Go to main content

Administering TCP/IP Networks, IPMP, and IP Tunnels in Oracle® Solaris 11.3

Exit Print View

Updated: March 2019

Monitoring Packets by Using IP Layer Devices

IP layer devices are introduced in Oracle Solaris to enhance IP observability. These devices provide access to all of the packets with addresses that are associated with the system's network interface. The addresses include local addresses as well as addresses that are hosted on non-loopback interfaces or logical interfaces. The observable traffic can be both IPv4 and IPv6 addresses. Thus, you can monitor all traffic that is destined for the system. The traffic can be loopback IP traffic, packets from remote machines, packets that are being sent from the system, or all forwarded traffic.

With IP layer devices, an administrator for an Oracle Solaris global zone can monitor traffic between zones, as well as within a zone. An administrator of a non-global zone can also observe traffic that is sent and received by that zone.

To monitor traffic on the IP layer, use the snoop command with the newer –I. This option specifies that the command use the new IP layer devices instead of the underlying link-layer device to display traffic data.

How to Check Packets on the IP Layer

  1. (Optional) If necessary, print the information about the interfaces that are attached to the system.
    # ipadm show-if
  2. Capture IP traffic on a specific interface.
    # snoop -I interface [-V | -v]

Methods for Checking Packets

All of the following examples are based on this system configuration:

# ipadm show-addr

ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok 
net0/v4           dhcp     ok 
lo0/v6            static   ok           ::1/128
net0/v6           addrconf ok           fe80::214:4fff:2731:b1a9/10
net0/v6           addrconf ok           2001:0db8:212:60bb:214:4fff:2731:b1a9/64
net0/v6           addrconf ok           2001:0db8:56::214:4fff:2731:b1a9/64

    Suppose that two zones, sandbox and toybox, are using the following IP addresses:

  • sandbox198.51.100.3

  • toybox198.51.100.1

You can use the snoop –I command on the different interfaces that are on the system. The packet information that is displayed depends on whether you are an administrator for the global zone or for the non-global zone.

Example 10  Observing Traffic on the Loopback Interface

The following example shows the output of the snoop command for the loopback interface.

# snoop -I lo0
Using device ipnet/lo0 (promiscuous mode)
localhost -> localhost    ICMP Echo request (ID: 5550 Sequence number: 0)
localhost -> localhost    ICMP Echo reply (ID: 5550 Sequence number: 0)

To generate verbose output, use the –v option.

# snoop -v -I lo0
Using device ipnet/lo0 (promiscuous mode)
IPNET:  ----- IPNET Header -----
IPNET:  Packet 1 arrived at 10:40:33.68506
IPNET:  Packet size = 108 bytes
IPNET:  dli_version = 1
IPNET:  dli_type = 4
IPNET:  dli_srczone = 0
IPNET:  dli_dstzone = 0
IP:   ----- IP Header -----
IP:   Version = 4
IP:   Header length = 20 bytes

Support for observing packets on the IP layer introduces a new ipnet header that precedes the packets that are being observed. Both the source and destination IDs are indicated. The 0 ID indicates that the traffic is being generated from the global zone.

Example 11  Observing Packet Flow in the net0 Device Within Local Zones

The following example shows traffic that occurs in the different zones that are within the system. You can see all of the packets that are associated with the net0 IP addresses, including those packets that are locally delivered to other zones. If you generate verbose output, you can also see the zones that are involved in the flow of packets.

# snoop -I net0
Using device ipnet/net0 (promiscuous mode)
toybox -> sandbox TCP D=22 S=62117 Syn Seq=195630514 Len=0 Win=49152 Options=<mss
sandbox -> toybox TCP D=62117 S=22 Syn Ack=195630515 Seq=195794440 Len=0 Win=49152
toybox -> sandbox TCP D=22 S=62117 Ack=195794441 Seq=195630515 Len=0 Win=49152
sandbox -> toybox TCP D=62117 S=22 Push Ack=195630515 Seq=195794441 Len=20 Win=491
# snoop -I net0 -v port 22
IPNET:  ----- IPNET Header -----
IPNET:  Packet 5 arrived at 15:16:50.85262
IPNET:  Packet size = 64 bytes
IPNET:  dli_version = 1
IPNET:  dli_type = 0
IPNET:  dli_srczone = 0
IPNET:  dli_dstzone = 1
IP:   ----- IP Header -----
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:         .... ..0. = not ECN capable transport
IP:         .... ...0 = no ECN congestion experienced
IP:   Total length = 40 bytes
IP:   Identification = 22629
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 64 seconds/hops
IP:   Protocol = 6 (TCP)
IP:   Header checksum = 0000
IP:   Source address =,
IP:   Destination address =,
IP:   No options
TCP:  ----- TCP Header -----
TCP:  Source port = 46919
TCP:  Destination port = 22
TCP:  Sequence number = 3295338550
TCP:  Acknowledgement number = 3295417957
TCP:  Data offset = 20 bytes
TCP:  Flags = 0x10
TCP:        0... .... = No ECN congestion window reduced
TCP:        .0.. .... = No ECN echo
TCP:        ..0. .... = No urgent pointer
TCP:        ...1 .... = Acknowledgement
TCP         .... 0... = No push
TCP         .... .0.. = No reset
TCP:        .... ..0. = No Syn
TCP:        .... ...0 = No Fin
TCP:  Window = 49152
TCP:  Checksum = 0x0014
TCP:  Urgent pointer = 0
TCP:  No options

In the previous output, the ipnet header indicates that the packet is coming from the global zone (ID 0) to sandbox (ID 1).

Example 12  Observing Network Traffic by Identifying a Zone

The following example shows how to observe network traffic by identifying the zone, which is extremely useful on systems that have multiple zones. Currently, you can only identify by zone by using the zone ID. Using the snoop command with zone names is not supported.

# snoop -I hme0 sandboxsnoop -I net0 sandbox
Using device ipnet/hme0 (promiscuous mode)
toybox -> sandbox TCP D=22 S=61658 Syn Seq=374055417 Len=0 Win=49152 Options=<mss
sandbox -> toybox TCP D=61658 S=22 Syn Ack=374055418 Seq=374124525 Len=0 Win=49152
toybox -> sandbox TCP D=22 S=61658 Ack=374124526 Seq=374055418 Len=0 Win=49152