
The Solaris snoop command

Original post   Category: Linux operating system   Author: wilson2006   Posted: 2019-06-12 10:36:04

    Snoop is the packet capture (network monitoring) tool that ships with Solaris.

    Unfortunately snoop can only be run as root (or, on Solaris 10 and later, with the net_rawaccess privilege): it opens the network interface device, here /dev/iprb0, in promiscuous mode, which an ordinary user is not allowed to do. Note also that in the command below -n names a hosts-style address-to-name mapping file, not an output file; writing a capture to packet.pkt is done with -o, as shown at the end of this post.
[macg@machome]:/export/home/macg>$/usr/sbin/snoop -S -n packet.pkt
snoop: /dev/iprb0: Permission denied


    snoop with no arguments opens the first non-loopback interface in promiscuous mode and prints everything the interface sees on the segment, not only packets addressed to or from this host (the -D output further down shows an HTTP session between two foreign addresses). To capture only the local host's own traffic, give it an expression such as: snoop host machome. The truncated fragments in the output below ("TELNET R port=2843 192.168.1.11 -> mach") are not corruption: this session runs over Telnet to machome, so every line snoop prints is itself sent back over the connection being captured and shows up as the payload of the next reply segment. Capture from the console, write to a file with -o, or filter your own session out; otherwise the capture feeds on its own output.
[root@machome]:/>$snoop
Using device /dev/iprb0 (promiscuous mode)
192.168.1.11 -> machome      TELNET C port=2843
     machome -> 192.168.1.11 TELNET R port=2843 192.168.1.11 -> mach
192.168.1.11 -> machome      TELNET C port=2843
     machome -> 192.168.1.11 TELNET R port=2843      machome -> 192.
192.168.1.11 -> machome      TELNET C port=2843
     machome -> 192.168.1.11 TELNET R port=2843 192.168.1.11 -> mach
192.168.1.11 -> machome      TELNET C port=2843
 

 

    # snoop host1 host2      capture only the packets exchanged between host1 and host2 (here an ICMP echo exchange)
host1 -> host2 ICMP Echo request
host2 -> host1 ICMP Echo reply


    snoop -V (capital V): verbose summary mode, one line per protocol layer, so each packet becomes a short block of ETHER / IP / TCP / TELNET lines
[root@machome]:/>$snoop -V
Using device /dev/iprb0 (promiscuous mode)
________________________________
192.168.1.11 -> machome      ETHER Type=0800 (IP), size = 60 bytes
192.168.1.11 -> machome      IP  D=192.168.1.12 S=192.168.1.11 LEN=40, ID=36254, TOS=0x0, TTL=128
192.168.1.11 -> machome      TCP D=23 S=2843 Ack=664253318 Seq=1670510379 Len=0 Win=16623
192.168.1.11 -> machome      TELNET C port=2843
________________________________
     machome -> 192.168.1.11 ETHER Type=0800 (IP), size = 98 bytes
     machome -> 192.168.1.11 IP  D=192.168.1.11 S=192.168.1.12 LEN=84, ID=113, TOS=0x0, TTL=60
     machome -> 192.168.1.11 TCP D=2843 S=23 Push Ack=1670510379 Seq=664253318 Len=44 Win=49640
     machome -> 192.168.1.11 TELNET R port=2843 Using device /dev/ip
 
 

   snoop -v (lower-case v): full verbose mode, every header field of every layer decoded over many lines; the bit-by-bit breakdown of the IP and TCP flags below is the useful part when reading a raw capture
ETHER:  ----- Ether Header -----                                    layer-2 (Ethernet) header
ETHER: 
ETHER:  Packet 15 arrived at 19:56:57.96862
ETHER:  Packet size = 890 bytes
ETHER:  Destination = 0:40:ca:c9:a4:76,
ETHER:  Source      = 0:90:27:10:d7:50,
ETHER:  Ethertype = 0800 (IP)
ETHER: 
IP:   ----- IP Header -----                                                layer-3 IP header
IP:  
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:         .... ..0. = not ECN capable transport
IP:         .... ...0 = no ECN congestion experienced
IP:   Total length = 876 bytes
IP:   Identification = 51671
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 60 seconds/hops
IP:   Protocol = 6 (TCP)
IP:   Header checksum = ee4c
IP:   Source address = 192.168.1.12, machome
IP:   Destination address = 192.168.1.11, 192.168.1.11  this is the Telnet reply packet
IP:   No options
IP:  
TCP:  ----- TCP Header -----                                          layer-4 TCP header
TCP: 
TCP:  Source port = 23                                      server reply (source port 23 = telnet)
TCP:  Destination port = 2843
TCP:  Sequence number = 664191537
TCP:  Acknowledgement number = 1670509890
TCP:  Data offset = 20 bytes
TCP:  Flags = 0x18
TCP:        0... .... = No ECN congestion window reduced
TCP:        .0.. .... = No ECN echo
TCP:        ..0. .... = No urgent pointer
TCP:        ...1 .... = Acknowledgement
TCP:        .... 1... = Push
TCP:        .... .0.. = No reset
TCP:        .... ..0. = No Syn
TCP:        .... ...0 = No Fin
TCP:  Window = 49640
TCP:  Checksum = 0x7336
TCP:  Urgent pointer = 0
TCP:  No options
TCP: 
TELNET:  ----- TELNET:   -----                 above layer 4 snoop simply dumps the application payload
TELNET: 
TELNET:  "IP:   Source address = 192.168.1.11, 192.168.1.11\r\nIP:   Des"     the payload is snoop's own earlier output being echoed back down the Telnet session it is capturing: anything shown or typed over Telnet is readable in cleartext here
TELNET: 
 

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 16 arrived at 19:56:58.16912
ETHER:  Packet size = 60 bytes
ETHER:  Destination = 0:90:27:10:d7:50,
ETHER:  Source      = 0:40:ca:c9:a4:76,
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP: 
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:         .... ..0. = not ECN capable transport
IP:         .... ...0 = no ECN congestion experienced
IP:   Total length = 40 bytes
IP:   Identification = 35171
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 128 seconds/hops
IP:   Protocol = 6 (TCP)
IP:   Header checksum = ee04
IP:   Source address = 192.168.1.11, 192.168.1.11
IP:   Destination address = 192.168.1.12, machome
IP:   No options
IP: 
TCP:  ----- TCP Header -----
TCP:
TCP:  Source port = 2843
TCP:  Destination port = 23 (TELNET)
TCP:  Sequence number = 1670509890
TCP:  Acknowledgement number = 664192373
TCP:  Data offset = 20 bytes
TCP:  Flags = 0x10
TCP:        0... .... = No ECN congestion window reduced
TCP:        .0.. .... = No ECN echo
TCP:        ..0. .... = No urgent pointer
TCP:        ...1 .... = Acknowledgement
TCP:        .... 0... = No push
TCP:        .... .0.. = No reset
TCP:        .... ..0. = No Syn
TCP:        .... ...0 = No Fin
TCP:  Window = 16654
TCP:  Checksum = 0x9a4c
TCP:  Urgent pointer = 0
TCP:  No options
TCP:
TELNET:  ----- TELNET:   -----
TELNET:
TELNET:  ""
TELNET: 
 

 

    snoop -c 2   stop after capturing 2 packets
[root@machome]:/>$snoop -c 2
Using device /dev/iprb0 (promiscuous mode)
192.168.1.11 -> machome      TELNET C port=2843
     machome -> 192.168.1.11 TELNET R port=2843 Using device /dev/ip
2 packets captured
 

 

   snoop | grep   post-filter the summary lines with grep (this works after the fact; a snoop filter expression such as snoop not port 23 discards the unwanted packets in the capture itself and is the better choice on a busy link)
[root@machome]:/>$snoop | grep -v "TELNET"  filter out the Telnet lines
Using device /dev/iprb0 (promiscuous mode)
           ? -> *            PPP-LCP:  (Echo-Request)
           ? -> *            PPP-LCP:  (Echo-Reply)
           ? -> *            PPP-LCP:  (Echo-Request)
           ? -> *            PPP-LCP:  (Echo-Reply)
192.168.1.11 -> machome      ICMP Echo request (ID: 768 Sequence number: 1280)
     machome -> 192.168.1.11 ICMP Echo reply (ID: 768 Sequence number: 1280)
192.168.1.11 -> machome      ICMP Echo request (ID: 768 Sequence number: 1536)
     machome -> 192.168.1.11 ICMP Echo reply (ID: 768 Sequence number: 1536)
192.168.1.11 -> machome      ICMP Echo request (ID: 768 Sequence number: 1792)
     machome -> 192.168.1.11 ICMP Echo reply (ID: 768 Sequence number: 1792)
192.168.1.11 -> machome      ICMP Echo request (ID: 768 Sequence number: 2048)
     machome -> 192.168.1.11 ICMP Echo reply (ID: 768 Sequence number: 2048)
           ? -> *            PPP-LCP:  (Echo-Request)
           ? -> *            PPP-LCP:  (Echo-Reply)
           ? -> *            PPP-LCP:  (Echo-Request)
           ? -> *            PPP-LCP:  (Echo-Reply)
     machome -> (broadcast)  ARP C Who is 192.168.1.11, 192.168.1.11 ?
192.168.1.11 -> machome      ARP R 192.168.1.11, 192.168.1.11 is 0:40:ca:c9:a4:76
 
 


    snoop with a filter expression, capturing only one class of packet (multicast, broadcast, arp)
[root@machome]:/>$snoop multicast
Using device /dev/iprb0 (promiscuous mode)
 
[root@machome]:/>$snoop broadcast
Using device /dev/iprb0 (promiscuous mode)


  10.10.10.50 -> BROADCAST UDP D=177 S=2541 LEN=35
  10.10.10.50 -> BROADCAST UDP D=177 S=2541 LEN=35
  10.10.10.50 -> BROADCAST UDP D=177 S=2541 LEN=35
 
[root@machome]:/>$snoop arp
Using device /dev/iprb0 (promiscuous mode)
 


    [ -D ] # Report dropped packets: each summary line gets a drops: counter, the number of packets the kernel discarded before snoop could read them; a non-zero value means the capture is incomplete
[root@machome]:/>$snoop -D
Using device /dev/iprb0 (promiscuous mode)
192.168.1.11 -> machome      drops: 0 TELNET C port=2843
     machome -> 192.168.1.11 drops: 0 TELNET R port=2843 Using device /dev/ip
           ? -> *            drops: 0 PPP-LCP:  (Echo-Request)
192.168.1.11 -> machome      drops: 0 TELNET C port=2843
           ? -> *            drops: 0 PPP-LCP:  (Echo-Reply)
     machome -> 192.168.1.11 drops: 0 TELNET R port=2843 192.168.1.11 -> mach
192.168.1.11 -> machome      drops: 0 TELNET C port=2843
     machome -> 192.168.1.11 drops: 0 TELNET R port=2843      machome -> 192.
192.168.1.11 -> machome      drops: 0 TELNET C port=2843
61.225.160.50 -> 221.221.184.73 drops: 0 HTTP (proxy) C port=4904
221.221.184.73 -> 61.225.160.50 drops: 0 HTTP (proxy) R port=4904
 

 

   [ -S ] # Report packet size: the length of each frame in bytes on the summary line
[root@machome]:/>$snoop -S
Using device /dev/iprb0 (promiscuous mode)
           ? -> *            length:   60  PPP-LCP:  (Echo-Request)
           ? -> *            length:   60  PPP-LCP:  (Echo-Reply)
192.168.1.11 -> machome      length:   60  TELNET C port=2843
     machome -> 192.168.1.11 length:   98  TELNET R port=2843 Using device /dev/ip
192.168.1.11 -> machome      length:   60  TELNET C port=2843
     machome -> 192.168.1.11 length:  123  TELNET R port=2843            ? -> *
 

 
    [ -o file ] # Capture packets into file: the raw packets are written to the file instead of being decoded on screen
[root@machome]:/>$snoop -S -o packet.pkt
Using device /dev/iprb0 (promiscuous mode)
 
What format is the capture file? Not a text file, and not a libpcap .cap file either: snoop writes its own format, defined in RFC 1761. The file starts with the 8-byte magic string "snoop" padded with NULs, a 4-byte version (2) and a 4-byte datalink type (4 = Ethernet), followed by one record per packet whose 24-byte header carries the original length, the captured length, the record length, the cumulative drop count and a timestamp, all big-endian. Opening it in an editor therefore shows binary junk. Read it back with snoop -i packet.pkt (add -v or -V for the decoded view, or -p first,last to pick packets), or open it in Wireshark, which understands the snoop format.
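The file layout described above, as an added example that is not part of the original post or of Solaris: a small Python reader and writer for the RFC 1761 snoop format, plus a decoder that renders each record the way snoop -D -S prints it (peers, drops, length, protocol). The capture it parses is constructed inside the script from four hand-built frames modelled on the sessions in this post (the Telnet 2843<->23 exchange, the ping with ID 768, the UDP broadcast to port 177); the MAC addresses, sequence numbers, timestamps and the "login: " payload are placeholders, and the decoder covers only Ethernet/IPv4 with TCP, UDP and ICMP.

```python
"""RFC 1761 snoop capture reader/writer and snoop-style summary decoder (added example, constructed data)."""
import struct

SNOOP_MAGIC = b"snoop\0\0\0"          # 8-byte file signature
SNOOP_VERSION = 2                     # format version Solaris snoop writes
DL_ETHERNET = 4                       # RFC 1761 datalink code for Ethernet
REC_HDR = struct.Struct(">IIIIII")    # per-record header: orig_len incl_len rec_len drops secs usecs

def build_snoop_file(frames, drops=0):
    """Serialise raw Ethernet frames into a snoop capture (used here only to build test data)."""
    out = bytearray(SNOOP_MAGIC + struct.pack(">II", SNOOP_VERSION, DL_ETHERNET))
    for i, frame in enumerate(frames):
        pad = (-len(frame)) % 4                       # records are padded to a 4-byte boundary
        out += REC_HDR.pack(len(frame), len(frame), REC_HDR.size + len(frame) + pad,
                            drops, 1000 + i, 0)       # placeholder timestamps
        out += frame + b"\0" * pad
    return bytes(out)

def parse_snoop_file(data):
    """Yield (orig_len, drops, secs, usecs, frame) per record; refuse bad magic or truncation."""
    if len(data) < 16 or data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop capture (bad magic)")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != SNOOP_VERSION or datalink != DL_ETHERNET:
        raise ValueError(f"unsupported snoop version {version} / datalink {datalink}")
    off = 16
    while off < len(data):
        if off + REC_HDR.size > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        orig_len, incl_len, rec_len, drops, secs, usecs = REC_HDR.unpack_from(data, off)
        if rec_len < REC_HDR.size + incl_len or off + rec_len > len(data):
            raise ValueError(f"truncated record at offset {off}")
        yield orig_len, drops, secs, usecs, data[off + REC_HDR.size:off + REC_HDR.size + incl_len]
        off += rec_len

def summarize(frame):
    """Decode Ethernet/IPv4 and TCP, UDP or ICMP just far enough for a snoop-like summary."""
    ethertype = struct.unpack(">H", frame[12:14])[0]
    if ethertype != 0x0800:
        return "? -> *", f"ETHER Type={ethertype:04x}"
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = "BROADCAST" if ip[16:20] == b"\xff\xff\xff\xff" else ".".join(map(str, ip[16:20]))
    l4, text = ip[ihl:], f"IP proto={proto}"
    if proto == 6:
        sport, dport = struct.unpack(">HH", l4[:4])
        if dport == 23:
            text = f"TELNET C port={sport}"           # client side, as snoop labels it
        elif sport == 23:
            text = f"TELNET R port={dport}"           # server reply
        else:
            text = f"TCP D={dport} S={sport}"
    elif proto == 17:
        sport, dport, ulen = struct.unpack(">HHH", l4[:6])
        text = f"UDP D={dport} S={sport} LEN={ulen}"
    elif proto == 1:
        kind = {8: "Echo request", 0: "Echo reply"}.get(l4[0], f"type {l4[0]}")
        ident, seq = struct.unpack(">HH", l4[4:8])
        text = f"ICMP {kind} (ID: {ident} Sequence number: {seq})"
    return f"{src} -> {dst}", text

def summarize_capture(data):
    """Render every record the way `snoop -D -S` does: peers, drops, length, protocol."""
    return [f"{peers} drops: {drops} length: {orig_len} {text}"
            for orig_len, drops, _s, _u, frame in parse_snoop_file(data)
            for peers, text in [summarize(frame)]]

def _csum(b):                                         # ones-complement checksum for the IPv4 header
    s = sum(struct.unpack(f">{len(b) // 2}H", b))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_frame(src, dst, proto, payload, ttl=64, ident=1):
    """Constructed Ethernet+IPv4 frame (DF set, no options); the MAC addresses are placeholders."""
    eth = bytes.fromhex("0040cac9a476" "00902710d750") + b"\x08\x00"
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + hdr[:10] + struct.pack(">H", _csum(hdr)) + hdr[12:] + payload

def tcp(sport, dport, flags, data=b""):
    """Minimal TCP segment: 20-byte header, placeholder seq/ack, checksum left zero."""
    return struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 16623, 0, 0) + data

# Constructed frames modelled on the sessions in this post (Telnet 2843<->23, ping ID 768, UDP broadcast).
SAMPLE_FRAMES = [
    ipv4_frame("192.168.1.11", "192.168.1.12", 6, tcp(2843, 23, 0x10), ttl=128),             # ACK only
    ipv4_frame("192.168.1.12", "192.168.1.11", 6, tcp(23, 2843, 0x18, b"login: "), ttl=60),  # PSH+ACK
    ipv4_frame("192.168.1.11", "192.168.1.12", 1, struct.pack(">BBHHH", 8, 0, 0, 768, 1280) + b"abcd"),
    ipv4_frame("10.10.10.50", "255.255.255.255", 17, struct.pack(">HHHH", 2541, 177, 35, 0) + b"x" * 27),
]
SAMPLE_CAPTURE = build_snoop_file(SAMPLE_FRAMES)

if __name__ == "__main__":
    print("\n".join(summarize_capture(SAMPLE_CAPTURE)))
```

Point parse_snoop_file at the bytes of a real packet.pkt written by snoop -o and the same summarize_capture loop applies; the lengths it reports come from the record's original-length field, which is why a file from -o carries the same values that -S prints, and the drops field is the number -D shows.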

Source: ITPUB博客, http://blog.itpub.net/768134/viewspace-695391/
