Since Solaris 11 offers a range of abstractions in the data link layer and the IP layer for high availability, scaling and aggregation purposes, it becomes a bit complicated to use the snoop command to capture IP or higher-level protocol traffic when several layers of physical and logical devices are configured on a Solaris system.
The abstractions provided by the different layers are (but not limited to):
1. Physical - net0, net1, ixgbe0, ixgbe1, etc.
2. Data Link - DLMP devices, aggregations (eg: aggr0, aggr1), vnets and vnics
3. IP layer - IP interfaces (eg: net0/v4) and IPMP groups (eg: ipmp0/v4addr1).
snoop gives us the option to specify either a device or an IP interface.
From the snoop manpage:
snoop [-aqrCDINPSvV] [-t r | a | d] [-c maxcount]
[-d device] [-I IP_interface] [-i filename] [-n filename]
[-o filename] [-p first [, last]] [-s snaplen]
[-x offset [, length]] [expression]
To capture traffic, we can use one of these switches: -d device or -I IP_interface.
But if we are snooping a higher-level protocol such as NFS, SMB or SSH, snooping a logical or physical device would not yield a complete capture.
So it is always recommended to use the IP interface (-I IP_interface) rather than the underlying device.
Below is a snoop capture from a host that has IPMP configured over two physical interfaces, link0_ipmp0 and link1_ipmp0. The IPMP interface name is ipmp0.
The snoop is of an NFSv3 mount operation.
Let us analyze the capture at each layer:
First physical interface:
# snoop -d link0_ipmp0 hostB
Second physical interface:
# snoop -d link1_ipmp0 hostB
As you can see, the traffic is split between the two interfaces; neither capture alone yields the complete picture, and analyzing the pair is tedious.
But if instead we snoop the IPMP interface, we get a complete capture of the mount operation:
# snoop -I ipmp0 hostB
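As an added example (not part of the original post), the following POSIX shell helper applies the rule above automatically: given a name that an operator might pass to snoop, it looks up whether that name is an IPMP group or one of a group's member links and, if so, snoops the group with -I instead of the member with -d. Group membership is assumed to come from the parsable output of ipmpstat -g -P -o groupname,interfaces, assumed here to print one "group:member1 member2 ..." line per group; the sample output embedded in the script is constructed to match the host in the post, and the function names are my own.

```shell
#!/bin/sh
# Added example: route a snoop request to the IPMP group rather than a member link.
#
# Assumption: `ipmpstat -g -P -o groupname,interfaces` prints one line per group
# in the form "group:member1 member2 ...". The sample below is constructed to
# match the host in the post (group ipmp0 over link0_ipmp0 and link1_ipmp0).
SAMPLE_IPMPSTAT='ipmp0:link0_ipmp0 link1_ipmp0'

# ipmp_group_for NAME [IPMPSTAT_OUTPUT]
# Prints the IPMP group that NAME is, or is a member of; returns 1 when NAME is
# not part of any group. Queries the live system when no output is supplied.
ipmp_group_for() {
    name=$1
    data=${2:-$(ipmpstat -g -P -o groupname,interfaces 2>/dev/null)}
    printf '%s\n' "$data" | awk -F: -v n="$name" '
        {
            # the name is itself a group
            if ($1 == n) { print $1; found = 1; exit }
            # the name is one of the space-separated member links
            cnt = split($2, m, " ")
            for (i = 1; i <= cnt; i++)
                if (m[i] == n) { print $1; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# snoop_target NAME [IPMPSTAT_OUTPUT]
# Prints the switch and name snoop should be given: "-I <group>" when NAME is an
# IPMP group or member (so the capture is not split across links), otherwise
# "-d NAME" for a plain data link that carries the whole flow by itself.
snoop_target() {
    group=$(ipmp_group_for "$1" "$2") || group=""
    if [ -n "$group" ]; then
        [ "$group" != "$1" ] && echo "note: $1 is a member of IPMP group $group; snooping the group instead" >&2
        echo "-I $group"
    else
        echo "-d $1"
    fi
}

# capture_host_traffic NAME HOST OUTFILE
# Live wrapper: write all traffic to/from HOST seen on the resolved target to OUTFILE
# (-q suppresses the per-packet display, -o writes the capture file, as in the manpage).
capture_host_traffic() {
    set -- $(snoop_target "$1") "$2" "$3"
    # after set: $1 = -I or -d, $2 = resolved name, $3 = host, $4 = output file
    snoop -q "$1" "$2" -o "$4" host "$3"
}
```

On the host from the post, capture_host_traffic link0_ipmp0 hostB /tmp/nfs.snoop would print the note and run snoop -I ipmp0, giving the same complete view of the mount as the last command above.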