Description "snoop" data is often required to analyze network issues.

The snoop command captures packets from the network for direct or later analysis . This document shows how to get snoop data for effective troubleshooting.

Steps to Follow How To Get Snoop Data for Effective Troubleshooting: 0. 1. 2. 3. Why is this document needed? How to get snoop files? What information is needed with the snoop files? Example

------------0. Why is this document needed? To analyze specific network issues from snoop files, it is necessary that the snoop files were created properly and proper information for analysis is provided. If not,it may take a long time to analyze the cause and even we may not able to start the analysis. The final purpose is that the resolution time becomes shorter. 1. How to get snoop files? 1-1. Command option Generally "text" file captured on the screen is not useful. Use the options "-o" and "-d" to get all packets. "-d" specifies the device name and "-o" specifies the output filename. # /usr/sbin/snoop -d <device> -o <filename> For example: # /usr/sbin/snoop -d ce0 -o hostA.ce0.ng.snoopIf the system is running Solaris[TM] 8 or later, also use "-q" option. For example: # /usr/sbin/snoop -q -d ce0 -o hostA.ce0.ng.snoop -q When c apturing network packets into a file, do not display the packet count. This can improve packet captuning performance.There may be several interfaces on the system. The "device" is the one which could have the issue. For example, if it's "NFS" issue, then specify the device which should be used for the NFS connection. "netstat -rn" would be useful to confirm the device(Interface) name for the specific destination.

If the several interfaces are used for the connections(ex. IPMP) then get snoop on the all of the interfaces. For example: # /usr/sbin/snoop -q -d ce0 -o hostA.ce0.ng.snoop # /usr/sbin/snoop -q -d ce1 -o hostA.ce1.ng.snoopIt may be better that the "filename" includes the hostname/interface where the snoop was got, because this information is important to analyze the ca use. The network may be very high load (ex. data backup via Gigabit Ethernet..) and it's difficult to capture all of the packets. "snoop" could influence the network performance and could drop packets. We can check the packet drops by "-D" option. Display number of packets dropped the summary line. For example: # ep -v "drops: 0 " ....... 775 0.00001 Sender -> Receiver 776 0.00001 Sender -> Receiver ....... " could be useful. -D during capture on /usr/sbin/snoop -i snoop.out -D | gr drops: 2800 FTP-DATA C port=45410 drops: 2800 FTP-DATA C port=45410 ^^^^^^^^^^^In that case,"-s snaplen

-s snaplen Truncate each packet after snaplen bytes. Usually the whole packet is captured. This option is useful if only certain packet header information is required. The packet truncation is done within the kernel giving better utilization of the streams packet buffer. This means less chance of dropped packets due to buffer overflow during periods of high traffic. It also saves disk space when capturing large traces to a capture file. To capture only IP headers (no options) use a snaplen of 34. For UDP use 42, and for TCP use 54. You can capture RPC headers with a snaplen of 80 bytes. NFS headers can be captured in 120 bytes.The size of "snaplen" depends on the issue. It may be enough with only TCP/IP header information, and may need all of the actual TCP data information. Try this option after initial analysis was done. Note that TCP header may have some options like "sack","timestamp". The usage is like below. For example: # /usr/sbin/snoop -q -d ce0 -o hostA.ce0.ng.snoop -s 100We can al so focus on specific packets only by using "filter" like "hostname","port number" etc. This would be useful if the issue can be focused on specific connection only. For example: # /usr/sbin/snoop -q -d eri0 -o hostA.eri0.ng.snoop port 8080 For example: # /usr/sbin/snoop -q -d eri0 -o hostA.eri0.ng.snoop 192.168.1.1 1 92.168.2.2 Please use filters only if you are sure that no information is missin g. If not, capturing all packets is the best practice possible, because "filtering" packets may also "filter" the important packets. 1-2. Where should you capture the information? On the host which has the issue. And also try to get snoop on the peer host at the same time, if possible.

The 2 snoop files are very useful to analyze issues since there may be equipment s between the systems (such as SWITCH,router,load balancer,firewall etc) and the y might cause the issues like "packet drop". 1-3. When should we get it? While the issue is happening. And also try to get while the issue is NOT happening, if possible. The 2 snoop files are very useful to analyze issues if the connection is somethi ng like the customer's application and we are not familiar with the expected beh avior. We can focus on only the differences between the two snoop files. 2. What information is needed with the snoop files? Provide the following information with the snoop files. 2-1. Network structure For example: HostA --- Switch --- Firewall -- Switch -- HostB 2-2. When was the snoop file created? For example: hostA.ce0.ng.snoop ==> During the issue. For example: hostA.ce0.ok.snoop ==> During normal conditions. 2-3. Where was the snoop file created? For example: hostA.ce0.ng.snoop ==> Got this on ce0 on hostA. 2-4. What snoop options were used? For example: snoop -q -o <filename> -d <device> ==> (no filter) For example: snoop -q -o <filename> -d <device> port 8080 2-5. What is For example: For example: For example: the IP address which has the issue? 192.168.2.5 Between 10.8.4.23 and 10.15.33.122 Not sure.

Note: The IP-address is better than the hostname.2-6. What is the service which has the issue? For example: Not sure. For example: LDAP For example: NFS For example: The customer's application For example: TCP port 2521 For example: http proxy port 8080 2-7. What is For example: For example: For example: 3. Example Problem description : A customer's application on HostA sends 100Mbytes of data to HostB. Usually it finishes within 5 seconds but sometimes takes over 60 seconds. Network structure: the issue? Cannot connect from HostA to HostB. ftp data transfer rate is slow. Application shows connection timeout.

HostA ----- Switch ---- Router ----- Switch ----- HostB ce0:192.168.1.1 hme0:192.168.2.2 application (port:5050) 100Mbyte data ===>Data: hostA.ce0.slow.snoop --> Got on hostA while the transmission is slow. hostB.hme0.slow.snoop --> Got on hostB at the same time.hostA.ce0.fast.snoop -> Got on hostA while the transmission is fast. hostB.hme0.fast.snoop --> Got on hostB at the same time.explorer.hostA.tar.Z --> explore of hostA explorer.hostB.tar.Z --> explore of hostBAll snoop files were got without any fi lter. (just snoop -o file -d interface)For Information on how to look at snoop files s ee Technical Instruction < Solution: 210495 > Tips for Analysis of Snoop Files

Product Solaris Solaris Solaris Solaris Solaris 2.6 Operating System 7 Operating System 8 Operating System 9 Operating System 10 Operating System