The most often used flags for tcpdump and snoop are listed below. snoop is the SunOS tool, while tcpdump is available on nearly all Unix/Linux systems. Filters will be covered in another post. To read back and process the captured files, I use Wireshark, which provides many options for digging deep into the packet stream.
| Purpose | snoop | tcpdump | Notes |
|---|---|---|---|
| Select interface | `-d <iface>` | `-i <iface>` | Not needed if the system has only one interface (ignoring localhost) |
| Capture full packets | `-s 0` | `-s 0` | The snap length controls how many bytes of each packet are captured; zero means capture everything |
| Write capture to a file | `-o <filename>` | `-w <filename>` | |
| Avoid DNS lookups for IPs in the capture | `-r` | `-n` | No DNS lookups are performed while displaying the real-time capture, which improves efficiency |
- To capture full network traffic and display it in real time:

    /usr/sbin/snoop -r -s 0 -d e1000g0
    /usr/sbin/tcpdump -n -s 0 -i eth

- To capture full network traffic and save it to a file:

    /usr/sbin/snoop -s 0 -d e1000g0 -o ~/capture.pcap
    /usr/sbin/tcpdump -s 0 -i eth0 -w ~/capture.pcap
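As an added example (not from the original post), the POSIX shell functions below inspect a saved capture's file header to check what the flags above actually produced: whether the file is a pcap written by tcpdump or an RFC 1761 snoop file (snoop -o writes its own format regardless of the .pcap extension; Wireshark reads both), and, for pcap, whether the recorded snap length is large enough for whole packets, which is what -s 0 is meant to guarantee. The sample headers are constructed inline; the 65535 threshold for "full" is this example's assumption.

```shell
# read_u32 FILE OFFSET ORDER -> decimal value of the 4 bytes at OFFSET; ORDER is le or be
read_u32() {
    od -A n -t u1 -j "$2" -N 4 "$1" | {
        read -r b0 b1 b2 b3
        if [ "$3" = le ]; then
            echo $(( b0 | b1 << 8 | b2 << 16 | b3 << 24 ))
        else
            echo $(( b0 << 24 | b1 << 16 | b2 << 8 | b3 ))
        fi
    }
}

# capture_info FILE -> one line: "pcap snaplen=N full|truncated",
# "snoop version=N", "pcapng", or "unknown" (exit status 1)
capture_info() {
    magic=$(od -A n -t x1 -N 4 "$1" | tr -d ' ')
    case "$magic" in
        d4c3b2a1|4d3cb2a1) order=le ;;        # pcap from a little-endian host (x86)
        a1b2c3d4|a1b23c4d) order=be ;;        # pcap from a big-endian host (SPARC)
        0a0d0d0a) echo pcapng; return 0 ;;     # pcapng keeps snaplen per interface block
        736e6f6f)                              # "snoo": RFC 1761 snoop file header
            echo "snoop version=$(read_u32 "$1" 8 be)"; return 0 ;;
        *) echo unknown; return 1 ;;
    esac
    # pcap global header: magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
    snaplen=$(read_u32 "$1" 16 "$order")
    if [ "$snaplen" -ge 65535 ]; then          # assumption: anything below this truncates frames
        echo "pcap snaplen=$snaplen full"
    else
        echo "pcap snaplen=$snaplen truncated"
    fi
}

# le32 N -> the four little-endian bytes of N as printf octal escapes
le32() {
    printf '\\%03o\\%03o\\%03o\\%03o' \
        $(( $1 & 255 )) $(( $1 >> 8 & 255 )) $(( $1 >> 16 & 255 )) $(( $1 >> 24 & 255 ))
}

# Constructed sample headers (no real traffic): a little-endian pcap 2.4 header with
# the given snaplen and linktype 1 (Ethernet), and a snoop v2 header for Ethernet.
make_sample_pcap() {
    printf "\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000$(le32 "$2")\001\000\000\000" > "$1"
}
make_sample_snoop() {
    printf 'snoop\000\000\000\000\000\000\002\000\000\000\004' > "$1"
}
```

Run `capture_info ~/capture.pcap` on a real file; a "truncated" result means the capture was taken with a small snap length and payloads past that length are gone.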