Newsletter > October 2006 > Spotlight on Solaris - snoop Command
Spotlight On: snoop Command
by Bill Calkins

After taking the Solaris 10 System Administrator Certification Exam Part 2 (CX-310-202), one reader mentioned that he was asked five different questions on the snoop command. Those of you planning to go for the SCSA for Solaris 10, make sure you're familiar with this command and a few of the more common options. While trying to keep it brief, here's some info on snoop: snoop is a network monitoring utility that captures network packets passing through a network interface and displays the contents of the packets.

First, what's a packet? A network packet is the unit of data that is routed between an originating system and a destination system on a network. Information sent across a network is broken into small chunks for efficient routing. Each packet is numbered and includes the internet address of the destination system. These packets take many routes through the internet and are reassembled into the original file once they reach their final destination.

A system administrator can use the snoop utility to capture and inspect network packets. Sometimes it's used in a bad way to view login information as it is passed across a network, but usually it's used in a good way to help the system admin troubleshoot a network issue.

For example, let's say that you're having trouble establishing an FTP session on another system on the network. You've used the ifconfig command to display the network interface configuration for the device hme0 to make sure your network interface is plumbed, up and has an IP address assigned to it as follows:

# ifconfig hme0
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.198 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:a2:63:82

hme0 is the network interface and its IP address is set to 192.168.1.198. Everything on the local system looks fine.

You use the ping command to verify that you can contact the destination system and it reports the following:

# ping -s 192.168.1.1
PING 192.168.1.1: 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0. time=1.50 ms
64 bytes from 192.168.1.1: icmp_seq=1. time=1.08 ms
64 bytes from 192.168.1.1: icmp_seq=2. time=1.07 ms
64 bytes from 192.168.1.1: icmp_seq=3. time=1.08 ms

The remote system appears to be responding fine.

On my local system named ultra5, IP address 192.168.1.198, I open a window and start up snoop to monitor the local network interface to see what's going on, as follows:

snoop 192.168.1.198

(I could also use snoop -d hme0.)

In another window, on the same local system, I try to establish an FTP session on the remote server (192.168.1.250). The snoop window displays the following:

Using device /dev/hme (promiscuous mode)
ftp 192.168.1.1

      ultra5 -> 192.168.1.250 FTP C port=32782
192.168.1.250 -> ultra5       FTP R port=32782
      ultra5 -> 192.168.1.250 FTP C port=32782
192.168.1.250 -> ultra5       FTP R port=32782 220-Microsoft FTP Se
      ultra5 -> 192.168.1.250 FTP C port=32782
192.168.1.250 -> ultra5       FTP R port=32782 220 Secure Site\r\n
      ultra5 -> 192.168.1.250 FTP C port=32782
      ultra5 -> 192.168.1.250 FTP C port=32782 USER root\r\n
192.168.1.250 -> ultra5       FTP R port=32782 331 Password require
      ultra5 -> 192.168.1.250 FTP C port=32782
      ultra5 -> 192.168.1.250 FTP C port=32782 PASS junk\r\n
192.168.1.250 -> ultra5       FTP R port=32782 530 User root cannot
      ultra5 -> 192.168.1.250 FTP C port=32782 SYST\r\n
192.168.1.250 -> ultra5       FTP R port=32782 530 Please login wit
      ultra5 -> 192.168.1.250 FTP C port=32782

Note: 'promiscuous' mode just means that the network card accepts every packet passing along the network segment, not only those addressed to it. This operation can cause privacy issues; therefore, only root can use this functionality.

You can see the FTP session started on port 32782, so the FTP server appears to be running and responding properly. A user name is supplied (root), then a password is supplied (junk). I get an error on my system that says:
530 User root cannot log in.
Login failed.
ftp>

When I look back at the previous snoop data, it doesn't specifically tell me the problem, other than "User cannot log in". I have however verified that the FTP server is responding. After reviewing the message, I determine that I may be supplying the wrong login information. I try again, this time supplying the correct password and snoop displays:

      ultra5 -> 192.168.1.250 FTP C port=32783 USER root\r\n
192.168.1.250 -> ultra5       FTP R port=32783 331 Password require
      ultra5 -> 192.168.1.250 FTP C port=32783
      ultra5 -> 192.168.1.250 FTP C port=32783 PASS FOO01\r\n
192.168.1.250 -> ultra5       FTP R port=32783 230 User root logged
      ultra5 -> 192.168.1.250 FTP C port=32783 SYST\r\n
192.168.1.250 -> ultra5       FTP R port=32783 215 Windows_NT\r\n
      ultra5 -> 192.168.1.250 FTP C port=32783

FTP, like telnet, is an insecure network protocol: the login information is passed across the network with no encryption and is easily picked up by a network sniffer like snoop, so a word of caution is in order. Use secure FTP and secure shell so that this information is not sent out for anyone to capture.
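As an added example (not code from the original article), here is a small Python script that parses snoop's FTP summary lines in the format shown above and reports every control session in which a USER/PASS pair crossed the wire in cleartext, together with whether the server accepted it. The sample lines are constructed from the output above; pipe the output of snoop -o into it on a real system to find out which hosts still authenticate over plain FTP.

```python
import re

# Constructed sample in snoop's summary-line format (modelled on the output above, not a real capture).
SAMPLE = r"""
      ultra5 -> 192.168.1.250 FTP C port=32782
192.168.1.250 -> ultra5       FTP R port=32782 220 Secure Site\r\n
      ultra5 -> 192.168.1.250 FTP C port=32782 USER root\r\n
192.168.1.250 -> ultra5       FTP R port=32782 331 Password require
      ultra5 -> 192.168.1.250 FTP C port=32782 PASS junk\r\n
192.168.1.250 -> ultra5       FTP R port=32782 530 User root cannot
      ultra5 -> 192.168.1.250 FTP C port=32783 USER root\r\n
192.168.1.250 -> ultra5       FTP R port=32783 331 Password require
      ultra5 -> 192.168.1.250 FTP C port=32783 PASS FOO01\r\n
192.168.1.250 -> ultra5       FTP R port=32783 230 User root logged
"""

# src -> dst FTP C|R port=N [payload]; C = client command, R = server reply
LINE_RE = re.compile(r"^\s*(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+FTP\s+(?P<dir>[CR])"
                     r"\s+port=(?P<port>\d+)(?:\s+(?P<payload>.*?))?\s*$")

def parse_line(line):
    """Parse one snoop FTP summary line; return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    payload = m.group("payload") or ""
    if payload.endswith("\\r\\n"):        # snoop prints CRLF as the literal text \r\n
        payload = payload[:-4]
    return m.group("src"), m.group("dst"), m.group("dir"), int(m.group("port")), payload

def find_cleartext_logins(text):
    """Group lines by control session (client port); report sessions with a visible USER/PASS pair."""
    sessions = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, direction, port, payload = parsed
        s = sessions.setdefault(port, {"client": None, "server": None, "user": None,
                                       "password_sent": False, "result": None})
        if direction == "C":
            s["client"], s["server"] = src, dst
            if payload.startswith("USER "):
                s["user"] = payload[5:]
            elif payload.startswith("PASS "):
                s["password_sent"] = True   # the value is readable here; deliberately not recorded
        elif payload[:3] in ("230", "530"):   # server's final verdict on the login
            s["result"] = "success" if payload[:3] == "230" else "failure"
    return [dict(port=p, **s) for p, s in sorted(sessions.items()) if s["password_sent"]]
```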

Here are a few options to use when using snoop:

-d <device>    Enter the device name rather than the IP address. For example, use snoop -d hme0 to examine packets on the hme0 interface.
-v             Verbose mode. Without -v, you'll only see summary information. Use -v to see lots and lots of data.
-o <filename>  Send snoop data to a file rather than standard output.

At the end of the snoop command, you can use expressions. Here are a few to be aware of:

broadcast      Only display broadcast packets. For example:
               snoop -d hme0 broadcast

<filter>       Examine packets by filtering snoop data. For example, to only display packets that pertain to IP address 192.168.1.1, use the following syntax:
               snoop -d hme0 192.168.1.1

This should be all you need to carry out some simple network troubleshooting and to get you through the exam on test day.

If you have questions or comments regarding this article or would like to submit a question or topic for future discussion, please email me at billcalkins@stsolutions.com