
Displaying Packet Contents


You can use the snoop(1M) command to capture network packets and display their contents. You can display packets as soon as they are received or save them to a file. When snoop writes to an intermediate file, it is unlikely that you will lose packets under busy trace conditions. You can then use snoop to interpret the file. See the snoop(1M) manual page for more information about using the snoop command.

You must run snoop as root to capture packets to and from the default interface in promiscuous mode. In summary form, only data that pertains to the highest-level protocol is displayed.

Checking All Packets from Your System

Use the following steps to check all packets from your system.

  1. Become superuser.

  2. Type netstat -i and press Return.

    Review the output to determine the interfaces that are attached to the system.

  3. Type snoop and press Return.

    Packet information is displayed.

  4. Press Control-C to halt the process.

The following example traces packets during an FTP file transfer.
mopoke% netstat -i
Name  Mtu  Net/Dest       Address    Ipkts  Ierrs Opkts  Oerrs Collis Queue
lo0   8232 loopback       localhost  11197  0     11197  0     0      0
eri0  1500 mopoke         mopoke     537    0     9      3     0      0

mopoke% su
Password:
# snoop
Using device /dev/eri (promiscuous mode)
      mopoke -> G4           FTP C port=32830 PORT 172,16,8,25,128
          G4 -> mopoke       FTP R port=32830 200 PORT command suc
      mopoke -> G4           FTP C port=32830 STOR examples\r\n
          G4 -> mopoke       FTP-DATA R port=32834
      mopoke -> G4           FTP-DATA C port=32834
          G4 -> mopoke       FTP-DATA R port=32834
          G4 -> mopoke       FTP R port=32830 150 Opening BINARY m
      mopoke -> G4           FTP-DATA C port=32834 mopoke% netstat -i\nN
      mopoke -> G4           FTP-DATA C port=32834
          G4 -> mopoke       FTP-DATA R port=32834
          G4 -> mopoke       FTP-DATA R port=32834
      mopoke -> G4           FTP-DATA C port=32834
      mopoke -> G4           FTP C port=32830
          G4 -> mopoke       FTP R port=32830 226 Transfer complet
      mopoke -> G4           FTP C port=32830
          G4 -> 172.16.8.255 UDP D=631 S=631 LEN=76
          G4 -> 172.16.8.255 UDP D=631 S=631 LEN=118
          G4 -> 172.16.8.255 UDP D=631 S=631 LEN=107
^C#
Capturing snoop Results to a File

Use the following steps to capture snoop results to a file.

  1. Become superuser.

  2. Type snoop -o filename and press Return.

    snoop captures packets and saves them to filename instead of displaying them. Press Control-C to halt the capture.

  3. To inspect the file, type snoop -i filename and press Return.
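The following is an added example, not from the book: a small sh/awk script that summarizes snoop summary-mode output by conversation, so a capture file can be triaged before it is read packet by packet. SAMPLE is constructed text in the format snoop prints above; in practice pipe the output of snoop -i filename into summarize_snoop instead.

```shell
#!/bin/sh
# Added example (not part of the book). SAMPLE is constructed input in the
# same summary format snoop prints: "src -> dst PROTO details".
SAMPLE='Using device /dev/eri (promiscuous mode)
      mopoke -> G4           FTP C port=32830 PORT 172,16,8,25,128
          G4 -> mopoke       FTP R port=32830 200 PORT command suc
      mopoke -> G4           FTP C port=32830 STOR examples\r\n
          G4 -> mopoke       FTP-DATA R port=32834
      mopoke -> G4           FTP-DATA C port=32834
          G4 -> mopoke       FTP R port=32830 226 Transfer complet
          G4 -> 172.16.8.255 UDP D=631 S=631 LEN=76
          G4 -> 172.16.8.255 UDP D=631 S=631 LEN=118'

# Print "src dst proto count" for every conversation in snoop summary
# output read from stdin. The "->" in field 2 identifies packet lines;
# the "Using device ..." banner and the ^C prompt are skipped.
summarize_snoop() {
    awk '$2 == "->" { n[$1 " " $3 " " $4]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# Count the packets of one protocol (for example FTP-DATA) in SAMPLE.
count_proto() {
    printf '%s\n' "$SAMPLE" |
        awk -v p="$1" '$2 == "->" && $4 == p { c++ } END { print c + 0 }'
}

# Count packets sent to a broadcast address (last octet 255); in the
# capture above these are the UDP port 631 datagrams to 172.16.8.255.
count_broadcast() {
    printf '%s\n' "$SAMPLE" |
        awk '$2 == "->" && $3 ~ /\.255$/ { c++ } END { print c + 0 }'
}

printf '%s\n' "$SAMPLE" | summarize_snoop
```

To run it against a real capture, replace the last line with snoop -i filename | summarize_snoop.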
