Using Snoop on Solaris

This week I have been looking at a performance problem on some Solaris Unix boxes. Because the logs did not provide enough data, I have had to piece together the transaction timeline from network captures. Normally these are supplied to me by the sysadmin, or I capture them myself with Wireshark. This time, however, I had access to the boxes and could do the capture with the Unix tool snoop. So, here are my notes on using snoop.

First, if snoop is not in your path you will need to find it and add its location to your path. On Solaris it normally lives in /usr/sbin; if it is not there, locate it with

find / -name snoop

Next, on a machine with more than one network interface you have to find the correct interface to monitor. List them with

netstat -i

(ifconfig -a also lists them, together with their addresses.)

You will need root access to run snoop, so the basic command will be

sudo snoop

Without a -d option snoop listens on the first non-loopback interface it finds, which on a multi-homed box is often not the one you want, so the examples below always name the interface.

Here are a few other examples

Capture packets on network interface vnet2 for any traffic that doesn't use port 7001

sudo snoop -d vnet2 not port 7001

Capture packets that are to or from server gbcrf123 on network interface vnet2

sudo snoop -d vnet2 gbcrf123

And now, if you want to capture to a file that can be read by Wireshark, use

sudo snoop -o filename

The -d option and a filter expression combine with -o in the same way as above. The file is written in snoop's own capture format, which Wireshark opens directly; you can also read it back on the box with snoop's -i option. Bear in mind that the file holds full packet payloads, so treat it like any other sensitive data: keep it on a protected filesystem and delete it once the analysis is done.
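Putting the steps above together, here is a small sh wrapper. It is an added example and not part of the original post: it checks that you are root, checks the interface name against the output of netstat -i, and then runs snoop with your filter into a timestamped capture file. It is written so that it also runs under the legacy Solaris Bourne shell (backticks, no "if !"). The default snoop path, the output directory, the COUNT variable and the interface and filter in the usage line are assumptions, not anything from the original post.

```shell
#!/bin/sh
# capture.sh - added example, not from the original post: wrap the snoop steps
# (locate snoop, check the interface, run as root, write a capture file) in one
# script.  Paths, interface names and filters are placeholders / assumptions.

SNOOP=${SNOOP:-/usr/sbin/snoop}   # usual location on Solaris; set SNOOP if find(1) found it elsewhere
OUTDIR=${OUTDIR:-/var/tmp}        # assumed scratch directory for capture files
COUNT=${COUNT:-}                  # optional: stop after this many packets (snoop -c)

# Numeric uid without 'id -u', which older Solaris /usr/bin/id does not accept.
current_uid() {
    id | sed 's/^uid=\([0-9]*\).*/\1/'
}

# Succeeds if $1 appears in the Name column of 'netstat -i' read from stdin.
iface_listed() {
    awk 'NR > 1 { print $1 }' | grep "^$1\$" > /dev/null
}

# Print the snoop command line: -d interface, -o file, -q to silence the packet
# counter, optional -c count, then the filter expression (may be empty).
#   $1 = interface, $2 = output file, $3... = filter words
build_snoop_cmd() {
    iface=$1; out=$2; shift 2
    cmd="$SNOOP -d $iface -o $out -q"
    [ -n "$COUNT" ] && cmd="$cmd -c $COUNT"
    [ $# -gt 0 ] && cmd="$cmd $*"
    printf '%s\n' "$cmd"
}

# Run a capture.  $1 = interface, remaining args = filter expression.
# snoop runs until Ctrl-C (or until -c packets); the capture path is printed.
capture() {
    iface=$1; shift
    if [ "`current_uid`" -ne 0 ]; then
        echo "snoop needs root; re-run under sudo" >&2
        return 1
    fi
    netstat -i | iface_listed "$iface" || {
        echo "interface $iface not listed by 'netstat -i'" >&2
        return 1
    }
    out="$OUTDIR/$iface-`date +%Y%m%d-%H%M%S`.snoop"
    cmd=`build_snoop_cmd "$iface" "$out" "$@"`
    echo "running: $cmd" >&2
    $cmd                            # unquoted on purpose: split into words
    echo "$out"
}

# Usage: sudo ./capture.sh vnet2 not port 7001
# With no arguments the file only defines the functions, so it can be sourced.
if [ "${1:-}" != "" ]; then
    capture "$@"
fi
```

Set COUNT (for example COUNT=500) to bound the capture when you only need the first few hundred packets of a transaction; the resulting .snoop file opens in Wireshark as-is.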

