How to Sniff a NIC

BACKGROUND

This procedure is useful when trying to track what traffic is passing through a Network Interface Card (NIC).

This may be necessary if trying to identify which address a NIC is using as a point if reference for IP Multi-Pathing (IPMP).

WORKED EXAMPLE

IDENTIFY THE IP ADDRESSES TO BE CHECKED

cat /etc/hosts

#
# Internet host table
#
::1     localhost
127.0.0.1       localhost
116.101.156.156 HOSTNAME01 HOSTNAME01-app loghost
116.101.156.157 HOSTNAME01-oracle
116.101.150.126 HOSTNAME01-mgmt HOSTNAME01.backup
116.101.146.131 HOSTNAME01-hb1                                   <---- This host name is used for the example
116.101.156.160 HOSTNAME02 HOSTNAME02-app loghost
116.101.156.161 HOSTNAME02-oracle
116.101.150.128 HOSTNAME02-mgmt HOSTNAME02.backup
116.101.146.134 HOSTNAME02-hb1

IDENTIFY THE IPMP NAME OF THE HOST NAME

cd /etc

grep HOSTNAME01-hb1 hostname.*

hostname.nxge1:116.101.146.129/27 broadcast + group db_vlan -failover deprecated up addif HOSTNAME01-hb1/27
broadcast + up                                      _______  
                                                       |____________ This is the IPMP name

IDENTIFY WHICH NICS ARE USING THE IPMPM NAME

ifconfig -a | grep db_vlan

lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=209040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,CoS> mtu 1500 index 2  
        inet 116.101.156.154 netmask fffffe00 broadcast 116.101.157.255
        groupname app_vlan                                                                     
e1000g0:1: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 116.101.156.156 netmask fffffe00 broadcast 116.101.157.255
e1000g0:3: flags=201040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,CoS> mtu 1500 index 2
        inet 116.101.156.157 netmask ffffff00 broadcast 116.101.156.255
e1000g1: flags=269040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,STANDBY,INACTIVE,CoS> 
        mtu 1500 index 3 inet 116.101.146.130 netmask ffffffe0 broadcast 116.101.146.159
        groupname db_vlan                                                           <--- This is the first NIC
e1000g3: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 4
        inet 116.101.150.126 netmask ffffff00 broadcast 116.101.150.255
nxge0: flags=269040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,STANDBY,INACTIVE,CoS> 
        mtu 1500 index 5 inet 116.101.156.155 netmask fffffe00 broadcast 116.101.157.255
        groupname app_vlan
nxge1: flags=209040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,CoS> mtu 1500 index 6
        inet 116.101.146.129 netmask ffffffe0 broadcast 116.101.146.159
        groupname db_vlan                                                            <--- This is the second NIC
nxge1:1: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 6
        inet 116.101.146.131 netmask ffffffe0 broadcast 116.101.146.159

SNIFF THE NIC

  • WARNING! - Sniffing a busy NIC can generate huge amounts of output.
  • WARNING! - Sniffing a Production NIC may impact performance, therefore only sniff here under a change control.
su - root

snoop -r -d e1000g1 icmp

Using device /dev/e1000g1 (promiscuous mode)
116.101.146.130 -> 116.101.146.134 ICMP Echo request (ID: 9907 Sequence number: 59894)<--- Ping to 1st reference 
116.101.146.134 -> 116.101.146.130 ICMP Echo reply (ID: 9907 Sequence number: 59894)  <--- Reply from 1st reference 
116.101.146.130 -> 116.101.146.133 ICMP Echo request (ID: 9907 Sequence number: 59895)<--- Ping to 2nd reference 
116.101.146.133 -> 116.101.146.130 ICMP Echo reply (ID: 9907 Sequence number: 59895)  <--- Reply from 2nd reference

  Use Ctrl-C to stop the snoop command

snoop -r -d nxge1 icmp

Using device /dev/nxge1 (promiscuous mode)
116.101.146.129 -> 116.101.146.134 ICMP Echo request (ID: 9910 Sequence number: 60655)<--- Ping to 1st reference
116.101.146.134 -> 116.101.146.129 ICMP Echo reply (ID: 9910 Sequence number: 60655)  <--- Reply from 1st reference
116.101.146.129 -> 116.101.146.133 ICMP Echo request (ID: 9910 Sequence number: 60656)<--- Ping to 2nd reference
116.101.146.133 -> 116.101.146.129 ICMP Echo reply (ID: 9910 Sequence number: 60656)  <--- Reply from 2nd reference
  Use Ctrl-C to stop the snoop command
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License