Lines Matching +full:ethernet +full:- +full:port
10 snoop \- capture and inspect network packets
13 \fBsnoop\fR [\fB-afqrCDINPSvV\fR] [\fB-t\fR [r | a | d]] [\fB-c\fR \fImaxcount\fR]
14 [\fB-d\fR \fIdevice\fR] [\fB-i\fR \fIfilename\fR] [\fB-n\fR \fIfilename\fR]
15 [\fB-o\fR \fIfilename\fR | \fB-O\fR \fIprefix:count:size\fR]
16 …[\fB-p\fR \fIfirst\fR [, \fIlast\fR]] [\fB-s\fR \fIsnaplen\fR] [\fB-x\fR \fIoffset\fR [, \fIlength…
27 a file (which is \fIRFC 1761\fR-compliant) for later inspection.
30 \fBsnoop\fR can display packets in a single-line summary form or in verbose
31 multi-line forms. In summary form, with the exception of certain VLAN packets,
33 packet has a VLAN header and its VLAN ID is non-zero, then \fBsnoop\fR will
37 Ethernet frame information is suppressed, but can be displayed if either of the
49 \fB\fB-C\fR\fR
60 \fB\fB-D\fR\fR
70 \fB\fB-N\fR\fR
74 Create an \fBIP\fR address-to-name file from a capture file. This must be set
75 together with the \fB-i\fR option that names a capture file. The
76 address-to-name file has the same name as the capture file with \fB\&.names\fR
86 \fB\fB-I\fR \fIinterface\fR\fR
92 used to list available IP interfaces. The \fB-I\fR and \fB-d\fR options are
99 \fB\fB-P\fR\fR
103 Capture packets in non-promiscuous mode. Only broadcast, multicast, or packets
110 \fB\fB-S\fR\fR
120 \fB\fB-V\fR\fR
131 summary lines, enter the following: \fBexample#\fR \fBsnoop -i rpc.cap -V |
138 \fB\fB-a\fR\fR
148 \fB\fB-c\fR \fImaxcount\fR\fR
153 there is no disk space left or until interrupted with Control-C.
159 \fB\fB-d\fR \fIdatalink\fR\fR
163 Capture link-layer packets from the network using the DLPI datalink specified
165 \fBshow-link\fR subcommand can be used to list available datalinks. The
166 \fB-d\fR and \fB-I\fR options are mutually exclusive.
172 \fB\fB-f\fR\fR
184 \fB\fB-i\fR \fIfilename\fR\fR
191 the \fBsnoop\fR \fBIP\fR address-to-name mapping table (See \fB-N\fR flag).
197 \fB\fB-n\fR \fIfilename\fR\fR
201 Use \fIfilename\fR as an \fBIP\fR address-to-name mapping table. This file must
209 \fB\fB-o\fR \fIfilename\fR\fR
215 file is RFC 1761-compliant. During packet capture, a count of the number of
223 \fB\fB-O\fR \fIprefix\fR:\fIcount\fR:\fIsize\fR\fR
228 \fIprefix-??.snoop\fR with just over \fIsize\fR data in each.
229 The \fIcount\fR must be in [1-100].
239 stored in 20 files named \fBtest1-??.snoop\fR, run:
242 \fBexample%\fR \fBsnoop -O test1:20:10m ...\fR
250 \fBexample%\fR \fBmergecap -w test1.pcap test1-??.snoop\fR
260 \fB\fB-p\fR \fIfirst\fR [ , \fBlast\fR ]\fR
271 \fB\fB-q\fR\fR
282 \fB\fB-r\fR\fR
288 packets. However, if the \fB-n\fR option is used, and an address is found in
295 \fB\fB-s\fR \fIsnaplen\fR\fR
313 \fB\fB-t\fR [ \fBr\fR | \fBa\fR | \fBd\fR ]\fR
317 Time-stamp presentation. Time-stamps are accurate to within 4 microseconds. The
319 receiving the previous packet). Option \fBa\fR (absolute) gives wall-clock
321 displayed. This can be used with the \fB-p\fR option to display time relative
328 \fB\fB-v\fR\fR
339 \fB\fB\fR\fB-x\fR\fIoffset\fR [ , \fIlength\fR]\fR
371 packet filter for \fBsnoop\fR. The \fB-C\fR flag can be used to view generated
373 \fBsnoop\fR. If packets are read from a capture file using the \fB-i\fR option,
426 Literal addresses, \fBIP\fR dotted, AppleTalk dotted, and Ethernet colon are
451 "\fB8:0:20:f:b1:51\fR" matches all packets with the Ethernet address as source
454 An Ethernet address beginning with a letter is interpreted as a hostname. To
456 Ethernet address is \fBaa:0:45:23:52:44\fR, then specify it by adding a leading
468 \fIatalkaddr\fR, \fIetheraddr\fR, \fBport\fR or \fBrpc\fR primitive to match
469 just the source address, port, or \fBRPC\fR reply.
480 \fIatalkaddr\fR, \fIetheraddr\fR, \fBport\fR or \fBrpc\fR primitive to match
481 just the destination address, port, or \fBRPC\fR call.
