Cryptzone Support


Using snoop

Snoop is a network sniffer available on the Solaris OS. To use it, open a terminal console on the AppGate server and become root. The manual can be read with the command "man snoop".

Running the command in the foreground prints a condensed one-line-per-packet overview of the packets currently being captured. If you want to capture whole packets, run snoop with "-o <filename>" and it writes the packets to the file called filename. You can then analyze the capture with a GUI such as Wireshark on your local computer.

Snooping client traffic when using IP tunneling

Every client connected to an AppGate server with IP tunneling has an IP tunnel address. Traffic sent to a resource behind the AppGate system is sent to that IP tunneling interface on the client machine. On the AppGate server the traffic is then forwarded to the resource. The source IP of the packets the AppGate server sends to the resource is the address of the client's IP tunneling interface.

Example: Client has on the IP tunneling interface. This IP will appear as the source address when the AppGate server forwards the client's traffic to the requested resource.

The traffic flows out on the interface through which the target resource can be reached (according to routing). To analyse traffic destined for, for example, the DNS server, you need to identify the interface name, which can then be passed as an argument to snoop. You find the interface name either from the network-to-interface mapping in the AppGate console or in a terminal window on the AppGate server. The simplest way to find out which interface the traffic flows on is the command "route get" in a terminal window. For example, to find out which interface the DNS server is connected (routed) to:

appgate:~# route get
   route to:
  interface: bge3
  recvpipe sendpipe ssthresh rtt,ms rttvar,ms hopcount mtu expire
  0 0 0 0 0 0 0 0

The answer is bge3. 

Snooping traffic on the server

  1. Find out what you are looking for, e.g. IP address, protocols, ports.
  2. Find out which interface that traffic is routed through (or is expected to appear on), e.g. with "route get" as shown above.
  3. Run snoop on that interface with a filter expression for the address:
snoop -d <interface_name> <ip_address>

As an example:

snoop -d bge2

The command shows all packets on interface bge2 whose source or destination address matches the given IP.

Another example:

snoop -d bge2 port 53
 -> DNS C Internet Addr ?
 -> DNS R

The command shows all packets on interface bge2 whose source or destination address matches the given IP and whose source or destination port is 53 (DNS). In the condensed output, "DNS C" marks a client query and "DNS R" the server's response.
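The two steps above (find the interface with "route get", then run snoop on it with a filter) can be scripted. The following is an added example, not part of the original article: it parses the "interface:" line out of the text that "route get" prints and assembles the snoop command line, optionally with "-o" for a full-packet capture file. The route-get output, the DNS server address 10.0.0.53 and the capture path are constructed placeholder values, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not the article's own code): derive the outgoing interface
# from "route get" output and build the matching snoop command line.

# Constructed sample of what "route get 10.0.0.53" prints on the AppGate
# server (same layout as the article's example; values are placeholders).
SAMPLE_ROUTE_OUTPUT='   route to: 10.0.0.53
 interface: bge3
 recvpipe sendpipe ssthresh rtt,ms rttvar,ms hopcount mtu expire
 0 0 0 0 0 0 0 0'

# Read route-get output on stdin and print the interface name only.
interface_from_route_output() {
    awk '$1 == "interface:" { print $2; exit }'
}

# Print the snoop invocation for an interface and a snoop filter expression.
# With a third argument, add "-o <file>" so whole packets are written to that
# file for later analysis in Wireshark; without it, snoop prints the
# condensed one-line-per-packet summary described in the article.
snoop_cmd() {
    _iface=$1
    _filter=$2
    _outfile=$3
    if [ -n "$_outfile" ]; then
        printf 'snoop -d %s -o %s %s\n' "$_iface" "$_outfile" "$_filter"
    else
        printf 'snoop -d %s %s\n' "$_iface" "$_filter"
    fi
}

# On the live server the first line would be:
#   iface=$(route get "$DNS_IP" | interface_from_route_output)
# Here the constructed output stands in for the real route command.
iface=$(printf '%s\n' "$SAMPLE_ROUTE_OUTPUT" | interface_from_route_output)

# Live summary of DNS traffic to/from the placeholder DNS server.
snoop_cmd "$iface" "host 10.0.0.53 and port 53"
# Same filter, but written to a capture file for Wireshark.
snoop_cmd "$iface" "host 10.0.0.53 and port 53" /var/tmp/dns.snoop
```

The script only prints the commands; run the printed line as root on the AppGate server to start the capture. The filter uses snoop's explicit "host ... and port ..." form, which is equivalent to the article's "<ip_address> port 53" but leaves no doubt about how the two conditions combine.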


Article Info
3/13/2015 8:43 AM