8322 nl: misleading-indentation

[unleashed/tickless.git] / usr / src / man / man1m / snoop.1m

'\" te
.\" Copyright (C) 2009, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH SNOOP 1M "Feb 25, 2017"
.SH NAME
snoop \- capture and inspect network packets
.SH SYNOPSIS
.LP
.nf
\fBsnoop\fR  [\fB-aqrCDINPSvV\fR] [\fB-t\fR [r |  a |  d]] [\fB-c\fR \fImaxcount\fR]
 [\fB-d\fR \fIdevice\fR] [\fB-i\fR \fIfilename\fR] [\fB-n\fR \fIfilename\fR] [\fB-o\fR \fIfilename\fR]
 [\fB-p\fR \fIfirst\fR [, \fIlast\fR]] [\fB-s\fR \fIsnaplen\fR] [\fB-x\fR \fIoffset\fR [, \fIlength\fR]]
 [\fIexpression\fR]
.fi

.SH DESCRIPTION
.LP
From a datalink or IP interface, \fBsnoop\fR captures packets and displays
their contents. If the datalink or IP interface is not specified, \fBsnoop\fR
will pick a datalink to use, giving priority to datalinks that have been
plumbed for IP traffic. \fBsnoop\fR uses the \fBpfmod\fR(7M) and
\fBbufmod\fR(7M) STREAMS modules to provide efficient capture of packets from
the network. Captured packets can be displayed as they are received or saved to
a file (which is \fIRFC 1761\fR-compliant) for later inspection.
.sp
.LP
\fBsnoop\fR can display packets in a single-line summary form or in verbose
multi-line forms. In summary form, with the exception of certain VLAN packets,
only the data pertaining to the highest level protocol is displayed. If a
packet has a VLAN header and its VLAN ID is non-zero, then \fBsnoop\fR will
show that the packet is VLAN tagged. For example, an \fBNFS\fR packet will have
only \fBNFS\fR information displayed. Except for VLAN information under the
condition just described, the underlying \fBRPC\fR, \fBUDP\fR, \fBIP\fR, and
Ethernet frame information is suppressed, but can be displayed if either of the
verbose options are chosen.
.sp
.LP
In the absence of a name service, such as LDAP or NIS, \fBsnoop\fR displays
host names as numeric IP addresses.
.sp
.LP
\fBsnoop\fR requires an interactive interface.
.SH OPTIONS
.ne 2
.na
\fB\fB-C\fR\fR
.ad
.sp .6
.RS 4n
List the code generated from the filter expression for either the kernel packet
filter, or \fBsnoop\fR's own filter.
.RE

.sp
.ne 2
.na
\fB\fB-D\fR\fR
.ad
.sp .6
.RS 4n
Display number of packets dropped during capture on the summary line.
.RE

.sp
.ne 2
.na
\fB\fB-N\fR\fR
.ad
.sp .6
.RS 4n
Create an \fBIP\fR address-to-name file from a capture file. This must be set
together with the \fB-i\fR option that names a capture file. The
address-to-name file has the same name as the capture file with \fB\&.names\fR
appended. This file records the \fBIP\fR address to hostname mapping at the
capture site and increases the portability of the capture file. Generate a
\fB\&.names\fR file if the capture file is to be analyzed elsewhere. Packets
are not displayed when this flag is used.
.RE

.sp
.ne 2
.na
\fB\fB-I\fR \fIinterface\fR\fR
.ad
.sp .6
.RS 4n
Capture IP packets from the network using the IP interface specified by
\fIinterface\fR, for example, \fBlo0\fR. The \fBifconfig\fR(1M) command can be
used to list available IP interfaces. The \fB-I\fR and \fB-d\fR options are
mutually exclusive.
.RE

.sp
.ne 2
.na
\fB\fB-P\fR\fR
.ad
.sp .6
.RS 4n
Capture packets in non-promiscuous mode. Only broadcast, multicast, or packets
addressed to the host machine will be seen.
.RE

.sp
.ne 2
.na
\fB\fB-S\fR\fR
.ad
.sp .6
.RS 4n
Display size of the entire link layer frame in bytes on the summary line.
.RE

.sp
.ne 2
.na
\fB\fB-V\fR\fR
.ad
.sp .6
.RS 4n
Verbose summary mode. This is halfway between summary mode and verbose mode in
degree of verbosity. Instead of displaying just the summary line for the
highest level protocol in a packet, it displays a summary line for each
protocol layer in the packet. For instance, for an \fBNFS\fR packet it will
display a line each for the \fBETHER\fR, \fBIP\fR, \fBUDP\fR, \fBRPC\fR and
\fBNFS\fR layers. Verbose summary mode output may be easily piped through
\fBgrep\fR to extract packets of interest. For example, to view only \fBRPC\fR
summary lines, enter the following: \fBexample#\fR \fBsnoop -i rpc.cap -V |
grep RPC\fR
.RE

