pcap Action

pcap(mblk, protocol);

The pcap action collates the packet data into a contiguous buffer and displays it in a manner similar to the trace action. However, if freopen() specifies a capture file, the action writes the packet to that file by using the libpcap function pcap_dump().

mblk is a pointer to an mblk_t, the main data structure that the Oracle Solaris networking stack uses to represent packet data. DTrace collects data starting at b_rptr, the read pointer, which marks where the packet data begins. The action collates data from any additional buffers into a contiguous block of memory and writes it to the capture file in the pcap format, which can later be read by using tshark or wireshark. By default, DTrace collects a maximum of 2048 bytes of packet data. You can change this limit by using the pcapsize or the DTRACEOPT_PCAPSIZE option. For example:

# dtrace -x pcapsize=5000
# dtrace -x DTRACEOPT_PCAPSIZE=5000

You can also set the size with a #pragma D option line in your D script. For example:

#pragma D option pcapsize=7000

protocol specifies the protocol and can have the following values:

  • PCAP_ETHER
  • PCAP_WIFI
  • PCAP_PPP

    Note:

    PPP was removed in the Oracle Solaris 11.4 SRU 24 release.
  • PCAP_IP
  • PCAP_IPNET
  • PCAP_IPOIB

The following command captures sent IP traffic in per-process capture files.

# dtrace -qwn 'ip:::send { freopen("/tmp/cap.%d", pid); pcap(args[0]->pkt_addr, PCAP_IP); freopen("");}'

The following command captures traffic that IP drops on the inbound or outbound path into separate cap.drop-in and cap.drop-out files.

# dtrace -qwn 'ip:::drop-in,ip:::drop-out { freopen("/tmp/cap.%s", probename); pcap(args[0]->pkt_addr, PCAP_IP); freopen("");}'
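The same drop capture written as a complete D script, as an added example that is not part of the Oracle documentation: it combines the #pragma option form of pcapsize with the per-probe freopen()/pcap()/freopen("") pattern from the one-liner above, and counts the dropped packets per probe so the capture files can be cross-checked against the summary. The output directory /tmp, the pcapsize value of 9000 and the @drops aggregation name are assumptions chosen for this example.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example (not from the Oracle documentation): write every IP packet
 * that the stack drops, on either path, to /tmp/cap.drop-in or
 * /tmp/cap.drop-out, keeping up to 9000 bytes per packet instead of the
 * default 2048 so that jumbo frames are not truncated.
 */
#pragma D option quiet
#pragma D option destructive   /* freopen() is a destructive action */
#pragma D option pcapsize=9000 /* assumed value; raises the 2048-byte default */

dtrace:::BEGIN
{
	printf("capturing dropped IP packets to /tmp/cap.drop-in and /tmp/cap.drop-out\n");
}

ip:::drop-in,
ip:::drop-out
{
	/* Redirect output to the per-probe capture file, dump the packet,
	 * then restore standard output for the next packet. */
	freopen("/tmp/cap.%s", probename);
	pcap(args[0]->pkt_addr, PCAP_IP);
	freopen("");

	/* Count drops per probe so the summary can be checked against the files. */
	@drops[probename] = count();
}

dtrace:::END
{
	printa("%-10s dropped packets: %@d\n", @drops);
}
```

Run it as root (for example, `# dtrace -s drops.d`), stop it with Ctrl-C to print the per-probe counts, and then open the resulting files with `tshark -r /tmp/cap.drop-in` or in wireshark. Because every packet written by pcap() passes through freopen(), the script must be run with destructive actions enabled, which the #pragma D option destructive line provides in place of the -w flag used in the one-liners.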