home *** CD-ROM | disk | FTP | other *** search
/ IRIX Base Documentation 2001 May / SGI IRIX Base Documentation 2001 May.iso / usr / share / catman / a_man / cat1 / snoop.z / snoop
Encoding:
Text File  |  1998-10-20  |  45.6 KB  |  619 lines
  1.  
  2.  
  3.  
  4. ssssnnnnoooooooopppp((((1111MMMM))))                                                            ssssnnnnoooooooopppp((((1111MMMM))))
  5.  
  6.  
  7.  
  8. NNNNAAAAMMMMEEEE
  9.      snoop - capture and inspect network packets
  10.  
  11. SSSSYYYYNNNNOOOOPPPPSSSSIIIISSSS
  12.      ssssnnnnoooooooopppp [ ----aaaaPPPPDDDDSSSSvvvvVVVVNNNNCCCC ] [ ----dddd _d_e_v_i_c_e ] [ ----ssss _s_n_a_p_l_e_n ]
  13.           [ ----cccc _m_a_x_c_o_u_n_t ] [ ----iiii _f_i_l_e_n_a_m_e ] [ ----oooo _f_i_l_e_n_a_m_e ]
  14.           [ ----nnnn _f_i_l_e_n_a_m_e ] [ ----tttt [ rrrr | aaaa | dddd ] ]
  15.           [ ----pppp _f_i_r_s_t [  , _l_a_s_t ] ] [ ----xxxx _o_f_f_s_e_t [ , _l_e_n_g_t_h ] ]
  16.           [ _e_x_p_r_e_s_s_i_o_n ]
  17.  
  18. DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN
  19.      ssssnnnnoooooooopppp captures packets from the network and displays their contents.
  20.      ssssnnnnoooooooopppp uses both the network packet filter and streams buffer modules to
  21.      provide efficient capture of packets from the network.  Captured packets
  22.      can be displayed as they are received, or saved to a file for later
  23.      inspection.
  24.  
  25.      ssssnnnnoooooooopppp can display packets in a single-line summary form or in verbose
  26.      multi-line forms.  In summary form, only the data pertaining to the
  27.      highest level protocol is displayed.  For example, an NFS packet will
  28.      have only NFS information displayed.  The underlying RPC, UDP, IP, and
  29.      ethernet frame information is suppressed but can be displayed if either
  30.      of the verbose options are chosen.
  31.  
  32. OOOOPPPPTTTTIIIIOOOONNNNSSSS
  33.      ----aaaa             Listen to packets on ////ddddeeeevvvv////aaaauuuuddddiiiioooo (warning: can be noisy).
  34.  
  35.      ----PPPP             Capture packets in non-promiscuous mode.  Only broadcast,
  36.                     multicast, or packets addressed to the host machine will
  37.                     be seen.
  38.  
  39.      ----dddd _d_e_v_i_c_e      Receive packets from the network using the interface
  40.                     specified by _d_e_v_i_c_e.  Usually eeeecccc0000.  The program
  41.                     nnnneeeettttssssttttaaaatttt(1M), when invoked with the ----iiii flag, lists all the
  42.                     interfaces that a machine has.  Normally, ssssnnnnoooooooopppp will
  43.                     automatically choose the first non-loopback interface it
  44.                     finds.
  45.  
  46.      ----ssss _s_n_a_p_l_e_n     Truncate each packet after _s_n_a_p_l_e_n bytes.  Usually the
  47.                     whole packet is captured.  This option is useful if only
  48.                     certain packet header information is required. The packet
  49.                     truncation is done within the kernel giving better
  50.                     utilization of the streams packet buffer.  This means less
  51.                     chance of dropped packets due to buffer overflow during
  52.                     periods of high traffic.  It also saves disk space when
  53.                     capturing large traces to a capture file.  To capture only
  54.                     IP headers (no options) use a _s_n_a_p_l_e_n of 34.  For UDP use
  55.                     42, and for TCP use 54.  You can capture RPC headers with
  56.                     a _s_n_a_p_l_e_n of 80 bytes.  NFS headers can be captured in 120
  57.                     bytes.
  58.  
  59.  
  60.  
  61.  
  62.  
  63.                                                                         PPPPaaaaggggeeee 1111
  64.  
  65.  
  66.  
  67.  
  68.  
  69.  
  70. ssssnnnnoooooooopppp((((1111MMMM))))                                                            ssssnnnnoooooooopppp((((1111MMMM))))
  71.  
  72.  
  73.  
  74.      ----cccc _m_a_x_c_o_u_n_t    Quit after capturing _m_a_x_c_o_u_n_t packets.  Otherwise keep
  75.                     capturing until there is no disk left or until interrupted
  76.                     with CTRL-C.
  77.  
  78.      ----iiii _f_i_l_e_n_a_m_e    Display packets previously captured in _f_i_l_e_n_a_m_e.  Without
  79.                     this option, ssssnnnnoooooooopppp reads packets from the network
  80.                     interface.  If a _f_i_l_e_n_a_m_e....nnnnaaaammmmeeeessss file is present, it is
  81.                     automatically loaded into ssssnnnnoooooooopppp's IP address-to-name
  82.                     mapping table (See ----NNNN flag below).
  83.  
  84.      ----oooo _f_i_l_e_n_a_m_e    Save captured packets in _f_i_l_e_n_a_m_e as they are captured.
  85.                     During packet capture, a count of the number of packets
  86.                     saved in the file is displayed. If you wish just to count
  87.                     packets without saving to a file, name the file ////ddddeeeevvvv////nnnnuuuullllllll.
  88.  