.sp
.ne 2
.na
\fB\fB-a\fR\fR
.ad
.sp .6
.RS 4n
Listen to packets on \fB/dev/audio\fR (warning: can be noisy).
.RE

.sp
.ne 2
.na
\fB\fB-c\fR \fImaxcount\fR\fR
.ad
.sp .6
.RS 4n
Quit after capturing \fImaxcount\fR packets. Otherwise keep capturing until
there is no disk space left or until interrupted with Control-C.
.RE

.sp
.ne 2
.na
\fB\fB-d\fR \fIdatalink\fR\fR
.ad
.sp .6
.RS 4n
Capture link-layer packets from the network using the DLPI datalink specified
by \fIdatalink\fR, for example, \fBbge0\fR or \fBnet0\fR. The \fBdladm\fR(1M)
\fBshow-link\fR subcommand can be used to list available datalinks. The
\fB-d\fR and \fB-I\fR options are mutually exclusive.
.RE

.sp
.ne 2
.na
\fB\fB-i\fR \fIfilename\fR\fR
.ad
.sp .6
.RS 4n
Display packets previously captured in \fIfilename\fR. Without this option,
\fBsnoop\fR reads packets from the network interface. If a
\fIfilename\fR\fB\&.names\fR file is present, it is automatically loaded into
the \fBsnoop\fR \fBIP\fR address-to-name mapping table (See \fB-N\fR flag).
.RE

.sp
.ne 2
.na
\fB\fB-n\fR \fIfilename\fR\fR
.ad
.sp .6
.RS 4n
Use \fIfilename\fR as an \fBIP\fR address-to-name mapping table. This file must
have the same format as the \fB/etc/hosts\fR file (IP address followed by the
hostname).
.RE

.sp
.ne 2
.na
\fB\fB-o\fR \fIfilename\fR\fR
.ad
.sp .6
.RS 4n
Save captured packets in \fIfilename\fR as they are captured. (This
\fIfilename\fR is referred to as the "capture file".) The format of the capture
file is RFC 1761-compliant. During packet capture, a count of the number of
packets saved in the file is displayed. If you wish just to count packets
without saving to a file, name the file \fB/dev/null\fR.
.RE

.sp
.ne 2
.na
\fB\fB-p\fR \fIfirst\fR [ , \fBlast\fR ]\fR
.ad
.sp .6
.RS 4n
Select one or more packets to be displayed from a capture file. The \fIfirst\fR
packet in the file is packet number 1.
.RE

.sp
.ne 2
.na
\fB\fB-q\fR\fR
.ad
.sp .6
.RS 4n
When capturing network packets into a file, do not display the packet count.
This can improve packet capturing performance.
.RE

.sp
.ne 2
.na
\fB\fB-r\fR\fR
.ad
.sp .6
.RS 4n
Do not resolve the \fBIP\fR address to the symbolic name. This prevents
\fBsnoop\fR from generating network traffic while capturing and displaying
packets. However, if the \fB-n\fR option is used, and an address is found in
the mapping file, its corresponding name will be used.
.RE

.sp
.ne 2
.na
\fB\fB-s\fR \fIsnaplen\fR\fR
.ad
.sp .6
.RS 4n
Truncate each packet after \fIsnaplen\fR bytes. Usually the whole packet is
captured. This option is useful if only certain packet header information is
required. The packet truncation is done within the kernel giving better
utilization of the streams packet buffer. This means less chance of dropped
packets due to buffer overflow during periods of high traffic. It also saves
disk space when capturing large traces to a capture file. To capture only
\fBIP\fR headers (no options) use a \fIsnaplen\fR of 34. For \fBUDP\fR use 42,
and for \fBTCP\fR use 54. You can capture \fBRPC\fR headers with a
\fIsnaplen\fR of 80 bytes. \fBNFS\fR headers can be captured in 120 bytes.
.RE

.sp
.ne 2
.na
\fB\fB-t\fR [ \fBr\fR | \fBa\fR | \fBd\fR ]\fR
.ad
.sp .6
.RS 4n
Time-stamp presentation. Time-stamps are accurate to within 4 microseconds. The
default is for times to be presented in \fBd\fR (delta) format (the time since
receiving the previous packet). Option \fBa\fR (absolute) gives wall-clock
time. Option \fBr\fR (relative) gives time relative to the first packet
displayed. This can be used with the \fB-p\fR option to display time relative
to any selected packet.
.RE

