Thursday, August 30, 2007

Troubleshooting a Network with the Snoop Utility

One of the most useful networking utilities is the snoop command. It is used to capture and inspect network packets. Here are some examples of its use.

Snoop a network in promiscuous mode (captures and displays every packet the interface receives, not just those addressed to this host)
# snoop
Using device /dev/hme (promiscuous mode)
192.168.1.26 -> esoft TELNET C port=2319
esoft -> 192.168.1.10 TELNET R port=2319
192.168.1.26 -> esoft TELNET C port=2319

Snoop a particular host
# snoop client-10

Print detailed ETHER, IP and TCP header data for every packet (a lot of output)
# snoop -v

Snoop between two hosts
# snoop client-10 client-11

Capture snoop output to a file (binary format)
# snoop -o snoop_capture

Read captured snoop output from file
# snoop -i snoop_capture

Print in verbose summary mode (one summary line per protocol layer in each packet, between the default summary and -v)
# snoop -V
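The default summary output shown at the top of the post is one line per packet, which is easy to post-process. As an added example (not from the original post), the script below reads that summary format from standard input, counts packets per protocol and lists the client hosts that opened cleartext TELNET sessions. The sample capture embedded in it is constructed in the same shape as the lines above; the field positions it relies on (source, `->`, destination, protocol, C/R flag) are those of the summary lines shown in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise snoop's default
# one-line-per-packet output and flag cleartext TELNET sessions.
# Field layout assumed from the summary lines above:
#   $1 source  $2 "->"  $3 destination  $4 protocol  $5 C|R  $6 port=N

# Constructed sample of snoop summary output (not a real capture).
SAMPLE_SUMMARY='192.168.1.26 -> esoft TELNET C port=2319
esoft -> 192.168.1.26 TELNET R port=2319
192.168.1.26 -> esoft TELNET C port=2319
client-10 -> esoft TCP D=22 S=40022 Syn Seq=1 Len=0 Win=8760
esoft -> client-10 TCP D=40022 S=22 Syn Ack=2 Seq=9 Len=0 Win=8760
client-11 -> esoft FTP C port=2000'

# Print "PROTO count" for each protocol seen, sorted by protocol name.
# Reads summary lines on stdin; only lines with "->" in field 2 count.
proto_counts() {
    awk '$2 == "->" { n[$4]++ } END { for (p in n) print p, n[p] }' | sort
}

# List the client hosts that opened sessions with the named protocol
# (the "C" flag marks the client side), one per line, deduplicated.
cleartext_clients() {
    proto=$1
    awk -v p="$proto" '$2 == "->" && $4 == p && $5 == "C" { print $1 }' | sort -u
}

# Packet count for one protocol in the embedded sample.
count_for() {
    printf '%s\n' "$SAMPLE_SUMMARY" | proto_counts | awk -v p="$1" '$1 == p { print $2 }'
}

# Run against the embedded sample when invoked with --run; with a real
# capture you would pipe "snoop -i snoop_capture" into proto_counts instead.
if [ "${1:-}" = "--run" ]; then
    printf '%s\n' "$SAMPLE_SUMMARY" | proto_counts
    echo "Hosts using cleartext TELNET:"
    printf '%s\n' "$SAMPLE_SUMMARY" | cleartext_clients TELNET
fi
```

On a live system the same functions work on a saved capture, e.g. `snoop -i snoop_capture | cleartext_clients TELNET`, which gives a quick inventory of which hosts still send logins in the clear.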

Extra:

I've been asked how to disable snoop. One option is to rename the utility so it can't be executed when someone runs snoop from the CLI, or simply move it to another area of the filesystem. You can also tighten down the permissions so that only root can run it.

# mv /usr/sbin/snoop /usr/sbin/mysnoop
# mv /usr/sbin/snoop /usr/sbin/.snoop
# chmod 700 /usr/sbin/snoop

Check the permissions (they should be 600) on the network interface device nodes -- hme, ge, ce, eri, etc.
# ls -l /devices/pseudo/
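Eyeballing `ls -l` output is fine once, but a repeatable check is more useful. As an added example (not from the original post), the script below audits the mode bits of the snoop binary and of the clone device nodes for the drivers the post names, and reports anything that grants group or other any access at all, which is what the 700 / 600 advice above boils down to. The device paths under `/devices/pseudo/` are assumed from the post's `ls -l` command and the driver names it lists; the audit logic is ours.

```shell
#!/bin/sh
# Added example, not part of the original post: report snoop-related files
# whose permissions are broader than "owner only", as the post recommends.
# The /usr/sbin/snoop and /devices/pseudo/clone@0:* paths are assumptions
# based on the paths and driver names the post mentions.

# Return 0 if an ls -l mode string (e.g. "-rwx------") grants nothing to
# group or other, 1 otherwise. Characters 5..10 are the group/other bits.
mode_is_restricted() {
    rest=$(printf '%s' "$1" | cut -c5-10)
    [ "$rest" = "------" ]
}

# Audit one path: print "OK", "TOO-OPEN" or "MISSING" and return 0, 1 or 2.
# Uses ls -ld so the same check works on Solaris and on Linux.
audit_path() {
    [ -e "$1" ] || { echo "MISSING $1"; return 2; }
    mode=$(ls -ld "$1" | cut -c1-10)
    if mode_is_restricted "$mode"; then
        echo "OK $mode $1"; return 0
    else
        echo "TOO-OPEN $mode $1"; return 1
    fi
}

# Audit every path given as an argument, or the default snoop binary plus the
# clone device nodes for hme, ge, ce and eri when none are given.
# Returns the number of TOO-OPEN paths; missing paths are reported but not counted.
audit_snoop() {
    if [ $# -eq 0 ]; then
        set -- /usr/sbin/snoop \
               /devices/pseudo/clone@0:hme /devices/pseudo/clone@0:ge \
               /devices/pseudo/clone@0:ce /devices/pseudo/clone@0:eri
    fi
    problems=0
    for p in "$@"; do
        audit_path "$p" && rc=0 || rc=$?
        if [ "$rc" -eq 1 ]; then
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# When run directly with --run, audit the default set and exit with the count.
if [ "${1:-}" = "--run" ]; then
    audit_snoop
fi
```

Running `audit_snoop` with no arguments checks the paths from the post; passing explicit paths lets you point it at whatever name you moved the binary to (e.g. `/usr/sbin/.snoop`) after following the advice above.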
