# snoop -o /tmp/cap Using device /dev/eri (promiscuous mode) 30 snoop: 30 packets captured
In the previous example, 30 packets have been captured in a file named /tmp/cap. The file can be in any directory that has enough disk space. The number of packets that are captured is displayed on the command line, enabling you to press Control-C to abort at any time.
The snoop command creates a noticeable network load on the host system, which can distort the results. To see the actual results, run the snoop command from a third system.
# snoop -i filename
The following output shows a capture that you might receive as output from the snoop –i command.
# snoop -i /tmp/cap 1 0.00000 fe80::a00:20ff:fee9:2d27 -> fe80::a00:20ff:fecd:4375 ICMPv6 Neighbor advertisement ... 10 0.91493 203.0.113.40 -> (broadcast) ARP C Who is 203.0.113.40, 203.0.113.40 ? 34 0.43690 nearserver.example.com -> 22.214.171.124 IP D=126.96.36.199 S=203.0.113.40 LEN=28, ID=47453, TO =0x0, TTL=1 35 0.00034 203.0.113.40 -> 188.8.131.52 IP D=184.108.40.206 S=203.0.113.40 LEN=28, ID=57376, TOS=0x0, TTL=47