snoop command

kurtolo · February 4, 2004, 6:41am

Hi.
I'm trying to capture traffic with the snoop command using the net expression but I fail when a I've to specify a subnet
ex: 10.201.64/18
Did you know the correct syntax?
I've tried with
snoop -ta -x0 net 10.201.64.0 255.255.192.0
but doesn't match.

Thnx

malcom · February 4, 2004, 7:39am

RTFM

rb2k · January 21, 2008, 6:01am

Sorry for ressurecting the old thread... but it's still pretty high on google
I did read the manual... still can't figure out how to specify a subnet

the man page says:

  net net
       True  if	 either	 the  IP  source  or  destination
       address	has a network number of	net.  The from or
       to qualifier may	be used	 to  select  packets  for
       which the network number	occurs only in the source
       or destination address.

snoop -v net 10.0.0.0 255.0.0.0 doesn't seem to capture packets coming from/going to nodes in the 10.X net
snoop -v net 10.0.0.0/8 ---> invalid expression at "".
snoop -v net 10.0.0.0 8 doesn't seem to capture any packets either

jlliagre · January 21, 2008, 7:16am

The manual page states the network number should be used. You are adding various ways to specify the network mask which aren't expected by the command.
Try:

snoop -v net 10.0.0.0

rb2k · January 21, 2008, 7:55am

hm, thanks for the fast answer

So does snoop simply try to guess the network mask? (kinda strange... isn't it?)

Even with the "proper" commadnline, snoop doesn't seem to properly capture anything on my Solaris Box (sun 0S 5.8 on a SPARC cpu)

It could be that bug though I guess: Bug ID: 6407761 Improve how snoop filters on a subnet