UNIX System Administration Handbook - Evi Nemeth [377]
With no arguments, snoop collects packets from the first interface it finds, which is usually also the first interface listed by netstat -i (excluding the loopback). To specify a particular interface, use the -d device flag, where device is the name of the interface as reported by netstat -i (often hme0 for the first Ethernet interface). Using the -V flag gives you a little more information, and the -v flag gives you several lines of detail on each packet.
snoop’s command-line language is quite sophisticated, and it is well documented in the snoop man page. Expressions can be created with primitives such as host, port, tcp, udp, and ip. Simple expressions can be combined with the operators and, or, and not. Let’s look at a couple of examples.
Below is the output of a snoop session that might be useful for debugging mail between the hosts evolve and xor.com. We overspecified the filters to snoop to give a better example:
# snoop host chimchim and host evolve and tcp port 25
evolve.xor.com -> xor.com SMTP C
xor.com -> evolve.xor.com SMTP R 220 xor.com ESMTP Se
evolve.xor.com -> xor.com SMTP C
evolve.xor.com -> xor.com SMTP C EHLO evolve.xor.com\r
xor.com -> evolve.xor.com R 250- xor.com Hello ev
evolve.xor.com -> xor.com SMTP C MAIL FROM:
xor.com -> evolve.xor.com SMTP R 250
xor.com -> evolve.xor.com SMTP R 250
evolve.xor.com -> xor.com SMTP C DATA\r\n
xor.com -> evolve.xor.com SMTP R 354 Enter mail, end

You should read the command and arguments above like this: “Capture all packets between the hosts chimchim and evolve which involve TCP port 25.” This example shows one line for each packet that was collected. The packet’s source is written first, and the destination appears in the second column. The remainder of the line contains information from the highest layer of the packet, such as protocol, port, and the first few bytes of the packet’s data (we cut out a few columns from this example to save space).

If you telnet to a host and run snoop there, you must filter out the traffic from your telnet session. Otherwise, output to your terminal will get caught in a loop as it is displayed on the virtual terminal, sent across the telnet session, and captured again. To ignore all traffic to or from the host evolve, you would use a command such as:

# snoop not host evolve

If we were investigating a failing DNS server named mrhat, we might use the following command line:

# snoop host mrhat | grep DNS

This command incorporates a grep to further limit the packets that are displayed.

nettl: HP-UX’s packet sniffer

HP-UX is bundled with a sick joke of a packet sniffer called nettl.6 nettl is actually very powerful and can keep up with a fast network, but configuring it is such a hassle that it is rarely useful for short-term network debugging. If you plan on doing network debugging from an HP-UX host, we recommend that you install tcpdump.

nettl is part of HP-UX’s Network Tracing and Logging package. By default, nettl logging is started at boot time. Unless you want to use nettl to collect data indefinitely, it is wise to disable it until you need it. Edit the /etc/rc.config.d/nettl file and set the NETTL variable to 0. nettl reads its configuration information from /etc/nettlgen.conf.

tcpdump: king of sniffers

tcpdump, yet another amazing network tool by Van Jacobson, is distributed with Red Hat Linux and FreeBSD. It is also available in source form for HP-UX, Solaris, and most other operating systems. tcpdump behaves much like snoop and has long been the industry-standard sniffer.

By default, tcpdump tunes in on the first network interface that it comes across. If it chooses the wrong interface, you can force an interface with the -i flag. If DNS is broken or you just don’t want tcpdump doing name lookups, use the -n option. This option is important because slow
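As an added example that is not from the book, the Python below implements the subset of snoop’s filter language used in the snoop section (host, port, tcp, udp joined by and, or, not) as a predicate and runs it over a constructed packet list modelled on the SMTP trace above; the host name anchor, the port numbers, and the rule that two adjacent primitives imply and (so that "tcp port 25" parses) are assumptions.

```python
# Constructed packet summaries modelled on this page's snoop trace (not real captures):
# the SMTP exchange between evolve and chimchim, a DNS lookup against mrhat, and a
# packet of the telnet session from the admin's workstation (anchor, assumed name).
FIELDS = ("src", "dst", "proto", "sport", "dport", "info")
PACKETS = [dict(zip(FIELDS, p)) for p in [
    ("evolve", "chimchim", "tcp", 1201, 25, "SMTP C EHLO evolve.xor.com"),
    ("chimchim", "evolve", "tcp", 25, 1201, "SMTP R 250- xor.com Hello evolve"),
    ("chimchim", "evolve", "tcp", 25, 1201, "SMTP R 354 Enter mail, end with ."),
    ("evolve", "mrhat", "udp", 3301, 53, "DNS C www.xor.com. Internet Addr ?"),
    ("mrhat", "evolve", "udp", 53, 3301, "DNS R www.xor.com. Internet Addr 192.0.2.10"),
    ("lollipop", "anchor", "tcp", 23, 1402, "TELNET R evolve -> chimchim SMTP C ..."),
]]

def compile_filter(expr):
    """Compile a snoop-style filter into a predicate over packet dicts.
    Subset of snoop's grammar: primitives host NAME, port N, tcp, udp; precedence
    not > and > or; adjacent primitives imply 'and' (assumed), so "tcp port 25" works."""
    tokens = expr.split()

    def primitive():
        tok = tokens.pop(0)
        if tok == "not":                       # binds tightest: negates one primitive
            inner = primitive()
            return lambda p: not inner(p)
        if tok == "host":                      # matches source or destination
            name = tokens.pop(0)
            return lambda p: name in (p["src"], p["dst"])
        if tok == "port":                      # matches either end's port
            port = int(tokens.pop(0))
            return lambda p: port in (p["sport"], p["dport"])
        if tok in ("tcp", "udp"):
            return lambda p: p["proto"] == tok
        raise ValueError("unknown primitive: " + tok)

    def conjunction():                         # run of primitives joined by and
        pred = primitive()
        while tokens and tokens[0] != "or":
            if tokens[0] == "and":
                tokens.pop(0)
            pred = (lambda l, r: lambda p: l(p) and r(p))(pred, primitive())
        return pred

    pred = conjunction()
    while tokens:                              # only "or" can remain at this point
        tokens.pop(0)
        pred = (lambda l, r: lambda p: l(p) or r(p))(pred, conjunction())
    return pred

def snoop(expr, packets=PACKETS):              # one summary line per matching packet
    keep = compile_filter(expr)
    return [f'{p["src"]} -> {p["dst"]} {p["info"]}' for p in packets if keep(p)]
```

Running snoop("not host anchor") over the sample drops only the telnet packet, which is the loop-avoiding filter the snoop section describes.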