The snoop command comes in very handy for monitoring network traffic when troubleshooting network-related issues such as packet drops and high network latency. Snoop can display network traffic in real time, or save it to a file to be viewed later.
– If the system is a “shared-IP zone”, run snoop on the physical interface in the global zone.
– If the system is an “exclusive-IP zone”, run snoop in the non-global zone.
– If “link aggregation” is in use, run snoop on the aggregation interface (for example aggr1). You can also snoop each physical interface separately if needed.
– If a “VLAN” interface is used, run snoop on the “VLAN” interface.
– Run traceroute to the destination IP to find out which interface on the source host needs to be snooped.
The syntax
The syntax of the snoop command with the most commonly used options is:
# /usr/sbin/snoop -qr -d [device] -o [filename] -s 300
-q --> don't show the packet count while capturing packets into a file (improves capture performance)
-r --> do not resolve IP addresses to hostnames (prevents snoop from generating its own traffic)
-d device --> interface on which to run snoop
-o filename --> save the captured packets to the file
-s num --> truncate each packet after num bytes
Example 1 :
To capture packets on interface ce0 and save them to the file ce0_snoop.out, use:
# /usr/sbin/snoop -qr -d ce0 -o ce0_snoop.out -s 300
Example 2 : Verify that the file is generated by snoop command
To make sure that the file was generated by the snoop command:
# file snoop.out
snoop.out: Snoop capture file - version 2
Example 3 : Read from a snoop file
To read from an already generated snoop file:
# snoop -i [filename]
Example 4 : Snoop on a specific port
To find the traffic details only on a specific port (8080):
# /usr/sbin/snoop -qr -d ce0 -o ce0_snoop.out -s 300 port 8080
Example 5 : Snoop on a specific IP
To find the traffic details only on a specific IP (192.168.1.20):
# /usr/sbin/snoop -qr -d ce0 -o ce0_snoop.out -s 300 192.168.1.1
Here, you can also give a comma-separated list of IPs to find the traffic generated for those IPs (to or from).
Example 6 : To snoop between 2 IPs
To find the traffic details between two IPs:
# snoop -i [filename] [IP-address1] [IP-address2]
Example 7 : Snoop for a specific protocol
To find the traffic details related only to a specific protocol, for example ICMP or ARP:
# /usr/sbin/snoop -qr -d ce0 -o ce0_snoop.out icmp,arp
Here, it actually shows the packets for IPMP, as IPMP in turn uses the ICMP and ARP protocols for its functionality.
Example 8 : Check time when the snoop was taken
To check the time at which packets 9 to 13 were taken, use:
# snoop -i snoop.out -ta -p9,13
Loading name file snoop.out.names
  9 18:10:54.71861 webcache -> mizue HTTP (proxy) R port=41579
 10 18:10:55.03142 webcache -> mizue HTTP HTTP/1.1 200 OK
 11 18:10:55.03168 mizue -> webcache HTTP (proxy) C port=41579
 12 18:10:56.37426 webcache -> mizue HTTP (body)
 13 18:10:56.47427 mizue -> webcache HTTP (proxy) C port=41579
Example 9 : How to check total time taken for FTP data transfer
Use -tr and port 20 as the filter in the snoop command to find out the total time taken by the FTP data transfer.
# snoop -i ftp.snoop -tr port 20 | tail -1
1393 1.52899 129.158.x.x -> 129.158.x.x FTP-DATA C port=32841
==> 1.52899 sec
Example 10 : To see the contents of a packet
To see the contents of a specific packet (packet number 4):
# snoop -i snoop.out -p4 -x0
4 0.00377 HostA -> HostB HTTP GET http://patchpro.sun.com/expert/pprodetectors.jar HTTP/1.1
  0: 0008 a4d2 5e40 0800 20a0 166a 0800 4500 ....^@.. ..j..E.
 16: 00f9 dc05 4000 4006 b0be 0a0e 025f 819e ...@.@......_..
 32: 1f30 8063 1f90 12ed 2f71 0a9d 493a 5018 .0.c..../q..I:P.
 48: c1e8 d859 0000 4745 5420 6874 7470 3a2f ...Y..GET http:/
 64: 2f70 6174 6368 7072 6f2e 7375 6e2e 636f /patchpro.sun.co
 80: 6d2f 6578 7065 7274 2f70 7072 6f64 6574 m/expert/pprodet
 96: 6563 746f 7273 2e6a 6172 2048 5454 502f ectors.jar HTTP/
112: 312e 310d 0a55 7365 722d 4167 656e 743a 1.1..User-Agent:
128: 204a 6176 612f 312e 342e 315f 3031 610d Java/1.4.1_01a.
144: 0a48 6f73 743a 2070 6174 6368 7072 6f2e .Host: patchpro.
160: 7375 6e2e 636f 6d0d 0a41 6363 6570 743a sun.com..Accept:
176: 2074 6578 742f 6874 6d6c 2c20 696d 6167 text/html, imag
192: 652f 6769 662c 2069 6d61 6765 2f6a 7065 e/gif, image/jpe
208: 672c 202a 3b20 713d 2e32 2c20 2a2f 2a3b g, *; q=.2, */*;
224: 2071 3d2e 320d 0a50 726f 7879 2d43 6f6e q=.2..Proxy-Con
240: 6e65 6374 696f 6e3a 206b 6565 702d 616c nection: keep-al
256: 6976 650d 0a0d 0a ive....
Example 11 : Snoop to troubleshoot Jumpstart
Snoop is well suited to troubleshooting Jumpstart issues. For Jumpstart, we can use the MAC address as the filter:
# snoop -i [filename] xx:xx:xx:xx:xx:xx
Example 12 : To check whether snoop dropped packets
Sometimes the snoop command itself drops packets (mostly on Gigabit networks). To find out whether packets were dropped, use the -D flag:
# snoop -i snoop.out -D | grep TCP
Loading name file snoop.out
7865 0.00000 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714484080 Len=1460 Win=16060
7866 0.00012 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714485540 Len=1460 Win=16060
7867 0.00013 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714487000 Len=1460 Win=16060
7868 0.00015 bbb -> aaa drops: 0 TCP D=20 S=35215 Ack=3714484080 Seq=2442259384 Len=0 Win=33580
7869 0.00049 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714488460 Len=1460 Win=16060
7870 0.01848 aaa -> bbb drops: 0 TCP D=35215 S=20 Ack=2442259384 Seq=3714551240 Len=1460 Win=16060
7871 0.00011 aaa -> bbb drops: 47 TCP D=35215 S=20 Ack=2442259384 Seq=3714552700 Len=1460 Win=16060
7872 0.00013 aaa -> bbb drops: 47 TCP D=35215 S=20 Ack=2442259384 Seq=3714554160 Len=1460 Win=16060
7873 0.00011 aaa -> bbb drops: 47 TCP D=35215 S=20 Ack=2442259384 Seq=3714555620 Len=1460 Win=16060
7874 0.00012 aaa -> bbb drops: 47 TCP D=35215 S=20 Ack=2442259384 Seq=3714557080 Len=1460 Win=16060
7875 0.00007 bbb -> aaa drops: 47 TCP D=20 S=35215 Ack=3714554160 Seq=2442259384 Len=0 Win=33580
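The capture file that Examples 2, 3 and 12 work with follows the snoop format described in RFC 1761: an 8-byte magic, a version (2), a datalink type, then one record per packet whose header carries a cumulative drop counter, which is the value -D prints. The following Python reader is an added example, not code from the original page; the sample capture bytes and the function names are constructed here.

```python
import struct
from typing import NamedTuple
# RFC 1761 snoop capture file layout (what `file` checks for "Snoop capture file - version 2")
SNOOP_MAGIC = b"snoop\x00\x00\x00"     # 8-byte magic
SNOOP_VERSION = 2
FILE_HDR = struct.Struct(">II")        # version, datalink type (4 = Ethernet)
REC_HDR = struct.Struct(">IIIIII")     # orig_len, incl_len, rec_len, cum_drops, secs, usecs

# number is 1-based as snoop prints it; cum_drops is the counter that `snoop -D` shows
SnoopRecord = NamedTuple("SnoopRecord", [("number", int), ("orig_len", int),
                                         ("cum_drops", int), ("timestamp", float), ("data", bytes)])

def parse_snoop(blob: bytes) -> tuple:
    """Validate the file header and return (datalink_type, list of SnoopRecord)."""
    if len(blob) < 8 + FILE_HDR.size or blob[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop capture file")
    version, datalink = FILE_HDR.unpack_from(blob, 8)
    if version != SNOOP_VERSION:
        raise ValueError(f"unsupported snoop file version {version}")
    records, off = [], 8 + FILE_HDR.size
    while off < len(blob):
        if off + REC_HDR.size > len(blob):
            raise ValueError("truncated record header")
        orig, incl, rec_len, drops, secs, usecs = REC_HDR.unpack_from(blob, off)
        # rec_len covers header + data + padding; a smaller value means a corrupt file
        if rec_len < REC_HDR.size + incl or off + rec_len > len(blob):
            raise ValueError(f"corrupt or truncated record at offset {off}")
        data = blob[off + REC_HDR.size:off + REC_HDR.size + incl]
        records.append(SnoopRecord(len(records) + 1, orig, drops, secs + usecs / 1e6, data))
        off += rec_len
    return datalink, records

def drop_events(records) -> list:
    """(packet number, packets newly dropped) wherever the cumulative counter rose."""
    events, prev = [], 0
    for r in records:
        if r.cum_drops > prev:
            events.append((r.number, r.cum_drops - prev))
            prev = r.cum_drops
    return events

def _record(data: bytes, drops: int, secs: int, usecs: int) -> bytes:
    pad = (-len(data)) % 4             # records are padded to a 4-byte boundary
    hdr = REC_HDR.pack(len(data), len(data), REC_HDR.size + len(data) + pad, drops, secs, usecs)
    return hdr + data + b"\x00" * pad

# Constructed sample capture: three Ethernet frames, the third one recorded after 47 drops
SAMPLE_FILE = (SNOOP_MAGIC + FILE_HDR.pack(SNOOP_VERSION, 4)
               + _record(b"\xff" * 14, 0, 1, 0) + _record(b"\xff" * 15, 0, 1, 120)
               + _record(b"\xff" * 14, 47, 1, 230))
```

Running parse_snoop on a real file written with -o and then drop_events on the result gives the same picture as Example 12 without relying on grep, and it rejects files that merely carry a .snoop name.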
Example 13 : Extract specific packets from a snoop file to another snoop file
If we use the -i and -o options together, we can extract specific packets from a snoop file and save them to another snoop file:
# snoop -i snoop.out -o snoop.telnet.out port 23
Example 14 : To see protocol information
Use the “-v” or “-V” option with snoop to find out the protocol information.
# snoop -i nfs.snoop -p23 -V
Loading name file nfs.snoop.names
________________________________
23 0.00000 HostA -> HostB ETHER Type=0800 (IP), size = 206 bytes
23 0.00000 HostA -> HostB IP D=192.168.x.x S=192.168.55.106 LEN=192, ID=45661, TOS=0x0, TTL=64
23 0.00000 HostA -> HostB TCP D=2049 S=698 Push Ack=390460868 Seq=222184947 Len=152 Win=24820
23 0.00000 HostA -> HostB RPC C XID=1096378150 PROG=100003 (NFS) VERS=3 PROC=19
23 0.00000 HostA -> HostB NFS C FSINFO3 FH=0222
# snoop -i nfs.snoop -p23 -v
Loading name file nfs.snoop.names
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 23 arrived at 23:35:7.36
ETHER: Packet size = 206 bytes
ETHER: Destination = 0:0:c:7:ac:27, Cisco
ETHER: Source = 8:0:20:b5:fa:8, Sun
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = not ECN capable transport
IP: .... ...0 = no ECN congestion experienced
IP: Total length = 192 bytes
IP: Identification = 45661
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 64 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 2175
IP: Source address = 192.168.x.x, HostA
IP: Destination address = 192.168.x.x, HostB
IP: No options
IP:
[output truncated for brevity]
Example 15 : Check a specific ping packet
ping (ICMP Echo request/reply) packets carry an “ID” number, and you can filter by that “ID” number.
# snoop -i snoop.out "icmp[4:2] = 16005"
172 0.66838 10.20.220.120 -> 10.20.220.121 ICMP Echo request (ID: 16005 Sequence number: 0)
173 0.00021 10.20.220.121 -> 10.20.220.120 ICMP Echo reply (ID: 16005 Sequence number: 0)
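As an added illustration that is not part of the original page, the following Python reproduces what the icmp[4:2] = 16005 byte-offset filter tests: offset 4 in the ICMP header is the 16-bit identifier, and the ICMP header starts after the Ethernet and IPv4 headers, so the IPv4 header length (IHL) must be honoured. The frames, MAC addresses and helper names are constructed for this example.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1

def icmp_field(frame: bytes, offset: int, size: int):
    """Value of snoop's icmp[offset:size] for an Ethernet frame, or None if not IPv4/ICMP."""
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack_from(">H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4          # IP options move the ICMP header
    if frame[ETH_HDR_LEN + 9] != IPPROTO_ICMP:      # protocol byte of the IPv4 header
        return None
    start = ETH_HDR_LEN + ihl + offset
    if start + size > len(frame):                   # truncated capture (see -s): no match
        return None
    return int.from_bytes(frame[start:start + size], "big")

def matches_icmp_id(frame: bytes, ident: int) -> bool:
    """Equivalent of the filter  icmp[4:2] = ident : bytes 4-5 of the ICMP header hold the ID."""
    return icmp_field(frame, 4, 2) == ident

def build_echo(ident: int, seq: int, proto: int = IPPROTO_ICMP, options: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/ICMP echo request (checksums left zero; only layout matters)."""
    icmp = struct.pack(">BBHHH", 8, 0, 0, ident, seq)      # type 8 = echo request
    ihl = 5 + len(options) // 4                            # options must be a multiple of 4 bytes
    ip = struct.pack(">BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options) + len(icmp),
                     0, 0, 64, proto, 0, bytes([10, 20, 220, 120]), bytes([10, 20, 220, 121]))
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + struct.pack(">H", ETHERTYPE_IPV4)
    return eth + ip + options + icmp

# Constructed frames: the page's ID, a different ID, one with IP options, and a non-ICMP packet
ECHO_16005 = build_echo(16005, 0)
ECHO_OTHER = build_echo(4242, 0)
ECHO_OPTS = build_echo(16005, 1, options=b"\x01\x01\x01\x01")   # four NOP option bytes
NOT_ICMP = build_echo(16005, 0, proto=6)
```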