Snoop Packet Analyser - OmniOS
Snoop is designed to capture and inspect network packets and is included with OmniOS. It can display live details of what is happening on the network, or save that data to a file for later analysis, either with the snoop command itself or in a graphical packet inspection application such as Wireshark.
In this post I am going to go through some introductory snoop commands to get a basic level of confidence with the tool. snoop comes with the base system, having been shipped with Solaris from Sun Microsystems since the early days, so you do not need to install anything; you just need access to an OmniOS host, or any other illumos based distribution. This can be confirmed as follows:
```
pbd@omnios:$ which snoop
/usr/sbin/snoop
```
Overview of the Snoop Packet Analyser Command
Printing the help information for Snoop is a good starting place to familiarise yourself with the tool.
```
pbd@omnios:$ snoop -?

Usage: snoop
        [ -a ]                  # Listen to packets on audio
        [ -d link ]             # Listen on named link
        [ -s snaplen ]          # Truncate packets
        [ -I IP interface ]     # Listen on named IP interface
        [ -c count ]            # Quit after count packets
        [ -P ]                  # Turn OFF promiscuous mode
        [ -D ]                  # Report dropped packets
        [ -S ]                  # Report packet size
        [ -i file ]             # Read previously captured packets
        [ -o file ]             # Capture packets in file
        [ -n file ]             # Load addr-to-name table from file
        [ -N ]                  # Create addr-to-name table
        [ -t  r|a|d ]           # Time: Relative, Absolute or Delta
        [ -v ]                  # Verbose packet display
        [ -V ]                  # Show all summary lines
        [ -p first[,last] ]     # Select packet(s) to display
        [ -x offset[,length] ]  # Hex dump from offset for length
        [ -C ]                  # Print packet filter code
        [ -q ]                  # Suppress printing packet count
        [ -r ]                  # Do not resolve address to name

        [ filter expression ]

Example:
        snoop -o saved  host fred

        snoop -i saved -tr -v -p19
```
This should give you a better understanding of the following examples. For much more detailed information, consult the snoop(1m) man page.
Overview of Snoop Expressions
Snoop expressions allow you to select specific packets, either directly from the datalink device or from a capture file. Only packets for which the expression is true are selected; if no expression is provided, it is assumed to be true. A simple Snoop expression that instructs Snoop to select only udp packets is as follows:
```
pbd@omnios:~# sudo snoop udp
```
A "filter expression" consists of one or more "boolean primitives" that may be combined with the "boolean operators" AND, OR and NOT. Normal precedence rules for boolean operators apply, and the order of evaluation can be controlled with parentheses. Note that you may need to quote parentheses so that your shell does not interpret them. A filtered Snoop expression looks like this:
```
snoop http https and webserver and client
```
Here http and https are the protocols, and webserver and client are the host names of the targets that we are interested in.
There are too many primitives to detail here; however, common primitives you will encounter are:
- Type: host, net, port
- Direction: src, dst, to, from
- Protocol: tcp, udp, icmp
Delving deeper into expressions, you can gain finer control of Snoop by looking into the packet headers to define what you will capture. I have given one example of this below, but it is worth noting that this is explained more in depth in the snoop(1m) man page.
Snoop Basic Examples
1. Basic Communication on the Network
View what is happening on the network from the default interface.
```
pbd@omnios:~# sudo snoop
```
2. Basic Communication in Non-Promiscuous Mode
Capture packets in non-promiscuous mode. Only broadcast, multicast, or packets addressed to the host machine will be seen.
```
pbd@omnios:~# sudo snoop -P
```
3. Specific Interface
View what is happening on a particular datalink, for example net0. The dladm(1M) show-link subcommand can be used to list available datalinks.
```
pbd@omnios:~# sudo snoop -d bge0
```
4. Find Traffic by IP or Hostname
If you are interested in monitoring traffic for a specific host, the following command will display all packets for that host, whether it is the source or the destination. The -r flag stops snoop resolving IP addresses to symbolic names, which prevents snoop from generating network traffic of its own while capturing and displaying packets.
```
pbd@omnios:~# sudo snoop -r host 192.168.10.15
```
Alternatively, the hostname can be used instead of the IP Address.
5. Analysing HEX Output from Captured Packets
To view the contents of the packet, we can call snoop with the -x flag, which takes the offset at which the hex dump should start (0 for the whole packet). The output will be closer to what you would see in Wireshark.
```
pbd@omnios:~# sudo snoop -c 1 -x 0 host 192.168.10.15
```
6. Capturing Packets either To or From a Specific Host
As opposed to Example 4, the following will capture only packets that are either to (dst) or from (src) a specific host.
```
pbd@omnios:~# sudo snoop to 192.168.10.15
pbd@omnios:~# sudo snoop dst 192.168.10.15
pbd@omnios:~# sudo snoop from 192.168.10.15
pbd@omnios:~# sudo snoop src 192.168.10.15
```
7. Capturing Packets To or From a Specific Network
If you are interested in just a particular network, you can apply the net primitive as in the following example.
```
pbd@omnios:~# sudo snoop -d e1000g1 net 220.127.116.11
```
I have specified a particular interface in this command. Additional snoop primitives, if applied, would allow further filtering of the packet capture.
8. Capture Packets Bound for a Specific Port
Here snoop captures packets for all traffic destined to port 80 from a specific IP address:
```
pbd@omnios:~# sudo snoop src 192.168.10.100 port 80
```
9. Capture Packets that Belong to a Specific Protocol
For instance, if you are just interested in the Internet Control Message Protocol (ICMP), you can filter the packet capture as follows:
```
pbd@omnios:~# sudo snoop icmp
```
snoop primitives allow you to filter on other protocols too, such as tcp and udp.
10. Capturing Packets for a Range of Ports
You may want to define a certain range of ports to capture. For instance, if you are interested in BitTorrent data, you could use the following to capture all packets related to the BitTorrent service.
```
pbd@omnios:~# sudo snoop 'tcp[0:2] >= 6881 and tcp[0:2] <= 6889'
```
tcp[0:2] reads the Destination Port field in the TCP header. This is explained further in the snoop(1m) man page under "expr relop expr".
11. Capturing Packets Determined by Size
If you are trying to track down packets of a certain size, these can be captured by adding the less or greater primitive followed by a length in bytes:
```
pbd@omnios:~# sudo snoop less 16
pbd@omnios:~# sudo snoop greater 128
```
12. Capturing Packets to a File
Saving packet captures to a file is useful in many circumstances. The file can be analysed in a graphical application such as Wireshark, or may be useful as input for a script you have written yourself. Use the -o flag to direct the output to the named file.
```
pbd@omnios:~# sudo snoop -o ping.pcap icmp from 192.168.10.100 greater 128
```
13. Reading Packets from a Snoop File
Reading Snoop files with the -i flag can be combined with other flags, such as -x to display hex data or -p to display a specific packet or range of packets, as in the following example:
```
pbd@omnios:~# snoop -i ping.pcap -xp 2,4
```
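The file that -o writes is in the snoop capture format of RFC 1761 (Wireshark reads it, but it is not pcap despite the .pcap name used above). The following Python is an added example, not code from this post or from illumos: it parses that format and evaluates the filters from Examples 9, 10 and 11 (icmp, the tcp[0:2] port range, greater) offline over a constructed two-packet capture. It assumes an Ethernet datalink; note that in the RFC 793 TCP header layout bytes 0-1 are the source port and bytes 2-3 the destination port, so both are exposed.

```python
import struct
from collections import namedtuple

SNOOP_MAGIC = b"snoop\x00\x00\x00"   # RFC 1761 header: magic, then version and datalink type
DL_ETHER = 4
Packet = namedtuple("Packet", "orig_len data")  # orig_len is what 'greater'/'less' test

def parse_snoop(blob):
    """Parse a snoop capture (the format 'snoop -o' writes) into Packet records."""
    if blob[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop capture")
    version, dltype = struct.unpack(">II", blob[8:16])
    if version != 2 or dltype != DL_ETHER:
        raise ValueError(f"unsupported snoop version/datalink {version}/{dltype}")
    pkts, off = [], 16
    while off + 24 <= len(blob):
        orig, incl, reclen, _drops, _sec, _usec = struct.unpack(">IIIIII", blob[off:off + 24])
        if reclen < 24 + incl or off + reclen > len(blob):  # never trust lengths from a file
            raise ValueError(f"corrupt record at offset {off}")
        pkts.append(Packet(orig, blob[off + 24:off + 24 + incl]))  # data may be -s truncated
        off += reclen  # record length already includes the 4-byte alignment padding
    return pkts

def ip_proto(p):
    """IPv4 protocol number (1 icmp, 6 tcp, 17 udp) or None for a non-IPv4 Ethernet frame."""
    return p.data[23] if len(p.data) >= 34 and p.data[12:14] == b"\x08\x00" else None

def tcp_field(p, offset, length):
    """snoop's tcp[offset:length]: big-endian integer at that offset into the TCP header
    (RFC 793 layout: bytes 0-1 source port, bytes 2-3 destination port)."""
    if ip_proto(p) != 6:
        return None
    start = 14 + (p.data[14] & 0x0F) * 4 + offset   # skip Ethernet + variable-length IP header
    return int.from_bytes(p.data[start:start + length], "big")

def torrent_port(p):  # the post's 'tcp[0:2] >= 6881 and tcp[0:2] <= 6889'
    v = tcp_field(p, 0, 2)
    return v is not None and 6881 <= v <= 6889

# Constructed two-packet capture (not a real trace), 192.168.10.100 -> 192.168.10.15.
def frame(proto, l4):
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, bytes((192, 168, 10, 100)), bytes((192, 168, 10, 15)))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def snoop_file(frames):
    out = SNOOP_MAGIC + struct.pack(">II", 2, DL_ETHER)
    for i, f in enumerate(frames):
        pad = -len(f) % 4
        out += struct.pack(">IIIIII", len(f), len(f), 24 + len(f) + pad, 0, 1700000000 + i, 0) + f + b"\x00" * pad
    return out

CAPTURE = snoop_file([frame(6, struct.pack(">HH", 6881, 51000) + b"\x00" * 16),  # tcp, 54 bytes on the wire
                      frame(1, b"\x08\x00" + b"\x00" * 6 + b"A" * 120)])          # icmp echo, 162 bytes
```

The length checks in parse_snoop matter when the file comes from someone else: a record length that runs past the end of the file is rejected rather than used to index the buffer.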
You can also define further flags, depending on your needs.
14. Converting a Snoop capture file to a tcpdump file
While not a snoop command, this is handy should you need to share your capture file with someone who only has access to tcpdump. You will need Wireshark installed.
```
pbd@fedora:~$ tshark -r snoop.pcap -w snoop.dump
```
For resolving network problems or problems with applications that send data over the network, Snoop is a tool that you want to investigate. If you have not already done so, check out the snoop(1m) man page for a more detailed look into Snoop.