DBpulse Manual - sniff_ip


sniff_ip - utility that records TCP/IP information by capturing network packets


sniff_ip -h hostname -p port [-c packet_count_limit] [-d device] [-i input_file | -o output_file] [-s skip_packet_count] [-x debug_value]


sniff_ip captures network (TCP) packets going in to and out of a server. It can be viewed as tcpdump with a very restricted expression (host {hostname} and tcp port {port} ).

It's main use is to store TCP packets into a file for future processing. sniff_ip capture files can be played back through dbpulse using the -i option. It can also be used to analyze new application protocols before the full decoding process is completed.


-h hostname
Specify the hostname of the server. It can also be an IP address.

-p port
Specify the TCP port of the server.

-c packet_count_limit
Specify the maximum number of packets to capture. After sniff_ip sniffs this many packets, it terminates. Commonly used with the -i and -s options for debugging certain portions of the packet stream.

-d device_name
Specify the network device to use to capture packets. The default value is the first ethernet device found. For Unix, values include: lo (loopback; only supported under linux, other OSs optimize loopback performance and don't provide a standard API), eth0 (linux), hme0 (Solaris), and \Device\NPF_{DD215891-995C-44B6-9E7A-6EB3566D9E04} (Windows).

For a list of valid device names, run find_all_devices(1).

-i input_filename
Specify the input file to read network packets in from rather than sniffing a network device.

-o output_filename
Specify the output file to write network packets out to. When using this option, no processing is performed. Network packets are read from a network device and written immediately to the output file. Primarily used for debugging or capturing demo data. The -i option and -o option are mutually exclusive.

-s packet_skip_count
Specify the number of packets to skip before starting to pro- cess. Commonly used with the -i and -c options for debugging certain portions of the packet stream.

-x debug_value
Specify the value of debugging output. Valid values range from 1 to 255. Any debug value above seven (7) will slow down the data capture and potentially use up a lot of CPU.


The Unix version of sniff_ip should run properly right out of the box. Please make sure you have root access. sniff_ip will set the ethernet port to promiscuous mode in order to operate properly.

The Windows version of sniff_ip requires a kernel-level packet filter and some packet capture DLLs to be installed before it will work properly. If you see a message about pcap.dll not found, then you may need to install the libpcap software. It is included with the distribution in C:/foresight/bin . In addition, you must have Administrator priviledges to run sniff_ip properly.


Tells where the head of the software distribution is. Typically this is /foresight for Unix and C:/foresight for Windows. Without this value set, sniff_ip does not know where to access its configuration and log files.


Stop file. To terminate sniff_ip , create this file. There are easier ways to stop sniff_ip.

Error log file for server XXXXX, and port NNNNN


dbpulse1(1), find_all_devices(1)