4

I am trying to use snoop on Solaris 10 to detect traffic between a client and server both located on my machine. Question: I just want to verify that I should use the loopback interface for this.

So now for the real question.

I have found a few posts that suggest that you cannot use snoop on Solaris to listen to a loopback interface. Can someone verify this for me? I have found a few threads that seem to suggest this but most of them are fairly old (see links at bottom).

Has this problem been solved? Is there a way to listen to a loopback interface on Solaris 10? (Using snoop or another method. My assumption is that if snoop will not work, something like Wireshark will not work either.)

This is what I have tried:

% sudo snoop -d lo0

Which results in this:

snoop: cannot open "lo0": DLPI link does not exist

Thanks


Links

http://forums.sun.com/thread.jspa?threadID=5252240

http://www.mail-archive.com/networking-discuss@opensolaris.org/msg01860.html

http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-sun/2002-08/0007.html

http://opensolaris.org/jive/thread.jspa?messageID=175240

sixtyfootersdude

6 Answers

7

I realize that this is an old thread, but in case someone stumbles across it, it is worth noting that this appears to now be possible in Solaris 11:

http://docs.oracle.com/cd/E23824_01/html/821-1453/gexkw.html#gexnc

There is now a '-I' option that allows snoop to work with IP-layer devices.

Rubinstien
5

The posts are correct, you cannot snoop loopback traffic on Solaris. You can't tcpdump it, you can't wireshark it. You can't dtrace it. Many have tried.

OpenSolaris supports it (via the clearview project).

quadruplebucky
1

I vaguely recall some problems with snoop on the loopback interface (something about snoop requiring a real piece of hardware, which is why you get that DLPI message -- there's no Data Link Provider Interface for loopback b/c it's a virtual device).

You may want to try Wireshark or plain-ol-tcpdump, but you might be out of luck Re: lo0. As an alternative you could connect one of your physical interfaces to a dead-end hub with nothing else & send your traffic over that interface.

voretaq7
  • 1
    tcpdump fails with a similar error message. "tcpdump: lo0: No such device exists" "(lo0: No DLPI device found)" – TCampbell Mar 05 '10 at 20:28
0

https://blogs.oracle.com/seb/entry/observe_loopback_and_inter_zone

Seems like OpenSolaris has this feature (or will)

alanc
sixtyfootersdude
0

I'm no expert in the use of Dtrace, but there may be a way to use it to capture the data.

TCampbell
-1

I have captured traffic in Solaris 10 using Opnet ... however, you cannot capture from a zone, you must use the global zone, unless you are assigning dedicated IO cards to the zones under the global...