ID: 763
Title: Solaris Snoop : 9 practical examples
By: john
Keywords: snoop capture packet
Category: Solaris
Votes: 0
Views: 15
Score: 15
Date: 2017-06-22
Solaris Snoop : 9 practical examples

The snoop command can be run to watch network traffic in real time, or the capture can be saved to a file and viewed at a later time.

Note :
– If the system is a “shared-IP zone”, you need to run snoop on the physical interface in the global zone.
– If the system is an “exclusive-IP zone”, you need to run snoop inside the non-global zone.
– If “Link aggregation” is being used, you should run snoop on the “Link aggregation” interface (aggr1). You can also snoop each physical interface separately if needed.
– If a “VLAN” interface is used, you should run snoop on the “VLAN” interface.
– traceroute to the destination IP to find out which interface on the source host needs to be snooped.

  # /usr/sbin/snoop -qr -d [device] -o [filename] -s 300

-q          --> don't show the packet count while capturing packets into a file (improves packet capturing performance)
-r          --> do not resolve IP addresses to hostnames (prevents snoop from generating its own DNS traffic)
-d device   --> interface on which to run the snoop command
-o filename --> save the captured packets in the file
-s num      --> truncate each packet after num bytes
Example 1 :
===========
To capture packets on interface aggr1 and save them to the file aggr1_snoop.out, use :

  # /usr/sbin/snoop -qr -d aggr1 -o aggr1_snoop.out -s 300
  Using device aggr1 (promiscuous mode)
  ^C

Example 2 :
===========
To make sure that the file was generated by the snoop command :

  d-drackogz01-hb:/tmp# ls -la aggr1_snoop.out
  -rw-r--r--   1 root     root      348200 Jun 22 14:28 aggr1_snoop.out
  d-drackogz01-hb:/tmp# file aggr1_snoop.out
  aggr1_snoop.out:        Snoop capture file - version 2
  d-drackogz01-hb:/tmp#

Example 3 :
===========
To read from an already generated snoop file :

  d-drackogz01-hb:/tmp# snoop -i aggr1_snoop.out |head
    1   0.00000 p-rdweb03-har.dracko.org -> d-drackogz01-hb.dracko.org TCP D=22 S=60147 Ack=2171484390 Seq=2735738135 Len=0 Win=4101
    2   0.07084 VLAN#43: d-drackoapp04-hb.dracko.org -> 228.0.0.4 UDP D=45564 S=45564 LEN=85
    3   0.03988 VLAN#43: d-drackoapp03-hb.dracko.org -> 228.0.0.4 UDP D=45564 S=45564 LEN=85
    4   0.01685 VLAN#43: d-drackoapp02-hb.dracko.org -> 228.0.0.4 UDP D=45564 S=45564 LEN=85
    5   0.05842 VLAN#43: d-drackoapp01-hb.dracko.org -> 228.0.0.4 UDP D=45564 S=45564 LEN=85
    6   0.06129 VLAN#43: d-drackoapp05-hb.dracko.org -> 228.0.0.4 UDP D=45564 S=45564 LEN=85
    7   0.00430 ? -> (multicast) ETHER Type=8809 (Unknown), size=124 bytes
    8   0.07523 ? -> (multicast) ETHER Type=8809 (Unknown), size=124 bytes
    9   0.12199 VLAN#43: d-drackoapp06-hb.dracko.org -> 228.0.0.4 UDP D=45564 S=45564 LEN=85
   10   0.12219 VLAN#43: d-drackoapp04-hb.dracko.org -> 228.0.0.4 UDP D=45564 S=45564 LEN=85
  d-drackogz01-hb:/tmp#

Example 4 :
===========
To capture the traffic on a specific port only (NTP, port 123) :

  d-drackogz01-hb:/tmp# snoop -qr -d aggr1 -o aggr1_snoop.out -s 300 port 123
  Using device aggr1 (promiscuous mode)
  ^C
  d-drackogz01-hb:/tmp# snoop -i aggr1_snoop.out
    1   0.00000 d-drackogz01-hb.dracko.org -> 10.255.120.192 NTP client [st=3] (2017-06-22 14:40:27.68342)
    2   0.00300 10.255.120.192 -> d-drackogz01-hb.dracko.org NTP server [st=2] (2017-06-22 14:40:27.67900)
  d-drackogz01-hb:/tmp#

Example 5 :
===========
To capture the traffic to or from a specific IP only (10.120.12.103) :

  d-drackogz01-hb:/tmp# snoop -qr -d aggr1 -o aggr1_snoop.out -s 300 10.120.12.103
  Using device aggr1 (promiscuous mode)
  ^C
  d-drackogz01-hb:/tmp# snoop -i aggr1_snoop.out
    1   0.00000 d-drackogz01-hb.dracko.org -> d-bl0-1-ph.dracko.org TCP D=7105 S=32774 Push Ack=3792874881 Seq=1096311616 Len=168 Win=49640
    2   0.00000 d-drackogz01-hb.dracko.org -> d-bl0-1-ph.dracko.org TCP D=7105 S=32771 Push Ack=3792658435 Seq=1095998406 Len=168 Win=49640
    3   0.00039 d-bl0-1-ph.dracko.org -> d-drackogz01-hb.dracko.org TCP D=32771 S=7105 Push Ack=1095998574 Seq=3792658435 Len=168 Win=49640
    4   0.00000 d-bl0-1-ph.dracko.org -> d-drackogz01-hb.dracko.org TCP D=32774 S=7105 Push Ack=1096311784 Seq=3792874881 Len=168 Win=49640
    5   0.06726 d-drackogz01-hb.dracko.org -> d-bl0-1-ph.dracko.org TCP D=7105 S=32771 Ack=3792658603 Seq=1095998574 Len=0 Win=49640
    6   0.05003 d-drackogz01-hb.dracko.org -> d-bl0-1-ph.dracko.org TCP D=7105 S=32774 Ack=3792875049 Seq=1096311784 Len=0 Win=49640
    7  29.88632 d-drackogz01-hb.dracko.org -> d-bl0-1-ph.dracko.org TCP D=7105 S=32774 Push Ack=3792875049 Seq=1096311784 Len=168 Win=49640
    8   0.00038 d-bl0-1-ph.dracko.org -> d-drackogz01-hb.dracko.org TCP D=32774 S=7105 Push Ack=1096311952 Seq=3792875049 Len=168 Win=49640
    9   0.00010 d-drackogz01-hb.dracko.org -> d-bl0-1-ph.dracko.org TCP D=7105 S=32771 Push Ack=3792658603 Seq=1095998574 Len=168 Win=49640
   10   0.00042 d-bl0-1-ph.dracko.org -> d-drackogz01-hb.dracko.org TCP D=32771 S=7105 Push Ack=1095998742 Seq=3792658603 Len=168 Win=49640
   11   0.06272 d-drackogz01-hb.dracko.org -> d-bl0-1-ph.dracko.org TCP D=7105 S=32771 Ack=3792658771 Seq=1095998742 Len=0 Win=49640
   12   0.05003 d-drackogz01-hb.dracko.org -> d-bl0-1-ph.dracko.org TCP D=7105 S=32774 Ack=3792875217 Seq=1096311952 Len=0 Win=49640
  d-drackogz01-hb:/tmp#

Example 6 :
===========
To show only the traffic between two IPs from a snoop output file :

  d-drackogz01-hb:/tmp# snoop -i aggr1_snoop.out 10.120.203.10 10.120.12.103|head -5
    1   0.00000 d-drackogz01-hb.dracko.org -> d-bl0-1-ph.dracko.org TCP D=7105 S=32774 Push Ack=3792874881 Seq=1096311616 Len=168 Win=49640
    2   0.00000 d-drackogz01-hb.dracko.org -> d-bl0-1-ph.dracko.org TCP D=7105 S=32771 Push Ack=3792658435 Seq=1095998406 Len=168 Win=49640
    3   0.00039 d-bl0-1-ph.dracko.org -> d-drackogz01-hb.dracko.org TCP D=32771 S=7105 Push Ack=1095998574 Seq=3792658435 Len=168 Win=49640
    4   0.00000 d-bl0-1-ph.dracko.org -> d-drackogz01-hb.dracko.org TCP D=32774 S=7105 Push Ack=1096311784 Seq=3792874881 Len=168 Win=49640
    5   0.06726 d-drackogz01-hb.dracko.org -> d-bl0-1-ph.dracko.org TCP D=7105 S=32771 Ack=3792658603 Seq=1095998574 Len=0 Win=49640
  d-drackogz01-hb:/tmp#

Example 7 :
===========
To capture only the traffic of a specific protocol, for example ICMP or ARP :

  d-drackogz01-hb:/tmp# snoop -qr -d aggr1 -o aggr1_snoop.out icmp,arp
  Using device aggr1 (promiscuous mode)
  ^C
  d-drackogz01-hb:/tmp# snoop -i aggr1_snoop.out
    1   0.00000 d-drackogz02-hb.dracko.org -> (broadcast) ARP C Who is 10.120.203.11, d-drackogz02-hb.dracko.org ?
    2  10.74996 VLAN#46: d-drackorpt02-hb.dracko.org -> (broadcast) ARP C Who is 10.120.46.17, d-drackorpt02-hb.dracko.org ?
  d-drackogz01-hb:/tmp#

Example 8 :
===========
To see the contents of a specific packet (packet number 1) : “-p1” selects packet 1 from the file and “-x0” dumps it in hex and ASCII starting at byte offset 0.

  d-drackogz02-hb:/tmp# snoop -qr -d aggr1 -o aggr1_snoop.out port 123
  Using device aggr1 (promiscuous mode)
  ^C
  d-drackogz02-hb:/tmp# snoop -i aggr1_snoop.out
    1   0.00000 d-drackogz02-hb.dracko.org -> 10.255.120.192 NTP client [st=3] (2017-06-22 15:06:55.78082)
    2   0.00133 10.255.120.192 -> d-drackogz02-hb.dracko.org NTP server [st=2] (2017-06-22 15:06:55.77873)
    3 250.99713 d-drackogz02-hb.dracko.org -> 10.255.120.193 NTP client [st=3] (2017-06-22 15:11:06.77928)
    4   0.00120 10.255.120.193 -> d-drackogz02-hb.dracko.org NTP server [st=2] (2017-06-22 15:11:06.78225)
    5 773.00358 d-drackogz02-hb.dracko.org -> 10.255.120.192 NTP client [st=3] (2017-06-22 15:23:59.78407)
    6   0.00156 10.255.120.192 -> d-drackogz02-hb.dracko.org NTP server [st=2] (2017-06-22 15:23:59.78372)
    7 250.99687 d-drackogz02-hb.dracko.org -> 10.255.120.193 NTP client [st=3] (2017-06-22 15:28:10.78252)
    8   0.00140 10.255.120.193 -> d-drackogz02-hb.dracko.org NTP server [st=2] (2017-06-22 15:28:10.79202)
  d-drackogz02-hb:/tmp# snoop -i aggr1_snoop.out -p1 -x0
    1   0.00000 d-drackogz02-hb.dracko.org -> 10.255.120.192 NTP client [st=3] (2017-06-22 15:06:55.78082)
       0: 0000 0c9f f0cb b8ca 3a6c f828 0800 4500    ........:l.(..E.
      16: 004c 53ac 4000 ff11 0000 0a78 cb0b 0aff    .LS.@......x....
      32: 78c0 007b 007b 0038 598c 1b03 0af0 0000    x..{.{.8Y.......
      48: 0b45 0000 098f 0aff 78c1 dcf6 90ca c851    .E......x......Q
      64: 8000 dcf6 8fcf c6d4 0659 dcf6 8fcf c8f1    .........Y......
      80: d000 dcf6 93cf c7e3 4000                   ........@.
  d-drackogz02-hb:/tmp#

Example 9 :
===========
To see protocol information, use the option “-v” (full decode of every header, shown below) or “-V” (a one-line summary per protocol layer) with snoop.

  d-drackogz02-hb:/tmp# snoop -i aggr1_snoop.out -p1 -v
  ETHER:  ----- Ether Header -----
  ETHER:
  ETHER:  Packet 1 arrived at 15:06:55.78083
  ETHER:  Packet size = 90 bytes
  ETHER:  Destination = 0:0:c:9f:f0:cb, Cisco
  ETHER:  Source      = b8:ca:3a:6c:f8:28,
  ETHER:  Ethertype = 0800 (IP)
  ETHER:
  IP:   ----- IP Header -----
  IP:
  IP:   Version = 4
  IP:   Header length = 20 bytes
  IP:   Type of service = 0x00
  IP:         xxx. .... = 0 (precedence)
  IP:         ...0 .... = normal delay
  IP:         .... 0... = normal throughput
  IP:         .... .0.. = normal reliability
  IP:         .... ..0. = not ECN capable transport
  IP:         .... ...0 = no ECN congestion experienced
  IP:   Total length = 76 bytes
  IP:   Identification = 21420
  IP:   Flags = 0x4
  IP:         .1.. .... = do not fragment
  IP:         ..0. .... = last fragment
  IP:   Fragment offset = 0 bytes
  IP:   Time to live = 255 seconds/hops
  IP:   Protocol = 17 (UDP)
  IP:   Header checksum = 0000
  IP:   Source address = 10.120.203.11, d-drackogz02-hb.dracko.org
  IP:   Destination address = 10.255.120.192, 10.255.120.192
  IP:   No options
  IP:
  UDP:  ----- UDP Header -----
  UDP:
  UDP:  Source port = 123
  UDP:  Destination port = 123 (NTP)
  UDP:  Length = 56
  UDP:  Checksum = 598C
  UDP:
  NTP:  ----- Network Time Protocol -----
  NTP:
  NTP:  Leap = 0x0 (OK)
  NTP:  Version = 3
  NTP:  Mode = 3 (client)
  NTP:  Stratum = 3 (secondary reference)
  NTP:  Poll = 10
  NTP:  Precision = 240 seconds
  NTP:  Synchronizing distance = 0x0000.0b45  (0.044022)
  NTP:  Synchronizing dispersion = 0x0000.098f  (0.037338)
  NTP:  Reference clock = 10.255.120.193 (10.255.120.193)
  NTP:  Reference time = 0xdcf690ca.c8518000  (2017-06-22 14:54:02.78250)
  NTP:  Originate time = 0xdcf68fcf.c6d40659  (2017-06-22 14:49:51.77668)
  NTP:  Receive time = 0xdcf68fcf.c8f1d000  (2017-06-22 14:49:51.78495)
  NTP:  Transmit time = 0xdcf693cf.c7e34000  (2017-06-22 15:06:55.78082)
  d-drackogz02-hb:/tmp#
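The following is an added example, not code from the original solution or from Solaris snoop itself. It ties together the option summary at the top (what “-s num” does to a saved file), the “Snoop capture file - version 2” check in Example 2, and the hex dump and “-v” decode in Examples 8 and 9: it writes a version-2 snoop file in the RFC 1761 layout (8-byte magic “snoop\0\0\0”, version, datalink type, then one record per packet with original length, included length, record length, drops and a timestamp), parses it back, and decodes the Ethernet, IP, UDP and NTP headers of the packet from the Example 8 hex dump. The function names, the record timestamp and the snaplen values are assumptions of this example; the 90-byte frame is re-typed from the page. The script runs offline and reports the same field values that snoop -v prints above, and shows what a too-small -s leaves behind: the record still records the true 90-byte length, but the NTP layer can no longer be decoded.

```python
"""Added example: write, verify and decode a snoop (RFC 1761) capture file."""
import struct

SNOOP_MAGIC = b"snoop\x00\x00\x00"   # first 8 bytes of every snoop file (what `file` keys on)
DLT_ETHERNET = 4                      # datalink type code for Ethernet in the file header
NTP_TO_UNIX = 2208988800              # seconds from the NTP epoch (1900) to the Unix epoch (1970)

# Constructed sample: the 90-byte NTP client frame from Example 8's `snoop -p1 -x0` dump.
SAMPLE_FRAME = bytes.fromhex(
    "00000c9ff0cbb8ca3a6cf82808004500"
    "004c53ac4000ff1100000a78cb0b0aff"
    "78c0007b007b0038598c1b030af00000"
    "0b450000098f0aff78c1dcf690cac851"
    "8000dcf68fcfc6d40659dcf68fcfc8f1"
    "d000dcf693cfc7e34000"
)


def build_snoop_file(packets, snaplen=300, datalink=DLT_ETHERNET):
    """Serialise (secs, usecs, frame) tuples into a version-2 snoop file.

    Like `snoop -o file -s snaplen`, each frame is cut at snaplen bytes, but the
    record header still stores the original length, so truncation stays visible.
    """
    out = bytearray(SNOOP_MAGIC + struct.pack(">II", 2, datalink))
    for secs, usecs, frame in packets:
        included = frame[:snaplen]
        pad = (-len(included)) % 4                 # records are padded to 4-byte boundaries
        rec_len = 24 + len(included) + pad         # 24-byte record header + data + padding
        out += struct.pack(">IIIIII", len(frame), len(included), rec_len, 0, secs, usecs)
        out += included + b"\x00" * pad
    return bytes(out)


def parse_snoop_file(data):
    """Return (datalink, records); rejects anything that is not a well-formed v2 snoop file."""
    if data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop capture file (bad magic)")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 2:
        raise ValueError(f"unsupported snoop file version {version}")
    records, off = [], 16
    while off + 24 <= len(data):
        orig, incl, rec_len, drops, secs, usecs = struct.unpack(">IIIIII", data[off:off + 24])
        if rec_len < 24 + incl or off + rec_len > len(data):
            raise ValueError(f"corrupt record at offset {off}")
        records.append({
            "orig_len": orig, "incl_len": incl, "drops": drops,
            "timestamp": secs + usecs / 1e6,
            "frame": data[off + 24:off + 24 + incl],
        })
        off += rec_len
    return datalink, records


def decode_ntp_frame(frame):
    """Decode Ethernet -> IPv4 -> UDP -> NTP; raise ValueError when a layer is missing or cut short."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    if struct.unpack(">H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id, flags_frag, ttl, proto = struct.unpack(">HHHBB", ip[2:10])
    if proto != 17:
        raise ValueError(f"IP protocol {proto} is not UDP")
    udp = ip[ihl:]
    if len(udp) < 8 + 48:                          # 8-byte UDP header + 48-byte NTP packet
        raise ValueError("UDP/NTP payload truncated (snaplen too small?)")
    sport, dport, udp_len, udp_csum = struct.unpack(">HHHH", udp[:8])
    ntp = udp[8:]
    xmt_secs, xmt_frac = struct.unpack(">II", ntp[40:48])
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "ip_len": total_len, "ip_id": ip_id, "ttl": ttl, "df": bool(flags_frag & 0x4000),
        # a zero IP header checksum in a capture taken on the sending host usually
        # means the NIC fills it in after the sniffer sees the packet (checksum offload)
        "ip_csum": struct.unpack(">H", ip[10:12])[0],
        "sport": sport, "dport": dport, "udp_len": udp_len, "udp_csum": udp_csum,
        "leap": ntp[0] >> 6, "version": (ntp[0] >> 3) & 7, "mode": ntp[0] & 7,
        "stratum": ntp[1], "poll": ntp[2],
        # precision is a signed log2 value (-16 here); snoop -v prints the raw byte, 240
        "precision": struct.unpack(">b", ntp[3:4])[0],
        "ref_id": ".".join(map(str, ntp[12:16])),
        "transmit_secs": xmt_secs - NTP_TO_UNIX,   # Unix time of the transmit timestamp
        "transmit_frac": xmt_frac / 2 ** 32,
    }


if __name__ == "__main__":
    # Assumed record timestamp: 2017-06-22 19:06:55 UTC (15:06:55 local on the page).
    capture = build_snoop_file([(1498158415, 780820, SAMPLE_FRAME)])
    datalink, records = parse_snoop_file(capture)
    print(f"datalink={datalink} records={len(records)} original={records[0]['orig_len']} bytes")
    for key, value in decode_ntp_frame(records[0]["frame"]).items():
        print(f"{key:>14}: {value}")
```

To run it against a real file, replace the in-memory capture with `open("aggr1_snoop.out", "rb").read()`; the magic check fails loudly on a file that is not a snoop capture, and `orig_len` versus `incl_len` on each record tells you immediately whether the capture was taken with a snaplen that cut off the layers you need to analyse.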