Snooping local network traffic

[Clairvoyant1332]

Is it possible to snoop between two ports if both are on the same server? It seems that the snoop command goes down to the physical network layer, where IP packets destined for a local port never reach.

Dennis

 

[bfitzmai]

You can run snoop -d to snoop specific devices.

 

[Clairvoyant1332]

No good. If I try to run "snoop -d lo0" (for the loopback device) is says that /dev/lo does not exist.

 

[bfitzmai]

Look at the files /etc/hostname.<device> to select which network device you want to use. Example: hostname.hme1 is the secondary network card. Then use snoop -d hme1.

 

[Clairvoyant1332]

That's fine if you want to snoop network trafic that goes to a remote machine. That works ok. What I'm looking to do is to snoop a connection where both endpoints are on THE SAME SERVER.

Let's say I have a chat server on machine A listening on port 4444. I then run two chat clients, one on machine A and one on machine B, that both connect to the chat server on A. If I run "snoop port 4444" on A (it says "using device /dev/hme", and hme0 is the only external interface), it will see trafic moving between the server app on A and the client on B, but not between the server app on A and the client on A. I want to see the trafic beetween the chat server and the local chat client.

 

[mdet]

Hi Clairvoyant1332!
Although almost one year went by I post this to ask you whether you found a solution at last.
I'm working on the same thing (trying to "snoop" on localhost). Tried also ethereal but both of them refused that particular interface ("No such file or directory")).
Hope to hear/read from you.