  89.      ----nnnn _f_i_l_e_n_a_m_e    Use _f_i_l_e_n_a_m_e as an IP address-to-name mapping table.  This
  90.                     file must have the same format as the ////eeeettttcccc////hhhhoooossssttttssss file (IP
  91.                     address followed by the hostname).
  92.  
  93.      ----DDDD             Display number of packets dropped during capture on the
  94.                     summary line.
  95.  
  96.      ----SSSS             Display size of the entire ethernet frame in bytes on the
  97.                     summary line.
  98.  
  99.      ----tttt  [[[[ r |||| a |||| d ]
  100.                     Time-stamp presentation.  Time-stamps are accurate to
  101.                     within a few microseconds.  The default is for times to be
  102.                     presented in dddd (delta) format (the time since receiving
  103.                     the previous packet).
  104.                     Option aaaa (absolute) gives wall-clock time.
  105.                     Option rrrr (relative) gives time relative to the first
  106.                     packet displayed.  This can be used with the ----pppp option to
  107.                     display time relative to any selected packet.
  108.  
  109.      ----vvvv             Verbose mode.  Print packet headers in lots of detail.
  110.                     This display consumes many lines per packet and should be
  111.                     used only on selected packets.
  112.  
  113.      ----VVVV             Verbose summary mode.  This is halfway between summary
  114.                     mode and verbose mode in degree of verbosity. Instead of
  115.                     displaying just the summary line for the highest level
  116.                     protocol in a packet, it displays a summary line for each
  117.                     protocol layer in the packet.  For instance, for an NFS
  118.                     packet it will display a line each for the ETHER, IP, UDP,
  119.                     RPC and NFS layers.  Verbose summary mode output may be
  120.                     easily piped through ggggrrrreeeepppp to extract packets of interest.
  121.                     For example to view only RPC summary lines:
  122.                     eeeexxxxaaaammmmpppplllleeee#### ssssnnnnoooooooopppp ----iiii rrrrppppcccc....ccccaaaapppp ----VVVV |||| ggggrrrreeeepppp RRRRPPPPCCCC
  124.  
  125.  
  126.  
  127.  
  128.                                                                         PPPPaaaaggggeeee 2222
  129.  
  130.  
  131.  
  132.  
  133.  
  134.  
  135. ssssnnnnoooooooopppp((((1111MMMM))))                                                            ssssnnnnoooooooopppp((((1111MMMM))))
  136.  
  137.  
  138.  
  139.      ----pppp _f_i_r_s_t [ , _l_a_s_t ]
  140.                     Select one or more packets to be displayed from a capture
  141.                     file.  The _f_i_r_s_t packet in the file is packet #1.
  142.  
  143.      ----xxxx _o_f_f_s_e_t [ , _l_e_n_g_t_h ]
  144.                     Display packet data in hexadecimal and ASCII format.  The
  145.                     _o_f_f_s_e_t and _l_e_n_g_t_h values select a portion of the packet to
  146.                     be displayed.  To display the whole packet, use an _o_f_f_s_e_t
  147.                     of 0.  If a _l_e_n_g_t_h value is not provided, the rest of the
  148.                     packet is displayed.
  149.  
  150.      ----NNNN             Create an IP address-to-name file from a capture file.
  151.                     This must be set together with the ----iiii option that names a
  152.                     capture file.  The address-to-name file has the same name
  153.                     as the capture file with ....nnnnaaaammmmeeeessss appended. This file
  154.                     records the IP address to hostname mapping at the capture
  155.                     site and increases the portability of the capture file.
  156.                     Generate a ....nnnnaaaammmmeeeessss file if the capture file is to be
  157.                     analyzed elsewhere.  Packets are not displayed when this
  158.                     flag is used.
  159.  
  160.      ----CCCC             List the code generated from the filter expression for
  161.                     either the kernel packet filter, or ssssnnnnoooooooopppp's own filter.
  162.  
  163.      _e_x_p_r_e_s_s_i_o_n     Select packets either from the network or from a capture
  164.                     file.  Only packets for which the expression is true will
  165.                     be selected.  If no expression is provided it is assumed
  166.                     to be true.
  167.                     Given a filter expression, ssssnnnnoooooooopppp generates code for either
  168.                     the kernel packet filter or for its own internal filter.
  169.                     If capturing packets with the network interface, code for
  170.                     the kernel packet filter is generated.  This filter is
  171.                     implemented as a streams module, upstream of the buffer
  172.                     module.  The buffer module accumulates packets until it
  173.                     becomes full and passes the packets on to ssssnnnnoooooooopppp.  The
  174.                     kernel packet filter is very efficient, since it rejects
  175.                     unwanted packets in the kernel before they reach the
  176.                     packet buffer or ssssnnnnoooooooopppp.  The kernel packet filter has some
  177.                     limitations in its implementation - it is possible to
  178.                     construct filter expressions that it cannot handle.  In
  179.                     this event, ssssnnnnoooooooopppp generates code for its own filter.  The
  180.                     ----CCCC flag can be used to view generated code for either the
  181.                     kernel's or ssssnnnnoooooooopppp's own packet filter.  If packets are
  182.                     read from a capture file using the ----iiii option, only ssssnnnnoooooooopppp's
  183.                     packet filter is used.
  184.                     A filter _e_x_p_r_e_s_s_i_o_n consists of a series of one or more
  185.                     boolean primitives that may be combined with boolean
  186.                     operators ( AND , OR , and NOT ).  Normal precedence rules
  187.                     for boolean operators apply.  Order of evaluation of these
  188.                     operators may be controlled with parentheses.  Since
  189.                     parentheses and other filter expression characters are
  190.                     known to the shell, it is often necessary to enclose the
  191.  
