How to Sniff a NIC
BACKGROUND
This procedure is useful when trying to track what traffic is passing through a Network Interface Card (NIC).
This may be necessary when trying to identify which addresses a NIC is using as its points of reference for IP Multi-Pathing (IPMP).
WORKED EXAMPLE
IDENTIFY THE IP ADDRESSES TO BE CHECKED
cat /etc/hosts
#
# Internet host table
#
::1 localhost
127.0.0.1 localhost
116.101.156.156 HOSTNAME01 HOSTNAME01-app loghost
116.101.156.157 HOSTNAME01-oracle
116.101.150.126 HOSTNAME01-mgmt HOSTNAME01.backup
116.101.146.131 HOSTNAME01-hb1 <---- This host name is used for the example
116.101.156.160 HOSTNAME02 HOSTNAME02-app loghost
116.101.156.161 HOSTNAME02-oracle
116.101.150.128 HOSTNAME02-mgmt HOSTNAME02.backup
116.101.146.134 HOSTNAME02-hb1
IDENTIFY THE IPMP NAME OF THE HOST NAME
cd /etc
grep HOSTNAME01-hb1 hostname.*
hostname.nxge1:116.101.146.129/27 broadcast + group db_vlan -failover deprecated up addif HOSTNAME01-hb1/27 broadcast + up <---- "db_vlan" (the word after "group") is the IPMP name
IDENTIFY WHICH NICS ARE USING THE IPMP NAME
ifconfig -a
(The full listing is shown because grepping for db_vlan alone prints only the "groupname" lines and loses the interface names; the two NICs in group db_vlan are marked below.)
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
e1000g0: flags=209040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,CoS> mtu 1500 index 2
inet 116.101.156.154 netmask fffffe00 broadcast 116.101.157.255
groupname app_vlan
e1000g0:1: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
inet 116.101.156.156 netmask fffffe00 broadcast 116.101.157.255
e1000g0:3: flags=201040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,CoS> mtu 1500 index 2
inet 116.101.156.157 netmask ffffff00 broadcast 116.101.156.255
e1000g1: flags=269040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,STANDBY,INACTIVE,CoS> mtu 1500 index 3
inet 116.101.146.130 netmask ffffffe0 broadcast 116.101.146.159
groupname db_vlan <--- This is the first NIC
e1000g3: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 4
inet 116.101.150.126 netmask ffffff00 broadcast 116.101.150.255
nxge0: flags=269040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,STANDBY,INACTIVE,CoS> mtu 1500 index 5
inet 116.101.156.155 netmask fffffe00 broadcast 116.101.157.255
groupname app_vlan
nxge1: flags=209040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,CoS> mtu 1500 index 6
inet 116.101.146.129 netmask ffffffe0 broadcast 116.101.146.159
groupname db_vlan <--- This is the second NIC
nxge1:1: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 6
inet 116.101.146.131 netmask ffffffe0 broadcast 116.101.146.159
SNIFF THE NIC
- WARNING! - Sniffing a busy NIC can generate huge amounts of output.
- WARNING! - Sniffing a Production NIC may impact performance, therefore only sniff here under a change control.
su - root
snoop -r -d e1000g1 icmp
Using device /dev/e1000g1 (promiscuous mode)
116.101.146.130 -> 116.101.146.134 ICMP Echo request (ID: 9907 Sequence number: 59894)<--- Ping to 1st reference
116.101.146.134 -> 116.101.146.130 ICMP Echo reply (ID: 9907 Sequence number: 59894) <--- Reply from 1st reference
116.101.146.130 -> 116.101.146.133 ICMP Echo request (ID: 9907 Sequence number: 59895)<--- Ping to 2nd reference
116.101.146.133 -> 116.101.146.130 ICMP Echo reply (ID: 9907 Sequence number: 59895) <--- Reply from 2nd reference
Use Ctrl-C to stop the snoop command
snoop -r -d nxge1 icmp
Using device /dev/nxge1 (promiscuous mode)
116.101.146.129 -> 116.101.146.134 ICMP Echo request (ID: 9910 Sequence number: 60655)<--- Ping to 1st reference
116.101.146.134 -> 116.101.146.129 ICMP Echo reply (ID: 9910 Sequence number: 60655) <--- Reply from 1st reference
116.101.146.129 -> 116.101.146.133 ICMP Echo request (ID: 9910 Sequence number: 60656)<--- Ping to 2nd reference
116.101.146.133 -> 116.101.146.129 ICMP Echo reply (ID: 9910 Sequence number: 60656) <--- Reply from 2nd reference
Use Ctrl-C to stop the snoop command
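As an added example that is not part of the original page, the two shell helpers below post-process saved output from the steps above: ipmp_nics lists the physical NICs whose "groupname" matches a given IPMP name, and probe_status reports, per ICMP echo target seen by snoop, whether a reply came back. The sample data is constructed from the listing above, and the snoop sample deliberately drops one reply to show how an unreachable reference address would appear.

```shell
#!/bin/sh
# Added example, not part of the original page. Helpers for output saved from
#   ifconfig -a > ifconfig.out
#   snoop -r -d nxge1 icmp > snoop.out
# Use as:  ipmp_nics db_vlan < ifconfig.out ;  probe_status < snoop.out

# Print physical NIC names (logical ":N" suffix stripped) whose "groupname"
# line matches the IPMP group given as $1. Reads `ifconfig -a` output on stdin.
ipmp_nics() {
  awk -v grp="$1" '
    /^[a-z0-9]+(:[0-9]+)?: flags=/ { split($1, a, ":"); nic = a[1] }
    $1 == "groupname" && $2 == grp && !seen[nic]++ { print nic }
  '
}

# For each ICMP Echo request seen on the sniffed NIC, report whether the target
# answered. Reads `snoop -r ... icmp` output on stdin; -r keeps addresses
# numeric, so the fields are:  src -> dst ICMP Echo request|reply ...
probe_status() {
  awk '
    $4 == "ICMP" && $5 == "Echo" && $6 == "request" { req[$3] = 1 }
    $4 == "ICMP" && $5 == "Echo" && $6 == "reply"   { rep[$1] = 1 }
    END { for (t in req) printf "%s %s\n", t, (t in rep) ? "answered" : "NO-REPLY" }
  ' | sort
}

# Constructed sample data, trimmed from the page's listing.
SAMPLE_IFCONFIG='e1000g1: flags=269040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,STANDBY,INACTIVE,CoS> mtu 1500 index 3
inet 116.101.146.130 netmask ffffffe0 broadcast 116.101.146.159
groupname db_vlan
e1000g3: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 4
inet 116.101.150.126 netmask ffffff00 broadcast 116.101.150.255
nxge0: flags=269040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,STANDBY,INACTIVE,CoS> mtu 1500 index 5
inet 116.101.156.155 netmask fffffe00 broadcast 116.101.157.255
groupname app_vlan
nxge1: flags=209040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,CoS> mtu 1500 index 6
inet 116.101.146.129 netmask ffffffe0 broadcast 116.101.146.159
groupname db_vlan
nxge1:1: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 6
inet 116.101.146.131 netmask ffffffe0 broadcast 116.101.146.159'

# Constructed: the second reference address (.133) never replies here.
SAMPLE_SNOOP='116.101.146.129 -> 116.101.146.134 ICMP Echo request (ID: 9910 Sequence number: 60655)
116.101.146.134 -> 116.101.146.129 ICMP Echo reply (ID: 9910 Sequence number: 60655)
116.101.146.129 -> 116.101.146.133 ICMP Echo request (ID: 9910 Sequence number: 60656)'

printf '%s\n' "$SAMPLE_IFCONFIG" | ipmp_nics db_vlan   # e1000g1 and nxge1
printf '%s\n' "$SAMPLE_SNOOP" | probe_status           # .133 NO-REPLY, .134 answered
```

A NO-REPLY target on one NIC but not the other points at that NIC's path rather than the target itself.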