.sp
.ne 2
.na
\fB\fB-v\fR\fR
.ad
.sp .6
.RS 4n
Verbose mode. Print packet headers in lots of detail. This display consumes
many lines per packet and should be used only on selected packets.
.RE

.sp
.ne 2
.na
\fB\fB\fR\fB-x\fR\fIoffset\fR [ , \fIlength\fR]\fR
.ad
.sp .6
.RS 4n
Display packet data in hexadecimal and \fBASCII\fR format. The \fIoffset\fR and
\fIlength\fR values select a portion of the packet to be displayed. To display
the whole packet, use an \fIoffset\fR of 0. If a \fIlength\fR value is not
provided, the rest of the packet is displayed.
.RE

.SH OPERANDS
.ne 2
.na
\fB\fIexpression\fR\fR
.ad
.sp .6
.RS 4n
Select packets either from the network or from a capture file. Only packets for
which the expression is true will be selected. If no expression is provided it
is assumed to be true.
.sp
Given a filter expression, \fBsnoop\fR generates code for either the kernel
packet filter or for its own internal filter. If capturing packets with the
network interface, code for the kernel packet filter is generated. This filter
is implemented as a streams module, upstream of the buffer module. The buffer
module accumulates packets until it becomes full and passes the packets on to
\fBsnoop\fR. The kernel packet filter is very efficient, since it rejects
unwanted packets in the kernel before they reach the packet buffer or
\fBsnoop\fR. The kernel packet filter has some limitations in its
implementation; it is possible to construct filter expressions that it cannot
handle. In this event, \fBsnoop\fR tries to split the filter and do as much
filtering in the kernel as possible. The remaining filtering is done by the
packet filter for \fBsnoop\fR. The \fB-C\fR flag can be used to view generated
code for either the packet filter for the kernel or the packet filter for
\fBsnoop\fR. If packets are read from a capture file using the \fB-i\fR option,
only the packet filter for \fBsnoop\fR is used.
.sp
A filter \fIexpression\fR consists of a series of one or more boolean
primitives that may be combined with boolean operators (\fBAND\fR, \fBOR\fR,
and \fBNOT\fR). Normal precedence rules for boolean operators apply. Order of
evaluation of these operators may be controlled with parentheses. Since
parentheses and other filter expression characters are known to the shell, it
is often necessary to enclose the filter expression in quotes. Refer to  for
information about setting up more efficient filters.
.sp
The primitives are:
.sp
.ne 2
.na
\fB\fBhost\fR \fIhostname\fR\fR
.ad
.sp .6
.RS 4n
True if the source or destination address is that of \fBhostname\fR. The
\fIhostname\fR argument may be a literal address. The keyword \fBhost\fR may be
omitted if the name does not conflict with the name of another expression
primitive. For example, \fBpinky\fR selects packets transmitted to or received
from the host \fBpinky\fR, whereas \fBpinky and dinky\fR selects packets
exchanged between hosts \fBpinky AND dinky\fR.
.sp
The type of address used depends on the primitive which precedes the \fBhost\fR
primitive. The possible qualifiers are \fBinet\fR, \fBinet6\fR, \fBether\fR, or
none. These three primitives are discussed below. Having none of the primitives
present is equivalent to "inet host hostname or inet6 host hostname". In other
words, snoop tries to filter on all IP addresses associated with hostname.
.RE

.sp
.ne 2
.na
\fB\fIinet\fR or \fIinet6\fR\fR
.ad
.sp .6
.RS 4n
A qualifier that modifies the \fBhost\fR primitive that follows. If it is
\fIinet\fR, then \fBsnoop\fR tries to filter on all IPv4 addresses returned
from a name lookup. If it is \fIinet6\fR, \fBsnoop\fR tries to filter on all
IPv6 addresses returned from a name lookup.
.RE

.sp
.ne 2
.na
\fB\fIipaddr\fR, \fIatalkaddr\fR, or \fIetheraddr\fR\fR
.ad
.sp .6
.RS 4n
Literal addresses, \fBIP\fR dotted, AppleTalk dotted, and Ethernet colon are
recognized. For example,
.RS +4
.TP
.ie t \(bu
.el o
"\fB172.16.40.13\fR" matches all packets with that \fBIP\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
"\fB2::9255:a00:20ff:fe73:6e35\fR" matches all packets with that IPv6 address
as source or destination;
.RE
.RS +4
.TP
.ie t \(bu
.el o
"\fB65281.13\fR" matches all packets with that AppleTalk address;
.RE
.RS +4
.TP
.ie t \(bu
.el o
"\fB8:0:20:f:b1:51\fR" matches all packets with the Ethernet address as source
or destination.
.RE
An Ethernet address beginning with a letter is interpreted as a hostname. To
avoid this, prepend a zero when specifying the address. For example, if the
Ethernet address is \fBaa:0:45:23:52:44\fR, then specify it by add a leading
zero to make it \fB0aa:0:45:23:52:44\fR.
.RE

