Home / Solaris 10 / How to use snoop in Solaris ?

How to use snoop in Solaris ?

Snoop is a inbuilt packet analyzer tool in oracle Solaris operating system.It is used for network troubleshooting and analysis.But normal user do not have permission to run snoop command.Only root user can run it.Snoop command having option to redirect the output to file.This file can be analysed later using snoop command itself or you can use wireshark tool for that.If you want highest level of protocol to display,then you need to use snoop command with -v or -V options.Dropped packets can be monitored using -D command. Solaris provides an option to trace network on  specific interface. 

Here we will see various snoop options and using  the snoop command in real production environment.You can’t run the snoop command in Solaris’s local zones if its configured with shared IP model.In this case,you need to run the snoop on global zone.If you are running snoop on global zone,you have to use  many filters to reduce the unnecessary traffic of other local zones.

The simple snoop command will pick the primary interface automatically when you run the snoop command.Here is sample output of it.
# snoop
Using device e1000g0 (promiscuous mode)
192.168.56.1 -> sfos ICMP Echo request (ID: 1 Sequence number: 15715)
sfos -> 192.168.56.1 ICMP Echo reply (ID: 1 Sequence number: 15715)
192.168.56.1 -> sfos ICMP Echo request (ID: 1 Sequence number: 15716)
sfos -> 192.168.56.1 ICMP Echo reply (ID: 1 Sequence number: 15716)
sfos -> 192.168.56.2 DNS C 1.56.168.192.in-addr.arpa. Internet PTR ?
192.168.56.2 -> sfos DNS R Error: 3(Name Error)
sfos -> 192.168.56.2 DNS C 1.56.168.192.in-addr.arpa. Internet PTR ?
192.168.56.2 -> sfos DNS R Error: 3(Name Error)
sfos -> 192.168.56.1 TCP D=57270 S=22 Push Ack=1013770374 Seq=3278382192 Len=196 Win=49640
192.168.56.1 -> sfos TCP D=22 S=57270 Ack=3278382388 Seq=1013770374 Len=0 Win=16076
sfos -> 192.168.56.1 TCP D=57270 S=22 Push Ack=1013770374 Seq=3278382388 Len=196 Win=49640
sfos -> 192.168.56.2 DNS C 2.56.168.192.in-addr.arpa. Internet PTR ?
192.168.56.1 -> sfos ICMP Echo request (ID: 1 Sequence number: 15717)
sfos -> 192.168.56.1 ICMP Echo reply (ID: 1 Sequence number: 15717)


If you want to monitor the specific interface network traffic,use the below command.

# snoop -d e1000g0
Using device e1000g0 (promiscuous mode)
192.168.56.1 -> sfos TCP D=22 S=57270 Ack=3278389444 Seq=1013770790 Len=0 Win=16339
sfos -> 192.168.56.1 TCP D=57270 S=22 Push Ack=1013770790 Seq=3278389360 Len=84 Win=49640
sfos -> 192.168.56.2 DNS C 1.56.168.192.in-addr.arpa. Internet PTR ?
192.168.56.2 -> sfos DNS R Error: 3(Name Error)
sfos -> 192.168.56.2 DNS C 1.56.168.192.in-addr.arpa. Internet PTR ?
192.168.56.2 -> sfos DNS R Error: 3(Name Error)
sfos -> 192.168.56.1 TCP D=57270 S=22 Push Ack=1013770790 Seq=3278389444 Len=132 Win=49640
sfos -> 192.168.56.1 TCP D=57270 S=22 Push Ack=1013770790 Seq=3278389576 Len=148 Win=49640
192.168.56.1 -> sfos TCP D=22 S=57270 Ack=3278389724 Seq=1013770790 Len=0 Win=16269
192.168.56.1 -> sfos ICMP Echo request (ID: 1 Sequence number: 15722)
sfos -> 192.168.56.1 ICMP Echo reply (ID: 1 Sequence number: 15722)


You can re-direct the snoop command output to file instead of displaying on console using below command.
Note:If you want, you can put & symbol at the end of the command to put the job in background

# snoop -o snoop_output1 -d e1000g0
Using device e1000g0 (promiscuous mode)
43 ^C
bash-3.00# file snoop_output1
snoop_output1: Snoop capture file - version 2


You can read the snoop file using the below command.

