  3. Inspect and interpret results.

    Look at RFC 1761 for details of the snoop capture file. To access, use your favorite web browser with the URL: http://ds.internic.net/rfc/rfc1761.txt
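The file that snoop -o writes (and snoop -i reads back) has the RFC 1761 layout: a 16-byte file header (8-byte magic, version, datalink type), then for each packet a 24-byte record header (original length, included length, record length, cumulative drop count, seconds, microseconds) followed by the frame data padded to a 4-byte boundary. As an added example that is not part of this guide or of snoop itself, the following Python parser walks such a capture image, validates the framing, and reports per packet whether the frame was snapped short and how many packets were dropped since the previous record; the sample capture it builds is constructed, with made-up MAC addresses and timestamps.

```python
import struct

# RFC 1761 layout constants (from the RFC; the sample capture further down is constructed, not a real trace).
SNOOP_MAGIC = b"snoop\x00\x00\x00"   # 8-byte file magic
SNOOP_VERSION = 2                    # the only version RFC 1761 defines
DATALINK_ETHERNET = 4                # datalink type code for 10 Mb Ethernet
REC = struct.Struct(">IIIIII")       # orig_len, incl_len, rec_len, cumulative drops, sec, usec

def build_record(frame: bytes, orig_len: int, cum_drops: int, sec: int, usec: int) -> bytes:
    """Encode one packet record; rec_len spans the 24-byte header, the data and its 4-byte padding."""
    pad = (-len(frame)) % 4
    return REC.pack(orig_len, len(frame), REC.size + len(frame) + pad, cum_drops, sec, usec) + frame + b"\x00" * pad

def parse_snoop(data: bytes) -> list:
    """Walk a snoop capture image and return one dict per record, validating the framing as we go."""
    if not data.startswith(SNOOP_MAGIC):
        raise ValueError("not a snoop capture: bad magic")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != SNOOP_VERSION:
        raise ValueError(f"unsupported snoop file version {version}")
    records, offset, prev_drops = [], 16, 0
    while offset < len(data):
        if offset + REC.size > len(data):
            raise ValueError(f"truncated record header at offset {offset}")
        orig_len, incl_len, rec_len, cum_drops, sec, usec = REC.unpack_from(data, offset)
        if rec_len < REC.size + incl_len or offset + rec_len > len(data):
            raise ValueError(f"corrupt record length at offset {offset}")
        frame = data[offset + REC.size:offset + REC.size + incl_len]
        ethertype = None
        if datalink == DATALINK_ETHERNET and len(frame) >= 14:
            ethertype = struct.unpack(">H", frame[12:14])[0]
        records.append({
            "time": sec + usec / 1e6,
            "orig_len": orig_len,
            "incl_len": incl_len,
            "snapped": incl_len < orig_len,              # frame was cut short at capture time
            "drops_since_last": cum_drops - prev_drops,  # the header stores a cumulative counter
            "ethertype": ethertype,
        })
        prev_drops, offset = cum_drops, offset + rec_len
    return records

# Constructed sample: an ARP request frame (EtherType 0x0806), then an IP frame (EtherType 0x0800)
# snapped to its 14-byte Ethernet header after 3 packets were dropped between the two records.
ARP_FRAME = b"\xff" * 6 + b"\x08\x00\x20\x01\x02\x03" + b"\x08\x06" + b"\x00" * 28
IP_HEAD = b"\x08\x00\x20\x04\x05\x06" + b"\x08\x00\x20\x01\x02\x03" + b"\x08\x00"
SAMPLE_CAPTURE = (SNOOP_MAGIC + struct.pack(">II", SNOOP_VERSION, DATALINK_ETHERNET)
                  + build_record(ARP_FRAME, len(ARP_FRAME), 0, 1000, 0)
                  + build_record(IP_HEAD, 98, 3, 1000, 561040))
```

A non-zero drops_since_last in a file written with snoop -o is the signal to look at the capturing host's load, which is the reason the guide recommends tracing from a third system.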

Use snoop frequently and consistently to get a feel for normal system behavior. For assistance in analyzing packets, look for recent white papers and RFCs, and seek the advice of an expert in a particular area, such as NFS or YP. For complete details on using snoop and its options, refer to the snoop(1M) man page.