NFS Server Performance and Tuning Guide for Sun Hardware

snoop

The snoop command is part of the Solaris 2.x software environment. The snoop command must be run by root (#) to capture packets in promiscuous mode. To capture packets in non-promiscuous mode, or to analyze packets from a captured file, you do not need to be superuser.

In promiscuous mode, the interface turns off its filter, which enables you to see all packets on the subnet, whether or not they are addressed to your system. Promiscuous mode is limited to root.

Using the snoop command turns a Sun system into a network sniffer, which can detect network problems. It also captures a certain number of network packets, enables you to trace the calls from each client to each server, and displays the contents of the packets. You can also save the contents of the packets to a file, which you can inspect later.

The snoop command does the following:

The snoop command can display packets in a single-line summary or in expanded form. In summary form, only the data pertaining to the highest level protocol is displayed. For example, an NFS packet will have only NFS information displayed. The underlying RPC, UDP (User Datagram Protocol), IP (Internet Protocol), and network frame information is suppressed, but can be displayed if you choose either of the verbose (-v or -V) options.

The snoop command uses both the packet filter and buffer modules of the Data Link Provider Interface (DLPI) so the packets can be captured efficiently and transmitted to or received from the network.

To view or capture all traffic between any two systems, run snoop on a third system.

Because it is a packet analysis tool, the snoop command is useful if you are considering subnetting. You can use the output of the snoop command to drive scripts that accumulate load statistics. The program can also break down the packet header so that you can debug it and investigate the source of incompatibility problems.

The following shows some examples of how to use snoop.

Looking at Selected Packets in a Capture File (pkts)

The statistics show which client is making a read request, and the left column shows the time in seconds, with a resolution of about 4 microseconds.

When a read or write request is made, be sure the server doesn't time out. If it does, the client has to resend the request, and the client's IP code will break up the write block into smaller UDP blocks. The default write time is .07 seconds. The time-out factor is a tunable parameter in the mount command.


Example A-1 Output of the snoop -i pkts -p99,108 Command

    # snoop -i pkts -p99,108
     99   0.0027   boutique -> sunroof      NFS C GETATTR FH=8E6C
    100   0.0046   sunroof -> boutique      NFS R GETATTR OK
    101   0.0080   boutique -> sunroof      NFS C RENAME FH=8E6C MTra00192 to .nfs08
    102   0.0102   marmot -> viper          NFS C LOOKUP FH=561E screen.r.13.i386
    103   0.0072   viper -> marmot          NFS R LOOKUP No such file or directory
    104   0.0085   bugbomb -> sunroof       RLOGIN C PORT=1023 h
    105   0.0005   kandinsky -> sparky      RSTAT C Get Statistics
    106   0.0004   beeblebrox -> sunroof    NFS C GETATTR FH=0307
    107   0.0021   sparky -> kandinsky      RSTAT R
    108   0.0073   office -> jeremiah       NFS C READ FH=2584 at 40960 for 8192

The following table describes the arguments to the snoop command.

Table A-3 Arguments to the snoop Command

| Argument | Description |
|---|---|
| -i pkts | Displays packets previously captured in the pkts file |
| -p99,108 | Selects packets 99 through 108 to be displayed from a capture file; the first number, 99, is the first packet to be captured; the last number, 108, is the last packet to be captured; the first packet in a capture file is packet 1 |
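Summary output in the format of Example A-1 can feed the kind of load-statistics script mentioned earlier. The following is an added example, not part of the original guide; the function names nfs_load and server_totals and the sample capture are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: tally NFS calls per client/server pair from snoop summary
# output. Function names and the sample below are assumptions for illustration.

# nfs_load: read snoop summary lines on stdin; print "client server op count",
# busiest first.
nfs_load() {
    awk '
        # A summary line is: number, time, source, "->", destination, protocol.
        # Anything else (for example the wrapped tail of a long line) is skipped.
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9.]+$/ && $4 == "->" {
            if ($6 == "NFS" && $7 == "C")   # count calls (C), not replies (R)
                n[$3 " " $5 " " $8]++
        }
        END { for (k in n) print k, n[k] }
    ' | sort -k4,4nr -k1,3
}

# server_totals: collapse the per-operation counts into calls per server.
server_totals() {
    nfs_load |
        awk '{ t[$2] += $4 } END { for (s in t) print s, t[s] }' |
        sort -k2,2nr -k1,1
}

# Constructed sample in the format of Example A-1 (not a real capture).
sample_capture() {
    cat <<'EOF'
1   0.0000   boutique -> sunroof     NFS C GETATTR FH=8E6C
2   0.0046   sunroof -> boutique     NFS R GETATTR OK
3   0.0080   boutique -> sunroof     NFS C RENAME FH=8E6C MTra00192
to .nfs08
4   0.0102   marmot -> viper         NFS C LOOKUP FH=561E screen.r.13.i386
5   0.0072   viper -> marmot         NFS R LOOKUP No such file or
directory
6   0.0085   bugbomb -> sunroof      RLOGIN C PORT=1023 h
7   0.0004   beeblebrox -> sunroof   NFS C GETATTR FH=0307
8   0.0073   office -> jeremiah      NFS C READ FH=2584 at 40960
for 8192
9   0.0031   boutique -> sunroof     NFS C GETATTR FH=8E6C
EOF
}

# With a real capture file: snoop -i pkts rpc nfs | nfs_load
sample_capture | nfs_load
echo "--"
sample_capture | server_totals
```

Only calls are counted, so a server that answers slowly or not at all still shows the load its clients are offering.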

To get more information on a packet, type:

    # snoop -i pkts -v 101

The command snoop -i pkts -v 101 obtains more detailed information on packet 101. Table A-4 describes the command arguments.

Table A-4 Description of Arguments to the snoop -i pkts -v 101 Command

| Argument | Description |
|---|---|
| -i pkts | Displays packets previously captured in the pkts file |
| -v | Verbose mode; prints packet headers in detail for packet 101; use this option only when you need information on selected packets |

To view NFS packets, type:


    # snoop -i pkts rpc nfs and sunroof and boutique
    1   0.0000   boutique -> sunroof    NFS C GETATTR FH=8E6C
    2   0.0046   sunroof -> boutique    NFS R GETATTR OK
    3   0.0080   boutique -> sunroof    NFS C RENAME FH=8E6C MTra00192 to .nfs08

This example gives a view of the NFS packets between the systems sunroof and boutique. Table A-5 describes the arguments to the previous snoop command.

Table A-5 Arguments to the snoop -i pkts rpc nfs and sunroof and boutique Command

| Argument | Description |
|---|---|
| -i pkts | Displays packets previously captured in the pkts file |
| rpc nfs | Displays packets for an RPC call or reply packet for the NFS protocol; the option following nfs is the name of an RPC protocol from /etc/rpc or a program number |
| and | Performs a logical and operation between two boolean values; for example, sunroof boutique is the same as sunroof and boutique |

To save packets to a new capture file, type:

    # snoop -i pkts -o pkts.nfs rpc nfs sunroof boutique

Table A-6 describes the arguments to the previous snoop command.

Table A-6 Description of Arguments to the snoop -i pkts -o pkts.nfs rpc nfs sunroof boutique Command

| Argument | Description |
|---|---|
| -i pkts | Displays packets previously captured in the pkts file |
| -o pkts.nfs | Saves the displayed packets in the pkts.nfs output file |
| rpc nfs | Displays packets for an RPC call or reply packet for the NFS protocol; the option following nfs is the name of an RPC protocol from /etc/rpc or a program number |

See the snoop man page for additional details on options used with the snoop command and additional information about using snoop.