One of the most useful networking utilities is the snoop command. It is used to capture and inspect network packets. Here are some examples of its use.
Snoop a network in the promiscuous mode (captures and displays all packets as received)
# snoop
Using device /dev/hme (promiscuous mode)
192.168.1.26 -> esoft TELNET C port=2319
esoft -> 192.168.1.10 TELNET R port=2319 Using device /dev/hm
192.168.1.26 -> esoft TELNET C port=2319
Snoop a particular host
# snoop client-10
Prints detailed ETHER, IP and TCP header data (a lot of data)
# snoop -v
Snoop between two hosts
# snoop client-10 client-11
Capture snoop output to a file (binary format)
# snoop -o snoop_capture
Read captured snoop output from file
# snoop -i snoop_capture
Prints summary mode
# snoop -V
Extra:
I've been asked how to disable snoop. Rename the utility so it can't be executed when someone executes snoop via CLI. Or simply move it to another area of the filesystem. You can also tighten down the permissions, too. i.e. root can only run it.
# mv /usr/sbin/snoop /usr/sbin/mysnoop
# mv /usr/sbin/snoop /usr/sbin/.snoop
# chmod 700 /usr/sbin/snoop
Check the permissions (perm 600) on the interfaces -- hme, ge, ce, eri, etc
# ls -l /devices/pseudo/
No comments:
Post a Comment