Displaying Packet Contents

You can use snoop to capture network packets and display their contents. Packets can be displayed as soon as they are received, or saved to a file. When snoop writes to an intermediate file, packet loss under busy trace conditions is unlikely. snoop itself is then used to interpret the file. For information about using the snoop command, refer to the snoop(1M) man page.

The snoop command must be run by root (#) to capture packets to and from the default interface in promiscuous mode. In summary form, only the data that pertains to the highest-level protocol is displayed. For example, an NFS packet only displays NFS information. The underlying RPC, UDP, IP, and Ethernet frame information is suppressed but can be displayed if either of the verbose options is chosen.

The snoop capture file format is described in RFC 1761.

snoop server client rpc rstatd collects all RPC traffic between a client and server, and filters the traffic for rstatd.

Displaying Packet Contents Task Map

Table 4-9 Displaying Packet Contents Task Map
# netstat -i
snoop normally uses the first non-loopback device (le0).
Type snoop.
Use Control-C to halt the process.
# snoop
Using device /dev/le (promiscuous mode)
maupiti -> atlantic-82 NFS C GETATTR FH=0343
atlantic-82 -> maupiti NFS R GETATTR OK
maupiti -> atlantic-82 NFS C GETATTR FH=D360
atlantic-82 -> maupiti NFS R GETATTR OK
maupiti -> atlantic-82 NFS C GETATTR FH=1A18
atlantic-82 -> maupiti NFS R GETATTR OK
maupiti -> (broadcast) ARP C Who is 120.146.82.36, npmpk17a-82 ?
Interpret the results.
In the example, client maupiti transmits to server atlantic-82 by using NFS file handle 0343. atlantic-82 acknowledges with OK. The conversation continues until maupiti broadcasts an ARP request that asks who is 120.146.82.36?
This example demonstrates the format of snoop. The next step is to filter snoop to capture packets to a file.
Interpret the capture file by using details that are described in RFC 1761.
How to Capture snoop Results to a File

Become superuser.
On the command line, type the following command.
# snoop -o filename
For example:
# snoop -o /tmp/cap
Using device /dev/le (promiscuous mode)
30 snoop: 30 packets captured
By using this command, you have captured 30 packets in a file /tmp/cap. The file can be anywhere with enough disk space. The number of packets that are captured is displayed on the command line, enabling you to press Control-C to abort at any time.
snoop creates a noticeable networking load on the host machine, which can distort the results. To see the actual results, run snoop from a third system (see the next section).
On the command line, type the following command to inspect the file.
# snoop -i filename
For example:
# snoop -i /tmp/cap
  1   0.00000 frmpk17b-082 -> 224.0.0.2      IP  D=224.0.0.2 S=129.146.82.1 LEN=32, ID=0
  2   0.56104        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
  3   0.16742  atlantic-82 -> (broadcast)  ARP C Who is 129.146.82.76, honeybea ?
  4   0.77247        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
  5   0.80532 frmpk17b-082 -> (broadcast)  ARP C Who is 129.146.82.92, holmes ?
  6   0.13462        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
  7   0.94003        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
  8   0.93992        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
  9   0.60887        towel -> (broadcast)  ARP C Who is 129.146.82.35, udmpk17b-82 ?
 10   0.86691  nimpk17a-82 -> 129.146.82.255 RIP R (1 destinations)
Refer to specific protocol documentation for detailed analysis and recommended parameters for ARP, IP, RIP and so forth. The Web contains a number of requests for comments.
How to Check Packets Between Server and Client

Establish a snoop system off a hub that is connected to either the client or server.
The third system (the snoop system) checks all the intervening traffic, so the snoop trace reflects what is actually happening on the wire.
Become superuser.
On the command line, type snoop with options and save to a file.
Inspect and interpret results.
Look at RFC 1761 for details of the snoop capture file.
Use snoop frequently and consistently to become familiar with normal system behavior. For assistance in analyzing packets, look for a recent white paper and RFC, and seek the advice of an expert in a particular area, such as NFS or YP. For details on using snoop and its options, refer to the snoop(1M) man page.
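The two procedures above (capturing to a file and then inspecting it with snoop -i, and checking traffic between a server and a client from a third system) both end with "inspect and interpret results". The following parser is an added example, not code from the Solaris documentation: it reads snoop summary lines in the layout shown on this page (both the live "src -> dst PROTO detail" form and the numbered, timestamped snoop -i form), counts packets per protocol, isolates one client/server conversation, and flags hosts that keep broadcasting ARP requests without ever seeing a reply, which is one concrete way to turn "become familiar with normal behavior" into a repeatable check. The sample capture text is constructed from the hostnames on this page; the wording of the ARP reply line ("ARP R ip, name is mac") is an assumption about snoop's summary format, not something the page shows.

```python
"""Parse snoop summary output and summarize it (added example, not Solaris code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Live output is "src -> dst PROTO detail"; 'snoop -i file' output prefixes a
# packet number and the inter-packet time, e.g. "2 0.56104 scout -> (broadcast) ...".
SNOOP_LINE = re.compile(
    r"^\s*(?:(?P<num>\d+)\s+(?P<delta>\d+\.\d+)\s+)?"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<proto>[A-Z]+)\s+(?P<detail>.*?)\s*$"
)
ARP_REQUEST = re.compile(r"C Who is (?P<ip>\S+), (?P<name>\S+) \?")   # wording from the page
ARP_REPLY = re.compile(r"R (?P<ip>\S+), (?P<name>\S+) is ")            # assumed reply wording

# Constructed sample in the style of the page's 'snoop -i /tmp/cap' output.
SAMPLE = """\
 1   0.00000 frmpk17b-082 -> 224.0.0.2      IP  D=224.0.0.2 S=129.146.82.1 LEN=32, ID=0
 2   0.56104        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
 3   0.16742  atlantic-82 -> (broadcast)  ARP C Who is 129.146.82.76, honeybea ?
 4   0.00210     honeybea -> atlantic-82  ARP R 129.146.82.76, honeybea is 8:0:20:aa:bb:cc
 5   0.77247        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
 6   0.13462        scout -> (broadcast)  ARP C Who is 129.146.82.63, grail ?
 7   0.20118      maupiti -> atlantic-82  NFS C GETATTR FH=0343
 8   0.00310  atlantic-82 -> maupiti      NFS R GETATTR OK
 9   0.86691  nimpk17a-82 -> 129.146.82.255 RIP R (1 destinations)
"""


@dataclass
class Packet:
    num: Optional[int]      # None for live output, which carries no packet number
    delta: Optional[float]  # seconds since the previous packet, None for live output
    src: str
    dst: str
    proto: str
    detail: str


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for one snoop summary line, or None if the line is not one."""
    m = SNOOP_LINE.match(line)
    if not m:
        return None
    return Packet(int(m["num"]) if m["num"] else None,
                  float(m["delta"]) if m["delta"] else None,
                  m["src"], m["dst"], m["proto"], m["detail"])


def parse(text: str) -> List[Packet]:
    """Parse every line of snoop output, skipping headers such as 'Using device ...'."""
    return [p for p in (parse_line(line) for line in text.splitlines()) if p]


def protocol_counts(packets: List[Packet]) -> Counter:
    """Packets per highest-level protocol, as snoop's summary form labels them."""
    return Counter(p.proto for p in packets)


def conversation(packets: List[Packet], host_a: str, host_b: str) -> List[Packet]:
    """Only the packets exchanged between the two named hosts, in either direction."""
    pair = {host_a, host_b}
    return [p for p in packets if {p.src, p.dst} == pair]


def unanswered_arp(packets: List[Packet], threshold: int = 3) -> dict:
    """Map target IP -> request count for hosts asked for at least `threshold`
    times with no ARP reply seen; repeated unanswered requests usually mean a
    host is down, misaddressed, or on a different segment than the asker believes."""
    asked: Counter = Counter()
    answered = set()
    for p in packets:
        if p.proto != "ARP":
            continue
        req = ARP_REQUEST.search(p.detail)
        if req:
            asked[req["ip"]] += 1
            continue
        rep = ARP_REPLY.search(p.detail)
        if rep:
            answered.add(rep["ip"])
    return {ip: n for ip, n in asked.items() if ip not in answered and n >= threshold}


if __name__ == "__main__":
    pkts = parse(SAMPLE)
    print("per protocol:", dict(protocol_counts(pkts)))
    for p in conversation(pkts, "maupiti", "atlantic-82"):
        print(f"{p.src} -> {p.dst} {p.proto} {p.detail}")
    print("unanswered ARP:", unanswered_arp(pkts))
```

Feed real output by piping `snoop -i /tmp/cap` into a file and calling `parse()` on its contents; the parser ignores the "Using device" banner because it does not match the summary-line pattern.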
Use the traceroute utility to trace the route an IP packet follows to some Internet host. The traceroute utility uses the IP protocol time-to-live (ttl) field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path. This utility also attempts to elicit the response PORT_UNREACHABLE (or ECHO_REPLY) from the destination host. The traceroute utility sends probes with a ttl of one and increases the ttl by one until the intended host is found or the ttl has incremented beyond the maximum number of intermediate hosts.
The traceroute utility is especially useful for determining routing misconfiguration and routing path failures. If a particular host is unreachable, you can use the traceroute utility to see what path the packet follows to the intended host and where possible failures might occur.
The traceroute utility also displays the round trip time for each gateway along the path to the target host. This information can be useful for analyzing where traffic is slow between the two hosts.
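To make the ttl mechanism described above concrete, here is an added model of it in Python; it is not the traceroute source and sends no packets. A constructed chain of gateways stands in for the network: each gateway decrements the probe's ttl and answers TIME_EXCEEDED when it reaches zero, the destination answers PORT_UNREACHABLE, and a chain that ends before the destination produces the "no reply" rows that point at a routing failure. The hop names, per-hop delays and the `max_ttl` default are all constructed for the example.

```python
"""Model of traceroute's ttl probing (added example, not the traceroute implementation)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Reply kinds, named after the ICMP responses the text describes.
TIME_EXCEEDED = "TIME_EXCEEDED"
PORT_UNREACHABLE = "PORT_UNREACHABLE"


@dataclass
class Hop:
    name: str
    rtt_ms: float   # constructed delay this hop adds to a probe's round trip


# Constructed path: three gateways and the destination host.
PATH = [Hop("gw1", 1.0), Hop("gw2", 2.5), Hop("gw3", 4.0), Hop("target", 6.0)]


def send_probe(path: List[Hop], ttl: int, destination: str) -> Tuple[Optional[str], Optional[str], float]:
    """Forward one probe along `path`. Returns (replying host, reply kind, round trip ms).
    A gateway whose decrement drops ttl to 0 discards the probe and answers
    TIME_EXCEEDED; the destination answers PORT_UNREACHABLE. If the path ends
    before the destination, nobody answers (host and kind are None)."""
    elapsed = 0.0
    for hop in path:
        elapsed += hop.rtt_ms
        ttl -= 1
        if hop.name == destination:
            return hop.name, PORT_UNREACHABLE, elapsed
        if ttl == 0:
            return hop.name, TIME_EXCEEDED, elapsed
    return None, None, elapsed


def traceroute(path: List[Hop], destination: str, max_ttl: int = 30) -> List[Tuple[int, str, Optional[float]]]:
    """Probe with ttl 1, 2, ... until the destination answers or max_ttl is exceeded.
    Each row is (ttl, replying host or '*', round trip ms or None)."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        host, kind, rtt = send_probe(path, ttl, destination)
        rows.append((ttl, host or "*", rtt if host else None))
        if kind == PORT_UNREACHABLE:
            break
    return rows


def slowest_link(rows) -> Optional[Tuple[str, float]]:
    """(host, added ms) for the largest jump in round trip between consecutive
    answering hops, which is where the text suggests looking for a slow segment."""
    best = None
    prev = 0.0
    for _ttl, host, rtt in rows:
        if rtt is None:
            continue
        step = rtt - prev
        if best is None or step > best[1]:
            best = (host, step)
        prev = rtt
    return best


if __name__ == "__main__":
    for ttl, host, rtt in traceroute(PATH, "target"):
        print(f"{ttl:2d}  {host:8s} {'*' if rtt is None else f'{rtt:.1f} ms'}")
    print("slowest link:", slowest_link(traceroute(PATH, "target")))
    # A broken route: the chain stops after gw2, so every later probe goes unanswered.
    for ttl, host, rtt in traceroute(PATH[:2], "target", max_ttl=5):
        print(f"{ttl:2d}  {host:8s} {'*' if rtt is None else f'{rtt:.1f} ms'}")
```

The second run shows how a routing failure looks: the last gateway that answers is the last one the packet reached, and the `*` rows after it are the probes that were forwarded into nothing until the ttl limit stopped the search.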
How to Run the Traceroute Utility

For details of the traceroute utility, see the traceroute(1M) man page.