System Administration Commands snoop(1M)
NAME
snoop - capture and inspect network packets
SYNOPSIS
snoop [-aqrCDNPSvV] [ -t [r | a | d] ] [-c maxcount] [-d
device] [-i filename] [-n filename] [-o filename] [ -p first
[ , last]] [-s snaplen] [ -x offset [ , length]] [expres-
sion]
DESCRIPTION
snoop captures packets from the network and displays their
contents. snoop uses both the network packet filter and
streams buffer modules to provide efficient capture of pack-
ets from the network. Captured packets can be displayed as
they are received, or saved to a file (which is RFC 1761-
compliant) for later inspection.
snoop can display packets in a single-line summary form or
in verbose multi-line forms. In summary form, only the data
pertaining to the highest level protocol is displayed. For
example, an NFS packet will have only NFS information
displayed. The underlying RPC, UDP, IP, and ethernet frame
information is suppressed but can be displayed if either of
the verbose options are chosen.
In the absence of a name service, such as LDAP or NIS, snoop
displays host names as numeric IP addresses.
snoop requires an interactive interface.
OPTIONS
-C List the code generated from the
filter expression for either the
kernel packet filter, or snoop's own
filter.
-D Display number of packets dropped
during capture on the summary line.
-N Create an IP address-to-name file
from a capture file. This must be
set together with the -i option that
names a capture file. The address-
to-name file has the same name as
the capture file with .names
appended. This file records the IP
address to hostname mapping at the
capture site and increases the
portability of the capture file.
Generate a .names file if the cap-
ture file is to be analyzed else-
where. Packets are not displayed
when this flag is used.
-P Capture packets in non-promiscuous
mode. Only broadcast, multicast, or
packets addressed to the host
machine will be seen.
-S Display size of the entire link
layer frame in bytes on the summary
line.
-V Verbose summary mode. This is half-
way between summary mode and verbose
mode in degree of verbosity. Instead
of displaying just the summary line
for the highest level protocol in a
packet, it displays a summary line
for each protocol layer in the
packet. For instance, for an NFS
packet it will display a line each
for the ETHER, IP, UDP, RPC and NFS
layers. Verbose summary mode output
may be easily piped through grep to
extract packets of interest. For
example, to view only RPC summary
lines, enter the following: example#
snoop -i rpc.cap -V | grep RPC
-a Listen to packets on /dev/audio
(warning: can be noisy).
-c maxcount Quit after capturing maxcount pack-
ets. Otherwise keep capturing until
there is no disk space left or until
interrupted with Control-C.
-d device Receive packets from the network
using the interface specified by
device, for example, eri0 or hme0.
The program netstat(1M), when
invoked with the -i flag, lists all
the interfaces that a machine has.
Normally, snoop will automatically
choose the first non-loopback inter-
face it finds.
-i filename Display packets previously captured
in filename. Without this option,
snoop reads packets from the network
interface. If a filename.names file
is present, it is automatically
loaded into the snoop IP address-
to-name mapping table (See -N flag).
-n filename Use filename as an IP address-to-
name mapping table. This file must
have the same format as the
/etc/hosts file (IP address followed
by the hostname).
-o filename Save captured packets in filename as
they are captured. (This filename is
referred to as the "capture file".)
The format of the capture file is
RFC 1761-compliant. During packet
capture, a count of the number of
packets saved in the file is
displayed. If you wish just to count
packets without saving to a file,
name the file /dev/null.
-p first [ , last ] Select one or more packets to be
displayed from a capture file. The
first packet in the file is packet
number 1.
-q When capturing network packets into
a file, do not display the packet
count. This can improve packet cap-
turing performance.
-r Do not resolve the IP address to the
symbolic name. This prevents snoop
from generating network traffic
while capturing and displaying pack-
ets. However, if the -n option is
used, and an address is found in the
mapping file, its corresponding name
will be used.
