Solaris Command Reference Manual in Chinese (4)

王朝other · author unknown  2006-11-24

Using snoop

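Snoop is a tool that ships with Solaris. It displays network traffic: it captures IP packets and either displays them or saves them to a specified file. (Only the superuser may use snoop.)

Snoop can summarize each captured packet on a single line or describe it in detail over multiple lines (selected with the -v and -V options). In summary mode (-V), only the highest-level protocol is shown; for example, an NFS packet shows only the NFS information, and the underlying RPC, UDP, IP, and Ethernet frame information is not displayed. Adding the corresponding option (-v) displays all of it.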

Options overview:

[ -a ] # Listen to packets on audio

[ -d device ] # settable to le?, ie?, bf?, tr?

[ -s snaplen ] # Truncate packets

[ -c count ] # Quit after count packets

[ -P ] # Turn OFF promiscuous mode

[ -D ] # Report dropped packets

[ -S ] # Report packet size

[ -i file ] # Read previously captured packets

[ -o file ] # Capture packets in file

[ -n file ] # Load addr-to-name table from file

[ -N ] # Create addr-to-name table

[ -t r|a|d ] # Time: Relative, Absolute or Delta

[ -v ] # Verbose packet display

[ -V ] # Show all summary lines

[ -p first[,last] ] # Select packet(s) to display

[ -x offset[,length] ] # Hex dump from offset for length

[ -C ] # Print packet filter code

Because snoop is very flexible, the examples below are meant to show its most common uses.

1. Capture all packets sent from or to this host and display them.

# snoop

2. Capture all packets sent from or to host A and display them. (A is a host name; the same applies below.)

# snoop A

3. Capture all packets between A and B and save them to the file named file.

# snoop -o file A B

4. Display the specified packets (99-108) from the file named file:

# snoop -i file -p 99,108

99 0.0027 boutique -> sunroof NFS C GETATTR FH=8E6C

100 0.0046 sunroof -> boutique NFS R GETATTR OK

101 0.0080 boutique -> sunroof NFS C RENAME FH=8E6C MTra00192 to .nfs08

102 0.0102 marmot -> viper NFS C LOOKUP FH=561E screen.r.13.i386

103 0.0072 viper -> marmot NFS R LOOKUP No such file or directory

104 0.0085 bugbomb -> sunroof RLOGIN C PORT=1023 h

105 0.0005 kandinsky -> sparky RSTAT C Get Statistics

106 0.0004 beeblebrox -> sunroof NFS C GETATTR FH=0307

107 0.0021 sparky -> kandinsky RSTAT R

108 0.0073 office -> jeremiah NFS C READ FH=2584 at 40960 for 8192

5. Show packet 101 from the file named file in detail:

# snoop -i file -v -p101

ETHER: ----- Ether Header -----

ETHER:

ETHER: Packet 101 arrived at 16:09:53.59

ETHER: Packet size = 210 bytes

ETHER: Destination = 8:0:20:1:3d:94, Sun

ETHER: Source = 8:0:69:1:5f:e, Silicon Graphics

ETHER: Ethertype = 0800 (IP)

ETHER:

IP: ----- IP Header -----

IP:

IP: Version = 4, header length = 20 bytes

IP: Type of service = 00

IP: ..0. .... = routine

IP: ...0 .... = normal delay

IP: .... 0... = normal throughput

IP: .... .0.. = normal reliability

IP: Total length = 196 bytes

IP: Identification 19846

IP: Flags = 0X

IP: .0.. .... = may fragment

IP: ..0. .... = more fragments

...

6. Show the NFS packets between host A and host B (the and and or in the command are the corresponding logical operators)

# snoop -i file rpc nfs and A and B

1 0.0000 A -> B NFS C GETATTR FH=8E6C

2 0.0046 B -> A NFS R GETATTR OK

3 0.0080 A -> B NFS C RENAME FH=8E6C MTra00192 to .nfs08

7. Save the packets that match these conditions to another file, file2:

# snoop -i file -o file2 rpc nfs A B

8. Capture all TCP port 80 or UDP port 80 packets between host A and host B

# snoop A and B and \( tcp or udp \) and port 80

9. Capture all broadcast packets

# snoop broadcast

Using device /dev/hme (promiscuous mode)

10.10.10.50 -> BROADCAST UDP D=177 S=2541 LEN=35

10.10.10.50 -> BROADCAST UDP D=177 S=2541 LEN=35

10.10.10.50 -> BROADCAST UDP D=177 S=2541 LEN=35

10. Capture all multicast packets and show them in detail.

# snoop -v multicast

ETHER: ----- Ether Header -----

ETHER:

ETHER: Packet 1 arrived at 12:33:2.16

ETHER: Packet size = 69 bytes

ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)

ETHER: Source = 0:4:76:46:8f:50,

ETHER: Ethertype = 0800 (IP)

ETHER:

IP: ----- IP Header -----

IP:

IP: Version = 4

IP: Header length = 20 bytes

IP: Type of service = 0x00

IP: xxx. .... = 0 (precedence)

IP: ...0 .... = normal delay

IP: .... 0... = normal throughput

IP: .... .0.. = normal reliability

IP: Total length = 55 bytes

IP: Identification = 14658

IP: Flags = 0x0

IP: .0.. .... = may fragment

IP: ..0. .... = last fragment

IP: Fragment offset = 0 bytes

IP: Time to live = 128 seconds/hops

IP: Protocol = 17 (UDP)

IP: Header checksum = ed38

IP: Source address = 10.10.10.50, 10.10.10.50

IP: Destination address = 255.255.255.255, BROADCAST

IP: No options

IP:

UDP: ----- UDP Header -----

UDP:

UDP: Source port = 2541

UDP: Destination port = 177

UDP: Length = 35

UDP: Checksum = 8E35

UDP:

ETHER: ----- Ether Header -----

ETHER:

ETHER: Packet 2 arrived at 12:33:12.16

ETHER: Packet size = 69 bytes

ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)

ETHER: Source = 0:4:76:46:8f:50,

ETHER: Ethertype = 0800 (IP)

ETHER:

IP: ----- IP Header -----

IP:

IP: Version = 4

IP: Header length = 20 bytes

IP: Type of service = 0x00

IP: xxx. .... = 0 (precedence)

IP: ...0 .... = normal delay

IP: .... 0... = normal throughput

IP: .... .0.. = normal reliability

IP: Total length = 55 bytes

IP: Identification = 14985

IP: Flags = 0x0

IP: .0.. .... = may fragment

IP: ..0. .... = last fragment

IP: Fragment offset = 0 bytes

IP: Time to live = 128 seconds/hops

IP: Protocol = 17 (UDP)

IP: Header checksum = ebf1

IP: Source address = 10.10.10.50, 10.10.10.50

IP: Destination address = 255.255.255.255, BROADCAST

IP: No options

IP:

UDP: ----- UDP Header -----

UDP:

UDP: Source port = 2541

UDP: Destination port = 177

UDP: Length = 35

UDP: Checksum = 8E35

UDP:

11. Capture all NTP packets

# snoop | grep -i NTP

Using device /dev/hme (promiscuous mode)

ts1 -> 224.0.1.1 NTP broadcast (Tue Jul 23 12:48:50 2002)

ts1 -> 224.0.1.1 NTP broadcast (Tue Jul 23 12:49:54 2002)

ts1 -> 224.0.1.1 NTP broadcast (Tue Jul 23 12:50:58 2002)

ts1 -> 224.0.1.1 NTP broadcast (Tue Jul 23 12:52:02 2002)

ts1 -> 224.0.1.1 NTP broadcast (Tue Jul 23 12:53:06 2002)

ts1 -> 224.0.1.1 NTP broadcast (Tue Jul 23 12:54:10 2002)

Here we can also see that the NTP server broadcasts to the multicast address about once a minute.
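Examples 3 to 7 save packets with -o and read them back with -i and -p. The following is an added example, not part of the original page: a Python reader for such a capture file, assuming it follows the RFC 1761 snoop format (version 2). The names read_snoop, select, summarize and make_record are hypothetical, and the sample capture is constructed from the values shown in examples 9 and 10.

```python
import struct

MAGIC = b"snoop\x00\x00\x00"      # RFC 1761 identification pattern
ETHERNET = 4                      # RFC 1761 datalink type code
REC = struct.Struct(">6I")        # orig_len, incl_len, rec_len, drops, sec, usec

def read_snoop(buf):
    """Yield (packet number, record) for each packet in a snoop capture."""
    if len(buf) < 16 or buf[:8] != MAGIC:
        raise ValueError("not a snoop capture file")
    version, datalink = struct.unpack(">II", buf[8:16])
    if version != 2:
        raise ValueError(f"unsupported snoop version {version}")
    off, num = 16, 0
    while off + REC.size <= len(buf):
        orig, incl, rec_len, drops, sec, usec = REC.unpack_from(buf, off)
        # Reject lengths that would run past the buffer or never advance.
        if rec_len < REC.size + incl or off + rec_len > len(buf):
            raise ValueError(f"corrupt record at offset {off}")
        num += 1
        data = buf[off + REC.size:off + REC.size + incl]
        yield num, {"datalink": datalink, "orig_len": orig, "drops": drops,
                    "time": sec + usec / 1e6, "data": data}
        off += rec_len

def select(buf, first, last=None):
    """Same packet selection as `snoop -i file -p first[,last]`."""
    return [(n, r) for n, r in read_snoop(buf) if first <= n <= (last or first)]

def summarize(rec):
    """Summary line for an Ethernet/IPv4 frame: 'src -> dst proto=N'."""
    d = rec["data"]
    if rec["datalink"] != ETHERNET or len(d) < 34 or d[12:14] != b"\x08\x00":
        return "non-IPv4 frame"
    src, dst = (".".join(map(str, d[i:i + 4])) for i in (26, 30))
    return f"{src} -> {dst} proto={d[23]}"

def make_record(frame, sec):
    """Build one constructed packet record, padded to a 4-byte boundary."""
    body = frame + bytes(-len(frame) % 4)
    return REC.pack(len(frame), len(frame), REC.size + len(body), 0, sec, 0) + body

# Constructed sample (not a real capture): three copies of the 69-byte
# broadcast UDP frame shown in examples 9 and 10, ten seconds apart.
FRAME = (bytes.fromhex("ffffffffffff000476468f500800"              # Ethernet
                       "4500003700000000801100000a0a0a32ffffffff")  # IPv4
         + struct.pack(">4H", 2541, 177, 35, 0) + bytes(27))       # UDP + data
SAMPLE = MAGIC + struct.pack(">II", 2, ETHERNET) + b"".join(
    make_record(FRAME, 1000 + 10 * i) for i in range(3))
```

select(SAMPLE, 2, 3) returns packets 2 and 3, and summarize() on any of them gives "10.10.10.50 -> 255.255.255.255 proto=17".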

date

# date

2003年10月12日 星期日 10时04分16秒 CST

(CST is the abbreviation for Chinese Standard Time)

# date 10121003 //set the time to 10:03 on October 12

Device management

Floppy disk

# volcheck

fdformat [-dDeEfHlLmMUqvx] [-b label] [-B filename] [-t dos-type] [devname] //format

prtconf

# prtconf //configuration information

System Configuration: Sun Microsystems i86pc

Memory size: 128 Megabytes //memory

System Peripherals (Software Nodes):

i86pc

+boot (driver not attached)

memory (driver not attached)

aliases (driver not attached)

chosen (driver not attached)

i86pc-memory (driver not attached)

i86pc-mmu (driver not attached)

openprom (driver not attached)

options, instance #0

packages (driver not attached)

delayed-writes (driver not attached)

itu-props (driver not attached)

isa, instance #0

motherboard (driver not attached)

asy, instance #0

asy, instance #1

lp (driver not attached)

fdc, instance #0

fd, instance #0

fd, instance #1 (driver not attached)

i8042, instance #0

keyboard, instance #0

mouse, instance #0

PNP0C02 (driver not attached)

PNP0C02 (driver not attached)

PNP0C02 (driver not attached)

bios (driver not attached)

bios (driver not attached)

bios (driver not attached)

pci, instance #0

pci15ad,1976 (driver not attached)

pci8086,7191 (driver not attached)

pci15ad,1976 (driver not attached)

pci-ide, instance #0

ide, instance #0

cmdk, instance #0

ide, instance #1

sd, instance #0

pci15ad,1976, instance #0

pci15ad,1976 (driver not attached)

display, instance #0

pci1022,2000, instance #0

pci1274,1371 (driver not attached)

used-resources (driver not attached)

objmgr, instance #0

cpus (driver not attached)

cpu, instance #0 (driver not attached)

pseudo, instance #0

#

# prtconf | grep Memory //show memory

Memory size: 128 Megabytes

arch

# arch -k //find out the system architecture

i86pc

uname

# uname -m

i86pc

# uname

SunOS

# uname -a

SunOS wing 5.9 Generic_112234-03 i86pc i386 i86pc

eject

# eject floppy

eeprom

# eeprom selftest-#megs=64 //change the amount of memory checked by the system self-test

sysdef

# sysdef //more detailed system architecture information

df

# df -k //show the number of files and free blocks on all currently mounted file systems

文件系统 千字节 用了 可用 容量 挂接在

/dev/dsk/c0d0s0 63127 36143 20672 64% /

/dev/dsk/c0d0s6 1201014 768820 372144 68% /usr

/proc 0 0 0 0% /proc

mnttab 0 0 0 0% /etc/mnttab

fd 0 0 0 0% /dev/fd

/dev/dsk/c0d0s3 55047 25258 24285 51% /var

swap 651040 24 651016 1% /var/run

swap 651016 0 651016 0% /tmp

/dev/dsk/c0d0s5 24239 15 21801 1% /opt

/dev/dsk/c0d0s7 2691830 122 2637872 1% /export/home

/dev/dsk/c0d0s1 462639 306816 109560 74% /usr/openwin

# df -a //print information for all file systems

/ (/dev/dsk/c0d0s0 ): 53968 块 30100 文件

/usr (/dev/dsk/c0d0s6 ): 864388 块 261705 文件

/proc (/proc ): 0 块 1878 文件

/etc/mnttab (mnttab ): 0 块 0 文件

/dev/fd (fd ): 0 块
