.TH SNOOPY 8
.SH NAME
snoopy \- spy on network packets
.SH SYNOPSIS
.B snoopy
[
.B -?stdCp
] [
.B -f
.I filter-expression
] [
.B -N
.I n
] [
.B -h first-header
] [
packet-file
]
.SH DESCRIPTION
.PP
.I Snoopy
reads packets from a packet source (default
.BR /net/ether0 ),
matches them to a filter (by default anything matches), and writes
matching packets to standard output either in human readable form (default)
or in a binary trace format that can be read back in by
.IR snoopy .
.PP
The human readable format consists of multiple lines per packet.
The first line contains the milliseconds since the
trace was started. Subsequent ones are indented with a tab
and each contains the dump of a single protocol header. The last line
contains the dump of any contained data. For example, a
.SM BOOTP
packet would look like:
.sp
.EX
324389 ms
ether(s=0000929b1b54 d=ffffffffffff pr=0800 ln=342)
ip(s=135.104.9.62 d=255.255.255.255 id=5099 frag=0000...
udp(s=68 d=67 ck=d151 ln= 308)
bootp(t=Req ht=1 hl=16 hp=0 xid=217e5f27 sec=0 fl=800...
dhcp(t=Request clientid=0152415320704e7266238ebf01030...
.EE
.PP
The binary format consists of:
.IP
2 bytes of packet length, msb first
.IP
8 bytes of nanosecond time, msb first
.IP
the packet
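As an added example (not code from the snoopy source), a C reader for the binary trace format just described; the names snoopy_trace_parse, snoopy_trace_ms and struct trace_rec are assumptions of this example. It also shows how a reader should treat a trace file that was cut off mid-record, which is what an interrupted capture leaves behind.

```c
/* Reader for the binary trace format written by snoopy -d (an added
 * example, not part of the snoopy source). Each record is a 2-byte
 * big-endian length, an 8-byte big-endian nanosecond time, then the packet. */
#include <stddef.h>
#include <stdint.h>

#define HDRLEN 10   /* 2 bytes length + 8 bytes time */

struct trace_rec {
    uint16_t len;              /* packet length from the record header */
    uint64_t ns;               /* nanosecond timestamp */
    const unsigned char *pkt;  /* points into the caller's buffer */
};

/* Read an nbytes-wide big-endian (msb first) integer. */
static uint64_t get_be(const unsigned char *p, int nbytes)
{
    uint64_t v = 0;
    for (int i = 0; i < nbytes; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Parse records from buf[0..n) into out (at most max entries) and return
 * how many complete records were found. A record whose header or body runs
 * past the end of buf is truncated and left out, so it is never read past. */
size_t snoopy_trace_parse(const unsigned char *buf, size_t n,
                          struct trace_rec *out, size_t max)
{
    size_t off = 0, count = 0;
    while (count < max && n - off >= HDRLEN) {
        uint16_t len = (uint16_t)get_be(buf + off, 2);
        if (len > n - off - HDRLEN)
            break;                         /* truncated packet body */
        out[count].len = len;
        out[count].ns = get_be(buf + off + 2, 8);
        out[count].pkt = buf + off + HDRLEN;
        count++;
        off += HDRLEN + len;
    }
    return count;
}

/* Milliseconds since the first record, matching the leading "NNN ms"
 * line of the human readable output. */
uint64_t snoopy_trace_ms(const struct trace_rec *r, uint64_t start_ns)
{
    return (r->ns - start_ns) / 1000000;
}
```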
.PP
Filters are expressions specifying protocols to be traced
and specific values for fields in the protocol headers.
The grammar is:
.sp
.EX
expr : protocol
| field '=' value
| protocol '(' expr ')'
| '(' expr ')'
| expr '||' expr
| expr '&&' expr
| '!' expr
.EE
.PP
The values for <protocol> and <field> can
be obtained using the
.B -?
option. It will list each known protocol,
which subprotocols it can multiplex to,
and which fields can be used for filtering.
For example, the listing for ethernet is currently:
.sp
.EX
ether's filter attr:
s - source address
d - destination address
a - source|destination address
t - type
ether's subprotos:
ip
arp
rarp
ip6
pppoe_disc
pppoe_sess
.EE
.PP
The format of <value> depends on context. In general,
ethernet addresses are entered as a string of hex
digits; IP numbers in the canonical `.' format for v4 and `:' format
for v6; and ports in decimal.
.PP
.IR Snoopy 's
options are:
.TP
.B -t
input is a binary trace file. The default assumes
a packet device, one packet per read.
.TP
.B -d
output will be a binary trace file. The default is
human readable.
.TP
.B -s
force one output line per packet. The
default is multiline.
.TP
.B -C
compute correct checksums and, if one doesn't match
the contained one, add a field
.B !ck=\fIxxxx\fP
where
.I xxxx
is the correct checksum.
.TP
.B -p
do not enter promiscuous mode. Only packets to
this interface will be seen.
.TP
.B -N
dump
.I n
data bytes per packet. The default is 32.
.TP
.B -f
use
.I filter-expression
to filter the packet stream. The default is
to match all packets.
.TP
.B -h
assume the first header per packet to be
.IR first-header .
The default is
.IR ether .
.SH EXAMPLES
The following would display only
.SM BOOTP
and
.SM ARP
packets:
.sp
.EX
% snoopy -f 'arp || bootp'
after optimize: ether( arp || ip( udp( bootp ) ) )
.EE
.PP
The first line of output shows the completed filter
expression.
.I Snoopy
will fill in other protocols as necessary to complete
the filter and then optimize to remove redundant
comparisons.
.PP
To save all packets between 135.104.9.2 and 135.104.9.6 and
later display those to/from TCP port 80:
.sp
.EX
% ramfs
% snoopy -df 'ip(s=135.104.9.2&d=135.104.9.6)||\\
ip(s=135.104.9.6&d=135.104.9.2)' > /tmp/quux
<interrupt from the keyboard>
% snoopy -tf 'tcp(sd=80)' /tmp/quux
.EE
.SH FILES
.TP
.B /net/ether
Ethernet device
.SH SOURCE
.B /sys/src/cmd/ip/snoopy
.SH BUGS
At the moment it only dumps ethernet packets because there's
no device to get IP packets without the media header. This will
be corrected soon.