-s snaplen Truncate each packet after snaplen
bytes. Usually the whole packet is
captured. This option is useful if
only certain packet header informa-
tion is required. The packet trunca-
tion is done within the kernel giv-
ing better utilization of the
streams packet buffer. This means
less chance of dropped packets due
to buffer overflow during periods of
high traffic. It also saves disk
space when capturing large traces to
a capture file. To capture only IP
headers (no options) use a snaplen
of 34. For UDP use 42, and for TCP
use 54. You can capture RPC headers
with a snaplen of 80 bytes. NFS
headers can be captured in 120
bytes.
-t [ r | a | d ] Time-stamp presentation. Time-stamps
are accurate to within 4
microseconds. The default is for
times to be presented in d (delta)
format (the time since receiving the
previous packet). Option a (abso-
lute) gives wall-clock time. Option
r (relative) gives time relative to
the first packet displayed. This can
be used with the -p option to
display time relative to any
selected packet.
-v Verbose mode. Print packet headers
in lots of detail. This display con-
sumes many lines per packet and
should be used only on selected
packets.
-xoffset [ , length] Display packet data in hexadecimal
and ASCII format. The offset and
length values select a portion of
the packet to be displayed. To
display the whole packet, use an
offset of 0. If a length value is
not provided, the rest of the packet
is displayed.
OPERANDS
expression
Select packets either from the network or from a capture
file. Only packets for which the expression is true will
be selected. If no expression is provided it is assumed
to be true.
Given a filter expression, snoop generates code for
either the kernel packet filter or for its own internal
filter. If capturing packets with the network interface,
code for the kernel packet filter is generated. This
filter is implemented as a streams module, upstream of
the buffer module. The buffer module accumulates packets
until it becomes full and passes the packets on to
snoop. The kernel packet filter is very efficient, since
it rejects unwanted packets in the kernel before they
reach the packet buffer or snoop. The kernel packet
filter has some limitations in its implementation; it is
possible to construct filter expressions that it cannot
handle. In this event, snoop tries to split the filter
and do as much filtering in the kernel as possible. The
remaining filtering is done by the packet filter for
snoop. The -C flag can be used to view generated code
for either the packet filter for the kernel or the
packet filter for snoop. If packets are read from a cap-
ture file using the -i option, only the packet filter
for snoop is used.
A filter expression consists of a series of one or more
boolean primitives that may be combined with boolean
operators (AND, OR, and NOT). Normal precedence rules
for boolean operators apply. Order of evaluation of
these operators may be controlled with parentheses.
Since parentheses and other filter expression characters
are known to the shell, it is often necessary to enclose
the filter expression in quotes. Refer to Setting Up A
More Efficient Filter for information about setting up
more efficient filters.
The primitives are:
host hostname
True if the source or destination address is that of
hostname. The hostname argument may be a literal
address. The keyword host may be omitted if the name
does not conflict with the name of another expres-
sion primitive. For example, "pinky" selects packets
transmitted to or received from the host pinky,
whereas "pinky and dinky" selects packets exchanged
between hosts pinky AND dinky.
The type of address used depends on the primitive
which precedes the host primitive. The possible
qualifiers are "inet", "inet6", "ether", or none.
These three primitives are discussed below. Having
none of the primitives present is equivalent to
"inet host hostname or inet6 host hostname". In
other words, snoop tries to filter on all IP
addresses associated with hostname.
inet or inet6
A qualifier that modifies the host primitive that
follows. If it is inet, then snoop tries to filter
on all IPv4 addresses returned from a name lookup.
If it is inet6, snoop tries to filter on all IPv6
addresses returned from a name lookup.
ipaddr, atalkaddr, or etheraddr
Literal addresses, IP dotted, AppleTalk dotted, and
ethernet colon are recognized. For example,
o "172.16.40.13" matches all packets with that IP
;
o "2::9255:a00:20ff:fe73:6e35" matches all pack-
ets with that IPv6 address as source or desti-
nation;
o "65281.13" matches all packets with that
AppleTalk address;
o "8:0:20:f:b1:51" matches all packets with the
ethernet address as source or destination.
