Managing NFS and NIS, 2nd Edition - Mike Eisler [197]
# snoop -o /tmp/capture -c 100
Using device /dev/hme (promiscuous mode)
100 100 packets captured
The -o option instructs snoop to save the captured packets in the /tmp/capture file. The capture file's mode bits are set using root's file mode creation mask (umask), so check them after the capture: non-privileged users who are given read access to the capture file can invoke snoop on it and process everything it contains. The -c option instructs snoop to capture only 100 packets. Alternatively, you can interrupt snoop when you believe you have captured enough packets.
The captured packets can then be analyzed as many times as necessary under different filters, each presenting a different view of data. Use the -i option to instruct snoop where to read the captured packets from:
# snoop -i /tmp/capture -c 5
1 0.00000 caramba -> mickey PORTMAP C GETPORT prog=100003 (NFS) vers=3 proto=UDP
2 0.00072 mickey -> caramba PORTMAP R GETPORT port=2049
3 0.00077 caramba -> mickey NFS C NULL3
4 0.00041 mickey -> caramba NFS R NULL3
5 0.00195 caramba -> mickey PORTMAP C GETPORT prog=100003 (NFS) vers=3 proto=UDP
5 packets captured
The -i option instructs snoop to read the packets from the /tmp/capture capture file instead of capturing new packets from the network device. Note that two new columns are added to the display. The first column displays the packet number, and the second column displays the time delta between one packet and the next in seconds. For example, the second packet's time delta indicates that the host caramba received a reply to its original portmap request 720 microseconds after the request was first sent.
By default, snoop displays summary information for the top-most protocol in the network stack for every packet. Use the -V option to instruct snoop to display information about every level in the network stack. You can also specify packets or a range of them with the -p option:
# snoop -i /tmp/capture -V -p 3,4
________________________________
3 0.00000 caramba -> mickey ETHER Type=0800 (IP), size = 82 bytes
3 0.00000 caramba -> mickey IP D=131.40.52.27 S=131.40.52.223 LEN=68, ID=35462
3 0.00000 caramba -> mickey UDP D=2049 S=55559 LEN=48
3 0.00000 caramba -> mickey RPC C XID=969440111 PROG=100003 (NFS) VERS=3 PROC=0
3 0.00000 caramba -> mickey NFS C NULL3
________________________________
4 0.00041 mickey -> caramba ETHER Type=0800 (IP), size = 66 bytes
4 0.00041 mickey -> caramba IP D=131.40.52.223 S=131.40.52.27 LEN=52, ID=26344
4 0.00041 mickey -> caramba UDP D=55559 S=2049 LEN=32
4 0.00041 mickey -> caramba RPC R (#3) XID=969440111 Success
4 0.00041 mickey -> caramba NFS R NULL3
The -V option instructs snoop to display a summary line for each protocol layer in the packet. In the previous example, packet 3 shows the Ethernet, IP, UDP, and RPC summary information, in addition to the NFS NULL request. The -p option specifies which packets are to be displayed; in this case snoop displays packets 3 and 4.
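Because a saved capture can be re-read with -i as often as needed, the summary and -V listings above are easy to post-process. The following Python script is an added example, not code from the book or from Solaris; it assumes the column layout shown in the two listings (packet number, time delta, source -> destination, protocol name, detail) and works on constructed copies of those listings embedded in the script. It rebuilds per-packet timestamps from the delta column, pairs each RPC-level call with its reply to get the round-trip latency, reports calls that never got a reply, extracts the port a server handed out for a program number in a PORTMAP GETPORT exchange (so you can confirm that NFS really is being served on the port you expect), and pairs RPC call and reply packets in -V output by XID.

```python
import re
from dataclasses import dataclass

# Constructed sample of `snoop -i /tmp/capture` summary output (wrapped
# continuation lines joined).  Not a real capture.
SUMMARY = """\
1   0.00000  caramba -> mickey  PORTMAP C GETPORT prog=100003 (NFS) vers=3 proto=UDP
2   0.00072  mickey -> caramba  PORTMAP R GETPORT port=2049
3   0.00077  caramba -> mickey  NFS C NULL3
4   0.00041  mickey -> caramba  NFS R NULL3
5   0.00195  caramba -> mickey  PORTMAP C GETPORT prog=100003 (NFS) vers=3 proto=UDP
5 packets captured
"""

# Constructed sample of `snoop -i /tmp/capture -V -p 3,4` layered output.
LAYERED = """\
________________________________
3   0.00000  caramba -> mickey  ETHER Type=0800 (IP), size = 82 bytes
3   0.00000  caramba -> mickey  IP D=131.40.52.27 S=131.40.52.223 LEN=68, ID=35462
3   0.00000  caramba -> mickey  UDP D=2049 S=55559 LEN=48
3   0.00000  caramba -> mickey  RPC C XID=969440111 PROG=100003 (NFS) VERS=3 PROC=0
3   0.00000  caramba -> mickey  NFS C NULL3
________________________________
4   0.00041  mickey -> caramba  ETHER Type=0800 (IP), size = 66 bytes
4   0.00041  mickey -> caramba  IP D=131.40.52.223 S=131.40.52.27 LEN=52, ID=26344
4   0.00041  mickey -> caramba  UDP D=55559 S=2049 LEN=32
4   0.00041  mickey -> caramba  RPC R (#3) XID=969440111 Success
4   0.00041  mickey -> caramba  NFS R NULL3
"""

# Assumed column layout: number, delta, src -> dst, PROTOCOL, detail.
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<delta>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"\s+(?P<proto>[A-Z]+)\s+(?P<rest>.*)$")
PROG_RE = re.compile(r"prog=(\d+)")
PORT_RE = re.compile(r"port=(\d+)")
XID_RE = re.compile(r"XID=(\d+)")
LOWER_LAYERS = ("ETHER", "IP", "UDP")   # lines with no call/reply marker


@dataclass
class Layer:
    num: int       # packet number (first column of snoop -i output)
    delta: float   # seconds since the previous packet (second column)
    src: str
    dst: str
    proto: str
    rest: str      # protocol-specific detail after the protocol name

    @property
    def direction(self):
        """'C' for an RPC call, 'R' for a reply, None for lower layers."""
        tok = self.rest.split(" ", 1)[0]
        return tok if tok in ("C", "R") else None


def parse_lines(text):
    """Parse summary or -V output; separators and 'N packets captured' are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Layer(int(m["num"]), float(m["delta"]), m["src"],
                             m["dst"], m["proto"], m["rest"].strip()))
    return out


def absolute_times(layers):
    """Sum the delta column over distinct packet numbers; packet 1 sits at t=0."""
    times, t = {}, 0.0
    for l in layers:
        if l.num not in times:
            t += l.delta
            times[l.num] = t
    return times


def reply_latencies(layers):
    """Pair each call with the next same-protocol reply flowing the other way.
    Returns ({call_packet: seconds}, [unanswered call packets])."""
    times, pending, latencies = absolute_times(layers), {}, {}
    for l in layers:
        if l.proto in LOWER_LAYERS:
            continue
        if l.direction == "C":
            pending[(l.proto, l.src, l.dst)] = l.num
        elif l.direction == "R":
            call = pending.pop((l.proto, l.dst, l.src), None)
            if call is not None:
                latencies[call] = round(times[l.num] - times[call], 5)
    return latencies, sorted(pending.values())


def portmap_bindings(layers):
    """Return {(server, program): port} from PORTMAP GETPORT call/reply pairs."""
    asked, bindings = {}, {}
    for l in layers:
        if l.proto != "PORTMAP" or "GETPORT" not in l.rest:
            continue
        if l.direction == "C" and (m := PROG_RE.search(l.rest)):
            asked[(l.src, l.dst)] = int(m.group(1))
        elif l.direction == "R" and (m := PORT_RE.search(l.rest)):
            prog = asked.pop((l.dst, l.src), None)
            if prog is not None:
                bindings[(l.src, prog)] = int(m.group(1))
    return bindings


def match_rpc_xids(layers):
    """From -V output, pair RPC calls and replies by XID: {xid: (call, reply)}.
    A reply whose XID was never seen as a call gets call=None."""
    calls, pairs = {}, {}
    for l in layers:
        if l.proto != "RPC" or not (m := XID_RE.search(l.rest)):
            continue
        xid = int(m.group(1))
        if l.direction == "C":
            calls[xid] = l.num
        elif l.direction == "R":
            pairs[xid] = (calls.pop(xid, None), l.num)
    return pairs


if __name__ == "__main__":
    summary = parse_lines(SUMMARY)
    print("latencies, unanswered:", reply_latencies(summary))
    print("portmap bindings:", portmap_bindings(summary))
    print("rpc xid pairs:", match_rpc_xids(parse_lines(LAYERED)))
```

Run against the sample listings it reports packet 1 answered after 0.00072 s and packet 3 after 0.00041 s, packet 5 (the second GETPORT) unanswered within the capture, mickey binding program 100003 to port 2049, and XID 969440111 pairing packets 3 and 4. To use it on a real capture, save `snoop -i /tmp/capture` or `snoop -i /tmp/capture -V` output to a file and pass its contents to parse_lines; the delta column is relative to the previous packet, so timestamps are only meaningful within one run of snoop.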
Every layer of the network stack contains a wealth of information that is not displayed with the -V option. Use the -v option when you're interested in analyzing the full details of any of the network layers:
# snoop -i /tmp/capture -v -p 3
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 3 arrived at 15:08:43.35
ETHER: Packet size = 82 bytes
ETHER: Destination = 0:0:c:7:ac:56, Cisco
ETHER: Source = 8:0:20:b9:2b:f6, Sun
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 68 bytes
IP: Identification = 35462
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 17 (UDP)