.sp
.ne 2
.na
\fB\fBfrom\fR or \fBsrc\fR\fR
.ad
.sp .6
.RS 4n
A qualifier that modifies the following \fBhost\fR, \fBnet\fR, \fIipaddr\fR,
\fIatalkaddr\fR, \fIetheraddr\fR, \fBport\fR or \fBrpc\fR primitive to match
just the source address, port, or \fBRPC\fR reply.
.RE

.sp
.ne 2
.na
\fB\fBto\fR or \fBdst\fR\fR
.ad
.sp .6
.RS 4n
A qualifier that modifies the following \fBhost\fR, \fBnet\fR, \fIipaddr\fR,
\fIatalkaddr\fR, \fIetheraddr\fR, \fBport\fR or \fBrpc\fR primitive to match
just the destination address, port, or \fBRPC\fR call.
.RE

.sp
.ne 2
.na
\fB\fBether\fR\fR
.ad
.sp .6
.RS 4n
A qualifier that modifies the following \fBhost\fR primitive to resolve a name
to an Ethernet address. Normally, \fBIP\fR address matching is performed. This
option is not supported on media such as IPoIB (IP over InfiniBand).
.RE

.sp
.ne 2
.na
\fB\fBethertype\fR \fInumber\fR\fR
.ad
.sp .6
.RS 4n
True if the Ethernet type field has value \fInumber\fR. If \fInumber\fR is not
0x8100 (VLAN) and the packet is VLAN tagged, then the expression will match the
encapsulated Ethernet type.
.RE

.sp
.ne 2
.na
\fB\fBip\fR, \fBip6\fR, \fBarp\fR, \fBrarp\fR, \fBpppoed\fR, \fBpppoes\fR\fR
.ad
.sp .6
.RS 4n
True if the packet is of the appropriate ethertype.
.RE

.sp
.ne 2
.na
\fB\fBvlan\fR\fR
.ad
.sp .6
.RS 4n
True if the packet has \fBethertype\fR VLAN and the VLAN ID is not zero.
.RE

.sp
.ne 2
.na
\fB\fBvlan-id\fR \fIid\fR\fR
.ad
.sp .6
.RS 4n
True for packets of ethertype VLAN with the id \fIid\fR.
.RE

.sp
.ne 2
.na
\fB\fBpppoe\fR\fR
.ad
.sp .6
.RS 4n
True if the ethertype of the packet is either \fBpppoed\fR or \fBpppoes\fR.
.RE

.sp
.ne 2
.na
\fB\fBbroadcast\fR\fR
.ad
.sp .6
.RS 4n
True if the packet is a broadcast packet. Equivalent to \fBether[2:4] =
0xffffffff\fR for Ethernet. This option is not supported on media such as IPoIB
(IP over InfiniBand).
.RE

.sp
.ne 2
.na
\fB\fBmulticast\fR\fR
.ad
.sp .6
.RS 4n
True if the packet is a multicast packet. Equivalent to "\fBether[0] & 1 =
1\fR" on Ethernet. This option is not supported on media such as IPoIB (IP over
InfiniBand).
.RE

.sp
.ne 2
.na
\fB\fBbootp\fR, \fBdhcp\fR\fR
.ad
.sp .6
.RS 4n
True if the packet is an unfragmented IPv4 UDP packet with either a source port
of \fBBOOTPS (67)\fR and a destination port of \fBBOOTPC (68)\fR, or a source
port of \fBBOOTPC (68)\fR and a destination of \fBBOOTPS (67)\fR.
.RE

.sp
.ne 2
.na
\fB\fBdhcp6\fR\fR
.ad
.sp .6
.RS 4n
True if the packet is an unfragmented IPv6 UDP packet with either a source port
of \fBDHCPV6-SERVER\fR (547) and a destination port of \fBDHCPV6-CLIENT\fR
(546), or a source port of \fBDHCPV6-CLIENT\fR (546) and a destination of
\fBDHCPV6-SERVER\fR (547).
.RE