An ethernet address beginning with a letter is
interpreted as a hostname. To avoid this, prepend a
zero when specifying the address. For example, if
the ethernet address is "aa:0:45:23:52:44", then
specify it by add a leading zero to make it
"0aa:0:45:23:52:44".
from or src
A qualifier that modifies the following host, net,
ipaddr, atalkaddr, etheraddr, port or rpc primitive
to match just the source address, port, or RPC
reply.
to or dst
A qualifier that modifies the following host, net,
ipaddr, atalkaddr, etheraddr, port or rpc primitive
to match just the destination address, port, or RPC
call.
ether
A qualifier that modifies the following host primi-
tive to resolve a name to an ethernet address. Nor-
mally, IP address matching is performed. This option
is not supported on media such as IPoIB (IP over
InfiniBand).
ethertype number
True if the ethernet type field has value number.
Equivalent to "ether[12:2] = number".
ip, ip6, arp, rarp, pppoed, pppoes
True if the packet is of the appropriate ethertype.
pppoe
True if the ethertype of the packet is either pppoed
or pppoes.
broadcast
True if the packet is a broadcast packet. Equivalent
to "ether[2:4] = 0xffffffff" for ethernet. This
option is not supported on media such as IPoIB (IP
over InfiniBand).
multicast
True if the packet is a multicast packet. Equivalent
to "ether[0] & 1 = 1" on ethernet. This option is
not supported on media such as IPoIB (IP over
InfiniBand).
bootp, dhcp
True if the packet is an unfragmented UDP packet
with either a source port of BOOTPS (67) and a des-
tination port of BOOTPC (68), or a source port of
BOOTPC (68) and a destination of BOOTPS (67).
apple
True if the packet is an Apple Ethertalk packet.
Equivalent to "ethertype 0x809b or ethertype
0x80f3".
decnet
True if the packet is a DECNET packet.
greater length
True if the packet is longer than length.
less length
True if the packet is shorter than length.
udp, tcp, icmp, icmp6, ah, esp
True if the IP or IPv6 protocol is of the appropri-
ate type.
net net
True if either the IP source or destination address
has a network number of net. The from or to qualif-
ier may be used to select packets for which the net-
work number occurs only in the source or destination
address.
port port
True if either the source or destination port is
port. The port may be either a port number or name
from /etc/services. The tcp or udp primitives may be
used to select TCP or UDP ports only. The from or to
qualifier may be used to select packets for which
the port occurs only as the source or destination.
rpc prog [ , vers [ , proc ] ]
True if the packet is an RPC call or reply packet
for the protocol identified by prog. The prog may
be either the name of an RPC protocol from /etc/rpc
or a program number. The vers and proc may be used
to further qualify the program version and procedure
number, for example, "rpc nfs,2,0" selects all calls
and replies for the NFS null procedure. The to or
from qualifier may be used to select either call or
reply packets only.
ldap
True if the packet is an LDAP packet on port 389.
gateway host
True if the packet used host as a gateway, that is,
the ethernet source or destination address was for
host but not the IP address. Equivalent to "ether
host host and not host host".
nofrag
True if the packet is unfragmented or is the first
in a series of IP fragments. Equivalent to "ip[6:2]
& 0x1fff = 0".
expr relop expr
True if the relation holds, where relop is one of >,
<, >=, <=, =, !=, and expr is an arithmetic expres-
sion composed of numbers, packet field selectors,
the length primitive, and arithmetic operators +, -,
*, &, |, ^, and %. The arithmetic operators within
expr are evaluated before the relational operator
and normal precedence rules apply between the arith-
metic operators, such as multiplication before addi-
tion. Parentheses may be used to control the order
of evaluation. To use the value of a field in the
packet use the following syntax:
base[expr [: size ] ]
where expr evaluates the value of an offset into the
packet from a base offset which may be ether, ip,
ip6, udp, tcp, or icmp. The size value specifies the
size of the field. If not given, 1 is assumed. Other
legal values are 2 and 4. For example,
ether[0] & 1 = 1
is equivalent to multicast
ether[2:4] = 0xffffffff
is equivalent to broadcast.
ip[ip[0] & 0xf * 4 : 2] = 2049
is equivalent to udp[0:2] = 2049
ip[0] & 0xf > 5
selects IP packets with options.
ip[6:2] & 0x1fff = 0
eliminates IP fragments.
udp and ip[6:2]&0x1fff = 0 and udp[6:2] != 0
finds all packets with UDP checksums.