  192.  
  193.  
  194.                                                                         PPPPaaaaggggeeee 3333
  195.  
  196.  
  197.  
  198.  
  199.  
  200.  
  201. ssssnnnnoooooooopppp((((1111MMMM))))                                                            ssssnnnnoooooooopppp((((1111MMMM))))
  202.  
  203.  
  204.  
  205.                     the filter expression in quotes.  The primitives are:
  206.  
  207.                     hhhhoooosssstttt _h_o_s_t_n_a_m_e
  208.                          True if the source or destination address is that of
  209.                          _h_o_s_t_n_a_m_e.  The keyword hhhhoooosssstttt may be omitted if the
  210.                          name does not conflict with the name of another
  211.                          expression primitive e.g.  "ppppiiiinnnnkkkkyyyy" selects packets
  212.                          transmitted to or received from the host ppppiiiinnnnkkkkyyyy
  213.                          whereas "ppppiiiinnnnkkkkyyyy aaaannnndddd ddddiiiinnnnkkkkyyyy" selects packets exchanged
  214.                          between hosts ppppiiiinnnnkkkkyyyy AND ddddiiiinnnnkkkkyyyy.  Normally the IP
  215.                          address is used.  With the eeeetttthhhheeeerrrr qualifier the
  216.                          ethernet address is used, for instance, "eeeetttthhhheeeerrrr
  217.                          ppppiiiinnnnkkkkyyyy".
  218.  
  219.                     _i_p_a_d_d_r or _e_t_h_e_r_a_d_d_r
  220.                          Literal addresses, both IP dotted and ethernet colon
  221.                          are recognized. For example, "111122229999....111144444444....44440000....11113333" matches
  222.                          all packets with that IP address as source or
  223.                          destination, and similarly, "8888::::0000::::22220000::::ffff::::bbbb1111::::55551111" matches
  224.                          all packets with the ethernet address as source or
  225.                          destination.  An ethernet address beginning with a
  226.                          letter is interpreted as a hostname. To avoid this,
  227.                          prepend a zero when specifying the address. For
  228.                          example, if the ethernet address is
  229.                          "aa:0:45:23:52:44", then specify it by add a leading
  230.                          zero to make it "0aa:0:45:23:52:44".
  231.  
  232.                     ffffrrrroooommmm or ssssrrrrcccc
  233.                          A qualifier that modifies the following hhhhoooosssstttt, nnnneeeetttt,
  234.                          _i_p_a_d_d_r, _e_t_h_e_r_a_d_d_r, ppppoooorrrrtttt or rrrrppppcccc primitive to match
  235.                          just the source address, port, or RPC reply.
  236.  
  237.                     ttttoooo or ddddsssstttt
  238.                          A qualifier that modifies the following hhhhoooosssstttt, nnnneeeetttt,
  239.                          _i_p_a_d_d_r, _e_t_h_e_r_a_d_d_r, ppppoooorrrrtttt or rrrrppppcccc primitive to match
  240.                          just the destination address, port, or RPC call.
  241.  
  242.                     eeeetttthhhheeeerrrr
  243.                          A qualifier that modifies the following hhhhoooosssstttt
  244.                          primitive to resolve a name to an ethernet address.
  245.                          Normally, IP address matching is performed.
  246.  
  247.                     eeeetttthhhheeeerrrrttttyyyyppppeeee _n_u_m_b_e_r
  248.                          True if the ethernet type field has value _n_u_m_b_e_r.
  249.                          Equivalent to "eeeetttthhhheeeerrrr[[[[11112222::::2222]]]] ==== _n_u_m_b_e_r".
  250.  
  251.                     iiiipppp, aaaarrrrpppp, rrrraaaarrrrpppp
  252.                          True if the packet is of the appropriate ethertype.
  253.  
  254.                     bbbbrrrrooooaaaaddddccccaaaasssstttt
  255.                          True if the packet is a broadcast packet.
  256.                          Equivalent to "eeeetttthhhheeeerrrr[[[[2222::::4444]]]] ==== 0000xxxxffffffffffffffffffffffffffffffff".
  257.  
  258.  
  259.  
  260.                                                                         PPPPaaaaggggeeee 4444
  261.  
  262.  
  263.  
  264.  
  265.  
  266.  
  267. ssssnnnnoooooooopppp((((1111MMMM))))                                                            ssssnnnnoooooooopppp((((1111MMMM))))
  268.  
  269.  
  270.  
  271.                     mmmmuuuullllttttiiiiccccaaaasssstttt
  272.                          True if the packet is a multicast packet.
  273.                          Equivalent to "eeeetttthhhheeeerrrr[[[[0000]]]] &&&& 1111 ==== 1111".
  274.  
  275.                     aaaapppppppplllleeee
  276.                          True if the packet is an Apple Ethertalk packet.
  277.                          Equivalent to "eeeetttthhhheeeerrrrttttyyyyppppeeee 0000xxxx888800009999bbbb oooorrrr eeeetttthhhheeeerrrrttttyyyyppppeeee 0000xxxx888800003333ffff".
  278.  
  279.                     ddddeeeeccccnnnneeeetttt
  280.                          True if the packet is a DECNET packet.
  281.  
  282.                     ggggrrrreeeeaaaatttteeeerrrr _l_e_n_g_t_h
  283.                          True if the packet is longer than _l_e_n_g_t_h.
  284.  
  285.                     lllleeeessssssss _l_e_n_g_t_h
  286.                          True if the packet is shorter than _l_e_n_g_t_h.
  287.  
