Using snoop/tcpdump as a Filter

Okay, this is kinda cool. Yesterday, I ran snoop (Sun’s version of tcpdump) to help the network folks diagnose a problem we’ve been seeing. Unfortunately, I let it run a bit too long, and wound up with a 1.5Gb file. And the guy who’s going to be looking at this is at a conference, and would rather not download files that big.

Now, I’d known that snoop can dump packets to a file with -o filename and that that file can be read with -i filename; and of course that you can give an expression to say what kinds of packets you want to scan for. But until now, it never occurred to me to put the three of them together. And it turns out that not only does snoop support that, it Does The Right Thing to boot.

Now, one of the reasons I wound up with 1.5Gb worth of packets is that we didn’t know which port the process we were trying to debug would run on, until it ran. (That, and the fact that I started scanning early because I wasn’t sure when it would run, and ended late because the Internet dangled shiny things in front of me.)

At any rate, I was able to run

# snoop -i old-snoop-log -o new-snoop-log host thehost.dom.ain port 50175

and wind up with a packet capture file of manageable size.

And a bit of experimentation showed that tcpdump does the same thing (adjust arguments as appropriate). I’ll have to remember this.
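To make concrete what “Does The Right Thing” means here (the output is itself a valid capture file, trimmed to the packets that match the expression), below is an added pure-Python version of the same read-filter-write step. It is not snoop or tcpdump code: it handles only IPv4 TCP/UDP over Ethernet in a little-endian pcap, and the addresses, ports and timestamps are constructed sample values standing in for thehost.dom.ain and port 50175.

```python
import ipaddress, struct

# Hypothetical values standing in for the post's thehost.dom.ain / 50175.
HOST, PORT = "192.0.2.10", 50175

def frame(src, dst, sport, dport):
    """Constructed Ethernet/IPv4/TCP frame (no payload, checksums zeroed) for the demo."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dummy MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip + tcp

def pcap(frames):
    """Wrap frames in a little-endian pcap v2.4 file with LINKTYPE_ETHERNET (1)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):                          # ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return bytes(out)

def matches(f, host, port):
    """Same test as the snoop/BPF expression 'host <host> port <port>' (IPv4 TCP/UDP only)."""
    if len(f) < 34 or f[12:14] != b"\x08\x00":
        return False
    ihl = (f[14] & 0x0F) * 4                                # IP header length in bytes
    l4 = f[14 + ihl:14 + ihl + 4]                           # first 4 bytes of TCP/UDP header
    if f[23] not in (6, 17) or len(l4) < 4:                 # protocol field: TCP=6, UDP=17
        return False
    sport, dport = struct.unpack("!HH", l4)
    want = ipaddress.ip_address(host).packed
    return want in (f[26:30], f[30:34]) and port in (sport, dport)

def filter_pcap(data, host, port):
    """Copy the 24-byte global header, then only the records whose frame matches."""
    out, kept, off = bytearray(data[:24]), 0, 24
    while off + 16 <= len(data):
        caplen = struct.unpack("<I", data[off + 8:off + 12])[0]
        rec = data[off:off + 16 + caplen]                   # record header + captured bytes
        if matches(rec[16:], host, port):
            out += rec
            kept += 1
        off += 16 + caplen
    return bytes(out), kept                                 # (new capture bytes, packets kept)

SAMPLE = pcap([frame("10.0.0.5", HOST, 40001, PORT),            # to the host/port: kept
               frame("10.0.0.5", HOST, 40002, 22),              # right host, wrong port
               frame("10.0.0.5", "198.51.100.7", 40003, PORT),  # right port, wrong host
               frame(HOST, "10.0.0.5", PORT, 40001)])           # reply direction: kept
```

`filter_pcap(SAMPLE, HOST, PORT)` keeps two of the four constructed packets and returns a file a normal pcap reader will open, which is the property the one-liner in the post relies on.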