Snoop 是Solaris 系统中自带的工具， 是一个用于显示网络通讯的程序， 它可捕获IP 包并将其显示或保存到指定文件. (限超级用户使用snoop)Snoop 可将捕获的包以一行的形式加以总结或用多行加以详细的描述(有调用不同的参数-v -V来实现). 在总结方式下(-V ) , 将仅显示最高层的相关协议, 例如一个NFS 包将仅显示NFS 信息, 其低层的RPC, UDP, IP, Ethernet 帧信息将不会显示, 但是当加上相应的参数(-v ), 这些信息都能被显示出来. 参数简介：[ -a ] # Listen to packets on audio[ -d device ] # settable to le, ie, bf, tr[ -s snaplen ] # Truncate packets [ -c count ] # Quit after count packets [ -P ] # Turn OFF promiscuous mode [ -D ] # Report dropped packets[ -S ] # Report packet size [ -i file ] # Read previously captured packets [ -o file ] # Capture packets in file [ -n file ] # Load addr-to-name table from file [ -N ] # Create addr-to-name table [ -t r|a|d ] # Time: Relative, Absolute or Delta [ -v ] # Verbose packet display [ -V ] # Show all summary lines[ -p first[,last] ] # Select packet(s) to display [ -x offset[,length] ] # Hex dump from offset for length [ -C ] # Print packet filter code

?# snoop host1 host2?host1 -> host2 ICMP Echo request ?host2 -> host1 ICMP Echo reply ?# snoop -a dhcp?# snoop 监听所有以本机为源和目的的包并将其显示出来.?# snoop A 监听所有以主机A为源和目的的包并将其显示出来. ( A为主机名, 下同)?# snoop -o file A B 监听所有A和B之间的包并将其保存到文件file.?查看主机A和主机B之间的NFS 包(命令中的and 和or 为相应的逻辑运算)?# snoop - i file rpc nfs and A and B1 0.0000 A -> B NFS C GETATTR FH=8E6C2 0.0046 B -> A NFS R GETATTR OK3 0.0080 A -> B NFS C RENAME FH=8E6C MTra00192 to .nfs08?# snoop - i file -o file2 rpc nfs A B 将这些符合条件的包保存到另一文件file2 中?# snoop A and B and (tcp or udp) and port 80 监听主机A和主机B间所有TCP 80 端口或UDP80端口的包?# snoop broadcast 监听所有的广播包?Using device /dev/hme (promiscuous mode)0 -> BROADCAST UDP D=177 S=2541 LEN=350 -> BROADCAST UDP D=177 S=2541 LEN=350 -> BROADCAST UDP D=177 S=2541 LEN=35?# snoop -v multicast 监听所有的多播包, 并显示详细内容?# snoop |grep - i NTP 监听所有的NTP 协议包?Using device /dev/hme (promiscuous mode)ts1 -> NTP broadcast (Tue Jul 23 12:48:50 2002)ts1 -> NTP broadcast (Tue Jul 23 12:49:54 2002)ts1 -> NTP broadcast (Tue Jul 23 12:50:58 2002)ts1 -> NTP broadcast (Tue Jul