Most often used Network Sniffer flags for tcpdump and snoop

The most often used flags for tcpdump and snoop are listed below. snoop is for SunOS/Solaris, while tcpdump is available on almost all Unix/Linux variants. Filters will be discussed in another post. To read back and process the captured files, I use Wireshark, which provides lots of options to deep dive into the packet stream.

| Purpose | snoop | tcpdump | Description |
|---|---|---|---|
| Select interface | `-d <iface>` | `-i <iface>` | Not needed if the system has only one interface (ignoring localhost) |
| Capture full packets | `-s 0` | `-s 0` | The snap length controls how much of each packet is captured; zero means capture all of it |
| Write capture to a file | `-o <filename>` | `-w <filename>` | |
| Avoid DNS lookups for IPs in capture | `-r` | `-n` | No DNS lookups are performed when displaying the real-time capture, which is good for efficiency |

Examples

  1. To capture full network traffic and display it in real time:

    /usr/sbin/snoop -r -s 0 -d e1000g0
    /usr/sbin/tcpdump -n -s 0 -i eth0

  2. To capture full network traffic and save it to a file:

    /usr/sbin/snoop -s 0 -d e1000g0 -o ~/capture.pcap
    /usr/sbin/tcpdump -s 0 -i eth0 -w ~/capture.pcap
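One caveat when reading captures back: `snoop -o` writes the RFC 1761 snoop file format, not libpcap format, whatever extension you give the file, so it is worth checking what a capture actually is before handing it to other tools. The following POSIX shell function, added here as an example and not part of the original post, identifies a capture file from its header bytes; the function name is my own choice.

```shell
#!/bin/sh
# Identify the on-disk format of a capture file from its first 8 bytes.
# Prints one of: snoop, pcap, pcap-ns, pcapng, unknown (exit 1 for unknown).
capture_format() {
  f=$1
  [ -r "$f" ] || { echo unknown; return 1; }
  # First 8 bytes as lowercase hex with no separators, e.g. d4c3b2a102000400
  hdr=$(dd if="$f" bs=8 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
  case $hdr in
    736e6f6f70000000)   echo snoop ;;    # "snoop\0\0\0" magic (RFC 1761), what snoop -o writes
    d4c3b2a1*|a1b2c3d4*) echo pcap ;;    # libpcap magic, microsecond timestamps (tcpdump -w)
    4d3cb2a1*|a1b23c4d*) echo pcap-ns ;; # libpcap magic, nanosecond timestamps
    0a0d0d0a*)           echo pcapng ;;  # pcapng section header block type
    *)                   echo unknown; return 1 ;;
  esac
}
```

Wireshark reads all four formats, but tools that expect libpcap input will reject a snoop-format file, so check before renaming or converting.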