snoop(1M)               System Administration Commands               snoop(1M)



NAME
     snoop - capture and inspect network packets

SYNOPSIS
     snoop [-aqrCDNPSvV] [-t [r | a | d]] [-c maxcount]
          [-d datalink | -I interface] [-i filename] [-n filename]
          [-o filename] [-p first [, last]] [-s snaplen]
          [-x offset [, length]] [expression]

DESCRIPTION
     snoop captures packets from a datalink or IP interface and displays
     their contents. If no datalink or IP interface is specified, snoop
     picks a datalink to use, giving priority to datalinks that have been
     plumbed for IP traffic. snoop uses the pfmod(7M) and bufmod(7M)
     STREAMS modules to capture packets from the network efficiently.
     Captured packets can be displayed as they are received or saved to a
     file (in the RFC 1761 capture file format) for later inspection.


     snoop can display packets in a single-line summary form or in verbose
     multi-line forms. In summary form, with the exception of certain VLAN
     packets, only the data pertaining to the highest-level protocol is
     displayed. If a packet has a VLAN header and its VLAN ID is non-zero,
     snoop shows that the packet is VLAN tagged. For example, an NFS packet
     has only NFS information displayed. Except for VLAN information under
     the condition just described, the underlying RPC, UDP, IP, and
     Ethernet frame information is suppressed, but can be displayed if
     either of the verbose options is chosen.


     In the absence of a name service, such as LDAP or NIS, snoop displays
     host names as numeric IP addresses.


     snoop requires an interactive interface.

OPTIONS
     -C

         List the code generated from the filter expression for either the
         kernel packet filter or snoop's own filter.


     -D

         Display the number of packets dropped during capture on the
         summary line.


     -N

         Create an IP address-to-name file from a capture file. This must be
         set together with the -i option that names a capture file. The
         address-to-name file has the same name as the capture file with
         .names appended. This file records the IP address to hostname
         mapping at the capture site and increases the portability of the
         capture file. Generate a .names file if the capture file is to be
         analyzed elsewhere. Packets are not displayed when this flag is
         used.


     -I interface

         Capture IP packets from the network using the IP interface
         specified by interface, for example, lo0. The ifconfig(1M) command
         can be used to list available IP interfaces. The -I and -d options
         are mutually exclusive.


     -P

         Capture packets in non-promiscuous mode. Only broadcast, multicast,
         or packets addressed to the host machine will be seen.


     -S

         Display the size of the entire link layer frame in bytes on the
         summary line.


     -V

         Verbose summary mode. This is halfway between summary mode and
         verbose mode in degree of verbosity. Instead of displaying just the
         summary line for the highest-level protocol in a packet, it
         displays a summary line for each protocol layer in the packet. For
         instance, for an NFS packet it displays a line each for the ETHER,
         IP, UDP, RPC and NFS layers. Verbose summary mode output may be
         easily piped through grep to extract packets of interest. For
         example, to view only RPC summary lines, enter the following:

         example# snoop -i rpc.cap -V | grep RPC


     -a

         Listen to packets on /dev/audio (warning: can be noisy).


     -c maxcount

         Quit after capturing maxcount packets. Otherwise keep capturing
         until there is no disk space left or until interrupted with
         Control-C.


     -d datalink

         Capture link-layer packets from the network using the DLPI datalink
         specified by datalink, for example, bge0 or net0. The dladm(1M)
         show-link subcommand can be used to list available datalinks. The
         -d and -I options are mutually exclusive.


     -i filename

         Display packets previously captured in filename. Without this
         option, snoop reads packets from the network interface. If a
         filename.names file is present, it is automatically loaded into
         the snoop IP address-to-name mapping table (see the -N flag).


     -n filename

         Use filename as an IP address-to-name mapping table. This file must
         have the same format as the /etc/hosts file (IP address followed by
         the hostname).


     -o filename

         Save captured packets in filename as they are captured. (This
         filename is referred to as the "capture file".) The format of the
         capture file is RFC 1761-compliant. During packet capture, a count
         of the number of packets saved in the file is displayed. If you
         wish just to count packets without saving to a file, name the file
         /dev/null.


     -p first [ , last ]

         Select one or more packets to be displayed from a capture file. The
         first packet in the file is packet number 1.


     -q

         When capturing network packets into a file, do not display the
         packet count. This can improve packet capturing performance.


     -r

         Do not resolve IP addresses to symbolic names. This prevents snoop
         from generating network traffic while capturing and displaying
         packets. However, if the -n option is used and an address is found
         in the mapping file, its corresponding name will be used.


     -s snaplen

         Truncate each packet after snaplen bytes. Usually the whole packet
         is captured. This option is useful if only certain packet header
         information is required. The packet truncation is done within the
         kernel, giving better utilization of the STREAMS packet buffer.
         This means less chance of dropped packets due to buffer overflow
         during periods of high traffic. It also saves disk space when
         capturing large traces to a capture file. To capture only IP
         headers (no options) use a snaplen of 34. For UDP use 42, and for
         TCP use 54. You can capture RPC headers with a snaplen of 80 bytes.
         NFS headers can be captured in 120 bytes.


     -t [ r | a | d ]

         Time-stamp presentation. Time-stamps are accurate to within 4
         microseconds. The default is for times to be presented in d (delta)
         format (the time since receiving the previous packet). Option a
         (absolute) gives wall-clock time. Option r (relative) gives time
         relative to the first packet displayed. This can be used with the
         -p option to display time relative to any selected packet.


     -v

         Verbose mode. Print packet headers in lots of detail. This display
         consumes many lines per packet and should be used only on selected
         packets.


     -x offset [ , length ]

         Display packet data in hexadecimal and ASCII format. The offset and
         length values select a portion of the packet to be displayed. To
         display the whole packet, use an offset of 0. If a length value is
         not provided, the rest of the packet is displayed.


OPERANDS
     expression

         Select packets either from the network or from a capture file. Only
         packets for which the expression is true will be selected. If no
         expression is provided, it is assumed to be true.

         Given a filter expression, snoop generates code for either the
         kernel packet filter or for its own internal filter. If capturing
         packets from the network interface, code for the kernel packet
         filter is generated. This filter is implemented as a STREAMS
         module, upstream of the buffer module. The buffer module
         accumulates packets until it becomes full and then passes the
         packets on to snoop. The kernel packet filter is very efficient,
         since it rejects unwanted packets in the kernel before they reach
         the packet buffer or snoop. The kernel packet filter has some
         limitations in its implementation; it is possible to construct
         filter expressions that it cannot handle. In this event, snoop
         tries to split the filter and do as much filtering in the kernel as
         possible. The remaining filtering is done by the packet filter for
         snoop. The -C flag can be used to view the generated code for
         either the kernel packet filter or the packet filter for snoop. If
         packets are read from a capture file using the -i option, only the
         packet filter for snoop is used.

         A filter expression consists of a series of one or more boolean
         primitives that may be combined with boolean operators (AND, OR,
         and NOT). Normal precedence rules for boolean operators apply.
         Order of evaluation of these operators may be controlled with
         parentheses. Since parentheses and other filter expression
         characters are known to the shell, it is often necessary to enclose
         the filter expression in quotes. Refer to Example 2 for information
         about setting up more efficient filters.

         The primitives are:

237
238 host hostname
239
240 True if the source or destination address is that of hostname.
241 The hostname argument may be a literal address. The keyword
242 host may be omitted if the name does not conflict with the name
243 of another expression primitive. For example, pinky selects
244 packets transmitted to or received from the host pinky, whereas
245 pinky and dinky selects packets exchanged between hosts pinky
246 AND dinky.
247
248 The type of address used depends on the primitive which pre‐
249 cedes the host primitive. The possible qualifiers are inet,
250 inet6, ether, or none. These three primitives are discussed
251 below. Having none of the primitives present is equivalent to
252 "inet host hostname or inet6 host hostname". In other words,
253 snoop tries to filter on all IP addresses associated with host‐
254 name.
255
256
257 inet or inet6
258
259 A qualifier that modifies the host primitive that follows. If
260 it is inet, then snoop tries to filter on all IPv4 addresses
261 returned from a name lookup. If it is inet6, snoop tries to
262 filter on all IPv6 addresses returned from a name lookup.
263
264
265 ipaddr, atalkaddr, or etheraddr
266
267 Literal addresses, IP dotted, AppleTalk dotted, and Ethernet
268 colon are recognized. For example,
269
270 o "172.16.40.13" matches all packets with that IP
271
272 o "2::9255:a00:20ff:fe73:6e35" matches all packets
273 with that IPv6 address as source or destination;
274
275 o "65281.13" matches all packets with that AppleTalk
276 address;
277
278 o "8:0:20:f:b1:51" matches all packets with the Ether‐
279 net address as source or destination.
280 An Ethernet address beginning with a letter is interpreted as a
281 hostname. To avoid this, prepend a zero when specifying the
282 address. For example, if the Ethernet address is
283 aa:0:45:23:52:44, then specify it by add a leading zero to make
284 it 0aa:0:45:23:52:44.
285
286
287 from or src
288
289 A qualifier that modifies the following host, net, ipaddr,
290 atalkaddr, etheraddr, port or rpc primitive to match just the
291 source address, port, or RPC reply.
292
293
294 to or dst
295
296 A qualifier that modifies the following host, net, ipaddr,
297 atalkaddr, etheraddr, port or rpc primitive to match just the
298 destination address, port, or RPC call.
299
300
301 ether
302
303 A qualifier that modifies the following host primitive to
304 resolve a name to an Ethernet address. Normally, IP address
305 matching is performed. This option is not supported on media
306 such as IPoIB (IP over InfiniBand).
307
308
309 ethertype number
310
311 True if the Ethernet type field has value number. If number is
312 not 0x8100 (VLAN) and the packet is VLAN tagged, then the
313 expression will match the encapsulated Ethernet type.
314
315
316 ip, ip6, arp, rarp, pppoed, pppoes
317
318 True if the packet is of the appropriate ethertype.
319
320
321 vlan
322
323 True if the packet has ethertype VLAN and the VLAN ID is not
324 zero.
325
326
327 vlan-id id
328
329 True for packets of ethertype VLAN with the id id.
330
331
332 pppoe
333
334 True if the ethertype of the packet is either pppoed or pppoes.
335
336
         broadcast

             True if the packet is a broadcast packet. Equivalent to
             ether[2:4] = 0xffffffff for Ethernet. This option is not
             supported on media such as IPoIB (IP over InfiniBand).


         multicast

             True if the packet is a multicast packet. Equivalent to
             "ether[0] & 1 = 1" on Ethernet. This option is not supported on
             media such as IPoIB (IP over InfiniBand).


         bootp, dhcp

             True if the packet is an unfragmented IPv4 UDP packet with
             either a source port of BOOTPS (67) and a destination port of
             BOOTPC (68), or a source port of BOOTPC (68) and a destination
             port of BOOTPS (67).


         dhcp6

             True if the packet is an unfragmented IPv6 UDP packet with
             either a source port of DHCPV6-SERVER (547) and a destination
             port of DHCPV6-CLIENT (546), or a source port of DHCPV6-CLIENT
             (546) and a destination port of DHCPV6-SERVER (547).


         apple

             True if the packet is an Apple Ethertalk packet. Equivalent to
             "ethertype 0x809b or ethertype 0x80f3".


         decnet

             True if the packet is a DECNET packet.


         greater length

             True if the packet is longer than length.


         less length

             True if the packet is shorter than length.


         udp, tcp, icmp, icmp6, ah, esp

             True if the IP or IPv6 protocol is of the appropriate type.


         net net

             True if either the IP source or destination address has a
             network number of net. The from or to qualifier may be used to
             select packets for which the network number occurs only in the
             source or destination address.


         port port

             True if either the source or destination port is port. The port
             may be either a port number or a name from /etc/services. The
             tcp or udp primitives may be used to select TCP or UDP ports
             only. The from or to qualifier may be used to select packets
             for which the port occurs only as the source or destination.


         rpc prog [ , vers [ , proc ] ]

             True if the packet is an RPC call or reply packet for the
             protocol identified by prog. The prog may be either the name of
             an RPC protocol from /etc/rpc or a program number. The vers and
             proc may be used to further qualify the program version and
             procedure number; for example, rpc nfs,2,0 selects all calls
             and replies for the NFS null procedure. The to or from
             qualifier may be used to select either call or reply packets
             only.


         zone zoneid

             True if zoneid matches either the source or destination zoneid
             of a packet received on an ipnet device.


         ldap

             True if the packet is an LDAP packet on port 389.


         gateway host

             True if the packet used host as a gateway, that is, the
             Ethernet source or destination address was for host but not the
             IP address. Equivalent to "ether host host and not host host".


         nofrag

             True if the packet is unfragmented or is the first in a series
             of IP fragments. Equivalent to ip[6:2] & 0x1fff = 0.


         expr relop expr

             True if the relation holds, where relop is one of >, <, >=, <=,
             =, !=, and expr is an arithmetic expression composed of
             numbers, packet field selectors, the length primitive, and the
             arithmetic operators +, -, *, &, |, ^, and %. The arithmetic
             operators within expr are evaluated before the relational
             operator, and normal precedence rules apply between the
             arithmetic operators, such as multiplication before addition.
             Parentheses may be used to control the order of evaluation. To
             use the value of a field in the packet, use the following
             syntax:

                 base[expr [: size ] ]


             where expr evaluates to an offset into the packet from a base
             offset, which may be ether, ip, ip6, udp, tcp, or icmp. The
             size value specifies the size of the field in bytes. If not
             given, 1 is assumed. Other legal values are 2 and 4. Multi-byte
             fields are read in network (big-endian) byte order, as the
             examples below rely on. For example,

                 ether[0] & 1 = 1

             is equivalent to multicast

                 ether[2:4] = 0xffffffff

             is equivalent to broadcast.

                 ip[ip[0] & 0xf * 4 : 2] = 2049

             is equivalent to udp[0:2] = 2049

                 ip[0] & 0xf > 5

             selects IP packets with options.

                 ip[6:2] & 0x1fff = 0

             eliminates IP fragments.

                 udp and ip[6:2]&0x1fff = 0 and udp[6:2] != 0

             finds all packets with UDP checksums.

             The length primitive may be used to obtain the length of the
             packet. For instance "length > 60" is equivalent to "greater
             60", and "ether[length - 1]" obtains the value of the last byte
             in a packet.

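     The following program is an added example, not code from snoop(1M) or
     Solaris. It writes and reads a capture in the RFC 1761 file format
     that the -o option produces, and applies the field selectors described
     above (ether[], ip[], udp[]) to three constructed Ethernet frames: an
     NFS call over UDP, a non-first IP fragment, and a broadcast ARP frame.
     The MAC addresses, IP addresses and frame contents are constructed for
     illustration; checksums are left at zero. It covers only the ether, ip
     and udp/tcp bases, not ip6 or icmp.

```python
"""Reader/writer for the RFC 1761 "snoop version 2" capture format and the
byte-offset field selectors (ether[], ip[], udp[]/tcp[]) of snoop's filter
language. Added example; not code from snoop(1M) or Solaris."""
import struct

SNOOP_MAGIC = b"snoop\x00\x00\x00"   # 8-byte identification pattern
SNOOP_VERSION = 2                     # RFC 1761 version field
DL_ETHERNET = 4                       # RFC 1761 datalink type: Ethernet


def write_snoop(records, datalink=DL_ETHERNET):
    """records: iterable of (sec, usec, frame). Layout per RFC 1761: 16-byte
    file header, then per packet a 24-byte record header (original length,
    included length, record length, cumulative drops, timestamp seconds,
    timestamp microseconds), all big-endian, data padded to 4 bytes.
    Nothing is truncated here, so included length == original length."""
    out = bytearray(SNOOP_MAGIC + struct.pack(">II", SNOOP_VERSION, datalink))
    for sec, usec, frame in records:
        pad = (-len(frame)) % 4
        rec_len = 24 + len(frame) + pad
        out += struct.pack(">IIIIII", len(frame), len(frame), rec_len, 0, sec, usec)
        out += frame + b"\x00" * pad
    return bytes(out)


def read_snoop(blob):
    """Parse a capture; returns (datalink, [(orig, incl, sec, usec, data)]).
    A bad magic, version or record length raises rather than being skipped,
    since a silently misaligned parse would attribute bytes to the wrong
    packet."""
    if blob[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop capture file")
    version, datalink = struct.unpack(">II", blob[8:16])
    if version != SNOOP_VERSION:
        raise ValueError("unsupported snoop version %d" % version)
    off, pkts = 16, []
    while off + 24 <= len(blob):
        orig, incl, rec_len, _drops, sec, usec = struct.unpack(">IIIIII", blob[off:off + 24])
        if rec_len < 24 + incl or off + rec_len > len(blob):
            raise ValueError("bad record length at offset %d" % off)
        pkts.append((orig, incl, sec, usec, blob[off + 24:off + 24 + incl]))
        off += rec_len
    return datalink, pkts


def field(frame, base, off, size=1):
    """snoop's base[off:size]: big-endian integer of `size` bytes at `off`
    past the ether, ip, or udp/tcp header of an Ethernet/IPv4 frame."""
    if base == "ether":
        start = 0
    elif base == "ip":
        start = 14
    else:                                   # udp/tcp begin after IHL*4 bytes
        start = 14 + (frame[14] & 0xF) * 4
    return int.from_bytes(frame[start + off:start + off + size], "big")


# Predicates spelled the way the man page gives their equivalents.
def is_multicast(f):     # ether[0] & 1 = 1
    return field(f, "ether", 0) & 1 == 1

def is_broadcast(f):     # ether[2:4] = 0xffffffff
    return field(f, "ether", 2, 4) == 0xFFFFFFFF

def is_ip(f):            # ethertype 0x0800
    return field(f, "ether", 12, 2) == 0x0800

def nofrag(f):           # ip[6:2] & 0x1fff = 0, guarded with `ip` here
    return is_ip(f) and field(f, "ip", 6, 2) & 0x1FFF == 0

def udp_port(f, port):   # udp and nofrag and (udp[0:2] = port or udp[2:2] = port)
    return nofrag(f) and field(f, "ip", 9) == 17 and \
        port in (field(f, "udp", 0, 2), field(f, "udp", 2, 2))


# Constructed frames (not captured traffic); checksums left at zero.
MAC_SUNROOF, MAC_BOUTIQUE = bytes.fromhex("080020013d94"), bytes.fromhex("080069015f0e")
IP_SUNROOF, IP_BOUTIQUE = bytes([172, 16, 40, 200]), bytes([172, 16, 40, 222])

def eth_ipv4(src_ip, dst_ip, proto, payload, ip_id=1, flags_frag=0):
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                     flags_frag, 64, proto, 0, src_ip, dst_ip)
    return MAC_SUNROOF + MAC_BOUTIQUE + b"\x08\x00" + ip + payload

def udp_segment(sport, dport, payload):
    return struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload

NFS_CALL = eth_ipv4(IP_BOUTIQUE, IP_SUNROOF, 17, udp_segment(1023, 2049, b"\x00" * 32))
FRAG2 = eth_ipv4(IP_BOUTIQUE, IP_SUNROOF, 17, b"\x00" * 16, ip_id=7, flags_frag=185)
ARP_BCAST = b"\xff" * 6 + MAC_BOUTIQUE + b"\x08\x06" + bytes(28)
SAMPLE = [(0, 0, NFS_CALL), (0, 4, FRAG2), (1, 0, ARP_BCAST)]


def classify(blob):
    """Read a capture and apply the predicates; one dict per packet."""
    _, pkts = read_snoop(blob)
    return [{"len": incl, "multicast": is_multicast(d), "broadcast": is_broadcast(d),
             "nofrag": nofrag(d), "nfs_udp": udp_port(d, 2049)}
            for _orig, incl, _s, _u, d in pkts]


if __name__ == "__main__":
    for row in classify(write_snoop(SAMPLE)):
        print(row)
```

     Note that the broadcast test checks only bytes 2 through 5 of the
     destination address, exactly as the man page's equivalent does, and
     that a non-first fragment carries no UDP header, which is why the
     port test is guarded by the fragment-offset check.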

         and

             Perform a logical AND operation between two boolean values. The
             AND operation is implied by the juxtaposition of two boolean
             expressions, for example "dinky pinky" is the same as "dinky
             AND pinky".


         or or ,

             Perform a logical OR operation between two boolean values. A
             comma may be used instead, for example, "dinky,pinky" is the
             same as "dinky OR pinky".


         not or !

             Perform a logical NOT operation on the following boolean value.
             This operator is evaluated before AND or OR.


         slp

             True if the packet is an SLP packet.


         sctp

             True if the packet is an SCTP packet.


         ospf

             True if the packet is an OSPF packet.


EXAMPLES
     Example 1 Using the snoop Command


     Capture all packets and display them as they are received:


     example# snoop



     Capture packets with host funky as either the source or destination and
     display them as they are received:


     example# snoop funky



     Capture packets between funky and pinky and save them to a file. Then
     inspect the packets using times (in seconds) relative to the first
     captured packet:


     example# snoop -o cap funky pinky
     example# snoop -i cap -t r | more



     To look at selected packets in another capture file:


     example# snoop -i pkts -p 99,108
     99 0.0027 boutique -> sunroof NFS C GETATTR FH=8E6
     100 0.0046 sunroof -> boutique NFS R GETATTR OK
     101 0.0080 boutique -> sunroof NFS C RENAME FH=8E6C MTra00192 to .nfs08
     102 0.0102 marmot -> viper NFS C LOOKUP FH=561E screen.r.13.i386
     103 0.0072 viper -> marmot NFS R LOOKUP No such file or directory
     104 0.0085 bugbomb -> sunroof RLOGIN C PORT=1023 h
     105 0.0005 kandinsky -> sparky RSTAT C Get Statistics
     106 0.0004 beeblebrox -> sunroof NFS C GETATTR FH=0307
     107 0.0021 sparky -> kandinsky RSTAT R
     108 0.0073 office -> jeremiah NFS C READ FH=2584 at 40960 for 8192



     To look at packet 101 in more detail:


     example# snoop -i pkts -v -p101
     ETHER: ----- Ether Header -----
     ETHER:
     ETHER: Packet 101 arrived at 16:09:53.59
     ETHER: Packet size = 210 bytes
     ETHER: Destination = 8:0:20:1:3d:94, Sun
     ETHER: Source = 8:0:69:1:5f:e, Silicon Graphics
     ETHER: Ethertype = 0800 (IP)
     ETHER:
     IP: ----- IP Header -----
     IP:
     IP: Version = 4, header length = 20 bytes
     IP: Type of service = 00
     IP: ..0. .... = routine
     IP: ...0 .... = normal delay
     IP: .... 0... = normal throughput
     IP: .... .0.. = normal reliability
     IP: Total length = 196 bytes
     IP: Identification 19846
     IP: Flags = 0X
     IP: .0.. .... = may fragment
     IP: ..0. .... = more fragments
     IP: Fragment offset = 0 bytes
     IP: Time to live = 255 seconds/hops
     IP: Protocol = 17 (UDP)
     IP: Header checksum = 18DC
     IP: Source address = 172.16.40.222, boutique
     IP: Destination address = 172.16.40.200, sunroof
     IP:
     UDP: ----- UDP Header -----
     UDP:
     UDP: Source port = 1023
     UDP: Destination port = 2049 (Sun RPC)
     UDP: Length = 176
     UDP: Checksum = 0
     UDP:
     RPC: ----- SUN RPC Header -----
     RPC:
     RPC: Transaction id = 665905
     RPC: Type = 0 (Call)
     RPC: RPC version = 2
     RPC: Program = 100003 (NFS), version = 2, procedure = 1
     RPC: Credentials: Flavor = 1 (Unix), len = 32 bytes
     RPC: Time = 06-Mar-90 07:26:58
     RPC: Hostname = boutique
     RPC: Uid = 0, Gid = 1
     RPC: Groups = 1
     RPC: Verifier : Flavor = 0 (None), len = 0 bytes
     RPC:
     NFS: ----- SUN NFS -----
     NFS:
     NFS: Proc = 11 (Rename)
     NFS: File handle = 000016430000000100080000305A1C47
     NFS: 597A0000000800002046314AFC450000
     NFS: File name = MTra00192
     NFS: File handle = 000016430000000100080000305A1C47
     NFS: 597A0000000800002046314AFC450000
     NFS: File name = .nfs08
     NFS:



     To view just the NFS packets between sunroof and boutique:


     example# snoop -i pkts rpc nfs and sunroof and boutique
     1 0.0000 boutique -> sunroof NFS C GETATTR FH=8E6C
     2 0.0046 sunroof -> boutique NFS R GETATTR OK
     3 0.0080 boutique -> sunroof NFS C RENAME FH=8E6C MTra00192 to .nfs08



     To save these packets to a new capture file:


     example# snoop -i pkts -o pkts.nfs rpc nfs sunroof boutique



     Encapsulated packets are displayed with an indicator of the
     encapsulation on the summary line:


     example# snoop ip-in-ip
     sunroof -> boutique ICMP Echo request (1 encap)



     If -V is used on an encapsulated packet, each encapsulated layer gets
     its own summary line:


     example# snoop -V ip-in-ip
     sunroof -> boutique ETHER Type=0800 (IP), size = 118 bytes
     sunroof -> boutique IP D=172.16.40.222 S=172.16.40.200 LEN=104, ID=27497
     sunroof -> boutique IP D=10.1.1.2 S=10.1.1.1 LEN=84, ID=27497
     sunroof -> boutique ICMP Echo request


     Example 2 Setting Up A More Efficient Filter


     To set up a more efficient filter, place the primitives that the kernel
     packet filter cannot handle toward the end of the expression, so that
     the first part of the expression can be set up in the kernel. These
     primitives are: greater, less, port, rpc, nofrag, and relop. An OR in
     the expression makes it difficult to split the filtering between the
     kernel and snoop when these primitives are present. Instead, use
     parentheses to group the primitives that should be OR'd.



     To capture packets between funky and pinky of type tcp or udp on port
     80, a first attempt might be:


     example# snoop funky and pinky and port 80 and tcp or udp



     Because AND binds more tightly than OR, this expression is read as
     "(funky and pinky and port 80 and tcp) or udp", so besides being hard
     to split it also matches every UDP packet on the link. Since the
     primitive port cannot be handled by the kernel filter, and there is
     also an OR in the expression, a more efficient (and correct) filter
     groups tcp and udp with parentheses and places the port test last. The
     parentheses must be quoted from the shell:


     example# snoop 'funky and pinky and (tcp or udp) and port 80'


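     The following program is an added example, not snoop's own filter
     compiler. It parses the boolean core of the expression grammar
     described under OPERANDS, with the precedence stated there (NOT before
     AND, AND before OR, juxtaposition as AND, comma as OR), renders the
     resulting parse tree fully parenthesized, and evaluates both forms of
     the Example 2 filter against two constructed packet descriptions. The
     host names, ports and protocol values are assumed for illustration; the
     parser covers only the host, port, tcp and udp primitives.

```python
"""Recursive-descent parser and evaluator for the boolean core of snoop's
filter expressions, written to make AND/OR/NOT precedence visible. Added
example, not snoop's filter compiler; covers host, port, tcp, udp only."""

def tokenize(text):
    for ch in "(),!":                 # may appear without surrounding spaces
        text = text.replace(ch, " %s " % ch)
    return text.split()

class Parser:
    """Grammar, lowest precedence first (juxtaposition is AND, comma is OR):
         or_expr  := and_expr (("or" | ",") and_expr)*
         and_expr := not_expr (["and"] not_expr)*
         not_expr := ("not" | "!") not_expr | primary
         primary  := "(" or_expr ")" | "port" N | "host" NAME | tcp | udp | NAME
    Nodes: ("and", a, b) ("or", a, b) ("not", a) ("host", n) ("port", p)
    ("tcp",) ("udp",)."""
    RESERVED = {"and", "or", ",", "not", "!", "(", ")", "port", "host"}
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.peek()
        self.i += 1
        return tok
    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise SyntaxError("unexpected token %r" % self.peek())
        return node
    def or_expr(self):
        node = self.and_expr()
        while self.peek() in ("or", ","):
            self.take()
            node = ("or", node, self.and_expr())
        return node
    def and_expr(self):
        node = self.not_expr()
        while True:
            if self.peek() == "and":
                self.take()
            elif self.peek() in (None, "or", ",", ")"):
                break
            node = ("and", node, self.not_expr())
        return node
    def not_expr(self):
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self.not_expr())
        return self.primary()
    def primary(self):
        tok = self.take()
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise SyntaxError("missing )")
            return node
        if tok == "port":
            num = self.take()
            if not (num or "").isdigit():
                raise SyntaxError("port needs a number")
            return ("port", int(num))
        if tok == "host":
            return ("host", self.take())
        if tok in ("tcp", "udp"):
            return (tok,)
        if tok is None or tok in self.RESERVED:
            raise SyntaxError("bad primitive %r" % tok)
        return ("host", tok)          # bare name: the host keyword was omitted

def evaluate(node, pkt):
    """pkt: {"hosts": {src, dst}, "ports": {sport, dport}, "proto": "tcp"|"udp"}"""
    op = node[0]
    if op == "or":   return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if op == "and":  return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if op == "not":  return not evaluate(node[1], pkt)
    if op == "host": return node[1] in pkt["hosts"]
    if op == "port": return node[1] in pkt["ports"]
    return pkt["proto"] == op         # tcp / udp

def unparse(node):
    """Fully parenthesized rendering that exposes the parse tree."""
    op = node[0]
    if op in ("and", "or"):
        return "(%s %s %s)" % (unparse(node[1]), op, unparse(node[2]))
    if op == "not":
        return "(not %s)" % unparse(node[1])
    return " ".join(str(x) for x in node)

# Constructed packet descriptions (assumed values); names follow Example 2.
WEB = {"hosts": {"funky", "pinky"}, "ports": {80, 40001}, "proto": "tcp"}
DNS = {"hosts": {"dinky", "resolver"}, "ports": {53, 50123}, "proto": "udp"}
LOOSE = "funky and pinky and port 80 and tcp or udp"
TIGHT = "funky and pinky and (tcp or udp) and port 80"

if __name__ == "__main__":
    for expr in (LOOSE, TIGHT):
        tree = Parser(expr).parse()
        print(unparse(tree), "  web:", evaluate(tree, WEB), "  dns:", evaluate(tree, DNS))
```

     The unquoted form from Example 2 matches the UDP packet between dinky
     and resolver, while the parenthesized form does not; the parenthesized
     rendering shows why.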
EXIT STATUS
     0    Successful completion.


     1    An error occurred.

FILES
     /dev/audio       Symbolic link to the system's primary audio device.


     /dev/null        The null file.


     /etc/hosts       Host name database.


     /etc/rpc         RPC program number data base.


     /etc/services    Internet services and aliases.

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:




     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWrcmdc                    │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     dladm(1M), ifconfig(1M), netstat(1M), hosts(4), rpc(4), services(4),
     attributes(5), audio(7I), ipnet(7D), bufmod(7M), dlpi(7P), pfmod(7M)


     Callaghan, B. and Gilligan, R. RFC 1761, Snoop Version 2 Packet Capture
     File Format. Network Working Group. February 1995.

NOTES
     The processing overhead is much higher for real-time packet
     interpretation. Consequently, the packet drop count may be higher. For
     more reliable capture, output raw packets to a file using the -o
     option and analyze the packets offline.


     Unfiltered packet capture imposes a heavy processing load on the host
     computer, particularly if the captured packets are interpreted in real
     time. This processing load further increases if verbose options are
     used. Since heavy use of snoop may deny computing resources to other
     processes, it should not be used on production servers. Heavy use of
     snoop should be restricted to a dedicated computer.


     snoop does not reassemble IP fragments. Interpretation of higher level
     protocols halts at the end of the first IP fragment.


     snoop may generate extra packets as a side-effect of its use. For
     example, it may use a network name service (NIS or NIS+) to convert IP
     addresses to host names for display. Capturing into a file for later
     display can be used to postpone the address-to-name mapping until
     after the capture session is complete. Capturing into an NFS-mounted
     file may also generate extra packets.


     Setting the snaplen (-s option) to small values may remove header
     information that is needed to interpret higher level protocols. The
     exact cutoff value depends on the network and protocols being used.
     For NFS Version 2 traffic using UDP on 10 Mb/s Ethernet, do not set
     snaplen less than 150 bytes. For NFS Version 3 traffic using TCP on
     100 Mb/s Ethernet, snaplen should be 250 bytes or more.


     snoop requires information from an RPC request to fully interpret an
     RPC reply. If an RPC reply in a capture file or packet range does not
     have a request preceding it, then only the RPC reply header will be
     displayed.



SunOS 5.11                       18 Feb 2009                        snoop(1M)