  288.                     uuuuddddpppp, ttttccccpppp, iiiiccccmmmmpppp
  289.                          True if the IP protocol is of the appropriate type.
  290.  
  291.                     nnnneeeetttt _n_e_t
  292.                          True if either the IP source or destination address
  293.                          has a network number of _n_e_t.  The ffffrrrroooommmm or ttttoooo
  294.                          qualifier may be used to select packets for which the
  295.                          network number occurs only in the source or
  296.                          destination address.
  297.  
  298.                     ppppoooorrrrtttt _p_o_r_t
  299.                          True if either the source or destination port is
  300.                          _p_o_r_t.  The _p_o_r_t may be either a port number or name
  301.                          from ////eeeettttcccc////sssseeeerrrrvvvviiiicccceeeessss.  The ttttccccpppp or uuuuddddpppp primitives may be
  302.                          used to select TCP or UDP ports only.  The ffffrrrroooommmm or ttttoooo
  303.                          qualifier may be used to select packets for which the
  304.                          _p_o_r_t occurs only as the source or destination.
  305.  
  306.                     rrrrppppcccc _p_r_o_g [ , _v_e_r_s [ , _p_r_o_c ] ]
  307.                          True if the packet is an RPC call or reply packet for
  308.                          the protocol identified by _p_r_o_g. The _p_r_o_g may be
  309.                          either the name of an RPC protocol from ////eeeettttcccc////rrrrppppcccc or a
  310.                          program number.  The _v_e_r_s and _p_r_o_c may be used to
  311.                          further qualify the program _v_e_r_s_i_o_n and _p_r_o_c_e_d_u_r_e
  312.                          number, for example, "rrrrppppcccc nnnnffffssss,,,,2222,,,,0000" selects all calls
  313.                          and replies for the NFS null procedure.  The ttttoooo or
  314.                          ffffrrrroooommmm qualifier may be used to select either call or
  315.                          reply packets only.
  316.  
  317.                     ggggaaaatttteeeewwwwaaaayyyy _h_o_s_t
  318.                          True if the packet used _h_o_s_t as a gateway, that is,
  319.                          the ethernet source or destination address was for
  320.                          _h_o_s_t but not the IP address.
  321.                          Equivalent to "eeeetttthhhheeeerrrr hhhhoooosssstttt _h_o_s_t and not host _h_o_s_t".
  322.  
  323.  
  324.  
  325.  
  326.                                                                         PPPPaaaaggggeeee 5555
  327.  
  328.  
  329.  
  330.  
  331.  
  332.  
  333. ssssnnnnoooooooopppp((((1111MMMM))))                                                            ssssnnnnoooooooopppp((((1111MMMM))))
  334.  
  335.  
  336.  
  337.                     nnnnooooffffrrrraaaagggg
  338.                          True if the packet is unfragmented or is the first in
  339.                          a series of IP fragments.
  340.                          Equivalent to "iiiipppp[[[[6666::::2222]]]] &&&& 0000xxxx1111ffffffffffff ==== 0000".
  341.  
  342.                     _e_x_p_r  _r_e_l_o_p  _e_x_p_r
  343.                          True if the relation holds, where _r_e_l_o_p is one of >>>>,
  344.                          <<<<, >>>>====, <<<<====, ====, !!!!====, and _e_x_p_r is an arithmetic
  345.                          expression composed of numbers, packet field
  346.                          selectors, the lllleeeennnnggggtttthhhh primitive, and arithmetic
  347.                          operators ++++, ----, ****, &&&&, ||||, ^^^^, and%%%%.  The arithmetic
  348.                          operators within _e_x_p_r are evaluated before the
  349.                          relational operator and normal precedence rules apply
  350.                          between the arithmetic operators, such as
  351.                          multiplication before addition.  Parentheses may be
  352.                          used to control the order of evaluation.  To use the
  353.                          value of a field in the packet use the following
  354.                          syntax:
  355.                               _b_a_s_e[_e_x_p_r [:::: _s_i_z_e ] ]
  356.                          where _e_x_p_r evaluates the value of an offset into the
  357.                          packet from a _b_a_s_e offset which may be eeeetttthhhheeeerrrr, iiiipppp,
  358.                          uuuuddddpppp, ttttccccpppp, or iiiiccccmmmmpppp.  The _s_i_z_e value specifies the size
  359.                          of the field.  If not given, 1 is assumed.  Other
  360.                          legal values are 2 and 4.
  361.  
  362.                     Examples:
  363.  
  364.                          "eeeetttthhhheeeerrrr[[[[0000]]]] &&&& 1111 ==== 1111" is equivalent to mmmmuuuullllttttiiiiccccaaaasssstttt.
  365.  
  366.                           "eeeetttthhhheeeerrrr[[[[2222::::4444]]]] ==== 0000xxxxffffffffffffffffffffffffffffffff" is equivalent to
  367.                          bbbbrrrrooooaaaaddddccccaaaasssstttt.
  368.  
  369.                          "iiiipppp[[[[iiiipppp[[[[0000]]]] &&&& 0000xxxxffff **** 4444 :::: 2222]]]] ==== 2222000044449999" is equivalent to
  370.                          "uuuuddddpppp[[[[0000::::2222]]]] ==== 2222000044449999".
  371.  
  372.                          "iiiipppp[[[[0000]]]] &&&& 0000xxxxffff >>>> 5555" selects IP packets with options.
  373.  
  374.                          "iiiipppp[[[[6666::::2222]]]] &&&& 0000xxxx1111ffffffffffff ==== 0000" eliminates IP fragments.
  375.  
