Download - Networking Snoop

Transcript
  • 7/31/2019 Networking Snoop

    Snoop

    Usage: snoop
      [ -a ]                  # Listen to packets on audio
      [ -d device ]           # settable to le?, ie?, bf?, tr?
      [ -s snaplen ]          # Truncate packets
      [ -c count ]            # Quit after count packets
      [ -P ]                  # Turn OFF promiscuous mode
      [ -D ]                  # Report dropped packets
      [ -S ]                  # Report packet size
      [ -i file ]             # Read previously captured packets
      [ -o file ]             # Capture packets in file
      [ -n file ]             # Load addr-to-name table from file
      [ -N ]                  # Create addr-to-name table
      [ -t r|a|d ]            # Time: Relative, Absolute or Delta
      [ -v ]                  # Verbose packet display
      [ -V ]                  # Show all summary lines
      [ -p first[,last] ]     # Select packet(s) to display
      [ -x offset[,length] ]  # Hex dump from offset for length
      [ -C ]                  # Print packet filter code
      [ -q ]                  # Suppress printing packet count
      [ -r ]                  # Do not resolve address to name
      [ filter expression ]

    How to stop:

    Press Control-C to stop the snoop utility.

    The snoop command can only be run by the superuser.

    By default, snoop only displays data pertaining to the highest-level protocol. For example, an NFS packet will only display NFS information. The underlying RPC, UDP, IP, and Ethernet frame information is suppressed but can be displayed if one of the verbose options (-v or -V) is chosen. Note also that snoop puts the interface into promiscuous mode unless -P is given, so it sees every frame on the segment, not only traffic addressed to this host. When the traffic has to be kept for later analysis, capture it to a file with -o and decode it afterwards with -i.
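    The -o and -i options write and read captures in the snoop file format (RFC 1761), and the default display reduces each packet to one summary line. The following Python reader is an added example, not part of the original slides: it decodes such a file without the snoop binary, which matters when the binary on a host under investigation cannot be trusted, and prints summary lines in the same spirit for the ping exchange used in the exercise. The capture bytes are constructed inside the code; hostB's Ethernet address, the ICMP identifier, the IP identification field and the timestamps are made up, while hostA's Ethernet address and both IP addresses are the ones on the slides. Record lengths are validated before use so that a crafted file cannot make the reader walk past its buffer.

```python
"""Reader for the capture files snoop -o writes (RFC 1761); added example."""
import socket
import struct
from typing import Iterator, List, NamedTuple

SNOOP_MAGIC = b"snoop\x00\x00\x00"  # 8-byte identification string
SNOOP_VERSION = 2
DL_ETHERNET = 4                      # datalink type code for Ethernet
ETHERTYPE_IP = 0x0800
IPPROTO_ICMP = 1
# hostA's Ethernet address is the one ifconfig shows in the exercise; hostB's is made up.
MAC_HOSTA = bytes.fromhex("080020a26382")
MAC_HOSTB = bytes.fromhex("0800200a0b0c")


class SnoopRecord(NamedTuple):
    orig_len: int   # length on the wire; incl_len is smaller when -s truncated the packet
    incl_len: int
    drops: int      # cumulative drops reported by the kernel at capture time
    timestamp: float
    frame: bytes


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; yields 0 over a header that already carries its checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo_frame(src_mac, dst_mac, src_ip, dst_ip, icmp_type, ident, seq, payload=b""):
    """Ethernet/IPv4/ICMP echo frame (type 8 = request, 0 = reply) with valid checksums."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 255,
                     IPPROTO_ICMP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IP) + ip + icmp


def build_snoop_file(frames: List[bytes], first_ts: int = 1564531200) -> bytes:
    """File header, then a 24-byte big-endian record header before each packet."""
    out = bytearray(SNOOP_MAGIC + struct.pack("!II", SNOOP_VERSION, DL_ETHERNET))
    for i, frame in enumerate(frames):
        pad = -len(frame) % 4  # every record is padded to a 4-byte boundary
        rec_len = 24 + len(frame) + pad
        out += struct.pack("!IIIIII", len(frame), len(frame), rec_len, 0, first_ts + i, i * 1000)
        out += frame + b"\x00" * pad
    return bytes(out)


def read_snoop(data: bytes) -> Iterator[SnoopRecord]:
    """Walk the records, rejecting lengths that would read outside the buffer or never advance."""
    if data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop capture file")
    version, dltype = struct.unpack("!II", data[8:16])
    if version != SNOOP_VERSION or dltype != DL_ETHERNET:
        raise ValueError(f"unsupported snoop version {version} / datalink {dltype}")
    off = 16
    while off + 24 <= len(data):
        orig_len, incl_len, rec_len, drops, secs, usecs = struct.unpack("!IIIIII", data[off:off + 24])
        if rec_len < 24 + incl_len or off + 24 + incl_len > len(data):
            raise ValueError(f"corrupt or truncated record at offset {off}")
        yield SnoopRecord(orig_len, incl_len, drops, secs + usecs / 1e6, data[off + 24:off + 24 + incl_len])
        off += rec_len


def summarize(frame: bytes) -> str:
    """One line per packet, like snoop's default output that shows only the top protocol."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:
        return "ETHER non-IP or truncated frame"
    ip = frame[14:]
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    if ihl < 20 or total < ihl or len(ip) < total or inet_checksum(ip[:ihl]) != 0:
        return f"{src} -> {dst} IP bad header"
    if ip[9] != IPPROTO_ICMP:
        return f"{src} -> {dst} IP proto={ip[9]}"
    icmp = ip[ihl:total]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return f"{src} -> {dst} ICMP truncated or bad checksum"
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    name = {8: "Echo request", 0: "Echo reply"}.get(itype, f"type {itype}")
    return f"{src} -> {dst} ICMP {name} (ID: {ident} Sequence number: {seq})"


def demo() -> List[str]:
    """Constructed capture of ping hostB run on hostA, decoded back to summary lines."""
    frames = [
        build_icmp_echo_frame(MAC_HOSTA, MAC_HOSTB, "192.168.1.106", "192.168.1.21", 8, 1, 0, b"abcdefgh"),
        build_icmp_echo_frame(MAC_HOSTB, MAC_HOSTA, "192.168.1.21", "192.168.1.106", 0, 1, 0, b"abcdefgh"),
    ]
    return [summarize(rec.frame) for rec in read_snoop(build_snoop_file(frames))]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

    Running it prints the request and the reply as two summary lines. Pointing read_snoop at a real file written by snoop -o gives the same records; the orig_len/incl_len pair shows where -s truncated packets, and the drops field shows where the kernel could not keep up, both of which matter before treating a capture as complete evidence.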

    NFS in OSI

    EXERCISE: Obtaining Network Information

    1. Log in as root on hostA. Make sure you have an entry in your /etc/inet/hosts file for hostB.

    2. As root, use the ifconfig command to display information about your network interface:

    ifconfig -a
    lo0: flags=1000849,VIRTUAL mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    hme0: flags=1000843 mtu 1500 index 2
            inet 192.168.1.106 netmask ffffff00 broadcast 192.168.1.255
            ether 8:0:20:a2:63:82

    The ifconfig utility shows that the Ethernet address of the hme0 interface is 8:0:20:a2:63:82. The first three octets are the Organizationally Unique Identifier assigned to the manufacturer; in this case, 8:0:20 is Sun Microsystems. The last three octets, in this case a2:63:82, are assigned by the manufacturer so that each interface it ships gets a different address.

    3. Use ping to send ICMP echo requests from hostA to hostB:

    ping hostB

    On hostA, use the rpcinfo utility with the -p option to list the RPC programs registered with rpcbind:

    rpcinfo -p

    4. Look for the sprayd service on your system:

    rpcinfo -p | grep sprayd

    Description:

    The sprayd service was detected as running. rpc.sprayd is a server that records the packets sent by spray, and sends a response to the originator of the packets. The rpc.sprayd daemon is normally invoked by inetd.

    spray sends a one-way stream of packets to a host using RPC, and reports how many were received, as well as the transfer rate. The host argument can be either a name or an Internet address. Because rpc.sprayd answers any RPC client that can reach the host, it lets a remote party load the network and the host at will, which is why it is normally switched off unless someone needs it for testing.

    Remedy:

    Disable the sprayd service if it is not needed.

    To disable the service on releases that configure inetd through /etc/inetd.conf:

    1. Edit the /etc/inetd.conf (or equivalent) file.

    2. Locate the line that controls the daemon (the entry that begins with sprayd).

    3. Type a # at the beginning of the line to comment out the daemon.

    4. Restart inetd, or send it SIGHUP so that it rereads the file.

    On Solaris 10 and later, inetd services are managed by the Service Management Facility instead of this file; disable the instance with svcadm disable spray and confirm with svcs spray.
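    The inetd.conf remedy above as an added example, not taken from the slides: a Python helper that comments out entries by service name. The configuration excerpt is constructed here in the layout of a Solaris 9 /etc/inetd.conf; the server paths in it are assumptions rather than text from the page. The helper only touches the entry whose service field matches, leaves already commented lines alone, and reports what it changed, so it can be run repeatedly on a fleet without producing double comment markers.

```python
"""Comment out unwanted inetd.conf entries by service name; added example."""
from typing import List, Set, Tuple

# Constructed excerpt in the layout of a Solaris 9 /etc/inetd.conf (paths are
# assumptions). Fields: service[/versions] endpoint-type protocol wait-status
# user server-program server-arguments; RPC entries carry a version suffix.
INETD_CONF = """\
# Internet services syntax:
#  <service_name> <socket_type> <proto> <flags> <user> <server_pathname> <args>
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd -a
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
#
# RPC services syntax:
sprayd/1        tli     rpc/datagram_v  wait    root    /usr/lib/netsvc/spray/rpc.sprayd        rpc.sprayd
rstatd/2-4      tli     rpc/datagram_v  wait    root    /usr/lib/netsvc/rstat/rpc.rstatd        rpc.rstatd
walld/1         tli     rpc/datagram_v  wait    root    /usr/lib/netsvc/rwall/rpc.rwalld        rpc.rwalld
"""


def service_name(line: str) -> str:
    """Service name of an active entry, or '' for blank and commented lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return ""
    return stripped.split()[0].split("/", 1)[0]  # drop an RPC version range such as /2-4


def active_services(conf: str) -> List[str]:
    """Names of the entries inetd would still start from this file."""
    return [name for name in map(service_name, conf.splitlines()) if name]


def disable_services(conf: str, unwanted: Set[str]) -> Tuple[str, List[str]]:
    """Prefix matching entries with '#', exactly as the manual remedy does.
    Already commented lines are left alone, so running this twice changes nothing."""
    lines, disabled = [], []
    for line in conf.splitlines():
        name = service_name(line)
        if name in unwanted:
            lines.append("#" + line)
            disabled.append(name)
        else:
            lines.append(line)
    return "\n".join(lines) + "\n", disabled


if __name__ == "__main__":
    hardened, removed = disable_services(INETD_CONF, {"sprayd"})
    print("disabled:", removed)
    print("still active:", active_services(hardened))
```

    Writing the result back to /etc/inetd.conf and sending inetd SIGHUP completes the remedy on those releases; on Solaris 10 and later the file is not consulted, and svcadm is the tool instead.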

    5. Stop the sprayd service on your local system, as follows:

    rpcinfo -d sprayd 1

    This deletes the registration of program sprayd, version 1, from rpcbind. It does not change whether the service is enabled, so it is a temporary measure for the exercise, not a substitute for the remedy above.

    6. Verify that the sprayd service has been unregistered from RPC:

    rpcinfo -p | grep sprayd

    7. Restart the sprayd service by issuing the svcadm restart command, as follows:

    svcadm restart spray

    Using snoop to Display Network Information

    1. On hostA, log in as root. In one window, start up the snoop utility, as follows:

    snoop hostA hostB

    snoop shows what actually happens when hostA uses the ping command to communicate with hostB.

    2. In a second window on hostA, type the following:

    ping hostB

    3. Watch the information that is displayed in the first window that is running snoop. Expect one summary line per packet: an ICMP Echo request from hostA to hostB, followed by an ICMP Echo reply from hostB.

    4. Issue the spray command to send a one-way stream of packets to hostB:

    spray hostB

    5. Watch the information that is displayed in the first window that is running snoop. This time the bulk of the traffic is RPC datagrams from hostA to hostB with no reply to each one; hostB only answers when spray asks it for the received count at the end.

    Step By Step: Verifying That a Network Is Operational

    PING:

    Check the network connection to another system by typing the following:

    ping hostname

    For example, to check the network between systemA and systemB, type ping systemB from systemA. If the check is successful, ping reports:

    systemB is alive

    If the network is not active, you get this message:

    no answer from systemB

    Solution:

    If you get this negative response, check your cable and make sure that both the local system and the remote system are configured properly. A host or firewall that deliberately drops ICMP echo requests produces the same "no answer" message, so confirm with another service before concluding that the link itself is down.

    Snoop

    Use the snoop utility to determine what information is flowing between systems. The snoop utility can show what actually happens when one system sends a ping to another system. The following example shows network traffic being monitored between two hosts, namely 192.168.1.106 and 192.168.1.21; giving the two addresses as the filter expression selects the packets exchanged between them in either direction and nothing else on the segment:

    snoop 192.168.1.106 192.168.1.21

    Netstat

    Check for network traffic by typing the following:

    netstat -i 5

    The netstat command is used to monitor the system's TCP/IP network activity. netstat can provide some basic data about how much and what kind of network activity is happening. You should ignore the first line of output, as this shows the overall activity since the system was last booted. The -i option shows the state of the network interface used for TCP/IP traffic. The last option, 5, reissues the netstat command every 5 seconds to get a good sampling of network activity, with each line showing the activity since the last display, in this case 5 seconds. You can press Ctrl+C to break out of the netstat command.

    root@bt1ms1> netstat -i 5
        input   bge0      output       input  (Total)    output
    packets errs  packets errs  colls  packets errs  packets errs  colls
    476263476 0   595943742 0   0      802089697 0   921769963 0   0
    1184    0     1358    0     0      1415    0     1589    0     0
    399     0     464     0     0      615     0     680     0     0
    1251    0     1458    0     0      1522    0     1729    0     0
    278     0     331     0     0      372     0     425     0     0

    4. Look in the colls column to see if there is a large number of collisions. To calculate the network collision rate, divide the number of output collisions (output colls) by the number of output packets. A network-wide collision rate greater than 10% can indicate an overloaded network, a poorly configured network, or hardware problems. Collisions only occur on half-duplex, shared Ethernet; on a switched full-duplex link this column should stay at zero, and a non-zero value there points to a duplex mismatch.

    5. Examine the errs column to see if there is a large number of errors. To calculate the input packet error rate, divide the number of input errors by the total number of input packets. If the input error rate is high (more than 25%), the host might be dropping packets because of transmission problems. Transmission problems can be caused by other hardware on the network and by heavy traffic and low-level hardware problems. Routers can drop packets, forcing retransmissions and causing degraded performance.

    6. Type ping -sRv hostname from the client to determine how long it takes a packet to make a round-trip on the network. If the round-trip takes more than a few milliseconds, the routers on the network are slow or the network is very busy. Issue the ping command twice and ignore the first set of results.

    The ping -sRv command also displays packet losses. If you suspect a physical problem, you can use ping -sRv to find the response times of several hosts on the network. If the response time (in milliseconds) from one host is not what you expect, you should investigate that host.
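    The collision-rate and input-error-rate checks from steps 4 and 5, as an added example that is not on the slides. The first sample is the netstat -i 5 output shown above, reproduced as text; the second is constructed to trip both thresholds. The cumulative first row is skipped, as the text says to do, and every later row is treated as one 5-second interval, so a short burst of errors is reported for the interval in which it happened rather than being averaged away.

```python
"""Collision and error rates over netstat -i output; added example."""
from typing import List, NamedTuple, Tuple


class IfaceSample(NamedTuple):
    in_pkts: int
    in_errs: int
    out_pkts: int
    out_errs: int
    colls: int


# The netstat -i 5 output from the slide, bge0 columns first, then the totals.
NETSTAT_SLIDE = """\
root@bt1ms1> netstat -i 5
    input   bge0      output       input  (Total)    output
packets errs  packets errs  colls  packets errs  packets errs  colls
476263476 0   595943742 0   0      802089697 0   921769963 0   0
1184    0     1358    0     0      1415    0     1589    0     0
399     0     464     0     0      615     0     680     0     0
1251    0     1458    0     0      1522    0     1729    0     0
278     0     331     0     0      372     0     425     0     0
"""

# Constructed sample (not from the slide): the second interval has a 15%
# collision rate and a 30% input error rate.
NETSTAT_DEGRADED = """\
    input   hme0      output       input  (Total)    output
packets errs  packets errs  colls  packets errs  packets errs  colls
9000    12    8500    0     40     9100    12    8600    0     40
400     120   1000    0     150    420     120   1010    0     150
"""


def parse_netstat_i(text: str) -> List[IfaceSample]:
    """Keep only the ten-integer data rows; headers and the shell prompt are skipped."""
    samples = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 10 and all(f.isdigit() for f in fields):
            samples.append(IfaceSample(*map(int, fields[:5])))  # the named interface's columns
    return samples


def interval_rates(samples: List[IfaceSample]) -> List[Tuple[float, float]]:
    """(collision rate, input error rate) per interval, skipping the since-boot row."""
    rates = []
    for s in samples[1:]:
        coll = s.colls / s.out_pkts if s.out_pkts else 0.0
        err = s.in_errs / s.in_pkts if s.in_pkts else 0.0
        rates.append((coll, err))
    return rates


def assess(text: str, coll_threshold: float = 0.10, err_threshold: float = 0.25) -> List[str]:
    """Findings for every interval that crosses the thresholds given in steps 4 and 5."""
    findings = []
    for i, (coll, err) in enumerate(interval_rates(parse_netstat_i(text)), 1):
        if coll > coll_threshold:
            findings.append(f"interval {i}: collision rate {coll:.1%} > {coll_threshold:.0%}")
        if err > err_threshold:
            findings.append(f"interval {i}: input error rate {err:.1%} > {err_threshold:.0%}")
    return findings


if __name__ == "__main__":
    print("slide sample:", assess(NETSTAT_SLIDE) or "no findings")
    print("degraded sample:", assess(NETSTAT_DEGRADED))
```

    Feeding it live output is a matter of running netstat -i 5 for a fixed number of intervals and passing the captured text to assess; the thresholds are the ones the slides give and can be tightened for a switched full-duplex network, where any collision at all is a finding.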