SNOOPY(8)                                               SNOOPY(8)

          snoopy - spy on network packets

          snoopy [ -CDdpst ] [ -M m ] [ -N n ] [ -f filter-expression
          ] [ -h first-header ] [ packet-source ]

          snoopy -? [ proto... ]

          Snoopy reads packets from a packet-source (default
          /net/ether0), matches them to a filter (by default anything
          matches), and writes matching packets to standard output
          either in human readable form (default) or in a binary trace
          format that can be later read by snoopy. Packet-source can
          be the name of an Ethernet (e.g., /net/ether0), an interface
          (e.g., /net/ipifc/0), or a file of captured packets.

          The human readable format consists of multiple lines per
          packet.  The first line contains the milliseconds since the
          trace was started.  Subsequent ones are indented with a tab
          and each contains the dump of a single protocol header.  The
          last line contains the dump of any contained data.  For
          example, a BOOTP packet would look like:

               324389 ms
                    ether(s=0000929b1b54 d=ffffffffffff pr=0800 ln=342)
                    ip(s= d= id=5099 frag=0000...
                    udp(s=68 d=67 ck=d151 ln= 308)
                    bootp(t=Req ht=1 hl=16 hp=0 xid=217e5f27 sec=0 fl=800...
                    dhcp(t=Request clientid=0152415320704e7266238ebf01030...

          The binary format consists of:

               2 bytes of packet length, msb first

               8 bytes of nanosecond time, msb first

               the packet

          Filters are expressions specifying protocols to be traced
          and specific values for fields in the protocol headers.  The
          grammar is:

               expr:       protocol
                    | field '=' value
                    | field '!=' value
                    | protocol '(' expr ')'
                    | '(' expr ')'
                    | expr '||' expr

     SNOOPY(8)                                               SNOOPY(8)

                    | expr '&&' expr
                    | '!' expr

          The values for protocol and field can be obtained using the
          -? option.  With no arguments, it lists the known protocols.
          Otherwise it prints, for each protocol specified, which sub-
          protocols it can multiplex to, and which fields can be used
          for filtering.  For example, the listing for ethernet is

               ether's filter attributes:
                 s  - source address
                 d  - destination address
                 a  - source|destination address
                 sd - source|destination address
                 t  - type
               ether's subprotos:
                 0x0800 ip           0x8863 pppoe_disc
                 0x0806 arp          0x8864 pppoe_sess
                 0x0806 rarp         0x888e eapol
                 0x86dd ip6

          The format of value depends on context.  In general, ether-
          net addresses are entered as a string of hex digits; IP num-
          bers in the canonical `.' format for v4 and `:' format for
          v6; and ports in decimal.

          Snoopy's options are:

          -C   compute the correct checksum for each packet; on mis-
               match, add a field !ck=xxxx where xxxx is the correct

          -D   output will be a binary trace file in Unix pcap format.

          -d   output will be a binary trace file.

          -t   input is a binary trace file as generated with the -d

          -p   do not enter promiscuous mode.  Only packets to this
               interface will be seen.

          -s   force one output line per packet.  The default is mul-

          -M   discard all but the first m bytes of each packet.  The
               default is to keep the entire packet.  This option is
               most useful when writing packets to a file with the -d

          -N   dump n data bytes per packet.  The default is 32.

     SNOOPY(8)                                               SNOOPY(8)

          -f   use filter-expression to filter the packet stream.  The
               default is to match all packets.

          -h   assume the first header per packet to be of the first-
               header protocol.  The default is `ether'.

          To display only BOOTP and ARP packets:

               % snoopy -f 'arp || bootp'
               after optimize: ether(arp || ip(udp(bootp)))

          The first line of output shows the completed filter expres-
          sion.  Snoopy will fill in other protocols as necessary to
          complete the filter and then optimize to remove redundant

          To save all packets between to and
          later display those to/from TCP port 80:

               % ramfs
               % snoopy -df 'ip(s= && d= ||\
                    ip(s= && d=' > /tmp/quux
               <interrupt from the keyboard>
               % snoopy -tf 'tcp(sd=80)' /tmp/quux

               Ethernet device


          Snoopy only dumps ethernet packets, because there's no
          device to get IP packets without a media header.