snoop and tcpdump belong to the class of tools known as packet sniffers. If you have worked on troubleshooting IT systems and cannot quite tell whether a problem lies in the application or on the network, a packet sniffer helps you narrow down where the problem is.


Solaris includes the packet sniffer snoop.
To set up a capture, you need to know on which interface (device) to run the snoop command. Use ifconfig -a to find out.


# snoop -d device -o filename

Example:
# snoop -d bge0 -o /var/tmp/snoop_activity_name.cap




If no interface is specified, snoop collects packets from the first interface it finds, as determined from netstat -i (excluding the loopback).

More specific captures can be set up using filter expressions such as host, port, tcp, udp and ip. These expressions can be combined with and, or, and not.


Here are some examples:
# snoop host sarah and host connor and tcp port 25
# snoop -d bge0 port 9048



To filter out the traffic of your own telnet session (here, from host sarah):

# snoop not host sarah



Linux and FreeBSD include the packet sniffer tcpdump.

To set up a capture, you need to know on which interface (device) to run the tcpdump command. Use ifconfig -a to find out.


# tcpdump -i interface -s snaplen -w file

Example:
# tcpdump -i wm0 -s 0 -w /data/SMTP.cap


-i wm0 specifies that interface wm0 should be traced
-s 0 stores the complete packet regardless of its length (no truncation to a fixed snaplen)
-w /data/SMTP.cap stores the output in the file SMTP.cap in the directory /data

Like snoop, tcpdump accepts filter expressions such as host, port, tcp, udp and ip, which can be combined with and, or, and not.


Here are some examples:
# tcpdump host john and host connor and tcp port 25
# tcpdump -i wm0 -s 0 -w /data/radius.cap port 1812


To filter out the traffic of your own telnet session (here, from host john):

# tcpdump not host john


Once you have stored the .cap file(s), open them in Wireshark to view their contents.
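As an added example that is not part of the original post: a small Python reader for the classic pcap format that tcpdump -w writes (snoop's native file format is different, though Wireshark opens both). It reports how many records were cut short by the snaplen, which is exactly what -s 0 prevents. The sample capture is constructed inline, and the helper names are my own.

```python
import struct

GLOBAL_HDR = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16   # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)


def summarize_pcap(data: bytes) -> dict:
    """Walk a classic pcap blob and count records whose captured length is
    shorter than their original length, i.e. packets truncated by the snaplen."""
    if len(data) < GLOBAL_HDR:
        raise ValueError("too short for a pcap global header")
    # The magic is written in the capturing host's byte order; detect it.
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # little-endian writer (x86 Linux, FreeBSD)
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"          # big-endian writer (e.g. SPARC)
    else:
        raise ValueError("not a classic pcap file (unknown magic)")
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:GLOBAL_HDR])
    off, packets, truncated = GLOBAL_HDR, 0, 0
    while off + RECORD_HDR <= len(data):
        _ts, _us, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR])
        off += RECORD_HDR
        if off + incl_len > len(data):
            raise ValueError(f"record {packets} runs past end of file")
        if incl_len < orig_len:
            truncated += 1    # bytes beyond snaplen were never stored
        off += incl_len
        packets += 1
    if off != len(data):
        raise ValueError("trailing bytes after the last record")
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated": truncated}


def build_sample_pcap(snaplen: int, frame_lengths) -> bytes:
    """Constructed test data: a little-endian pcap with Ethernet link type (1)
    holding zero-filled frames, each captured up to snaplen bytes."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    body = b""
    for i, orig in enumerate(frame_lengths):
        incl = min(orig, snaplen)
        body += struct.pack("<IIII", 1_700_000_000 + i, 0, incl, orig) + bytes(incl)
    return hdr + body


if __name__ == "__main__":
    print(summarize_pcap(build_sample_pcap(96, [60, 1514, 300])))
```

Run it against a real tcpdump -w output by passing the file's bytes to summarize_pcap(); a non-zero truncated count means the capture was taken without -s 0 and payload past the snaplen is gone.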
