The most commonly used flags for tcpdump and snoop are listed below. Snoop ships with SunOS/Solaris, while tcpdump is available on almost every Unix/Linux variant. Capture filters will be covered in a separate post. To read back and analyse the saved capture files, I use Wireshark, which offers plenty of options for deep-diving into the packet stream.
| Purpose | snoop | tcpdump | Description |
|---|---|---|---|
| Select interface | -d <iface> | -i <iface> | Not needed if the system has only one interface (loopback aside). |
| Capture full packets | -s 0 | -s 0 | The snap length controls how many bytes of each packet are captured; zero means capture whole packets. |
| Write capture to a file | -o <filename> | -w <filename> | Saves the raw packets for later analysis, e.g. in Wireshark. |
| Avoid DNS lookups for IPs in capture | -r | -n | Suppresses reverse DNS lookups when displaying a real-time capture; faster, and the tool does not generate lookup traffic of its own while capturing. |
Examples
- To capture full network traffic and display it in real time:
  snoop: /usr/sbin/snoop -r -s 0 -d e1000g0
  tcpdump: /usr/sbin/tcpdump -n -s 0 -i eth0
- To capture full network traffic and save it to a file:
  snoop: /usr/sbin/snoop -s 0 -d e1000g0 -o ~/capture.pcap
  tcpdump: /usr/sbin/tcpdump -s 0 -i eth0 -w ~/capture.pcap
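The effect of the snap length only becomes visible when the saved file is read back. As an added example (not from the original post), the Python check below parses a classic libpcap file, reads the snaplen recorded in its header, and counts records whose captured length is shorter than the original frame, i.e. packets that were clipped because the capture was not taken with -s 0. The sample pcap it builds is constructed inline; the function and field names are my own.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic number (microsecond timestamps)


def pcap_truncation_report(data: bytes) -> dict:
    """Parse a classic pcap file and report how many records were clipped.

    With a snap length covering every frame (what '-s 0' gives you), every
    record has incl_len == orig_len.  A record with incl_len < orig_len was
    cut short by the snap length and can never be fully reassembled later.
    """
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"  # little-endian writer
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"  # big-endian writer
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    off, packets, truncated = 24, 0, 0
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("record %d runs past end of file" % (packets + 1))
        if incl_len < orig_len:
            truncated += 1
        packets += 1
        off += incl_len
    return {"snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated": truncated}


def build_sample_pcap(snaplen: int, frame_lengths) -> bytes:
    """Constructed sample: synthesize a pcap whose frames are clipped at snaplen."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)  # 1 = Ethernet
    out = [hdr]
    for i, n in enumerate(frame_lengths):
        incl = min(n, snaplen)
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, incl, n))
        out.append(b"\x00" * incl)  # dummy frame bytes, content is irrelevant here
    return b"".join(out)


if __name__ == "__main__":
    print(pcap_truncation_report(build_sample_pcap(96, [60, 1514, 500])))
```

Run the check on a real file with `pcap_truncation_report(open("capture.pcap", "rb").read())` before spending time in Wireshark; a non-zero `truncated` count means payload analysis will be incomplete.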