# snoop -i snoop_output1 |head
1 0.00000 192.168.56.1 ->sfos TCP D=22 S=57270 Ack=3278397644 Seq=1013776406 Len=0 Win=16157
2 0.00024 sfos ->192.168.56.1 TCP D=57270 S=22 Push Ack=1013776406 Seq=3278397644 Len=52 Win=49640
3 0.20383 192.168.56.1 ->sfos TCP D=22 S=57270 Ack=3278397696 Seq=1013776406 Len=0 Win=16144
4 0.35334 sfos ->192.168.56.2 DNS C sfos.localdomain.localdomain. Internet Addr ?
5 0.03474 192.168.56.2 ->sfos DNS R Error: 3(Name Error)
6 0.00088 sfos ->192.168.56.2 DNS C sfos.localdomain. Internet Addr ?
7 0.42232 sfos ->192.168.56.1 TCP D=57270 S=22 Push Ack=1013776406 Seq=3278397696 Len=52 Win=49640
8 0.00041 sfos ->192.168.56.1 TCP D=57270 S=22 Push Ack=1013776406 Seq=3278397748 Len=68 Win=49640
9 0.00002 192.168.56.1 ->sfos TCP D=22 S=57270 Ack=3278397816 Seq=1013776406 Len=0 Win=16114
10 0.46143 fe80::e4ad:db87:b6ee:e614 -> ff02::1:3 UDP D=5355 S=53302 LEN=30
#


To see the highest level of protocol to display,use the below command.

# snoop -v -d e1000g0
Using device e1000g0 (promiscuous mode)
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 1 arrived at 1:02:54.93555
ETHER: Packet size = 122 bytes
ETHER: Destination = 0:50:56:c0:0:8,
ETHER: Source = 0:c:29:5e:76:f5,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = not ECN capable transport
IP: .... ...0 = no ECN congestion experienced


To see the number of drop packets ,(you can see drops field is added in the output)

# snoop -D
Using device e1000g0 (promiscuous mode)
192.168.56.1 -> sfos drops: 0 TCP D=22 S=57270 Ack=3278600956 Seq=1013786066 Len=0 Win=16200
sfos -> 192.168.56.1 drops: 0 TCP D=57270 S=22 Push Ack=1013786066 Seq=3278600888 Len=68 Win=49640
192.168.56.1 -> (broadcast) drops: 0 ARP C Who is 192.168.56.2, 192.168.56.2 ?
sfos -> 192.168.56.2 drops: 0 DNS C 1.56.168.192.in-addr.arpa. Internet PTR ?
192.168.56.2 -> sfos drops: 0 DNS R Error: 3(Name Error)
sfos -> 192.168.56.2 drops: 0 DNS C 1.56.168.192.in-addr.arpa. Internet PTR ?
192.168.56.2 -> sfos drops: 0 DNS R Error: 3(Name Error)


To see the snoop output with time stamp, (first feild)

# snoop -tr
Using device e1000g0 (promiscuous mode)
0.00000 192.168.56.1 -> (broadcast) ARP C Who is 192.168.56.2, 192.168.56.2 ?
0.99984 sfos -> 192.168.56.2 DNS C 1.56.168.192.in-addr.arpa. Internet PTR ?
1.00077 192.168.56.1 -> (broadcast) ARP C Who is 192.168.56.2, 192.168.56.2 ?
1.00245 192.168.56.2 -> sfos DNS R Error: 3(Name Error)
1.00326 sfos -> 192.168.56.2 DNS C 1.56.168.192.in-addr.arpa. Internet PTR ?
1.00558 192.168.56.2 -> sfos DNS R Error: 3(Name Error)
1.00606 sfos -> 192.168.56.2 DNS C 2.56.168.192.in-addr.arpa. Internet PTR ?
1.00827 192.168.56.2 -> sfos DNS R Error: 3(Name Error)
1.00867 sfos -> 192.168.56.2 DNS C 2.56.168.192.in-addr.arpa. Internet PTR ?
1.01107 192.168.56.2 -> sfos DNS R Error: 3(Name Error)


