Looking for tcpdump on Solaris? Use snoop!

Written by - 1 comments

Published on - Listed in Linux Solaris Shell Network Unix

Just tried to troubleshoot high network usage on an old Solaris server and, naturally, typed the command tcpdump. Sadness hit me: tcpdump doesn't exist on Solaris.

But there's snoop on Solaris, which seems to be a worthy alternative to tcpdump. At least I could figure out what was going on and pinpoint the process responsible.

So on Linux I'd have done:

linux:~ # tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:30:39.469512 IP > server01.ssh: Flags [P.], seq 196273793:196273857, ack 1276950350, win 331, options [nop,nop,TS val 1545899889 ecr 852624366], length 64
10:30:39.470948 IP server01.ssh > Flags [P.], seq 1:33, ack 64, win 49248, options [nop,nop,TS val 852625868 ecr 1545899889], length 32
10:30:39.470963 IP > server01.ssh: Flags [.], ack 33, win 331, options [nop,nop,TS val 1545899890 ecr 852625868], length 0
10:30:39.471084 ARP, Request who-has tell, length 28

And on Solaris using snoop:

(solaris </root>) 1 # snoop -d back0
Using device back0 (promiscuous mode)
           ? -> (multicast)  ETHER Type=0000 (LLC/802.3), size=52 bytes
           ? -> (multicast)  ETHER Type=0000 (LLC/802.3), size=52 bytes
           ? -> (multicast)  ETHER Type=0000 (LLC/802.3), size=52 bytes
           ? -> (multicast)  ETHER Type=2000 (Unknown), size=401 bytes
           ? -> (multicast)  ETHER Type=0000 (LLC/802.3), size=52 bytes
             -> (broadcast)  ARP C Who is, ?
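To go from "something is noisy on the wire" to "which host pair is responsible", here is an added example (not from the original post) that aggregates snoop's one-line summary output into per-conversation packet and byte counts, busiest first. The capture lines embedded in it are constructed; it assumes snoop's summary form of "src -> dst  PROTO ..." and that Len= (TCP payload) and size= (raw ETHER frames) are the byte counts snoop prints in that mode.

```shell
#!/bin/sh
# Constructed sample of snoop summary output, one line per packet, as
# "snoop -d back0" or "snoop -i capture.snoop" prints it. Addresses and
# ports are made up for this example.
SAMPLE_SNOOP='192.0.2.10 -> 192.0.2.50   TCP D=22 S=51234 Push Ack=1276950350 Seq=196273793 Len=64 Win=331
192.0.2.50 -> 192.0.2.10   TCP D=51234 S=22 Push Ack=196273857 Seq=1 Len=32 Win=49248
192.0.2.10 -> 192.0.2.50   TCP D=22 S=51234 Ack=33 Seq=196273857 Len=0 Win=331
198.51.100.7 -> 192.0.2.50  NFS C GETATTR3 FH=0A1B
192.0.2.50 -> 198.51.100.7  NFS R GETATTR3 OK
198.51.100.7 -> 192.0.2.50  TCP D=2049 S=1023 Push Ack=1 Seq=1 Len=1460 Win=8760
198.51.100.7 -> 192.0.2.50  TCP D=2049 S=1023 Push Ack=1 Seq=1461 Len=1460 Win=8760
            ? -> (multicast)  ETHER Type=0000 (LLC/802.3), size=52 bytes
            ? -> (broadcast)  ARP C Who is 192.0.2.1, 192.0.2.1 ?'

# Read snoop summary lines on stdin and print "packets bytes src -> dst"
# per conversation, sorted busiest first. Bytes are summed from Len= or
# size= fields where present; lines without either (ARP, NFS) add 0 bytes.
snoop_top_talkers() {
    awk '
    $2 == "->" {
        key = $1 " -> " $3
        pkts[key]++
        bytes[key] += 0
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^Len=[0-9]+$/)  { sub(/^Len=/,  "", $i); bytes[key] += $i }
            if ($i ~ /^size=[0-9]+$/) { sub(/^size=/, "", $i); bytes[key] += $i }
        }
    }
    END { for (k in pkts) printf "%d %d %s\n", pkts[k], bytes[k], k }
    ' | sort -k1,1nr -k2,2nr
}

# Top line of the report for the embedded sample, i.e. the chattiest pair.
busiest_conversation() {
    printf '%s\n' "$SAMPLE_SNOOP" | snoop_top_talkers | head -n 1
}

# Number of distinct conversations seen in the embedded sample.
conversation_count() {
    printf '%s\n' "$SAMPLE_SNOOP" | snoop_top_talkers | grep -c .
}
```

On a live box, capture first with something like `snoop -r -d back0 -c 2000 -o /tmp/cap.snoop` (-r skips name lookups so the capture itself doesn't add DNS traffic), then feed `snoop -i /tmp/cap.snoop` into snoop_top_talkers.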

Comments (newest first)

Alexander from Schweiz wrote on Jul 12th, 2013:

Yep, snoop is a "worthy alternative" to tcpdump. With "snoop -o file …" you can redirect output to a file (just like "-w file" for writing to a file with tcpdump).
And such a file can then be opened with Wireshark for further analysis.