Managing NFS and NIS, 2nd Edition - Mike Eisler [199]
Note that the host keyword is not required when the specified hostname does not conflict with the name of another snoop primitive. The previous snoop from host caramba command could have been invoked without the host keyword, and it would have generated the same output:
# snoop from caramba
Using device /dev/hme (promiscuous mode)
caramba -> schooner NFS C GETATTR3 FH=B083
caramba -> schooner TCP D=2049 S=1023 Ack=3647527137 Seq=2611841034 Len=0 Win=24820
For clarity, we use the host keyword throughout this book. Two or more filters can be combined by using the logical operators and and or:
# snoop -o /tmp/capture -c 20 from host caramba and rpc nfs 3
Using device /dev/hme (promiscuous mode)
20 20 packets captured
Snoop captures all NFS Version 3 packets originating at the host caramba. Here, snoop is invoked with the -c and -o options to save 20 filtered packets into the /tmp/capture file. We can later apply other filters during display time to further analyze the captured information. For example, you may want to narrow the previous search even further by only listing TCP traffic by using the proto filter:
# snoop -i /tmp/capture proto tcp
Using device /dev/hme (promiscuous mode)
1 0.00000 caramba -> schooner NFS C GETATTR3 FH=B083
2 2.91969 caramba -> schooner NFS C GETATTR3 FH=0CAE
9 0.37944 caramba -> rea NFS C FSINFO3 FH=0156
10 0.00430 caramba -> rea NFS C GETATTR3 FH=0156
11 0.00365 caramba -> rea NFS C ACCESS3 FH=0156 (lookup)
14 0.00256 caramba -> rea NFS C LOOKUP3 FH=F244 libc.so.1
15 0.00411 caramba -> rea NFS C ACCESS3 FH=772D (lookup)
Snoop reads the previously filtered data from /tmp/capture, and applies the new filter to only display TCP traffic. The resulting output is NFS traffic originating at the host caramba over the TCP protocol. We can apply a UDP filter to the same NFS traffic in the /tmp/capture file and obtain the NFS Version 3 traffic over UDP from host caramba without affecting the information in the /tmp/capture file:
# snoop -i /tmp/capture proto udp
Using device /dev/hme (promiscuous mode)
1 0.00000 caramba -> rea NFS C NULL3
So far, we've presented filters that let you specify the information you are interested in. Use the not operator to specify the criteria of packets that you wish to have excluded during capture. For example, you can use the not operator to capture all network traffic, except that generated by the remote shell:
# snoop not port login
Using device /dev/hme (promiscuous mode)
rt-086 -> BROADCAST RIP R (25 destinations)
rt-086 -> BROADCAST RIP R (10 destinations)
caramba -> schooner NFS C GETATTR3 FH=B083
schooner -> caramba NFS R GETATTR3 OK
caramba -> donald NFS C GETATTR3 FH=00BD
jamboree -> donald NFS R GETATTR3 OK
caramba -> donald TCP D=2049 S=657 Ack=3855205229 Seq=2331839250 Len=0 Win=24820
caramba -> schooner TCP D=2049 S=1023 Ack=3647569565 Seq=2612134974 Len=0 Win=24820
narwhal -> 224.2.127.254 UDP D=9875 S=32825 LEN=368
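The filter expressions above (from host, proto, rpc nfs 3, not port login, and the and/or combinations) can be checked offline against the kind of summary lines snoop prints. The following evaluator is an added example, not code from the book and not part of Solaris snoop: it parses constructed summary lines modelled on the output shown above, then applies a small re-implementation of the filter grammar. It goes slightly beyond the text in that it implements the full precedence rule (not binds tighter than and, which binds tighter than or) and accepts both the "from host X" and the bare "from X" forms. The packet numbers, time deltas, the port-513 line, the SERVICES table (a subset of /etc/services) and the rule that snoop prints NFS Version 3 procedures with a "3" suffix and Version 2 procedures bare are all assumptions.

```python
"""Snoop-style display filters evaluated over snoop summary lines (added
illustration: not the book's code and not Solaris snoop, which filters raw packets)."""
import re

# Constructed sample modelled on the summary lines shown in the text; the packet
# numbers, deltas and the port-513 (login) line are made up.
SAMPLE_LINES = """\
Using device /dev/hme (promiscuous mode)
1 0.00000 caramba -> schooner NFS C GETATTR3 FH=B083
2 0.00100 schooner -> caramba NFS R GETATTR3 OK
3 0.00200 rt-086 -> BROADCAST RIP R (25 destinations)
4 0.00300 caramba -> donald TCP D=2049 S=657 Ack=3855205229 Seq=2331839250 Len=0 Win=24820
5 0.00400 narwhal -> 224.2.127.254 UDP D=9875 S=32825 LEN=368
6 0.00500 caramba -> rea NFS C NULL3
7 0.00600 jamboree -> caramba TCP D=513 S=1022 Ack=1 Seq=1 Len=0 Win=8760
8 0.00700 caramba -> rea NFS C LOOKUP3 FH=F244 libc.so.1
9 0.00800 donald -> caramba NFS C GETATTR FH=00BD
"""
SERVICES = {"login": 513, "shell": 514, "sunrpc": 111, "nfs": 2049}  # assumed /etc/services subset
OPS = {"and": lambda a, b: a and b, "or": lambda a, b: a or b}
LINE_RE = re.compile(r"^(?:\d+\s+[\d.]+\s+)?"  # "number delta" prefix appears only with -i
                     r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s*(?P<rest>.*)$")
PORT_RE = re.compile(r"\b[DS]=(\d+)")
NFS_RE = re.compile(r"^[CR]\s+[A-Z_]+(\d*)")

def parse_line(line):
    """Turn one summary line into a dict; banner and counter lines give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["proto"] = pkt["proto"].upper()
    pkt["ports"] = {int(p) for p in PORT_RE.findall(pkt["rest"])}
    n = NFS_RE.match(pkt["rest"]) if pkt["proto"] == "NFS" else None
    # Assumption: snoop prints v3 procedures as GETATTR3 and v2 procedures bare.
    pkt["nfs_version"] = (int(n.group(1)) if n.group(1) else 2) if n else 0
    return pkt

def parse_capture(text):
    return [p for p in map(parse_line, text.splitlines()) if p]

class Filter:
    """Recursive descent: not binds tighter than and, which binds tighter than or."""
    def __init__(self, expr):
        self.toks = expr.split()
        self.match = self._chain("or", lambda: self._chain("and", self._not))
        if self.toks:
            raise ValueError("unexpected token: " + self.toks[0])

    def _take(self):
        if not self.toks:
            raise ValueError("filter expression ends early")
        return self.toks.pop(0)

    def _chain(self, word, operand):  # left-associative run of operands joined by and/or
        left = operand()
        while self.toks[:1] == [word]:
            self._take()
            left = (lambda l, r: lambda p: OPS[word](l(p), r(p)))(left, operand())
        return left

    def _not(self):
        if self.toks[:1] == ["not"]:
            self._take()
            return (lambda inner: lambda p: not inner(p))(self._not())
        return self._primitive()

    def _primitive(self):
        tok = self._take()
        if tok in ("host", "from", "to"):
            name = self._take()
            if tok != "host" and name == "host":  # "from host X" is the same as "from X"
                name = self._take()
            keys = {"from": ("src",), "to": ("dst",), "host": ("src", "dst")}[tok]
            return lambda p: any(p[k] == name for k in keys)
        if tok == "proto":
            proto = self._take().upper()
            return lambda p: p["proto"] == proto
        if tok == "rpc":
            if self._take() != "nfs":
                raise ValueError("only 'rpc nfs [version]' is modelled here")
            version = int(self._take()) if self.toks and self.toks[0].isdigit() else 0
            return lambda p: p["proto"] == "NFS" and version in (0, p["nfs_version"])
        if tok == "port":
            val = self._take()
            port = SERVICES[val] if val in SERVICES else int(val)
            return lambda p: port in p["ports"]
        raise ValueError("unknown primitive: " + tok)

def apply_filter(expr, packets):  # display-time filtering, like 'snoop -i file <expr>'
    f = Filter(expr)
    return [p for p in packets if f.match(p)]

if __name__ == "__main__":
    capture = parse_capture(SAMPLE_LINES)
    for expr in ("from host caramba and rpc nfs 3", "proto tcp", "not port login"):
        for p in apply_filter(expr, capture):
            print(f"{expr:34} {p['src']} -> {p['dst']} {p['proto']} {p['rest']}")
```

One caveat the model makes visible: a summary line for an NFS request does not say whether it travelled over TCP or UDP, so here proto tcp only matches lines whose protocol column reads TCP (the bare acknowledgments). snoop itself applied proto tcp and proto udp to the raw packets saved in /tmp/capture, which is why the text re-reads the capture file with -i instead of filtering printed output; keep the capture file and apply display-time filters to it rather than grepping the text.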
On multihomed hosts (systems with more than one network interface device), use the -d option to specify the particular network interface to snoop on:
# snoop -d hme2
You can snoop on multiple network interfaces concurrently by invoking separate instances of snoop on each device. This is particularly useful when you don't know what interface the host will use to generate or receive the requests. The -d option can be used in conjunction with any of the other options and filters previously described:
# snoop -o /tmp/capture-hme0 -d hme0 not port login &
# snoop -o /tmp/capture-hme1 -d hme1 not port login &
Filters help refine the search for relevant packets. Once the packets of interest have been found, use the -V or -v options to display the packets in more detail. You will see how this top-down technique is used to debug NFS-related problems in Chapter 14. Often you can use more than one filter to achieve the same result. Refer to the documentation shipped with your OS for a complete list of available filters.
ethereal / tethereal
ethereal is an open source free network analyzer