Note:You can use the all  options in one command.For an example,you want to save the highest level of protocol network activity in file for interface e1000g0,Use the below command.
# snoop -v -o output_file -d physical_interface

Advanced snoop options to add more filter:

To see the traffic with specific host or IP address,Use the below command.
(IP-192.168.56.2 is remote host ; server IP – 192.168.56.130)

# snoop -r -d e1000g0 host 192.168.56.2
Using device e1000g0 (promiscuous mode)
192.168.56.130 -> 192.168.56.2 DNS C _nfsv4idmapdomain.localdomain. Internet TXT ?
192.168.56.2 -> 192.168.56.130 DNS R Error: 3(Name Error)
192.168.56.130 -> 192.168.56.2 DNS C _nfsv4idmapdomain. Internet TXT ?
192.168.56.2 -> 192.168.56.130 DNS R Error: 2(Server Fail)
192.168.56.130 -> 192.168.56.2 DNS C _nfsv4idmapdomain. Internet TXT ?
192.168.56.2 -> 192.168.56.130 DNS R Error: 2(Server Fail)
^Cbash-3.00# snoop -r -D -d e1000g0 host 192.168.56.2
Using device e1000g0 (promiscuous mode)
192.168.56.130 -> 192.168.56.2 drops: 0 DNS C _nfsv4idmapdomain.localdomain. Internet TXT ?
192.168.56.2 -> 192.168.56.130 drops: 0 DNS R Error: 3(Name Error)
192.168.56.130 -> 192.168.56.2 drops: 0 DNS C _nfsv4idmapdomain. Internet TXT ?
192.168.56.2 -> 192.168.56.130 drops: 0 DNS R Error: 2(Server Fail)
192.168.56.130 -> 192.168.56.2 drops: 0 DNS C _nfsv4idmapdomain. Internet TXT ?
192.168.56.2 -> 192.168.56.130 drops: 0 DNS R Error: 2(Server Fail)


To display the traffic between remote host with specific port,Use the below command,

# snoop -r -D -d e1000g0 host 192.168.56.2 and port 53
Using device e1000g0 (promiscuous mode)
192.168.56.130 -> 192.168.56.2 drops: 0 DNS C _nfsv4idmapdomain.localdomain. Internet TXT ?
192.168.56.2 -> 192.168.56.130 drops: 0 DNS R Error: 3(Name Error)
192.168.56.130 -> 192.168.56.2 drops: 0 DNS C _nfsv4idmapdomain. Internet TXT ?
192.168.56.2 -> 192.168.56.130 drops: 0 DNS R Error: 2(Server Fail)
192.168.56.130 -> 192.168.56.2 drops: 0 DNS C _nfsv4idmapdomain. Internet TXT ?
192.168.56.2 -> 192.168.56.130 drops: 0 DNS R Error: 2(Server Fail)


Use the below command,If the interface is configured with many ip address and you want to see the traffic to specific IP. 