  376.                          "uuuuddddpppp aaaannnndddd iiiipppp[[[[6666::::2222]]]]&&&&0000xxxx1111ffffffffffff ==== 0000 aaaannnndddd uuuuddddpppp[[[[6666::::2222]]]] !!!!==== 0000" finds
  377.                          all packets with UDP checksums.
  378.  
  379.                          The lllleeeennnnggggtttthhhh primitive may be used to obtain the length
  380.                          of the packet.  For instance "lllleeeennnnggggtttthhhh >>>> 66660000" is
  381.                          equivalent to "ggggrrrreeeeaaaatttteeeerrrr 66660000", and "eeeetttthhhheeeerrrr[[[[lllleeeennnnggggtttthhhh ---- 1111]]]]"
  382.                          obtains the value of the last byte in a packet.
  383.  
  384.                     aaaannnndddd  Perform a logical AND operation between two boolean
  385.                          values. The AND operation is implied by the
  386.                          juxtaposition of two boolean expressions, for example
  387.                          "ddddiiiinnnnkkkkyyyy ppppiiiinnnnkkkkyyyy" is the same as "ddddiiiinnnnkkkkyyyy AAAANNNNDDDD ppppiiiinnnnkkkkyyyy".
  388.  
  389.  
  390.  
  391.  
  392.                                                                         PPPPaaaaggggeeee 6666
  393.  
  394.  
  395.  
  396.  
  397.  
  398.  
  399. ssssnnnnoooooooopppp((((1111MMMM))))                                                            ssssnnnnoooooooopppp((((1111MMMM))))
  400.  
  401.  
  402.  
  403.                     oooorrrr or ,,,,
  404.                          Perform a logical OR operation between two boolean
  405.                          values.  A comma may be used instead, for example,
  406.                          "ddddiiiinnnnkkkkyyyy,,,,ppppiiiinnnnkkkkyyyy" is the same as "ddddiiiinnnnkkkkyyyy OOOORRRR ppppiiiinnnnkkkkyyyy".
  407.  
  408.                     nnnnooootttt or !!!!
  409.                          Perform a logical NOT operation on the following
  410.                          boolean value.  This operator is evaluated before AND
  411.                          or OR .
  412.  
  413. EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
  414.      Capture all packets and display them as they are received:
  415.      eeeexxxxaaaammmmpppplllleeee####snoop
  416.      Capture packets with host ffffuuuunnnnkkkkyyyy as either the source or destination and
  417.      display them as they are received:
  418.      eeeexxxxaaaammmmpppplllleeee####snoopffffuuuunnnnkkkkyyyy
  419.      Capture packets between ffffuuuunnnnkkkkyyyy and ppppiiiinnnnkkkkyyyy and save them to a file.  Then
  420.      inspect the packets using times (in seconds) relative to the first
  421.      captured packet:
  422.      eeeexxxxaaaammmmpppplllleeee#### ssssnnnnoooooooopppp ----oooo ccccaaaapppp  ffffuuuunnnnkkkkyyyy ppppiiiinnnnkkkkyyyy
  423.      eeeexxxxaaaammmmpppplllleeee$$$$ ssssnnnnoooooooopppp ----iiii ccccaaaapppp  ----tttt rrrr |||| mmmmoooorrrreeee
  424.      Look at selected packets in another capture file:
  425.      eeeexxxxaaaammmmpppplllleeee$$$$ ssssnnnnoooooooopppp ----iiii ppppkkkkttttssss  ----pppp99999999,,,,111100008888
  426.            99999999   0000....0000000022227777   bbbboooouuuuttttiiiiqqqquuuueeee ---->>>> ssssuuuunnnnrrrrooooooooffff     NNNNFFFFSSSS CCCC GGGGEEEETTTTAAAATTTTTTTTRRRR FFFFHHHH====8888EEEE6666CCCC
  427.           111100000000   0000....0000000044446666   ssssuuuunnnnrrrrooooooooffff ---->>>> bbbboooouuuuttttiiiiqqqquuuueeee     NNNNFFFFSSSS RRRR GGGGEEEETTTTAAAATTTTTTTTRRRR OOOOKKKK
  428.           111100001111   0000....0000000088880000   bbbboooouuuuttttiiiiqqqquuuueeee ---->>>> ssssuuuunnnnrrrrooooooooffff     NNNNFFFFSSSS CCCC RRRREEEENNNNAAAAMMMMEEEE FFFFHHHH====8888EEEE6666CCCC MMMMTTTTrrrraaaa00000000111199992222 ttttoooo ....nnnnffffssss00008888
  429.           111100002222   0000....0000111100002222   mmmmaaaarrrrmmmmooootttt ---->>>> vvvviiiippppeeeerrrr          NNNNFFFFSSSS CCCC LLLLOOOOOOOOKKKKUUUUPPPP FFFFHHHH====555566661111EEEE ssssccccrrrreeeeeeeennnn....rrrr....11113333....iiii333388886666
  430.           111100003333   0000....0000000077772222   vvvviiiippppeeeerrrr ---->>>> mmmmaaaarrrrmmmmooootttt          NNNNFFFFSSSS RRRR LLLLOOOOOOOOKKKKUUUUPPPP NNNNoooo ssssuuuucccchhhh ffffiiiilllleeee oooorrrr ddddiiiirrrreeeeccccttttoooorrrryyyy
  431.           111100004444   0000....0000000088885555   bbbbuuuuggggbbbboooommmmbbbb ---->>>> ssssuuuunnnnrrrrooooooooffff    RRRRLLLLOOOOGGGGIIIINNNN CCCC PPPPOOOORRRRTTTT====1111000022223333 hhhh
