pcap Action
pcap(mblk, protocol);
The pcap action collates the packet data in a contiguous buffer and displays it in a manner similar to the trace action. However, if freopen() specifies a capture file, it writes to the capture file by using the libpcap function pcap_dump().
mblk is a pointer to mblk_t. The mblk_t is the main data structure used by the Oracle Solaris networking stack to represent packet data. DTrace collects data from b_rptr, the read pointer, which marks where the data begins. The b_rptr pointer collates information from additional buffers into a contiguous block of memory. It also writes to a capture file in the pcap format, which can later be read using tshark or wireshark. By default, DTrace collects a maximum of 2048 bytes of data. You can customize the memory block size by using the pcapsize or the DTRACEOPT_PCAPSIZE option. For example:
# dtrace -x pcapsize=5000
# dtrace -x DTRACEOPT_PCAPSIZE=5000
You can also specify a #pragma option in your D script to set the size. For example:
#pragma D option pcapsize=7000
protocol specifies the protocol and can have the following values:
PCAP_ETHER
PCAP_WIFI
PCAP_PPP
Note: PPP was removed in the Oracle Solaris 11.4 SRU 24 release.
PCAP_IP
PCAP_IPNET
PCAP_IPOIB
The following command captures sent IP traffic in per-process capture files.
# dtrace -qwn 'ip:::send { freopen("/tmp/cap.%d", pid); pcap(args[0]->pkt_addr, PCAP_IP); freopen("");}'
The following command captures traffic dropped by IP on the inbound or outbound path in separate cap.drop-in or cap.drop-out files.
# dtrace -qwn 'ip:::drop-in,ip:::drop-out { freopen("/tmp/cap.%s", probename); pcap(args[0]->pkt_addr, PCAP_IP); freopen("");}'
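The following Python example is added here and is not part of the original documentation. It reads a capture file written this way and lists the packets that the pcapsize limit cut short, by comparing each record's captured length with the length field in its IP header. It assumes the classic pcap file layout and records that begin at the IP header (PCAP_IP); the names find_truncated and sample_capture and the link type value in the sample are constructed for illustration.

```python
import struct

MAGICS = {0xA1B2C3D4, 0xA1B23C4D}   # classic pcap: usec and nsec timestamps

def find_truncated(data):
    """Return (linktype, record_count, truncated) for classic pcap bytes.

    truncated holds (index, captured_bytes, ip_length) for each record whose
    IP length field exceeds what was captured. Assumes every record starts
    at the IP header, as in a PCAP_IP capture.
    """
    if len(data) < 24:
        raise ValueError("short pcap global header")
    for endian in ("<", ">"):        # the file is in the writer's byte order
        if struct.unpack(endian + "I", data[:4])[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off, index, truncated = 24, 0, []
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        pkt = data[off + 16:off + 16 + caplen]
        if len(pkt) < caplen:
            raise ValueError("record %d runs past end of file" % index)
        version = pkt[0] >> 4 if pkt else 0
        ip_len = None
        if version == 4 and caplen >= 4:
            ip_len = struct.unpack(">H", pkt[2:4])[0]        # IPv4 total length
        elif version == 6 and caplen >= 6:
            ip_len = 40 + struct.unpack(">H", pkt[4:6])[0]   # header + payload
        if ip_len is not None and ip_len > caplen:
            truncated.append((index, caplen, ip_len))
        off, index = off + 16 + caplen, index + 1
    return linktype, index, truncated

def sample_capture(endian="<"):
    """Constructed input: a 60-byte packet, then a 9000-byte one cut at 2048."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 2048, 101)
    for total_len, captured in ((60, 60), (9000, 2048)):
        pkt = (struct.pack(">BBH", 0x45, 0, total_len) + bytes(total_len - 4))[:captured]
        out += struct.pack(endian + "IIII", 0, 0, len(pkt), total_len) + pkt
    return out

if __name__ == "__main__":
    print(find_truncated(sample_capture()))
```

If the result lists truncated records, rerun the capture with a larger pcapsize value before relying on the payload bytes in analysis.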