.sp
.ne 2
.na
\fB\fBapple\fR\fR
.ad
.sp .6
.RS 4n
True if the packet is an Apple Ethertalk packet. Equivalent to "\fBethertype
0x809b or ethertype 0x80f3\fR".
.RE

.sp
.ne 2
.na
\fB\fBdecnet\fR\fR
.ad
.sp .6
.RS 4n
True if the packet is a \fBDECNET\fR packet.
.RE

.sp
.ne 2
.na
\fB\fBgreater\fR \fIlength\fR\fR
.ad
.sp .6
.RS 4n
True if the packet is longer than \fIlength\fR.
.RE

.sp
.ne 2
.na
\fB\fBless\fR \fIlength\fR\fR
.ad
.sp .6
.RS 4n
True if the packet is shorter than \fIlength\fR.
.RE

.sp
.ne 2
.na
\fB\fBudp\fR, \fBtcp\fR, \fBicmp\fR, \fBicmp6\fR, \fBah\fR, \fBesp\fR\fR
.ad
.sp .6
.RS 4n
True if the \fBIP\fR or IPv6 protocol is of the appropriate type.
.RE

.sp
.ne 2
.na
\fB\fBnet\fR \fInet\fR\fR
.ad
.sp .6
.RS 4n
True if either the \fBIP\fR source or destination address has a network number
of \fInet\fR. The \fBfrom\fR or \fBto\fR qualifier may be used to select
packets for which the network number occurs only in the source or destination
address.
.RE

.sp
.ne 2
.na
\fB\fBport\fR \fIport\fR\fR
.ad
.sp .6
.RS 4n
True if either the source or destination port is \fIport\fR. The \fIport\fR may
be either a port number or name from \fB/etc/services\fR. The \fBtcp\fR or
\fBudp\fR primitives may be used to select \fBTCP\fR or \fBUDP\fR ports only.
The \fBfrom\fR or \fBto\fR qualifier may be used to select packets for which
the \fIport\fR occurs only as the source or destination.
.RE

.sp
.ne 2
.na
\fB\fBrpc\fR \fIprog\fR [ , \fIvers\fR [ , \fBproc\fR ] ]\fR
.ad
.sp .6
.RS 4n
True if the packet is an \fBRPC\fR call or reply packet for the protocol
identified by \fIprog\fR. The \fIprog\fR may be either the name of an \fBRPC\fR
protocol from \fB/etc/rpc\fR or a program number. The \fIvers\fR and \fBproc\fR
may be used to further qualify the program \fIversion\fR and \fIprocedure\fR
number, for example, \fBrpc nfs,2,0\fR selects all calls and replies for the
\fBNFS\fR null procedure. The \fBto\fR or \fBfrom\fR qualifier may be used to
select either call or reply packets only.
.RE

.sp
.ne 2
.na
\fB\fBzone\fR \fIzoneid\fR\fR
.ad
.sp .6
.RS 4n
True if \fIzoneid\fR matches either the source or destination \fIzoneid\fR of a
packet received on an \fBipnet\fR device.
.RE

.sp
.ne 2
.na
\fB\fBldap\fR\fR
.ad
.sp .6
.RS 4n
True if the packet is an \fBLDAP\fR packet on port 389.
.RE

.sp
.ne 2
.na
\fB\fBgateway\fR \fIhost\fR\fR
.ad
.sp .6
.RS 4n
True if the packet used \fIhost\fR as a gateway, that is, the Ethernet source
or destination address was for \fIhost\fR but not the \fBIP\fR address.
Equivalent to "\fBether host\fR \fIhost\fR and not host \fIhost\fR".
.RE

.sp
.ne 2
.na
\fB\fBnofrag\fR\fR
.ad
.sp .6
.RS 4n
True if the packet is unfragmented or is the first in a series of \fBIP\fR
fragments. Equivalent to \fBip[6:2] & 0x1fff = 0\fR.
.RE

.sp
.ne 2
.na
\fB\fIexpr\fR \fIrelop\fR \fIexpr\fR\fR
.ad
.sp .6
.RS 4n
True if the relation holds, where \fIrelop\fR is one of \fB>\fR, \fB<\fR,
\fB>=\fR, \fB<=\fR, \fB=\fR, \fB!=\fR, and \fBexpr\fR is an arithmetic
expression composed of numbers, packet field selectors, the \fBlength\fR
primitive, and arithmetic operators \fB+\fR, \fB\(mi\fR, \fB*\fR, \fB&\fR,
\fB|\fR, \fB^\fR, and \fB%\fR. The arithmetic operators within \fBexpr\fR are
evaluated before the relational operator and normal precedence rules apply
between the arithmetic operators, such as multiplication before addition.
Parentheses may be used to control the order of evaluation. To use the value of
a field in the packet use the following syntax:
.sp
.in +2
.nf
\fIbase\fR[\fBexpr\fR [\fB:\fR \fBsize\fR ] ]
.fi
.in -2
.sp