  432.           111100005555   0000....0000000000005555   kkkkaaaannnnddddiiiinnnnsssskkkkyyyy ---->>>> ssssppppaaaarrrrkkkkyyyy    RRRRSSSSTTTTAAAATTTT CCCC GGGGeeeetttt SSSSttttaaaattttiiiissssttttiiiiccccssss
  433.           111100006666   0000....0000000000004444   bbbbeeeeeeeebbbblllleeeebbbbrrrrooooxxxx ---->>>> ssssuuuunnnnrrrrooooooooffff  NNNNFFFFSSSS CCCC GGGGEEEETTTTAAAATTTTTTTTRRRR FFFFHHHH====0000333300007777
  434.           111100007777   0000....0000000022221111   ssssppppaaaarrrrkkkkyyyy ---->>>> kkkkaaaannnnddddiiiinnnnsssskkkkyyyy    RRRRSSSSTTTTAAAATTTT RRRR
  435.           111100008888   0000....0000000077773333   ooooffffffffiiiicccceeee ---->>>> jjjjeeeerrrreeeemmmmiiiiaaaahhhh        NNNNFFFFSSSS CCCC RRRREEEEAAAADDDD FFFFHHHH====2222555588884444 aaaatttt 44440000999966660000 ffffoooorrrr 8888111199992222
  436.      Packet 101 Looks interesting. Take a look in more detail:
  437.      eeeexxxxaaaammmmpppplllleeee$$$$ ssssnnnnoooooooopppp ----iiii ppppkkkkttttssss  ----vvvv ----pppp111100001111
  438.           EEEETTTTHHHHEEEERRRR::::  -------------------- EEEEtttthhhheeeerrrr HHHHeeeeaaaaddddeeeerrrr --------------------
  439.           EEEETTTTHHHHEEEERRRR::::
  440.           EEEETTTTHHHHEEEERRRR::::  PPPPaaaacccckkkkeeeetttt 111100001111 aaaarrrrrrrriiiivvvveeeedddd aaaatttt 11116666::::00009999::::55553333....55559999
  441.           EEEETTTTHHHHEEEERRRR::::  PPPPaaaacccckkkkeeeetttt ssssiiiizzzzeeee ==== 222211110000 bbbbyyyytttteeeessss
  442.           EEEETTTTHHHHEEEERRRR::::  DDDDeeeessssttttiiiinnnnaaaattttiiiioooonnnn ==== 8888::::0000::::22220000::::1111::::3333dddd::::99994444,,,, SSSSuuuunnnn
  443.           EEEETTTTHHHHEEEERRRR::::  SSSSoooouuuurrrrcccceeee      ==== 8888::::0000::::66669999::::1111::::5555ffff::::eeee,,,,  SSSSiiiilllliiiiccccoooonnnn GGGGrrrraaaapppphhhhiiiiccccssss
  444.           EEEETTTTHHHHEEEERRRR::::  EEEEtttthhhheeeerrrrttttyyyyppppeeee ==== 0000888800000000 ((((IIIIPPPP))))
  445.           EEEETTTTHHHHEEEERRRR::::
  446.           IIIIPPPP::::   -------------------- IIIIPPPP HHHHeeeeaaaaddddeeeerrrr --------------------
  447.           IIIIPPPP::::
  448.           IIIIPPPP::::   VVVVeeeerrrrssssiiiioooonnnn ==== 4444,,,, hhhheeeeaaaaddddeeeerrrr lllleeeennnnggggtttthhhh ==== 22220000 bbbbyyyytttteeeessss
  449.           IIIIPPPP::::   TTTTyyyyppppeeee ooooffff sssseeeerrrrvvvviiiicccceeee ==== 00000000
  450.           IIIIPPPP::::         ........0000.... ................ ==== rrrroooouuuuttttiiiinnnneeee
  451.           IIIIPPPP::::         ............0000 ................ ==== nnnnoooorrrrmmmmaaaallll ddddeeeellllaaaayyyy
  452.           IIIIPPPP::::         ................ 0000............ ==== nnnnoooorrrrmmmmaaaallll tttthhhhrrrroooouuuugggghhhhppppuuuutttt
  453.           IIIIPPPP::::         ................ ....0000........ ==== nnnnoooorrrrmmmmaaaallll rrrreeeelllliiiiaaaabbbbiiiilllliiiittttyyyy
  454.           IIIIPPPP::::   TTTToooottttaaaallll lllleeeennnnggggtttthhhh ==== 111199996666 bbbbyyyytttteeeessss
  455.           IIIIPPPP::::   IIIIddddeeeennnnttttiiiiffffiiiiccccaaaattttiiiioooonnnn 11119999888844446666
  456.           IIIIPPPP::::   FFFFllllaaaaggggssss ==== 0000XXXX
  457.           IIIIPPPP::::   ....0000........ ................ ==== mmmmaaaayyyy ffffrrrraaaaggggmmmmeeeennnntttt
  458.           IIIIPPPP::::   ........0000.... ................ ==== mmmmoooorrrreeee ffffrrrraaaaggggmmmmeeeennnnttttssss
  459.           IIIIPPPP::::   FFFFrrrraaaaggggmmmmeeeennnntttt ooooffffffffsssseeeetttt ==== 0000 bbbbyyyytttteeeessss
  460.           IIIIPPPP::::   TTTTiiiimmmmeeee ttttoooo lllliiiivvvveeee ==== 222255555555 sssseeeeccccoooonnnnddddssss////hhhhooooppppssss
  461.           IIIIPPPP::::   PPPPrrrroooottttooooccccoooollll ==== 11117777 ((((UUUUDDDDPPPP))))
  462.           IIIIPPPP::::   HHHHeeeeaaaaddddeeeerrrr cccchhhheeeecccckkkkssssuuuummmm ==== 11118888DDDDCCCC
  463.           IIIIPPPP::::   SSSSoooouuuurrrrcccceeee aaaaddddddddrrrreeeessssssss ==== 111122229999....111144444444....44440000....222222222222,,,, bbbboooouuuuttttiiiiqqqquuuueeee
  464.           IIIIPPPP::::   DDDDeeeessssttttiiiinnnnaaaattttiiiioooonnnn aaaaddddddddrrrreeeessssssss ==== 111122229999....111144444444....44440000....222200000000,,,, ssssuuuunnnnrrrrooooooooffff
  465.           IIIIPPPP::::
  466.           UUUUDDDDPPPP::::  -------------------- UUUUDDDDPPPP HHHHeeeeaaaaddddeeeerrrr --------------------
  467.  
