Header RSS Feed
 
If you only want to see the articles of a certain category, please click on the desired category below:
ALL Android Backup BSD Database Hacks Hardware Internet Linux Mail MySQL Monitoring Network Personal PHP Proxy Shell Solaris Unix Virtualization VMware Windows Wyse

Looking for tcpdump on Solaris? Use snoop!
Friday - Jul 12th 2013 - by - (1 comments)

Just tried to troubleshoot high network usage on an old Solaris server and, naturally, typed the command tcpdump. Sadness hit me - tcpdump doesn't exist on Solaris. 

But there's snoop on Solaris, which seems to be a worthy alternative of tcpdump. At least I could figure out what was going on and pin-point the causing process.

So on Linux I'd have done:

linux:~ # tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:30:39.469512 IP 192.168.252.85.44326 > server01.ssh: Flags [P.], seq 196273793:196273857, ack 1276950350, win 331, options [nop,nop,TS val 1545899889 ecr 852624366], length 64
10:30:39.470948 IP server01.ssh > 192.168.252.85.44326: Flags [P.], seq 1:33, ack 64, win 49248, options [nop,nop,TS val 852625868 ecr 1545899889], length 32
10:30:39.470963 IP 192.168.252.85.44326 > server01.ssh: Flags [.], ack 33, win 331, options [nop,nop,TS val 1545899890 ecr 852625868], length 0
10:30:39.471084 ARP, Request who-has 192.168.252.53 tell 192.168.252.85, length 28

And on Solaris using snoop:

(solaris </root>) 1 # snoop -d back0
Using device back0 (promiscuous mode)
           ? -> (multicast)  ETHER Type=0000 (LLC/802.3), size=52 bytes
           ? -> (multicast)  ETHER Type=0000 (LLC/802.3), size=52 bytes
           ? -> (multicast)  ETHER Type=0000 (LLC/802.3), size=52 bytes
           ? -> (multicast)  ETHER Type=2000 (Unknown), size=401 bytes
           ? -> (multicast)  ETHER Type=0000 (LLC/802.3), size=52 bytes
 10.10.90.28 -> (broadcast)  ARP C Who is 10.10.90.28, 10.10.90.28 ?


 

Add a comment

Show form to leave a comment

Comments (newest first):

Alexander from Schweiz wrote on Jul 12th, 2013:
Yep, snoop is a "worthy alternative" to tcpdump. With "snoop -o file " you can redirect ouput to a file (just like "-w file" for writing to a file with tcpdump).
And such a file can then be opened with Wireshark for further analysis.


Go to Homepage home
Linux Howtos how to's
Monitoring Plugins monitoring plugins
Links links

Valid HTML 4.01 Transitional
Valid CSS!
[Valid RSS]

7576 Days
until Death of Computers
Why?