Snoop Packet Analyser - OmniOS


Snoop is a packet capture and inspection tool that ships with OmniOS. It can display live details of what is happening on the network, or save the captured packets to a file for later analysis, either with snoop itself or with a graphical packet inspection application such as Wireshark.

In this post I am going to go through some introductory snoop commands to build a basic level of confidence with the tool. Snoop has been part of the base system since the early days of Solaris from Sun Microsystems, so there is nothing to install: you just need access to an OmniOS host, or any other illumos based distribution. This can be confirmed as follows:

pbd@omnios:$ which snoop

Overview of the Snoop Packet Analyser Command

Printing the help information for snoop is a good starting place to familiarise yourself with the tool.

pbd@omnios:$ snoop -?

Usage:  snoop
        [ -a ]                       # Listen to packets on audio
        [ -d link ]                  # Listen on named link
        [ -s snaplen ]               # Truncate packets
        [ -I IP interface ]          # Listen on named IP interface
        [ -c count ]                 # Quit after count packets
        [ -P ]                       # Turn OFF promiscuous mode
        [ -D ]                       # Report dropped packets
        [ -S ]                       # Report packet size
        [ -i file ]                  # Read previously captured packets
        [ -o file ]                  # Capture packets in file
        [ -n file ]                  # Load addr-to-name table from file
        [ -N ]                       # Create addr-to-name table
        [ -t  r|a|d ]                # Time: Relative, Absolute or Delta
        [ -v ]                       # Verbose packet display
        [ -V ]                       # Show all summary lines
        [ -p first[,last] ]          # Select packet(s) to display
        [ -x offset[,length] ]       # Hex dump from offset for length
        [ -C ]                       # Print packet filter code
        [ -q ]                       # Suppress printing packet count
        [ -r ]                       # Do not resolve address to name

        [ filter expression ]

        snoop -o saved  host fred

        snoop -i saved -tr -v -p19

This should give you a better understanding of the following examples. For much more detailed information, consult the snoop(1m) man page.

Overview of Snoop Expressions

Snoop expressions select specific packets, either directly from the datalink device or from a capture file. Only packets for which the expression is true are selected; if no expression is given, every packet is selected. A simple expression that tells snoop to select only UDP packets is as follows:

pbd@omnios:~# sudo snoop udp

A filter expression consists of one or more boolean primitives, which may be combined with the boolean operators and, or and not. The usual precedence rules for boolean operators apply, and the order of evaluation can be controlled with parentheses. Note that you will normally have to quote the expression so that your shell does not interpret the parentheses. A combined filter expression looks like this:

snoop '(port http or port https) and host webserver and host client'

Here http and https are the service ports (the names are looked up in /etc/services), and webserver and client are the host names of the two endpoints we are interested in; the whole expression is quoted so that the shell passes the parentheses through to snoop.

The list of primitives are too many to detail here, however, common primitives you will encounter are:

  • Type: host, net, port
  • Direction: src, dst, to, from
  • Protocol: tcp, udp, icmp

Delving deeper into expressions, you can gain finer control of snoop by looking into the packet headers to define what you will capture. I have given one example of this later in the post, but it is worth noting here that this is explained more in depth in the snoop(1m) man page.

Snoop Basic Examples

1. Basic Communication on the Network

View what is happening on the network from the default interface.

pbd@omnios:~# sudo snoop

2. Basic Communication in Non-Promiscuous Mode

Capture packets in non-promiscuous mode. Only broadcast, multicast, or packets addressed to the host machine will be seen.

pbd@omnios:~# sudo snoop -P

3. Specific Interface

View what is happening on a particular datalink, for example, bge0 or net0. The dladm(1M) show-link subcommand can be used to list available datalinks.

pbd@omnios:~# sudo snoop -d bge0

4. Find Traffic by IP or Hostname

If you are interested in monitoring traffic involving a specific host, the following command displays every packet in which that host is either the source or the destination. Here <ip-address> is a placeholder for the address of interest.

The -r flag stops snoop from resolving IP addresses to symbolic names. This prevents snoop from generating its own network traffic (reverse DNS lookups) while capturing and displaying packets.

pbd@omnios:~# sudo snoop -r host <ip-address>

Alternatively, the hostname can be used instead of the IP Address.

5. Analysing HEX Output from Captured Packets

To view the contents of a packet, call snoop with the -x flag. -x takes an offset (and an optional length) into the packet; an offset of 0 dumps the whole packet in hex and ASCII, which is closer to what you would see in Wireshark. The -c 1 flag stops the capture after a single packet.

pbd@omnios:~# sudo snoop -c 1 -x 0

6. Capturing Packets either To or From a Specific Host

As opposed to example 4, the following only capture packets that are either going to (to/dst) or coming from (from/src) a specific host. Here <host> is a placeholder for the host name or IP address; to and dst are synonyms, as are from and src.

pbd@omnios:~# sudo snoop to <host>
pbd@omnios:~# sudo snoop dst <host>
pbd@omnios:~# sudo snoop from <host>
pbd@omnios:~# sudo snoop src <host>

7. Capturing Packets To or From a Specific Network

If you are only interested in a particular network, apply the net primitive, where <network> is a placeholder for the network number or a network name from /etc/networks:

pbd@omnios:~# sudo snoop -d e1000g1 net <network>

I have added a specific interface on this command. Further snoop primitives, if applied, would narrow the capture down more.

8. Capture Packets Bound for a Specific Port

Below, snoop captures all traffic from a specific IP address that is destined to port 80. The src qualifier restricts the address to the sender and dst restricts the port to the destination; an unqualified port 80 would match the port in either direction. <ip-address> is a placeholder for the sender's address:

pbd@omnios:~# sudo snoop src <ip-address> and dst port 80

9. Capture Packets that Belong to a Specific Protocol

For instance, if you are just interested in the Internet Control Message Protocol (ICMP), you can filter the packet capture as follows:

pbd@omnios:~# sudo snoop icmp

Other snoop primitives allow you to filter on other protocols such as tcp, udp and arp.

10. Capturing Packets for a Range of Ports

You may want to capture a certain range of ports. For instance, if you are interested in BitTorrent traffic, you could use the following to capture all TCP packets whose source or destination port falls in the 6881-6889 range commonly used by BitTorrent clients:

pbd@omnios:~# sudo snoop '(tcp[0:2] >= 6881 and tcp[0:2] <= 6889) or (tcp[2:2] >= 6881 and tcp[2:2] <= 6889)'

The expression tcp[0:2] reads the two bytes at offset 0 of the TCP header, which is the Source Port field; tcp[2:2] reads the Destination Port field. Checking only one of them would miss half the packets of each connection. This header-offset syntax is explained further in the snoop(1m) man page under "expr relop expr".

11. Capturing Packets Determined by Size

If you are trying to track down packets of a certain size, add the less and/or greater primitives, which compare against the packet length in bytes.

pbd@omnios:~# sudo snoop less 16
pbd@omnios:~# sudo snoop greater 128

12. Capturing Packets to a File

Saving packet captures to a file is useful in many circumstances. The file can be analysed with a graphical application such as Wireshark, or used as input to a script you have written yourself. Use the -o flag to direct the output to the named file. Note that snoop writes its own capture format (documented in RFC 1761) regardless of the file extension you choose; Wireshark and tshark read this format directly. <host> below is a placeholder for the host of interest.

pbd@omnios:~# sudo snoop -o ping.pcap icmp and from <host> and greater 128

13. Reading Packets from a Snoop File

Reading snoop files with the -i flag can be combined with other flags, such as -x to display hex data (its argument is the offset to start from; 0 dumps the whole packet) or -p to display a specific packet or range of packets, as in the following example, which dumps packets 2 to 4:

pbd@omnios:~# snoop -i ping.pcap -x 0 -p 2,4

Further flags can be added depending on your needs, for example -v for a full verbose decode of each packet.

14. Converting a Snoop capture file to a TCP-Dump file

While not a snoop command, this is handy should you need to share your capture file with someone who only has access to tcpdump, which does not read the snoop file format. You will need Wireshark (which provides tshark) installed. Recent versions of tshark write pcapng by default, so pass -F pcap to get a classic pcap file that any tcpdump can read:

pbd@fedora:~$ tshark -r snoop.pcap -F pcap -w snoop.dump
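As an added example that is not part of the original post, the following Python script shows what examples 12 to 14 rely on and what example 10 filters on: it reads the snoop capture format (RFC 1761) that snoop -o writes, converts the records to a classic pcap file that tcpdump can read, and applies a packet-level equivalent of the BitTorrent port-range expression to both the source port (tcp[0:2]) and the destination port (tcp[2:2]). The capture it processes is constructed inline (locally administered MAC addresses, TEST-NET-1 IP addresses, IP checksums left at zero) so the script runs offline; the output file name bittorrent.pcap is an assumption.

```python
# Added example, not from the original post: snoop (RFC 1761) reader, pcap
# writer and a tcp[0:2] / tcp[2:2] port-range filter over constructed frames.
import struct

SNOOP_MAGIC = b"snoop\0\0\0"
SNOOP_VERSION = 2
SNOOP_ETHERNET = 4      # RFC 1761 datalink type for Ethernet
DLT_EN10MB = 1          # pcap link-layer type for Ethernet

def parse_snoop(data):
    """Yield (ts_sec, ts_usec, orig_len, frame) for every record in a snoop file."""
    if data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop capture file")
    version, datalink = struct.unpack(">II", data[8:16])   # all fields big-endian
    if version != SNOOP_VERSION or datalink != SNOOP_ETHERNET:
        raise ValueError("unsupported snoop version/datalink %d/%d" % (version, datalink))
    off = 16
    while off < len(data):
        if off + 24 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        orig_len, incl_len, rec_len, _drops, ts_sec, ts_usec = struct.unpack(
            ">IIIIII", data[off:off + 24])
        frame = data[off + 24:off + 24 + incl_len]
        if len(frame) != incl_len or rec_len < 24 + incl_len:
            raise ValueError("truncated or corrupt record at offset %d" % off)
        yield ts_sec, ts_usec, orig_len, frame
        off += rec_len          # rec_len covers header, data and 4-byte padding

def to_pcap(records, snaplen=65535):
    """Serialise (ts_sec, ts_usec, orig_len, frame) records as a classic pcap file."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, DLT_EN10MB))
    for ts_sec, ts_usec, orig_len, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig_len) + frame
    return bytes(out)

def tcp_ports(frame):
    """Return (src_port, dst_port) of an Ethernet/IPv4/TCP frame, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    if frame[23] != 6:                                    # IP protocol must be TCP
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]             # skip IP header (IHL words)
    if len(tcp) < 4:
        return None
    # tcp[0:2] is the Source Port field, tcp[2:2] the Destination Port field
    return struct.unpack(">HH", tcp[:4])

def port_in_range(frame, lo, hi):
    """Equivalent of snoop's
    '(tcp[0:2] >= lo and tcp[0:2] <= hi) or (tcp[2:2] >= lo and tcp[2:2] <= hi)'."""
    ports = tcp_ports(frame)
    return ports is not None and any(lo <= p <= hi for p in ports)

def make_frame(proto, sport, dport):
    """Constructed test frame: Ethernet + IPv4 (checksum zero) + TCP or UDP header."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    if proto == 6:
        l4 = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    else:
        l4 = struct.pack(">HHHH", sport, dport, 8, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + l4

def make_snoop_file(frames):
    """Write frames in RFC 1761 layout, padding each record to a 4-byte boundary."""
    out = bytearray(SNOOP_MAGIC + struct.pack(">II", SNOOP_VERSION, SNOOP_ETHERNET))
    for i, frame in enumerate(frames):
        pad = (-len(frame)) % 4
        out += struct.pack(">IIIIII", len(frame), len(frame), 24 + len(frame) + pad,
                           0, 1700000000 + i, 0)
        out += frame + b"\0" * pad
    return bytes(out)

# Constructed capture: two frames match the BitTorrent range, two do not.
SAMPLE_CAPTURE = make_snoop_file([
    make_frame(6, 6881, 50000),   # TCP, source port in range
    make_frame(6, 40000, 80),     # TCP, HTTP: neither port in range
    make_frame(17, 6889, 6889),   # UDP: tcp[...] never matches a non-TCP packet
    make_frame(6, 51000, 6889),   # TCP, destination port in range
])

def filter_bittorrent(capture, lo=6881, hi=6889):
    """Apply the port-range filter to a snoop file; return (pcap_bytes, kept, total)."""
    records = list(parse_snoop(capture))
    kept = [r for r in records if port_in_range(r[3], lo, hi)]
    return to_pcap(kept), len(kept), len(records)

if __name__ == "__main__":
    pcap, kept, total = filter_bittorrent(SAMPLE_CAPTURE)
    with open("bittorrent.pcap", "wb") as f:   # assumed output file name
        f.write(pcap)
    print("kept %d of %d packets" % (kept, total))
```

The pcap written by filter_bittorrent can be opened with tcpdump -r or Wireshark; the snoop reader only accepts the Ethernet datalink type, which is what the examples above produce, and rejects anything else rather than guessing.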

Wrapping up

For resolving network problems, or problems with applications that send data over the network, snoop is a tool worth investigating. If you have not already done so, check out the snoop(1m) man page for a more detailed look at it.