IP layer devices are introduced in Oracle Solaris to enhance IP observability. These devices provide access to all of the packets with addresses that are associated with the system's network interfaces. The addresses include local addresses as well as addresses that are hosted on non-loopback interfaces or logical interfaces. The observable traffic can include both IPv4 and IPv6 addresses. Thus, you can monitor all traffic that is destined for the system: loopback IP traffic, packets from remote machines, packets that are being sent from the system, and all forwarded traffic.
With IP layer devices, an administrator for an Oracle Solaris global zone can monitor traffic between zones, as well as within a zone. An administrator of a non-global zone can also observe traffic that is sent and received by that zone.
To monitor traffic on the IP layer, use the snoop command with the new -I option. This option specifies that the command use the IP layer devices instead of the underlying link-layer device to display traffic data. First list the interfaces on the system, then run snoop against the one you want to observe:
# ipadm show-if
# snoop -I interface [-V | -v]
All of the following examples are based on this system configuration:
# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
net0/v4           dhcp     ok           203.0.113.5/27
lo0/v6            static   ok           ::1/128
net0/v6           addrconf ok           fe80::214:4fff:2731:b1a9/10
net0/v6           addrconf ok           2001:0db8:212:60bb:214:4fff:2731:b1a9/64
net0/v6           addrconf ok           2001:0db8:56::214:4fff:2731:b1a9/64
Suppose that two zones, sandbox and toybox, are using the following IP addresses:
sandbox – 198.51.100.3
toybox – 198.51.100.1
You can use the snoop -I command on the different interfaces that are on the system. The packet information that is displayed depends on whether you are an administrator for the global zone or for a non-global zone.

Example 10 Observing Traffic on the Loopback Interface
The following example shows the output of the snoop command for the loopback interface.
# snoop -I lo0
Using device ipnet/lo0 (promiscuous mode)
localhost -> localhost ICMP Echo request (ID: 5550 Sequence number: 0)
localhost -> localhost ICMP Echo reply (ID: 5550 Sequence number: 0)
To generate verbose output, use the -v option.
# snoop -v -I lo0
Using device ipnet/lo0 (promiscuous mode)
IPNET:  ----- IPNET Header -----
IPNET:
IPNET:  Packet 1 arrived at 10:40:33.68506
IPNET:  Packet size = 108 bytes
IPNET:  dli_version = 1
IPNET:  dli_type = 4
IPNET:  dli_srczone = 0
IPNET:  dli_dstzone = 0
IPNET:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
...
Support for observing packets on the IP layer introduces a new ipnet header that precedes each packet that is being observed. Both the source zone ID and the destination zone ID are indicated. A zone ID of 0 indicates that the traffic is being generated from the global zone.

Example 11 Observing Packet Flow in the net0 Device Within Local Zones
The following example shows traffic that occurs in the different zones that are within the system. You can see all of the packets that are associated with the net0 IP addresses, including those packets that are locally delivered to other zones. If you generate verbose output, you can also see the zones that are involved in the flow of packets.
# snoop -I net0
Using device ipnet/net0 (promiscuous mode)
toybox -> sandbox TCP D=22 S=62117 Syn Seq=195630514 Len=0 Win=49152 Options=<mss
sandbox -> toybox TCP D=62117 S=22 Syn Ack=195630515 Seq=195794440 Len=0 Win=49152
toybox -> sandbox TCP D=22 S=62117 Ack=195794441 Seq=195630515 Len=0 Win=49152
sandbox -> toybox TCP D=62117 S=22 Push Ack=195630515 Seq=195794441 Len=20 Win=491
# snoop -I net0 -v port 22
IPNET:  ----- IPNET Header -----
IPNET:
IPNET:  Packet 5 arrived at 15:16:50.85262
IPNET:  Packet size = 64 bytes
IPNET:  dli_version = 1
IPNET:  dli_type = 0
IPNET:  dli_srczone = 0
IPNET:  dli_dstzone = 1
IPNET:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:         .... ..0. = not ECN capable transport
IP:         .... ...0 = no ECN congestion experienced
IP:   Total length = 40 bytes
IP:   Identification = 22629
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 64 seconds/hops
IP:   Protocol = 6 (TCP)
IP:   Header checksum = 0000
IP:   Source address = 198.51.100.1, 198.51.100.1
IP:   Destination address = 198.51.100.3, 198.51.100.3
IP:   No options
IP:
TCP:  ----- TCP Header -----
TCP:
TCP:  Source port = 46919
TCP:  Destination port = 22
TCP:  Sequence number = 3295338550
TCP:  Acknowledgement number = 3295417957
TCP:  Data offset = 20 bytes
TCP:  Flags = 0x10
TCP:        0... .... = No ECN congestion window reduced
TCP:        .0.. .... = No ECN echo
TCP:        ..0. .... = No urgent pointer
TCP:        ...1 .... = Acknowledgement
TCP:        .... 0... = No push
TCP:        .... .0.. = No reset
TCP:        .... ..0. = No Syn
TCP:        .... ...0 = No Fin
TCP:  Window = 49152
TCP:  Checksum = 0x0014
TCP:  Urgent pointer = 0
TCP:  No options
TCP:
In the previous output, the ipnet header indicates that the packet is coming from the global zone (ID 0) to sandbox (ID 1).

Example 12 Observing Network Traffic by Identifying a Zone
The following example shows how to observe network traffic by identifying the zone, which is extremely useful on systems that have multiple zones. Currently, you can identify a zone only by its zone ID. Using the snoop command with zone names is not supported.
# snoop -I net0 sandbox
Using device ipnet/net0 (promiscuous mode)
toybox -> sandbox TCP D=22 S=61658 Syn Seq=374055417 Len=0 Win=49152 Options=<mss
sandbox -> toybox TCP D=61658 S=22 Syn Ack=374055418 Seq=374124525 Len=0 Win=49152
toybox -> sandbox TCP D=22 S=61658 Ack=374124526 Seq=374055418 Len=0 Win=49152
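The ipnet header printed by snoop -v in Examples 11 and 12 is what lets a global-zone administrator tell inter-zone traffic apart from traffic that stays inside one zone. The following script is an added example, not part of the Oracle Solaris documentation: it parses verbose snoop output (constructed sample text embedded below, trimmed to the lines the parser uses) and reports only the flows whose dli_srczone and dli_dstzone differ, which is the view you want when auditing what crosses zone boundaries.

```python
import re
from collections import Counter

# Constructed sample of `snoop -v -I net0` output, trimmed to the lines this
# parser uses; it follows the IPNET/IP/TCP layout shown on this page.
SAMPLE = """\
IPNET:  ----- IPNET Header -----
IPNET:  dli_srczone = 0
IPNET:  dli_dstzone = 1
IP:   Protocol = 6 (TCP)
IP:   Source address = 198.51.100.1, 198.51.100.1
IP:   Destination address = 198.51.100.3, 198.51.100.3
TCP:  Source port = 46919
TCP:  Destination port = 22
IPNET:  ----- IPNET Header -----
IPNET:  dli_srczone = 1
IPNET:  dli_dstzone = 1
IP:   Protocol = 6 (TCP)
IP:   Source address = 198.51.100.3, 198.51.100.3
IP:   Destination address = 198.51.100.3, 198.51.100.3
TCP:  Source port = 22
TCP:  Destination port = 5000
"""

FIELDS = {  # field name -> regex over the line snoop -v prints for that field
    "srczone": r"dli_srczone = (\d+)", "dstzone": r"dli_dstzone = (\d+)",
    "proto": r"Protocol = \d+ \((\w+)\)",
    "src": r"Source address = ([^,\s]+)", "dst": r"Destination address = ([^,\s]+)",
    "sport": r"Source port = (\d+)", "dport": r"Destination port = (\d+)",
}

def parse_snoop_v(text):
    """Return one dict per packet; each packet starts at its IPNET header line."""
    packets = []
    for block in text.split("----- IPNET Header -----")[1:]:
        found = {n: re.search(rx, block) for n, rx in FIELDS.items()}
        packets.append({n: int(m.group(1)) if m.group(1).isdigit() else m.group(1)
                        for n, m in found.items() if m})
    return packets

def cross_zone_flows(packets):
    """Count packets per 5-tuple whose ipnet header shows srczone != dstzone.
    Zone ID 0 is the global zone, so (0, 1, ...) is global zone -> zone 1 traffic."""
    flows = Counter()
    for p in packets:
        if p.get("srczone") != p.get("dstzone"):
            key = (p["srczone"], p["dstzone"], p.get("proto"),
                   p.get("src"), p.get("sport"), p.get("dst"), p.get("dport"))
            flows[key] += 1
    return flows
```

Feed it real output with `snoop -v -I net0 > capture.txt` and `parse_snoop_v(open("capture.txt").read())`; the second sample packet (zone 1 to zone 1) is dropped, leaving only the global-zone-to-sandbox SSH flow.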