path: root/sys/man/8/snoopy
blob: 72d2f102382e18ab7446d7b7203857b594f3c1aa (plain)
.TH SNOOPY 8
.SH NAME
snoopy \- spy on network packets
.SH SYNOPSIS
.B snoopy
[
.B -CDdpst
] [
.B -M
.I m
] [
.B -N
.I n
] [
.B -f
.I filter-expression
] [
.B -h
.I first-header
] [
.I packet-source
]
.PP
.B snoopy
.B -?
[
.I proto...
]
.SH DESCRIPTION
.I Snoopy
reads packets from a
.I packet-source
(default
.BR /net/ether0 ),
matches them to a filter (by default anything matches), and writes
matching packets to standard output either in human readable form (default)
or in a binary trace format that can be later read by
.IR snoopy .
.I Packet-source
can be the name of an Ethernet
(e.g.,
.BR /net/ether0 ),
an interface
(e.g.,
.BR /net/ipifc/0 ),
or a file of captured packets.
.PP
The human readable format consists of multiple lines per packet.
The first line contains the milliseconds since the
trace was started.  Subsequent ones are indented with a tab
and each contains the dump of a single protocol header.  The last line
contains the dump of any contained data.  For example, a
.SM BOOTP
packet would look like:
.IP
.EX
324389 ms
  	ether(s=0000929b1b54 d=ffffffffffff pr=0800 ln=342)
  	ip(s=135.104.9.62 d=255.255.255.255 id=5099 frag=0000...
  	udp(s=68 d=67 ck=d151 ln= 308)
  	bootp(t=Req ht=1 hl=16 hp=0 xid=217e5f27 sec=0 fl=800...
  	dhcp(t=Request clientid=0152415320704e7266238ebf01030...
.EE
.PP
The binary format consists of:
.IP
2 bytes of packet length, msb first
.IP
8 bytes of nanosecond time, msb first
.IP
the packet
.PP
Filters are expressions specifying protocols to be traced
and specific values for fields in the protocol headers.
The grammar is:
.IP
.EX
\fIexpr\fP:	  \fIprotocol\fP
	| \fIfield\fP '=' \fIvalue\fP
	| \fIfield\fP '!=' \fIvalue\fP
	| \fIprotocol\fP '(' \fIexpr\fP ')'
	| '(' \fIexpr\fP ')'
	| \fIexpr\fP '||' \fIexpr\fP
	| \fIexpr\fP '&&' \fIexpr\fP
	| '!' \fIexpr\fP
.EE
.PP
The values for
.I protocol
and
.I field
can
be obtained using the
.B -?
option.  With no arguments, it lists the known protocols.
Otherwise it prints, for each protocol specified,
which subprotocols it can multiplex to,
and which fields can be used for filtering.
For example, the listing for ethernet is currently:
.IP
.EX
ether's filter attributes:
  s  - source address
  d  - destination address
  a  - source|destination address
  sd - source|destination address
  t  - type
ether's subprotos:
  0x0800 ip		  0x8863 pppoe_disc
  0x0806 arp		  0x8864 pppoe_sess
  0x0806 rarp		  0x888e eapol
  0x86dd ip6
.EE
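.PP
As an added illustration (not part of the snoopy source or of this manual), the following Python reads a trace in the binary format described above, decodes the ether attributes s, d and t just listed, and renders records in snoopy's multi-line form, optionally keeping only one Ethernet type; the sample trace is constructed inline, and the millisecond column is measured from the first record rather than from trace start.

```python
import struct

REC_HDR = struct.Struct(">HQ")   # 2-byte length, 8-byte ns timestamp, msb first
ETHERTYPE_ARP = 0x0806           # from the "ether's subprotos" listing

def build_record(ns, pkt):
    """Encode one record as the binary trace format lays it out (sample data only)."""
    return REC_HDR.pack(len(pkt), ns) + pkt

def parse_trace(data):
    """Return [(timestamp_ns, packet)] from a binary trace; reject truncated input."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < REC_HDR.size:
            raise ValueError("truncated record header at offset %d" % off)
        length, ns = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if len(data) - off < length:
            raise ValueError("truncated packet at offset %d" % off)
        records.append((ns, data[off:off + length]))
        off += length
    return records

def ether_fields(pkt):
    """The ether filter attributes listed above: s, d and t (type)."""
    if len(pkt) < 14:
        raise ValueError("short ethernet frame (%d bytes)" % len(pkt))
    return {"d": pkt[0:6].hex(), "s": pkt[6:12].hex(),
            "t": struct.unpack_from(">H", pkt, 12)[0]}

def dump(records, ether_type=None):
    """Render records in the multi-line form; keep only one type if requested."""
    start = records[0][0] if records else 0   # assumption: first record is time zero
    out = []
    for ns, pkt in records:
        f = ether_fields(pkt)
        if ether_type is not None and f["t"] != ether_type:
            continue
        out.append("%d ms\n\tether(s=%s d=%s pr=%04x ln=%d)"
                   % ((ns - start) // 1_000_000, f["s"], f["d"], f["t"], len(pkt)))
    return out

# Constructed sample trace: an ARP broadcast followed, 324389 ms later, by an IP frame.
ARP_FRAME = bytes.fromhex("ffffffffffff 0000929b1b54 0806") + bytes(28)
IP_FRAME = bytes.fromhex("0000929b1b54 00112233aabb 0800") + bytes(20)
SAMPLE_TRACE = build_record(0, ARP_FRAME) + build_record(324_389_000_000, IP_FRAME)

if __name__ == "__main__":
    print("\n".join(dump(parse_trace(SAMPLE_TRACE), ETHERTYPE_ARP)))
```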
.PP
The format of
.I value
depends on context.  In general,
ethernet addresses are entered as a string of hex
digits; IP numbers in the canonical `.' format for v4 and `:' format
for v6; and ports in decimal.
.PP
.IR Snoopy 's
options are:
.TP
.B -C
compute the correct checksum for each packet;
on mismatch, add a field
.B !ck=\fIxxxx\fP
where
.I xxxx
is the correct checksum.
.TP
.B -D
output will be a binary trace file in Unix pcap format.
.TP
.B -d
output will be a binary trace file.
.TP
.B -t
input is a binary trace file as generated with the
.B -d
option.
.TP
.B -p
do not enter promiscuous mode.  Only packets to
this interface will be seen.
.TP
.B -s
force one output line per packet.  The
default is multiline.
.TP
.B -M
discard all but the first
.I m
bytes of each packet.  The default is to keep the entire packet.
This option is most useful when writing packets to a file with the
.B -d
option.
.TP
.B -N
dump
.I n
data bytes per packet.  The default is 32.
.TP
.B -f
use
.I filter-expression
to filter the packet stream.  The default is
to match all packets.
.TP
.B -h
assume the first header per packet to be of the
.I first-header
protocol.
The default is
.LR ether .
.SH EXAMPLES
To display only
.SM BOOTP
and
.SM ARP
packets:
.IP
.EX
% snoopy -f 'arp || bootp'
after optimize: ether(arp || ip(udp(bootp)))
.EE
.PP
The first line of output shows the completed filter
expression.
.I Snoopy
will fill in other protocols as necessary to complete
the filter and then optimize to remove redundant
comparisons.
.PP
To save all packets between 135.104.9.2 and 135.104.9.6 and
later display those to/from TCP port 80:
.IP
.EX
% ramfs
% snoopy -df 'ip(s=135.104.9.2 && d=135.104.9.6) ||\\
	ip(s=135.104.9.6 && d=135.104.9.2)' > /tmp/quux
<interrupt from the keyboard>
% snoopy -tf 'tcp(sd=80)' /tmp/quux
.EE
.SH FILES
.TP
.B /net/ether0
Ethernet device
.SH SOURCE
.B /sys/src/cmd/ip/snoopy
.SH BUGS
.I Snoopy
only dumps ethernet packets, because there's
no device to get IP packets without a media header.