Snoop is a network sniffer available on the Solaris OS. To use it, open a terminal console on the appgate server and become root. The manual can be read with the command "man snoop".
Running the command in the foreground produces a condensed one-line-per-packet overview of the packets currently being captured. If you would like to capture whole packets, run snoop with "-o <filename>"; it then writes the captured packets to the file called filename. You can then analyse the capture file with a GUI such as Wireshark on your local computer.
Snooping client traffic when using IP tunneling
Every client connected to an appgate server with IP tunneling has an IP tunnel address. Traffic sent to a resource behind the appgate system is sent to that IP tunneling interface on the client machine. On the appgate server the traffic is then forwarded to the resource. The source IP address of the packets the appgate server sends to the resource is the IP address of the client's IP tunneling interface.
Example: the client has 172.24.0.7 on its IP tunneling interface. This IP will appear as the source address when the appgate server forwards the client's traffic to the requested resource.
Traffic leaves the server on the interface through which the target resource is reachable according to the routing table. To analyse traffic to a particular resource, for example the DNS server, you need to identify that interface name, which is then passed as an argument to snoop. You can find the interface name either from the network-to-interface mapping in the appgate console or in a terminal window on the appgate server. The simplest way is the command "route get" in a terminal window. For example, to find out on which interface the DNS server is reachable (routed):
appgate:~#route get dns.cryptzone.int
route to: dns.cryptzone.int
recvpipe sendpipe ssthresh rtt,ms rttvar,ms hopcount mtu expire
0 0 0 0 0 0 0 0
The interface reported by route get is bge3.
Snooping traffic on the server
- Find out what you are looking for, e.g. IP addresses, protocols, ports
- Find out on which interface that traffic is routed, i.e. where it is expected to appear.
snoop -d <interface_name> <ip_address>
As an example:
snoop -d bge2 172.24.0.7
The command will show all packets on the interface bge2 whose source or destination address is 172.24.0.7.
snoop -d bge2 172.24.0.7 port 53
172.24.0.7 -> dns.cryptzone.int DNS C cryptzone.com. Internet Addr ?
dns.cryptzone.int -> 172.24.0.7 DNS R
The command will show all packets on the interface bge2 whose source or destination address is 172.24.0.7 and whose source or destination port is 53.
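The two steps above (look up the outgoing interface with "route get", then run snoop on that interface with -o to get a Wireshark-readable capture) as a small POSIX shell wrapper; this is an added example, not code from the original article or from the appgate product. It assumes Solaris "route get" prints an "interface:" line and that snoop accepts -d and -o as described above; the function names, the sample output and the file name are mine.

```shell
#!/bin/sh
# Added example (not part of the original article): wraps the snoop procedure above.

# Extract the outgoing interface name from 'route get' output read on stdin.
# Assumes the Solaris "  interface: bge3" line; prints e.g. "bge3".
iface_from_route_get() {
    awk '$1 == "interface:" { print $2; exit }'
}

# Build the snoop filter expression for a client tunnel IP and an optional port,
# e.g. "172.24.0.7 port 53" (snoop ANDs adjacent primitives together).
# Usage: snoop_filter <client_ip> [port]
snoop_filter() {
    if [ -n "${2:-}" ]; then
        printf '%s port %s' "$1" "$2"
    else
        printf '%s' "$1"
    fi
}

# Resolve the interface the resource is routed over, then capture the client's
# traffic on it to a file that can be opened in Wireshark on your workstation.
# Usage (as root on the appgate server):
#   capture_client_traffic <resource_host> <client_ip> <outfile> [port]
capture_client_traffic() {
    resource=$1; client_ip=$2; outfile=$3; port=${4:-}
    iface=$(route get "$resource" | iface_from_route_get)
    if [ -z "$iface" ]; then
        echo "no route to $resource found, cannot pick an interface" >&2
        return 1
    fi
    echo "capturing $client_ip traffic on $iface to $outfile" >&2
    # Word splitting of the filter is intended: snoop takes the expression as
    # separate arguments. -o writes full packets, so nothing is truncated.
    snoop -d "$iface" -o "$outfile" $(snoop_filter "$client_ip" "$port")
}
```

Run it as, for example, capture_client_traffic dns.cryptzone.int 172.24.0.7 /tmp/dns.snoop 53 and stop with Ctrl-C; the resulting file opens directly in Wireshark.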