The length primitive may be used to obtain the
length of the packet. For instance "length > 60" is
equivalent to "greater 60", and "ether[length - 1]"
obtains the value of the last byte in a packet.
and
Perform a logical AND operation between two boolean
values. The AND operation is implied by the juxtapo-
sition of two boolean expressions, for example
"dinky pinky" is the same as "dinky AND pinky".
or or ,
Perform a logical OR operation between two boolean
values. A comma may be used instead, for example,
"dinky,pinky" is the same as "dinky OR pinky".
not or !
Perform a logical NOT operation on the following
boolean value. This operator is evaluated before AND
or OR.
slp
True if the packet is an SLP packet.
sctp
True if the packet is an SCTP packet.
ospf
True if the packet is an OSPF packet.
EXAMPLES
Example 1: Using the snoop Command
Capture all packets and display them as they are received:
example# snoop
Capture packets with host funky as either the source or des-
tination and display them as they are received:
example# snoop funky
Capture packets between funky and pinky and save them to a
file. Then inspect the packets using times (in seconds)
relative to the first captured packet:
example# snoop -o cap funky pinky
example# snoop -i cap -t r | more
To look at selected packets in another capture file:
example# snoop -i pkts -p 99,108
99 0.0027 boutique -> sunroof NFS C GETATTR FH=8E6
100 0.0046 sunroof -> boutique NFS R GETATTR OK
101 0.0080 boutique -> sunroof NFS C RENAME FH=8E6C MTra00192 to .nfs08
102 0.0102 marmot -> viper NFS C LOOKUP FH=561E screen.r.13.i386
103 0.0072 viper -> marmot NFS R LOOKUP No such file or directory
104 0.0085 bugbomb -> sunroof RLOGIN C PORT=1023 h
105 0.0005 kandinsky -> sparky RSTAT C Get Statistics
106 0.0004 beeblebrox -> sunroof NFS C GETATTR FH=0307
SunOS 5.10 Last change: 15 Apr 2004 12
System Administration Commands snoop(1M)
107 0.0021 sparky -> kandinsky RSTAT R
108 0.0073 office -> jeremiah NFS C READ FH=2584 at 40960 for 8192
To look at packet 101 in more detail:
example# snoop -i pkts -v -p101
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 101 arrived at 16:09:53.59
ETHER: Packet size = 210 bytes
ETHER: Destination = 8:0:20:1:3d:94, Sun
ETHER: Source = 8:0:69:1:5f:e, Silicon Graphics
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: ..0. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 196 bytes
IP: Identification 19846
IP: Flags = 0X
IP: .0.. .... = may fragment
IP: ..0. .... = more fragments
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = 18DC
IP: Source address = 172.16.40.222, boutique
IP: Destination address = 172.16.40.200, sunroof
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 1023
UDP: Destination port = 2049 (Sun RPC)
UDP: Length = 176
UDP: Checksum = 0
UDP:
RPC: ----- SUN RPC Header -----
RPC:
RPC: Transaction id = 665905
RPC: Type = 0 (Call)
RPC: RPC version = 2
RPC: Program = 100003 (NFS), version = 2, procedure = 1
RPC: Credentials: Flavor = 1 (Unix), len = 32 bytes
RPC: Time = 06-Mar-90 07:26:58
RPC: Hostname = boutique
RPC: Uid = 0, Gid = 1
RPC: Groups = 1
SunOS 5.10 Last change: 15 Apr 2004 13
System Administration Commands snoop(1M)
RPC: Verifier : Flavor = 0 (None), len = 0 bytes
RPC:
NFS: ----- SUN NFS -----
NFS:
NFS: Proc = 11 (Rename)
NFS: File handle = 000016430000000100080000305A1C47
NFS: 597A0000000800002046314AFC450000
NFS: File name = MTra00192
NFS: File handle = 000016430000000100080000305A1C47
NFS: 597A0000000800002046314AFC450000
NFS: File name = .nfs08
NFS:
To view just the NFS packets between sunroof and boutique:
example# snoop -i pkts rpc nfs and sunroof and boutique
1 0.0000 boutique -> sunroof NFS C GETATTR FH=8E6C
2 0.0046 sunroof -> boutique NFS R GETATTR OK
3 0.0080 boutique -> sunroof NFS C RENAME FH=8E6C MTra00192 to .nfs08