  468.  
  469.  
  470.                                                                         PPPPaaaaggggeeee 7777
  471.  
  472.  
  473.  
  474.  
  475.  
  476.  
  477. ssssnnnnoooooooopppp((((1111MMMM))))                                                            ssssnnnnoooooooopppp((((1111MMMM))))
  478.  
  479.  
  480.  
  481.           UUUUDDDDPPPP::::
  482.           UUUUDDDDPPPP::::  SSSSoooouuuurrrrcccceeee ppppoooorrrrtttt ==== 1111000022223333
  483.           UUUUDDDDPPPP::::  DDDDeeeessssttttiiiinnnnaaaattttiiiioooonnnn ppppoooorrrrtttt ==== 2222000044449999 ((((SSSSuuuunnnn RRRRPPPPCCCC))))
  484.           UUUUDDDDPPPP::::  LLLLeeeennnnggggtttthhhh ==== 111177776666
  485.           UUUUDDDDPPPP::::  CCCChhhheeeecccckkkkssssuuuummmm ==== 0000
  486.           UUUUDDDDPPPP::::
  487.           RRRRPPPPCCCC::::  -------------------- SSSSUUUUNNNN RRRRPPPPCCCC HHHHeeeeaaaaddddeeeerrrr --------------------
  488.           RRRRPPPPCCCC::::
  489.           RRRRPPPPCCCC::::  TTTTrrrraaaannnnssssaaaaccccttttiiiioooonnnn iiiidddd ==== 666666665555999900005555
  490.           RRRRPPPPCCCC::::  TTTTyyyyppppeeee ==== 0000 ((((CCCCaaaallllllll))))
  491.           RRRRPPPPCCCC::::  RRRRPPPPCCCC vvvveeeerrrrssssiiiioooonnnn ==== 2222
  492.           RRRRPPPPCCCC::::  PPPPrrrrooooggggrrrraaaammmm ==== 111100000000000000003333 ((((NNNNFFFFSSSS)))),,,, vvvveeeerrrrssssiiiioooonnnn ==== 2222,,,, pppprrrroooocccceeeedddduuuurrrreeee ==== 1111
  493.           RRRRPPPPCCCC::::  CCCCrrrreeeeddddeeeennnnttttiiiiaaaallllssss:::: FFFFllllaaaavvvvoooorrrr ==== 1111 ((((UUUUnnnniiiixxxx)))),,,, lllleeeennnn ==== 33332222 bbbbyyyytttteeeessss
  494.           RRRRPPPPCCCC::::     TTTTiiiimmmmeeee ==== 00006666----MMMMaaaarrrr----99990000 00007777::::22226666::::55558888
  495.           RRRRPPPPCCCC::::     HHHHoooossssttttnnnnaaaammmmeeee ==== bbbboooouuuuttttiiiiqqqquuuueeee
  496.           RRRRPPPPCCCC::::     UUUUiiiidddd ==== 0000,,,, GGGGiiiidddd ==== 1111
  497.           RRRRPPPPCCCC::::     GGGGrrrroooouuuuppppssss ==== 1111
  498.           RRRRPPPPCCCC::::  VVVVeeeerrrriiiiffffiiiieeeerrrr   :::: FFFFllllaaaavvvvoooorrrr ==== 0000 ((((NNNNoooonnnneeee)))),,,, lllleeeennnn ==== 0000 bbbbyyyytttteeeessss
  499.           RRRRPPPPCCCC::::
  500.           NNNNFFFFSSSS::::  -------------------- SSSSUUUUNNNN NNNNFFFFSSSS --------------------
  501.           NNNNFFFFSSSS::::
  502.           NNNNFFFFSSSS::::  PPPPrrrroooocccc ==== 11111111 ((((RRRReeeennnnaaaammmmeeee))))
  503.           NNNNFFFFSSSS::::  FFFFiiiilllleeee hhhhaaaannnnddddlllleeee ==== 000000000000000011116666444433330000000000000000000000000000111100000000000088880000000000000000333300005555AAAA1111CCCC44447777
  504.           NNNNFFFFSSSS::::                555599997777AAAA0000000000000000000000000000888800000000000000002222000044446666333311114444AAAAFFFFCCCC444455550000000000000000
  505.           NNNNFFFFSSSS::::  FFFFiiiilllleeee nnnnaaaammmmeeee ==== MMMMTTTTrrrraaaa00000000111199992222
  506.           NNNNFFFFSSSS::::  FFFFiiiilllleeee hhhhaaaannnnddddlllleeee ==== 000000000000000011116666444433330000000000000000000000000000111100000000000088880000000000000000333300005555AAAA1111CCCC44447777
  507.           NNNNFFFFSSSS::::                555599997777AAAA0000000000000000000000000000888800000000000000002222000044446666333311114444AAAAFFFFCCCC444455550000000000000000
  508.           NNNNFFFFSSSS::::  FFFFiiiilllleeee nnnnaaaammmmeeee ==== ....nnnnffffssss00008888
  509.           NNNNFFFFSSSS::::
  511.      View just the NFS packets between ssssuuuunnnnrrrrooooooooffff and bbbboooouuuuttttiiiiqqqquuuueeee:
  512.      eeeexxxxaaaammmmpppplllleeee$$$$ ssssnnnnoooooooopppp ----iiii ppppkkkkttttssss  rrrrppppcccc nnnnffffssss aaaannnndddd ssssuuuunnnnrrrrooooooooffff aaaannnndddd bbbboooouuuuttttiiiiqqqquuuueeee
  513.        1111   0000....0000000000000000   bbbboooouuuuttttiiiiqqqquuuueeee ---->>>> ssssuuuunnnnrrrrooooooooffff    NNNNFFFFSSSS CCCC GGGGEEEETTTTAAAATTTTTTTTRRRR FFFFHHHH====8888EEEE6666CCCC