where \fBexpr\fR evaluates the value of an offset into the packet from a
\fIbase\fR offset which may be \fBether\fR, \fBip\fR, \fBip6\fR, \fBudp\fR,
\fBtcp\fR, or \fBicmp\fR. The \fBsize\fR value specifies the size of the field.
If not given, 1 is assumed. Other legal values are 2 and 4. For example,
.sp
.in +2
.nf
ether[0] & 1 = 1
.fi
.in -2

is equivalent to \fBmulticast\fR
.sp
.in +2
.nf
ether[2:4] = 0xffffffff
.fi
.in -2

is equivalent to \fBbroadcast\fR.
.sp
.in +2
.nf
ip[ip[0] & 0xf * 4 : 2] = 2049
.fi
.in -2

is equivalent to \fBudp[0:2] = 2049\fR
.sp
.in +2
.nf
ip[0] & 0xf > 5
.fi
.in -2

selects \fBIP\fR packets with options.
.sp
.in +2
.nf
ip[6:2] & 0x1fff = 0
.fi
.in -2

eliminates \fBIP\fR fragments.
.sp
.in +2
.nf
udp and ip[6:2]&0x1fff = 0 and udp[6:2] != 0
.fi
.in -2

finds all packets with \fBUDP\fR checksums.
.sp
The \fBlength\fR primitive may be used to obtain the length of the packet. For
instance "\fBlength > 60\fR" is equivalent to "\fBgreater 60\fR", and
"\fBether[length \(mi 1]\fR" obtains the value of the last byte in a packet.
.RE

.sp
.ne 2
.na
\fB\fBand\fR\fR
.ad
.sp .6
.RS 4n
Perform a logical \fBAND\fR operation between two boolean values. The \fBAND\fR
operation is implied by the juxtaposition of two boolean expressions, for
example "\fBdinky pinky\fR" is the same as "\fBdinky AND pinky\fR".
.RE

.sp
.ne 2
.na
\fB\fBor\fR or \fB,\fR\fR
.ad
.sp .6
.RS 4n
Perform a logical \fBOR\fR operation between two boolean values. A comma may be
used instead, for example, "\fBdinky,pinky\fR" is the same as "\fBdinky OR
pinky\fR".
.RE

.sp
.ne 2
.na
\fB\fBnot\fR or \fB!\fR\fR
.ad
.sp .6
.RS 4n
Perform a logical \fBNOT\fR operation on the following boolean value. This
operator is evaluated before \fBAND\fR or OR.
.RE

.sp
.ne 2
.na
\fB\fBslp\fR\fR
.ad
.sp .6
.RS 4n
True if the packet is an \fBSLP\fR packet.
.RE

.sp
.ne 2
.na
\fB\fBsctp\fR\fR
.ad
.sp .6
.RS 4n
True if the packet is an \fBSCTP\fR packet.
.RE

.sp
.ne 2
.na
\fB\fBospf\fR\fR
.ad
.sp .6
.RS 4n
True if the packet is an \fBOSPF\fR packet.
.RE

.RE

.SH EXAMPLES
.LP
\fBExample 1 \fRUsing the \fBsnoop\fR Command
.sp
.LP
Capture all packets and display them as they are received:

.sp
.in +2
.nf
example# \fBsnoop\fR
.fi
.in -2
.sp

.sp
.LP
Capture packets with host \fBfunky\fR as either the source or destination and
display them as they are received:

.sp
.in +2
.nf
example# \fBsnoop funky\fR
.fi
.in -2
.sp

.sp
.LP
Capture packets between \fBfunky\fR and \fBpinky\fR and save them to a file.
Then inspect the packets using times (in seconds) relative to the first
captured packet:

.sp
.in +2
.nf
example# \fBsnoop -o cap funky pinky\fR
example# \fBsnoop -i cap -t r | more\fR
.fi
.in -2
.sp

.sp
.LP
To look at selected packets in another capture file:

