I am trying to collect network traffic information of an old Solaris box, running Solaris 10. Now I am aware of the fact that there is no tcpdump utility there, just snoop which is similar, but yet different.
I am trying to collect SYN and FIN flagged TCP packets from all active interfaces. My problem is that I can not create the correct grouping of my filter expression. This is the version that runs, but I think it to be incorrect:
snoop -d e1000g1 -P -r -t a -v 'tcp and tcp[13] & (2 | 1) != 0 '
And this is what I think should be correct. The intention is to filter all TCP packages - that is the tcp and on the beginning - and narrow it down to capture only packages which have SYN or FIN TCP flags set (which are the rightmost 2 bits from the tcp[13] byte). Unfortunately the Linux-style aliases like tcp[tcpflags] & (tcpSYN|tcpFIN) do not work here.
snoop -d e1000g1 -P -r -t a -v 'tcp and (tcp[13] & (2 | 1) != 0 ) '
So I wanted to group SYN/FIN checking with patentheses, but I get syntax error. I feel stuck now. Can you help me?
Do you need do the SYN / FIN level filtering with snoop?
I've had best luck doing a wide capture with snoop to a file and then using tcpdump / Wireshark to filter that capture file further for actual analysis.
I've used tcpdump for decades -- though I still need to look syntax up for things like you're talking about -- and find that snoop makes me feel limited. I'm sure there are snoop wizards that can get a lot deeper than me.
But at the end of the day, sometimes it's a question of what method / tool gets the job done.
Along that lines, if it wasn't for the -a (audible) option to snoop I'd wonder about sending the output of snoop through grep looking for SYN & FIN (case not withstanding).
The other command example is collecting packages, but I think there is a logical error in the selection. Anyhow, some further reading taught me the following. Snoop itself creates filter code which is used at kernel level - when it is possible - and the rest is running at user level. The "tcp" filter, when it stands at the beginning of the filter expression, is generated to run at kernel level and the SYN/FIN selection at user level. Thus there is a chance that my expression is working correctly.
Yes, I have found all of the above links on my search, but I did not find answer on my original question: what's wrong with my parentheses in the filter expression. According to the snoop man page it is correct to use parentheses for grouping logical operations. And it is working in some cases, but not in my lines.
For example this kind of grouping is accepted by snoop: snoop -d e1000g1 -P -r -t a -v ' (host 1.2.3.4 and port 19945) or (host 44.55.33.22 and port 5656) '
But I did not find any way to use 'tcp[13]' structure between parentheses.
@DrScriptt yes, I need to filter those packages with snoop. I need to run snoop for an extended period of time to collect network connections. This is an old and mostly unknown server host with wery minimal documentation - yes, it's a shame, but not my shame, I just need to do the cleanup.
So, I need to collect and track every communication directions which occur to and from this box to prepare for its data migration. I have no space to collect full traffic, but I have enough to have just the SYN and FIN packages. Maybe SYN would be enough as well - with the extra info of currently open sockets from netstat
Fair enough. I thought it prudent to ask to see what sort of flexibility there was in finding a solution.
#beenThereDoneThat
I like that. #notMyCircusNotMyMonkeysButIRecognizeTheRingleader
I understand and sympathize with you.
I just did a proof of concept in my Solaris 10 x86 VM using the following command:
snoop -d e1000g0 'ip and tcp and tcp[13:1]&0x0002 = 2' or 'ip and tcp and tcp[13:1]&0x0001 = 1'
I had to add the ip and tcp despite the tcp[13:1] to make sure that I was only looking at IP and TCP traffic. Without tcp, UDP traffic would be pulled in. I assume that without ip other non-IP traffic would have been pulled in. -- My speculation is that the expression is converted into byte comparisons at various offsets and other things may match that aren't TCP / IP if those conditions aren't also included.
This is deeper than I usually get into snoop or packets period. I had to reference the TCP header, the UDP header, and IP header to make sense of the examples in the snoop man page to make sure I understood how to access the SYN and FIN flag (bits).
Test and see if it gets you close.
Good luck.
Please let us know what ends up working (or not) for you.
Thanks for the detailed reply. This version is working for me. Now I plan to collect pcap files with snoop and then analyze them elsewhere with tcpdump - as I have some chiseled awk scripts already from other similar pre migration studies.