To save these packets to a new capture file:
example# snoop -i pkts -o pkts.nfs rpc nfs sunroof boutique
To view encapsulated packets, there will be an indicator of
encapsulation:
example# snoop ip-in-ip
sunroof -> boutique ICMP Echo request (1 encap)
If -V is used on an encapsulated packet:
example# snoop -V ip-in-ip
sunroof -> boutique ETHER Type=0800 (IP), size = 118 bytes
sunroof -> boutique IP D=172.16.40.222 S=172.16.40.200 LEN=104, ID=27497
sunroof -> boutique IP D=10.1.1.2 S=10.1.1.1 LEN=84, ID=27497
sunroof -> boutique ICMP Echo request
Example 2: Setting Up A More Efficient Filter
To set up a more efficient filter, the following filters
should be used toward the end of the expression, so that the
first part of the expression can be set up in the kernel:
greater, less, port, rpc, nofrag, and relop. The presence of
OR makes it difficult to split the filtering when using
these primitives that cannot be set in the kernel. Instead,
use parentheses to enforce the primitives that should be
OR'd.
To capture packets between funky and pinky of type tcp or
udp on port 80:
example# snoop funky and pinky and port 80 and tcp or udp
Since the primitive port cannot be handled by the kernel
filter, and there is also an OR in the expression, a more
efficient way to filter is to move the OR to the end of the
expression and to use parentheses to enforce the OR between
tcp and udp:
example# snoop funky and pinky and (tcp or udp) and port 80
EXIT STATUS
0 Successful completion.
1 An error occurred.
FILES
/dev/audio Symbolic link to the system's pri-
mary audio device.
/dev/null The null file.
/etc/hosts Host name database.
/etc/rpc RPC program number data base.
/etc/services Internet services and aliases.
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWrcmdc |
|_____________________________|_____________________________|
SEE ALSO
netstat(1M), hosts(4), rpc(4), services(4), attributes(5),
audio(7I), bufmod(7M), dlpi(7P), pfmod(7M), tun(7M)
Callaghan, B. and Gilligan, R. RFC 1761, Snoop Version 2
Packet Capture File Format. Network Working Group. February
1995.
WARNINGS
The processing overhead is much higher for realtime packet
interpretation. Consequently, the packet drop count may be
higher. For more reliable capture, output raw packets to a
file using the -o option and analyze the packets off-line.
Unfiltered packet capture imposes a heavy processing load on
the host computer, particularly if the captured packets are
interpreted realtime. This processing load further increases
if verbose options are used. Since heavy use of snoop may
deny computing resources to other processes, it should not
be used on production servers. Heavy use of snoop should be
restricted to a dedicated computer.
snoop does not reassemble IP fragments. Interpretation of
higher level protocol halts at the end of the first IP frag-
ment.
snoop may generate extra packets as a side-effect of its
use. For example it may use a network name service (NIS or
NIS+) to convert IP addresses to host names for display.
Capturing into a file for later display can be used to post-
pone the address-to-name mapping until after the capture
session is complete. Capturing into an NFS-mounted file may
also generate extra packets.
Setting the snaplen (-s option) to small values may remove
header information that is needed to interpret higher level
protocols. The exact cutoff value depends on the network and
protocols being used. For NFS Version 2 traffic using UDP on
10 Mb/s ethernet, do not set snaplen less than 150 bytes.
For NFS Version 3 traffic using TCP on 100 Mb/s ethernet,
snaplen should be 250 bytes or more.
snoop requires information from an RPC request to fully
interpret an RPC reply. If an RPC reply in a capture file or
packet range does not have a request preceding it, then only
the RPC reply header will be displayed.
|
|