.sp
.in +2
.nf
example# \fBsnoop -i pkts -p 99,108\fR
 99   0.0027   boutique -> sunroof     NFS C GETATTR FH=8E6
100   0.0046   sunroof -> boutique     NFS R GETATTR OK
101   0.0080   boutique -> sunroof NFS C RENAME FH=8E6C MTra00192 to .nfs08
102   0.0102   marmot -> viper        NFS C LOOKUP FH=561E screen.r.13.i386
103   0.0072   viper -> marmot       NFS R LOOKUP No such file or directory
104   0.0085   bugbomb -> sunroof    RLOGIN C PORT=1023 h
105   0.0005   kandinsky -> sparky    RSTAT C Get Statistics
106   0.0004   beeblebrox -> sunroof  NFS C GETATTR FH=0307
107   0.0021   sparky -> kandinsky    RSTAT R
108   0.0073   office -> jeremiah      NFS C READ FH=2584 at 40960 for 8192
.fi
.in -2
.sp

.sp
.LP
To look at packet 101 in more detail:

.sp
.in +2
.nf
example# \fBsnoop -i pkts -v -p101\fR
ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 101 arrived at 16:09:53.59
ETHER:  Packet size = 210 bytes
ETHER:  Destination = 8:0:20:1:3d:94, Sun
ETHER:  Source      = 8:0:69:1:5f:e,  Silicon Graphics
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4, header length = 20 bytes
IP:   Type of service = 00
IP:         ..0. .... = routine
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 196 bytes
IP:   Identification 19846
IP:   Flags = 0X
IP:   .0.. .... = may fragment
IP:   ..0. .... = more fragments
IP:   Fragment offset = 0 bytes
IP:   Time to live = 255 seconds/hops
IP:   Protocol = 17 (UDP)
IP:   Header checksum = 18DC
IP:   Source address = 172.16.40.222, boutique
IP:   Destination address = 172.16.40.200, sunroof
IP:
UDP:  ----- UDP Header -----
UDP:
UDP:  Source port = 1023
UDP:  Destination port = 2049 (Sun RPC)
UDP:  Length = 176
UDP:  Checksum = 0
UDP:
RPC:  ----- SUN RPC Header -----
RPC:
RPC:  Transaction id = 665905
RPC:  Type = 0 (Call)
RPC:  RPC version = 2
RPC:  Program = 100003 (NFS), version = 2, procedure = 1
RPC:  Credentials: Flavor = 1 (Unix), len = 32 bytes
RPC:     Time = 06-Mar-90 07:26:58
RPC:     Hostname = boutique
RPC:     Uid = 0, Gid = 1
RPC:     Groups = 1
RPC:  Verifier   : Flavor = 0 (None), len = 0 bytes
RPC:
NFS:  ----- SUN NFS -----
NFS:
NFS:  Proc = 11 (Rename)
NFS:  File handle = 000016430000000100080000305A1C47
NFS:                597A0000000800002046314AFC450000
NFS:  File name = MTra00192
NFS:  File handle = 000016430000000100080000305A1C47
NFS:                597A0000000800002046314AFC450000
NFS:  File name = .nfs08
NFS:
.fi
.in -2
.sp

.sp
.LP
To view just the \fBNFS\fR packets between \fBsunroof\fR and \fBboutique\fR:

.sp
.in +2
.nf
example# \fBsnoop -i pkts rpc nfs and sunroof and boutique\fR
1   0.0000   boutique -> sunroof    NFS C GETATTR FH=8E6C
2   0.0046    sunroof -> boutique   NFS R GETATTR OK
3   0.0080   boutique -> sunroof   NFS C RENAME FH=8E6C MTra00192 to .nfs08
.fi
.in -2
.sp

.sp
.LP
To save these packets to a new capture file:

.sp
.in +2
.nf
example# \fBsnoop -i pkts -o pkts.nfs rpc nfs sunroof boutique\fR
.fi
.in -2
.sp

.sp
.LP
To view encapsulated packets, there will be an indicator of encapsulation:

.sp
.in +2
.nf
example# \fBsnoop ip-in-ip\fR
sunroof -> boutique ICMP Echo request    (1 encap)
.fi
.in -2
.sp

.sp
.LP
If -V is used on an encapsulated packet:

.sp
.in +2
.nf
example# \fBsnoop -V ip-in-ip\fR
sunroof -> boutique  ETHER Type=0800 (IP), size = 118 bytes
sunroof -> boutique  IP D=172.16.40.222 S=172.16.40.200 LEN=104, ID=27497
sunroof -> boutique  IP  D=10.1.1.2 S=10.1.1.1 LEN=84, ID=27497
sunroof -> boutique  ICMP Echo request
.fi
.in -2
.sp

.LP
\fBExample 2 \fRSetting Up A More Efficient Filter
.sp
.LP
To set up a more efficient filter, the following filters should be used toward
the end of the expression, so that the first part of the expression can be set
up in the kernel: \fBgreater\fR, \fBless\fR, \fBport\fR, \fBrpc\fR,
\fBnofrag\fR, and \fBrelop\fR. The presence of \fBOR\fR makes it difficult to
split the filtering when using these primitives that cannot be set in the
kernel. Instead, use parentheses to enforce the primitives that should be
\fBOR\fR'd.