492 to an Ethernet address. Normally, \fBIP\fR address matching is performed. This
503 True if the Ethernet type field has value \fInumber\fR. If \fInumber\fR is not
505 encapsulated Ethernet type.
531 \fB\fBvlan-id\fR \fIid\fR\fR
556 0xffffffff\fR for Ethernet. This option is not supported on media such as IPoIB
568 1\fR" on Ethernet. This option is not supported on media such as IPoIB (IP over
579 True if the packet is an unfragmented IPv4 UDP packet with either a source port
580 of \fBBOOTPS (67)\fR and a destination port of \fBBOOTPC (68)\fR, or a source
581 port of \fBBOOTPC (68)\fR and a destination of \fBBOOTPS (67)\fR.
591 True if the packet is an unfragmented IPv6 UDP packet with either a source port
592 of \fBDHCPV6-SERVER\fR (547) and a destination port of \fBDHCPV6-CLIENT\fR
593 (546), or a source port of \fBDHCPV6-CLIENT\fR (546) and a destination of
594 \fBDHCPV6-SERVER\fR (547).
664 \fB\fBport\fR \fIport\fR\fR
668 True if either the source or destination port is \fIport\fR. The \fIport\fR may
669 be either a port number or name from \fB/etc/services\fR. The \fBtcp\fR or
672 the \fIport\fR occurs only as the source or destination.
709 True if the packet is an \fBLDAP\fR packet on port 389.
719 True if the packet used \fIhost\fR as a gateway, that is, the Ethernet source
920 example# \fBsnoop -o cap funky pinky\fR
921 example# \fBsnoop -i cap -t r | more\fR
933 example# \fBsnoop -i pkts -p 99,108\fR
934 99 0.0027 boutique -> sunroof NFS C GETATTR FH=8E6
935 100 0.0046 sunroof -> boutique NFS R GETATTR OK
936 101 0.0080 boutique -> sunroof NFS C RENAME FH=8E6C MTra00192 to .nfs08
937 102 0.0102 marmot -> viper NFS C LOOKUP FH=561E screen.r.13.i386
938 103 0.0072 viper -> marmot NFS R LOOKUP No such file or directory
939 104 0.0085 bugbomb -> sunroof RLOGIN C PORT=1023 h
940 105 0.0005 kandinsky -> sparky RSTAT C Get Statistics
941 106 0.0004 beeblebrox -> sunroof NFS C GETATTR FH=0307
942 107 0.0021 sparky -> kandinsky RSTAT R
943 108 0.0073 office -> jeremiah NFS C READ FH=2584 at 40960 for 8192
955 example# \fBsnoop -i pkts -v -p101\fR
956 ETHER: ----- Ether Header -----
964 IP: ----- IP Header -----
984 UDP: ----- UDP Header -----
986 UDP: Source port = 1023
987 UDP: Destination port = 2049 (Sun RPC)
991 RPC: ----- SUN RPC Header -----
998 RPC: Time = 06-Mar-90 07:26:58
1004 NFS: ----- SUN NFS -----
1025 example# \fBsnoop -i pkts rpc nfs and sunroof and boutique\fR
1026 1 0.0000 boutique -> sunroof NFS C GETATTR FH=8E6C
1027 2 0.0046 sunroof -> boutique NFS R GETATTR OK
1028 3 0.0080 boutique -> sunroof NFS C RENAME FH=8E6C MTra00192 to .nfs08
1040 example# \fBsnoop -i pkts -o pkts.nfs rpc nfs sunroof boutique\fR
1052 example# \fBsnoop ip-in-ip\fR
1053 sunroof -> boutique ICMP Echo request (1 encap)
1060 If -V is used on an encapsulated packet:
1065 example# \fBsnoop -V ip-in-ip\fR
1066 sunroof -> boutique ETHER Type=0800 (IP), size = 118 bytes
1067 sunroof -> boutique IP D=172.16.40.222 S=172.16.40.200 LEN=104, ID=27497
1068 sunroof -> boutique IP D=10.1.1.2 S=10.1.1.1 LEN=84, ID=27497
1069 sunroof -> boutique ICMP Echo request
1080 up in the kernel: \fBgreater\fR, \fBless\fR, \fBport\fR, \fBrpc\fR,
1089 \fBudp\fR on \fBport\fR 80:
1094 example# \fBsnoop funky and pinky and port 80 and tcp or udp\fR
1101 Since the primitive \fBport\fR cannot be handled by the kernel filter, and
1109 example# \fBsnoop funky and pinky and (tcp or udp) and port 80\fR
1190 For all options except \fB-O\fR.
1209 The processing overhead is much higher for real-time packet interpretation.
1211 output raw packets to a file using the \fB-o\fR option and analyze the packets
1216 particularly if the captured packets are interpreted real-time. This processing
1227 \fBsnoop\fR may generate extra packets as a side-effect of its use. For example
1230 to postpone the address-to-name mapping until after the capture session is
1231 complete. Capturing into an NFS-mounted file may also generate extra packets.
1234 Setting the \fBsnaplen\fR (\fB-s\fR option) to small values may remove header
1237 Version 2 traffic using \fBUDP\fR on 10 Mb/s Ethernet, do not set \fBsnaplen\fR
1239 Mb/s Ethernet, \fBsnaplen\fR should be 250 bytes or more.