Ex:
e1000g0:1 has configured with 192.168.56.132
e1000g0:2 has confgiured with 192.168.56.134
e1000g0:3 has configured with 192.168.56.130
To see the traffic to 192.168.56.130,

# snoop -d e1000g0 src ip 192.168.56.130
Using device e1000g0 (promiscuous mode)
sfos -> 192.168.56.1 ICMP Echo reply (ID: 1 Sequence number: 15798)
sfos -> 192.168.56.2 DNS C 1.56.168.192.in-addr.arpa. Internet PTR ?
sfos -> 192.168.56.2 DNS C 1.56.168.192.in-addr.arpa. Internet PTR ?
sfos -> 192.168.56.1 ICMP Echo reply (ID: 1 Sequence number: 15799)
sfos -> 192.168.56.1 TCP D=57270 S=22 Push Ack=1013801450 Seq=3278676908 Len=116 Win=49640
sfos -> 192.168.56.2 DNS C 2.56.168.192.in-addr.arpa. Internet PTR ?
sfos -> 192.168.56.2 DNS C 2.56.168.192.in-addr.arpa. Internet PTR ?

You can specify the destination port using the below command
# snoop -d e1000g0 src ip 192.168.56.130 dst port 53
Using device e1000g0 (promiscuous mode)
sfos -> 192.168.56.2 DNS C _nfsv4idmapdomain.localdomain. Internet TXT ?
sfos -> 192.168.56.2 DNS C _nfsv4idmapdomain. Internet TXT ?
sfos -> 192.168.56.2 DNS C _nfsv4idmapdomain. Internet TXT ?
sfos -> 192.168.56.2 DNS C 2.56.168.192.in-addr.arpa. Internet PTR ?
sfos -> 192.168.56.2 DNS C 2.56.168.192.in-addr.arpa. Internet PTR ?


To specify remote host and server source address in one command,

# snoop -d e1000g0 host 192.168.56.1 src ip 192.168.56.130 dst port 53
Using device e1000g0 (promiscuous mode)
^Cbash-3.00# snoop -d e1000g0 host 192.168.56.1 src ip 192.168.56.130
Using device e1000g0 (promiscuous mode)
sfos -> 192.168.56.1 TCP D=57270 S=22 Push Ack=1013806338 Seq=3278684208 Len=84 Win=49640
sfos -> 192.168.56.1 ICMP Echo reply (ID: 1 Sequence number: 15827)
sfos -> 192.168.56.1 TCP D=57270 S=22 Push Ack=1013806338 Seq=3278684292 Len=148 Win=49640
sfos -> 192.168.56.1 TCP D=57270 S=22 Push Ack=1013806338 Seq=3278684440 Len=116 Win=49640
sfos -> 192.168.56.1 ICMP Echo reply (ID: 1 Sequence number: 15828)
sfos -> 192.168.56.1 TCP D=57270 S=22 Push Ack=1013806338 Seq=3278684556 Len=244 Win=49640
sfos -> 192.168.56.1 TCP D=57270 S=22 Push Ack=1013806338 Seq=3278684800 Len=116 Win=49640
sfos -> 192.168.56.1 ICMP Echo reply (ID: 1 Sequence number: 15829)

^Cbash-3.00# snoop -d e1000g0 host 192.168.56.1 src ip 192.168.56.130 dst port 53
Using device e1000g0 (promiscuous mode)

^Cbash-3.00# snoop -d e1000g0 host 192.168.56.2 src ip 192.168.56.130 dst port 53
Using device e1000g0 (promiscuous mode)
sfos -> 192.168.56.2 DNS C sfos.localdomain.localdomain. Internet Addr ?
sfos -> 192.168.56.2 DNS C 2.56.168.192.in-addr.arpa. Internet PTR ?
sfos -> 192.168.56.2 DNS C 2.56.168.192.in-addr.arpa. Internet PTR ?


To terminate the snoop command ,just use control+c . If its running in background,you can use “pgrep snoop ” and kill the process .

Hope you have learned some new things about snoop command.Thank you reading this article.Please leave a comment if you have any doubt .I will get back to you .

VMTURBO-CLOUD-CAPACITY

2 comments

  1. Thank you much.. All were well explained and examples were very clear…
    May God Bless you….

Leave a Reply

Your email address will not be published. Required fields are marked *