Newsletter > October 2006 > Spotlight on Solaris - snoop Command

Spotlight On: snoop Command
by Bill Calkins

After taking the Solaris 10 System Administrator Certification Exam Part 2 (CX-310-202), one reader mentioned that he was asked five different questions on the snoop command. Those of you planning to go for the SCSA for Solaris 10, make sure you're familiar with this command and a few of the more common options. While trying to keep it brief, here's some info on snoop: snoop is a network monitoring utility that captures network packets passing through a network interface and displays the contents of the packets.

First, what's a packet? A network packet is the unit of data that is routed between an originating system and a destination system on a network. Information sent across a network is broken into small chunks for efficient routing. Each packet is numbered and includes the internet address of the destination system. These packets take many routes through the internet and are reassembled into the original file once they reach their final destination.

A system administrator can use the snoop utility to capture and inspect network packets. Sometimes it's used in a bad way to view login information as it is passed across a network, but usually it's used in a good way to help the system admin troubleshoot a network issue.

For example, let's say that you're having trouble establishing an FTP session to another system on the network. You've used the ifconfig command to display the network interface configuration for the device hme0, to make sure your network interface is plumbed, up, and has an IP address assigned to it, as follows:

# ifconfig hme0
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet netmask ffffff00 broadcast
        ether 8:0:20:a2:63:82

hme0 is the network interface and its IP address is set to the value shown in the inet field above. Everything on the local system looks fine.

You use the ping command to verify that you can contact the destination system and it reports the following:

# ping -s
PING 56 data bytes
64 bytes from icmp_seq=0. time=1.50 ms
64 bytes from icmp_seq=1. time=1.08 ms
64 bytes from icmp_seq=2. time=1.07 ms
64 bytes from icmp_seq=3. time=1.08 ms

The remote system appears to be responding fine.

On my local system named ultra5, IP address, I open a window and start up snoop to monitor the local network interface and see what's going on, as follows:

# snoop

(I could also use snoop -d hme0 to name the interface explicitly.)

In another window, on the same local system, I try to establish an FTP session to the remote server. The snoop window displays the following:

Using device /dev/hme (promiscuous mode)

      ultra5 -> FTP C port=32782 -> ultra5       FTP R port=32782
      ultra5 -> FTP C port=32782 -> ultra5       FTP R port=32782 220-Microsoft FTP Se
      ultra5 -> FTP C port=32782 -> ultra5       FTP R port=32782 220 Secure Site\r\n
      ultra5 -> FTP C port=32782
      ultra5 -> FTP C port=32782 USER root\r\n -> ultra5       FTP R port=32782 331 Password require
      ultra5 -> FTP C port=32782
      ultra5 -> FTP C port=32782 PASS junk\r\n -> ultra5       FTP R port=32782 530 User root cannot
      ultra5 -> FTP C port=32782 SYST\r\n -> ultra5       FTP R port=32782 530 Please login wit
      ultra5 -> FTP C port=32782

Note: 'promiscuous' mode just means that the network card accepts all packets passing on the network cable, not only those addressed to it. Because this can raise privacy issues, only root can access this functionality.

You can see the FTP session started on port 32782, so the FTP server appears to be running and responding properly. A user name is supplied: root, then a password is supplied: junk. I get an error on my system that says:
530 User root cannot log in.
Login failed.

When I look back at the previous snoop data, it doesn't specifically tell me the problem, other than "User cannot log in". I have however verified that the FTP server is responding. After reviewing the message, I determine that I may be supplying the wrong login information. I try again, this time supplying the correct password and snoop displays:

ultra5 -> FTP C port=32783 USER root\r\n -> ultra5       FTP R port=32783 331 Password require
      ultra5 -> FTP C port=32783
      ultra5 -> FTP C port=32783 PASS FOO01\r\n -> ultra5       FTP R port=32783 230 User root logged
      ultra5 -> FTP C port=32783 SYST\r\n -> ultra5       FTP R port=32783 215 Windows_NT\r\n
      ultra5 -> FTP C port=32783

FTP, like telnet, is an insecure network connection: the login information is passed across the network with no encryption. It is easily picked up by a network sniffer like snoop, so a word of caution is in order. Use secure FTP and secure shell so that this information is not sent out for anyone to capture.
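To show how a defender can turn a snoop trace like the one above into an alert, here is an added example (not part of the original article) that parses snoop FTP summary lines, groups them by client port, and reports each session in which a password crossed the wire in the clear, without ever storing or printing the password itself. The sample trace is constructed to mirror the article's two sessions; 192.0.2.20 is a documentation address standing in for the FTP server, and the line format is assumed to match snoop's summary output.

```python
import re

# Constructed sample of snoop summary output, modelled on the article's FTP
# trace (192.0.2.20 is a documentation address standing in for the server).
SAMPLE_SNOOP = """\
      ultra5 -> 192.0.2.20 FTP C port=32782
 192.0.2.20 -> ultra5     FTP R port=32782 220 Secure Site\\r\\n
      ultra5 -> 192.0.2.20 FTP C port=32782 USER root\\r\\n
 192.0.2.20 -> ultra5     FTP R port=32782 331 Password required
      ultra5 -> 192.0.2.20 FTP C port=32782 PASS junk\\r\\n
 192.0.2.20 -> ultra5     FTP R port=32782 530 User root cannot log in
      ultra5 -> 192.0.2.20 FTP C port=32783 USER root\\r\\n
 192.0.2.20 -> ultra5     FTP R port=32783 331 Password required
      ultra5 -> 192.0.2.20 FTP C port=32783 PASS FOO01\\r\\n
 192.0.2.20 -> ultra5     FTP R port=32783 230 User root logged in
"""

# src -> dst  FTP C|R port=NNNN <payload>, with snoop's literal \r\n trimmed
LINE_RE = re.compile(r'^\s*(\S+) -> (\S+)\s+FTP ([CR]) port=(\d+)\s*(.*?)(?:\\r\\n)?\s*$')

def parse_ftp_sessions(snoop_text):
    """Group snoop FTP summary lines by client port and record the auth exchange."""
    sessions = {}
    for line in snoop_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, direction, port, payload = m.groups()
        s = sessions.setdefault(port, {"client": None, "server": None, "user": None,
                                       "password_seen": False, "result": None})
        if direction == "C":
            s["client"], s["server"] = src, dst
            if payload.startswith("USER "):
                s["user"] = payload[5:]
            elif payload.startswith("PASS "):
                s["password_seen"] = True   # record the exposure, never the secret
        elif payload[:3] in ("230", "530"):
            s["result"] = "success" if payload.startswith("230") else "failed"
    return sessions

def cleartext_findings(sessions):
    """One alert line per session in which a password was sent unencrypted."""
    findings = []
    for port, s in sessions.items():
        if s["password_seen"]:
            findings.append(f"cleartext FTP password for user '{s['user']}' "
                            f"{s['client']} -> {s['server']} port {port} "
                            f"(login {s['result'] or 'unknown'})")
    return findings
```

Feeding it real output (snoop piped through the parser, or a capture written with -o and read back) gives a quick inventory of which users and hosts still authenticate over plain FTP and should be moved to SFTP or SSH.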

Here are a few options to use when running snoop:

-d <device>  Name the device to capture on. For example, use snoop -d hme0 to examine packets on the hme0 interface.
-v           Verbose mode. Without -v, you'll only see summary information. Use -v to see lots and lots of data.
-o <filename>  Write the snoop data to a file rather than to standard output.

At the end of the snoop command, you can use expressions. Here are a few to be aware of:

broadcast  Only display broadcast packets. For example:
snoop -d hme0 broadcast

Examine packets by filtering the snoop data. For example, to display only packets that pertain to IP address, use the following syntax:
snoop -d hme0

This should be all you need to carry out some simple network troubleshooting and to get you through the exam on test day.

If you have questions or comments regarding this article or would like to submit a question or topic for future discussion, please email me at