.sp
.LP
To capture packets between \fBfunky\fR and \fBpinky\fR of type \fBtcp\fR or
\fBudp\fR on \fBport\fR 80:

.sp
.in +2
.nf
example# \fBsnoop funky and pinky and port 80 and tcp or udp\fR
.fi
.in -2
.sp

.sp
.LP
Since the primitive \fBport\fR cannot be handled by the kernel filter, and
there is also an \fBOR\fR in the expression, a more efficient way to filter is
to move the \fBOR\fR to the end of the expression and to use parentheses to
enforce the \fBOR\fR between \fBtcp\fR and \fBudp\fR:

.sp
.in +2
.nf
example# \fBsnoop funky and pinky and (tcp or udp) and port 80\fR
.fi
.in -2
.sp

.SH EXIT STATUS
.ne 2
.na
\fB\fB0\fR\fR
.ad
.RS 5n
Successful completion.
.RE

.sp
.ne 2
.na
\fB\fB1\fR\fR
.ad
.RS 5n
An error occurred.
.RE

.SH FILES
.ne 2
.na
\fB\fB/dev/audio\fR\fR
.ad
.RS 17n
Symbolic link to the system's primary audio device.
.RE

.sp
.ne 2
.na
\fB\fB/dev/null\fR\fR
.ad
.RS 17n
The null file.
.RE

.sp
.ne 2
.na
\fB\fB/etc/hosts\fR\fR
.ad
.RS 17n
Host name database.
.RE

.sp
.ne 2
.na
\fB\fB/etc/rpc\fR\fR
.ad
.RS 17n
RPC program number data base.
.RE

.sp
.ne 2
.na
\fB\fB/etc/services\fR\fR
.ad
.RS 17n
Internet services and aliases.
.RE

.SH SEE ALSO
.LP
\fBdladm\fR(1M), \fBifconfig\fR(1M), \fBnetstat\fR(1M), \fBhosts\fR(4),
\fBrpc\fR(4), \fBservices\fR(4), \fBattributes\fR(5), \fBaudio\fR(7I),
\fBipnet\fR(7D), \fBbufmod\fR(7M), \fBdlpi\fR(7P), \fBpfmod\fR(7M)
.sp
.LP
Callaghan, B. and Gilligan, R. \fIRFC 1761, Snoop Version 2 Packet Capture File
Format\fR. Network Working Group. February 1995.
.SH WARNINGS
.LP
The processing overhead is much higher for real-time packet interpretation.
Consequently, the packet drop count may be higher. For more reliable capture,
output raw packets to a file using the \fB-o\fR option and analyze the packets
offline.
.sp
.LP
Unfiltered packet capture imposes a heavy processing load on the host computer,
particularly if the captured packets are interpreted real-time. This processing
load further increases if verbose options are used. Since heavy use of
\fBsnoop\fR may deny computing resources to other processes, it should not be
used on production servers. Heavy use of \fBsnoop\fR should be restricted to a
dedicated computer.
.sp
.LP
\fBsnoop\fR does not reassemble \fBIP\fR fragments. Interpretation of higher
level protocol halts at the end of the first \fBIP\fR fragment.
.sp
.LP
\fBsnoop\fR may generate extra packets as a side-effect of its use. For example
it may use a network name service to convert \fBIP\fR addresses
to host names for display. Capturing into a file for later display can be used
to postpone the address-to-name mapping until after the capture session is
complete. Capturing into an NFS-mounted file may also generate extra packets.
.sp
.LP
Setting the \fBsnaplen\fR (\fB-s\fR option) to small values may remove header
information that is needed to interpret higher level protocols. The exact
cutoff value depends on the network and protocols being used. For \fBNFS\fR
Version 2 traffic using \fBUDP\fR on 10 Mb/s Ethernet, do not set \fBsnaplen\fR
less than 150 bytes. For \fBNFS\fR Version 3 traffic using \fBTCP\fR on 100
Mb/s Ethernet, \fBsnaplen\fR should be 250 bytes or more.
.sp
.LP
\fBsnoop\fR requires information from an \fBRPC\fR request to fully interpret
an \fBRPC\fR reply. If an \fBRPC\fR reply in a capture file or packet range
does not have a request preceding it, then only the \fBRPC\fR reply header will
be displayed.