A colleague asked me to check whether any traffic was coming from a specific host to the local host. Both machines run Solaris, one an Ultra 5 (pretty old) and the other a Sparc Ultra 250 (also old).
There are many commands UNIX admins use to monitor network traffic going to and from a specific UNIX box.
Here are some of them:
- netstat -k (dumps the kernel's network statistics counters)
Which one to use depends on the admin's approach and on what information needs to be gathered.
In our case snoop serves the purpose very well.
snoop captures and displays packets seen on a network interface. It ships with Solaris, has to be run as root, and by default puts the interface into promiscuous mode, so it sees everything on the wire, not only TCP and UDP: the sample below also shows NIS RPC traffic. Note that snoop resolves IP addresses to hostnames by default and so can generate name lookups of its own; use snoop -r to print raw addresses when that matters.
Here's sample output from the Unix box:
Using device /dev/hme (promiscuous mode)
server40 -> serverfs01 TCP D=49678 S=22 Ack=3304463642 Seq=13090730 Len=80 Win=24820
serverfs01 -> server40 TCP D=22 S=49678 Ack=13090810 Seq=3304463642 Len=0 Win=24820
serverws12 -> server40 NIS C MATCH 126.96.36.199 in hosts.byaddr
server40 -> serverws12 NIS R MATCH OK
TCP D=49678 S=22
This is a TCP packet with source port 22 (ssh, the server side on server40) and destination port 49678, the ephemeral port the ssh client on serverfs01 opened for this session (the next line shows the client's reply with the ports swapped). Ack and Seq are the TCP acknowledgement and sequence numbers, Len is the payload length in bytes, and Win is the advertised receive window.
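The question in the post, "is host X sending us anything?", is easiest to answer by capturing with a snoop host filter and then counting the summary lines per source, destination and protocol. The script below is an added example, not part of the original post: the capture function shows the snoop invocation (interface hme0, a capture file and the hostnames are assumptions), and the two parsing functions run offline over a constructed sample shaped like the output shown above, so they can be tried anywhere that has awk.

```shell
#!/bin/sh
# Added example, not from the original post. Hostnames, interface hme0 and
# the capture file name are assumptions.

# Capture on the Solaris box (run as root). -d picks the interface, -o writes
# raw packets to a file so the same capture can be re-read later with
# "snoop -i FILE" and different filters; "host NAME" keeps only packets to or
# from that host. Not executed in this script.
capture_from_host() {
    # $1 = remote host, $2 = output capture file
    snoop -d hme0 -o "$2" host "$1"
}

# Summarize snoop's one-line summary output (on stdin) as
# "<count> <src> <dst> <proto>", busiest first. The "Using device" banner
# and any other line without "->" is skipped.
summarize_snoop() {
    awk '$2 == "->" { printf "%s %s %s\n", $1, $3, $4 }' | sort | uniq -c | sort -rn
}

# Exit 0 if host $1 appears as the packet source in the summary on stdin,
# 1 otherwise. This is the yes/no answer the colleague asked for.
traffic_from() {
    awk -v h="$1" '$1 == h && $2 == "->" { found = 1 } END { exit !found }'
}

# Constructed sample, modelled on the output in the post.
SAMPLE='Using device /dev/hme (promiscuous mode)
server40 -> serverfs01 TCP D=49678 S=22 Ack=3304463642 Seq=13090730 Len=80 Win=24820
serverfs01 -> server40 TCP D=22 S=49678 Ack=13090810 Seq=3304463642 Len=0 Win=24820
serverws12 -> server40 NIS C MATCH 126.96.36.199 in hosts.byaddr
server40 -> serverws12 NIS R MATCH OK'

printf '%s\n' "$SAMPLE" | summarize_snoop

if printf '%s\n' "$SAMPLE" | traffic_from serverws12; then
    echo "serverws12 is sending traffic to this host"
else
    echo "no traffic seen from serverws12"
fi
```

On the real box you would pipe `snoop -i capture.snoop` (or a live `snoop host serverws12`) into these functions instead of the sample; add `-r` to snoop if you want the first column to be IP addresses rather than NIS-resolved names.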
Here's a link to other third-party software for monitoring network traffic.