2

Doing testing on a server right now. Both the client and server are on my machine. I am trying to snoop the packets between them but am not having any luck. These are some variations I have tried:

    sudo snoop host myHost and port 443 or port 8443

    sudo snoop to host myHost from host myHost

Neither of these returns any results. Does this suggest:

  1. snoop cannot pick up packets that are between the same host
  2. I am using snoop wrong
  3. my client and server are doing something strange

These commands all return a lot of information (so I am assuming that it works and is configured properly):

    sudo snoop

    sudo snoop host myHost
Insyte
sixtyfootersdude

4 Answers

2

To the best of my knowledge, Solaris doesn't allow you to capture on the local loopback interface (lo0, in your case). For example, this page states flatly that it can't be done on Solaris short of a kernel recompile.

So you would have to either set up the client and server on separate machines, or see if there's some way to route the traffic through your network (so that it goes through the non-loopback interface).

Alex
  • I created this page to verify your answer: http://serverfault.com/questions/119681/viewing-the-loopback-interface-on-solaris-10-using-snoop-or-another-tool and to see if I can find another alternative – sixtyfootersdude Mar 05 '10 at 19:48
  • AFAIK, Solaris doesn't support loopback capture. It should in the future, however: http://hub.opensolaris.org/bin/view/Project+clearview/WebHome – Gerald Combs Mar 05 '10 at 19:58
1

I'm not very familiar with snoop, but perhaps you would have better luck with Wireshark?

Legion
  • Snoop is at least as capable as libpcap, if not more so. In my experience, Solaris admins tend to prefer it. – Insyte Mar 05 '10 at 18:35
  • Interesting. Good to know. – Legion Mar 05 '10 at 19:00
  • Would this be able to view the loopback interface on Solaris? – sixtyfootersdude Mar 05 '10 at 19:49
  • No, wireshark can't see the loopback either when snoop can't. You can snoop the loopback with OpenSolaris:

        # snoop -V -I lo0
        Using device ipnet/lo0 (promiscuous mode)
        localhost is alive
        ________________________________
        pcjll -> pcjll IPNET src zone 0 dst zone 0
        pcjll -> pcjll IP D=127.0.0.1 S=127.0.0.1 LEN=84, ID=2656, TOS=0x0, TTL=255
        pcjll -> pcjll ICMP Echo request (ID: 3939 Sequence number: 0)
        ...

    – jlliagre Mar 10 '10 at 12:20
1

You're listening on one of the ethernet interfaces but talking over the loopback. From the snoop man page:

    -d device       Receive packets from the network  using  the
                    interface specified by device.  Usually le0
                    or  ie0.   The  program  netstat(1M),   when
                    invoked  with  the  -i  flag, lists all the
                    interfaces that  a  machine  has.   Normally,
                    snoop  will  automatically  choose  the first
                    non-loopback interface it finds.

So if you want to eavesdrop on local communications, add your loopback interface using the -d option.

Insyte
  • Huh, I tried that but get this error: `% sudo snoop -d lo0` `snoop: cannot open "lo0": DLPI link does not exist` – sixtyfootersdude Mar 05 '10 at 18:57
  • Maybe that is unsupported on Solaris? See: http://serverfault.com/questions/119681/viewing-the-loopback-interface-on-solaris-10-using-snoop-or-another-tool – sixtyfootersdude Mar 05 '10 at 19:48
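
An added example (not part of the original thread): a shell check for the situation these answers describe. It tells whether a target address belongs to the capturing host itself, in which case the traffic is looped back inside the IP stack and never reaches the NIC that snoop picks by default. The `netstat -in` text is a constructed sample and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of Solaris `netstat -in` output (not taken from the page).
SAMPLE_NETSTAT='Name    Mtu  Net/Dest    Address      Ipkts Ierrs Opkts Oerrs Collis Queue
lo0     8232 127.0.0.0   127.0.0.1    1280  0     1280  0     0      0
e1000g0 1500 192.168.1.0 192.168.1.10 90412 0     71233 0     0      0'

# local_iface ADDR (hypothetical helper): read `netstat -in` text on stdin and
# print the interface that owns ADDR. Exit status 1 if no interface owns it.
local_iface() {
    awk -v addr="$1" '
        NR > 1 && $4 == addr { print $1; found = 1; exit }
        END { exit !found }'
}

# capture_verdict ADDR (hypothetical helper): read `netstat -in` text on stdin.
#   local:<if>  ADDR is one of this host's own addresses, so client and server
#               traffic to it is looped back internally and a capture on the
#               default (first non-loopback) interface stays empty.
#   remote      ADDR is not local, so the traffic crosses a physical
#               interface and a NIC capture can see it.
capture_verdict() {
    if ifc=$(local_iface "$1"); then
        echo "local:$ifc"
    else
        echo "remote"
    fi
}

# Demonstration on the constructed sample. On a real host, replace the printf
# with:  netstat -in | capture_verdict "$addr"
for addr in 192.168.1.10 127.0.0.1 192.168.1.20; do
    verdict=$(printf '%s\n' "$SAMPLE_NETSTAT" | capture_verdict "$addr")
    printf '%-14s %s\n' "$addr" "$verdict"
done
```

A `local:` verdict for the server's address, even one assigned to an Ethernet interface, matches the empty captures in the question: move one endpoint to another machine, or use a release with loopback capture support.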
-2
  1. Log in to your machine as the root user.
  2. Run the snoop command as shown below:

    root@psp-2 # snoop -o /export/home/john/file.pcap

    Using device vnet0 (promiscuous mode)

  3. Press Ctrl+C to stop the packet capture.

  4. You can check the desired packet capture at the mentioned path.