Thursday, June 21, 2007

Snoop on Solaris and Ethereal

I am a big fan of Ethereal tool and use it frequently for analysis of network traffic.
The GUI is great and we can decode HTTP traffic from the TCP packet frames.

Recently I had to capture the traffic on a remote production box running on Solaris and did not have the time to install Ethereal there. I knew about the 'snoop' command on Solaris and had used it in the past to capture network calls.
But I did not know that the snoop command can write all captured network packets to a file that is RFC 1761- compliant. What that means is that I can write the packets to a file and then open that file anywhere in Ethereal :)

This was just what I needed for my scenario. Quick listing of snoop commands:

- To capture packets to a file and only those on port 9080
snoop -o fileName.cap port 9080

- To format a captured file in ASCII
snoop -i fileName.cap -x0