Type the following command at the command-line prompt to find the interfaces that are attached to the system.
# netstat -i
snoop normally uses the first non-loopback device (le0).
Use Control-C to halt the process.
# snoop Using device /dev/le (promiscuous mode) maupiti -> atlantic-82 NFS C GETATTR FH=0343 atlantic-82 -> maupiti NFS R GETATTR OK maupiti -> atlantic-82 NFS C GETATTR FH=D360 atlantic-82 -> maupiti NFS R GETATTR OK maupiti -> atlantic-82 NFS C GETATTR FH=1A18 atlantic-82 -> maupiti NFS R GETATTR OK maupiti -> (broadcast) ARP C Who is 22.214.171.124, npmpk17a-82 ?
Interpret the results.
In the example, client maupiti transmits to server atlantic-82 by using NFS file handle 0343. atlantic-82 acknowledges with OK. The conversation continues until maupiti broadcasts an ARP request that asks who is 126.96.36.199?
This example demonstrates the format of snoop. The next step is to filter snoop to capture packets to a file.
Interpret the capture file by using details that are described in RFC 1761.