Looking for tcpdump on Solaris? Use snoop!

Written by - 1 comments

Published on - Listed in Linux Solaris Shell Network Unix


Just tried to troubleshoot high network usage on an old Solaris server and, naturally, typed the command tcpdump. Sadness hit me - tcpdump doesn't exist on Solaris. 

But there's snoop on Solaris, which seems to be a worthy alternative of tcpdump. At least I could figure out what was going on and pin-point the causing process.

So on Linux I'd have done:

linux:~ # tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:30:39.469512 IP 192.168.252.85.44326 > server01.ssh: Flags [P.], seq 196273793:196273857, ack 1276950350, win 331, options [nop,nop,TS val 1545899889 ecr 852624366], length 64
10:30:39.470948 IP server01.ssh > 192.168.252.85.44326: Flags [P.], seq 1:33, ack 64, win 49248, options [nop,nop,TS val 852625868 ecr 1545899889], length 32
10:30:39.470963 IP 192.168.252.85.44326 > server01.ssh: Flags [.], ack 33, win 331, options [nop,nop,TS val 1545899890 ecr 852625868], length 0
10:30:39.471084 ARP, Request who-has 192.168.252.53 tell 192.168.252.85, length 28

And on Solaris using snoop:

(solaris </root>) 1 # snoop -d back0
Using device back0 (promiscuous mode)
           ? -> (multicast)  ETHER Type=0000 (LLC/802.3), size=52 bytes
           ? -> (multicast)  ETHER Type=0000 (LLC/802.3), size=52 bytes
           ? -> (multicast)  ETHER Type=0000 (LLC/802.3), size=52 bytes
           ? -> (multicast)  ETHER Type=2000 (Unknown), size=401 bytes
           ? -> (multicast)  ETHER Type=0000 (LLC/802.3), size=52 bytes
 10.10.90.28 -> (broadcast)  ARP C Who is 10.10.90.28, 10.10.90.28 ?



Add a comment

Show form to leave a comment

Comments (newest first)

Alexander from Schweiz wrote on Jul 12th, 2013:

Yep, snoop is a "worthy alternative" to tcpdump. With "snoop -o file …" you can redirect ouput to a file (just like "-w file" for writing to a file with tcpdump).
And such a file can then be opened with Wireshark for further analysis.


RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Office   OpenSearch   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder