You are here

Tracing Network Traffic (snoop)

It is often useful to record network traffic on one of the interfaces attached to Airlock. This may be to analyze whether packets sent from external systems reach Airlock, to check network connectivity, routing and firewall settings. The tool used on Airlock (up to version 4.2) to record such traffic is snoop, a common Solaris tool (for Airlock 5, please use tcpdump). Traces recorded with snoop are compatible with other monitoring tools and analyzers like Ethereal or Wireshark.

How to use snoop:

The most important thing to know for recording network traffic are the names of the available network interfaces. They can be found on the Server Setting panel in the Airlock Configuration Center. There is a Management Interface, a Back-end Interface and a Public Interface. The names used for interfaces are, e.g. hme0, qfe0, pcn0, vmxnet0 etc. The names depend on the interface card type used. The number of the interface may vary depending on the network setup.

For the following examples, we assume the network interfaces are named hme0 for the Management Interface and the Back-end Interface, hme1 for the Public Interface.

snoop needs to be started in the global zone. It is not possible to use snoop directly in the ext or int zone, even though tools like curl and telnet have to be used in those zones and cannot be used in the global zone.

To record everything received and transmitted on the Management Interface, use following command:

snoop -d hme0

To restrict the traced traffic to a certain IP address, use following command:

snoop -d hme0 host

To restrict the traced traffic to a certain port, use following command:

snoop -d hme0 port 80

To trace everything except SSH traffic, use following command:

snoop -d hme0 not port 22

To write traffic to a file for further analysis in another tool, use the following command:

snoop -d hme0 -o /tmp/backend.pcap

To reduce the recorded traffic, combine filter expressions while writing the traffic to a file:

snoop -d hme0 -o /tmp/backend.pcap port 443


How to transfer captured data to your workstation:

To copy the recorded data to another system for further analysis, use SCP or WinSCP from the target system, e.g.

scp root@airlock:/tmp/backend.pcap .

Knowledge Base Categories: