How to Capture Network Packets in Solaris

How to Capture Network Packets in Solaris  

# snoop -h

snoop: illegal option -- h

Usage:  snoop

        [ -a ]                  # Listen to packets on audio

        [ -d device ]           # Listen on interface named device

        [ -s snaplen ]          # Truncate packets

        [ -c count ]            # Quit after count packets

        [ -P ]                  # Turn OFF promiscuous mode

        [ -D ]                  # Report dropped packets

        [ -S ]                  # Report packet size

        [ -i file ]             # Read previously captured packets

        [ -o file ]             # Capture packets in file

        [ -n file ]             # Load addr-to-name table from file

        [ -N ]                  # Create addr-to-name table

        [ -t  r|a|d ]           # Time: Relative, Absolute or Delta

        [ -v ]                  # Verbose packet display

        [ -V ]                  # Show all summary lines

        [ -p first[,last] ]     # Select packet(s) to display

        [ -x offset[,length] ]  # Hex dump from offset for length

        [ -C ]                  # Print packet filter code

        [ -q ]                  # Suppress printing packet count

        [ -r ]                  # Do not resolve address to name

        [ filter expression ]

Example:

        snoop -o saved  host fred

        snoop -i saved -tr -v -p19

Show DHCP packets :

# snoop |grep -i dhcp

Using device igb0 (promiscuous mode)

   50.17.0.1 -> NTU-HQ-GLOBAL DHCP/BOOTP DHCPDISCOVER

NTU-HQ-GLOBAL -> 50.17.0.1    DHCP/BOOTP DHCPOFFER

   50.17.0.1 -> NTU-HQ-GLOBAL DHCP/BOOTP DHCPDISCOVER

Show UDP packets :

# snoop |grep -i udp

Using device igb0 (promiscuous mode)

  172.16.0.1 -> 50.200.0.229 UDP D=1728 S=37628 LEN=32

  172.16.0.1 -> 50.17.0.41   UDP D=1728 S=37628 LEN=32

  172.16.0.1 -> 50.210.0.214 UDP D=1728 S=37628 LEN=32

Verbose packet display:

# snoop -v

ETHER:  ----- Ether Header -----

ETHER:

ETHER:  Packet 182 arrived at 15:37:15.74365

ETHER:  Packet size = 66 bytes

ETHER:  Destination = 0:0:5e:0:1:64, U.S. Department of Defense (IANA)

ETHER:  Source      = 0:21:28:d2:88:8c,

ETHER:  Ethertype = 0800 (IP)

^CETHER:

IP:   ----- IP Header -----

IP:

IP:   Version = 4

IP:   Header length = 20 bytes

IP:   Type of service = 0x00

IP:         xxx. .... = 0 (precedence)

IP:         ...0 .... = normal delay

IP:         .... 0... = normal throughput

IP:         .... .0.. = normal reliability

IP:         .... ..0. = not ECN capable transport

IP:         .... ...0 = no ECN congestion experienced

IP:   Total length = 52 bytes

IP:   Identification = 36051

IP:   Flags = 0x4

IP:         .1.. .... = do not fragment

IP:         ..0. .... = last fragment

IP:   Fragment offset = 0 bytes

IP:   Time to live = 255 seconds/hops

IP:   Protocol = 17 (UDP)

IP:   Header checksum = 0000

IP:   Source address = 172.16.0.1, 172.16.0.1

IP:   Destination address = 50.78.0.6, 50.78.0.6

IP:   No options

IP:

UDP:  ----- UDP Header -----

UDP:

UDP:  Source port = 37628

UDP:  Destination port = 1728

UDP:  Length = 32

UDP:  Checksum = DE96

UDP:

Display information on host 172.16.0.1 using summary verbose mode:

# snoop -V 172.16.0.1

To enable data captures from the snoop output without losing packets (while writing to the screen)by sending the snoop output to a file (snooper) :

# snoop -o/tmp/snooper -V 172.16.0.1

Show broadcast packets:

# snoop -d igb0 broadcast

Using device igb0 (promiscuous mode)

50.17.0.1   -> (broadcast)  ARP C Who is 172.16.0.8, sys13 ?