  514.        2222   0000....0000000044446666    ssssuuuunnnnrrrrooooooooffff ---->>>> bbbboooouuuuttttiiiiqqqquuuueeee   NNNNFFFFSSSS RRRR GGGGEEEETTTTAAAATTTTTTTTRRRR OOOOKKKK
  515.        3333   0000....0000000088880000   bbbboooouuuuttttiiiiqqqquuuueeee ---->>>> ssssuuuunnnnrrrrooooooooffff    NNNNFFFFSSSS CCCC RRRREEEENNNNAAAAMMMMEEEE FFFFHHHH====8888EEEE6666CCCC MMMMTTTTrrrraaaa00000000111199992222 ttttoooo ....nnnnffffssss00008888
  517.      Save these packets to a new capture file:
  518.      $$$$ ssssnnnnoooooooopppp ----iiii ppppkkkkttttssss ----oooo ppppkkkkttttssss....nnnnffffssss rrrrppppcccc nnnnffffssss ssssuuuunnnnrrrrooooooooffff bbbboooouuuuttttiiiiqqqquuuueeee
  519.  
  520. EEEEXXXXIIIITTTT SSSSTTTTAAAATTTTUUUUSSSS
  521.      Unless ssssnnnnoooooooopppp receives an error signal, its Exit Status is zero. All
  522.      abnormal exits return 1111.
  523.  
  524. WWWWAAAARRRRNNNNIIIINNNNGGGGSSSS
  525.      The processing overhead is much higher for realtime packet
  526.      interpretation.  Consequently, the packet drop count may be higher.  For
  527.      more reliable capture, output raw packets to a file using the ----oooo option
  528.      and analyze the packets off-line.
  529.  
  530.      Unfiltered packet capture imposes a heavy processing load on the host
  531.      computer-particularly if the captured packets are interpreted realtime.
  532.      This processing load further increases if verbose options are used.
  533.      Since heavy use of ssssnnnnoooooooopppp may deny computing resources to other processes,
  534.      it should not be used on production servers.  Heavy use of ssssnnnnoooooooopppp should
  535.      be restricted to a dedicated computer.
  536.  
  537.      ssssnnnnoooooooopppp does not reassemble IP fragments. Interpretation of higher level
  538.      protocol halts at the end of the first IP fragment.
  539.  
  540.      ssssnnnnoooooooopppp may generate extra packets as a side-effect of its use.  For
  541.      example it may use a network name service (NIS or NIS+) to convert IP
  542.      addresses to host names for display.  Capturing into a file for later
  543.      display can be used to postpone the address-to-name mapping until after
  544.      the capture session is complete.  Capturing into an NFS-mounted file may
  545.      also generate extra packets.
  546.  
  547.  
  548.  
  549.                                                                         PPPPaaaaggggeeee 8888
  550.  
  551.  
  552.  
  553.  
  554.  
  555.  
  556. ssssnnnnoooooooopppp((((1111MMMM))))                                                            ssssnnnnoooooooopppp((((1111MMMM))))
  557.  
  558.  
  559.  
  560.      Setting the ssssnnnnaaaapppplllleeeennnn( ----ssss option) to small values may remove header
  561.      information required for packet interpretation for higher level
  562.      protocols.  For complete NFS interpretation do not set ssssnnnnaaaapppplllleeeennnn less than
  563.      120 bytes.
  564.  
  565.      ssssnnnnoooooooopppp requires information from an RPC request to fully interpret an RPC
  566.      reply.  If an RPC reply in a capture file or packet range does not have a
  567.      request preceding it, then only the RPC reply header will be displayed.
  568.  
  569. NNNNOOOOTTTTEEEESSSS
  570.      ssssnnnnoooooooopppp requires an interactive interface.
  571.  
  572.  
  573.  
  574.  
  575.  
  576.  
  577.  
  578.  
  579.  
  580.  
  581.  
  582.  
  583.  
  584.  
  585.  
  586.  
  587.  
  588.  
  589.  
  590.  
  591.  
  592.  
  593.  
  594.  
  595.  
  596.  
  597.  
  598.  
  599.  
  600.  
  601.  
  602.  
  603.  
  604.  
  605.  
  606.  
  607.  
  608.  
  609.  
  610.  
  611.  
  612.  
  613.  
  614.  
  615.                                                                         PPPPaaaaggggeeee 9999
  616.  
  617.  
  618.  
  619.