|  | Snoopy reads packets from a packet–source (default /net/ether0),
    matches them to a filter (by default anything matches), and writes
    matching packets to standard output either in human readable form
    (default) or in a binary trace format that can be later read by
    snoopy. Packet–source can be the name of an
    Ethernet (e.g., /net/ether0), an interface (e.g., /net/ipifc/0),
    or a file of captured packets. 
    The human readable format consists of multiple lines per packet.
    The first line contains the milliseconds since the trace was started.
    Subsequent ones are indented with a tab and each contains the
    dump of a single protocol header. The last line contains the dump
    of any contained data. For example, a BOOTP packet
    would look like:
 The binary format consists of:|  |  |  | 324389 ms 
 |  |  |  | ether(s=0000929b1b54 d=ffffffffffff pr=0800 ln=342) ip(s=135.104.9.62 d=255.255.255.255 id=5099 frag=0000...
 udp(s=68 d=67 ck=d151 ln= 308)
 bootp(t=Req ht=1 hl=16 hp=0 xid=217e5f27 sec=0 fl=800...
 dhcp(t=Request clientid=0152415320704e7266238ebf01030...
 
 | 
 | 
 
 Filters are expressions specifying protocols to be traced and
    specific values for fields in the protocol headers. The grammar
    is:|  |  |  | 2 bytes of packet length, msb first 8 bytes of nanosecond time, msb first
 the packet
 
        
     | 
 
 The values for protocol and field can be obtained using the –?
    option. With no arguments, it lists the known protocols. Otherwise
    it prints, for each protocol specified, which subprotocols it
    can multiplex to, and which fields can be used for filtering.
    For example, the listing for ethernet is currently:|  |  |  | expr:      protocol 
 |  |  |  | | field '=' value | field '!=' value
 | protocol '(' expr ')'
 | '(' expr ')'
 | expr '||' expr
 | expr '&&' expr
 | '!' expr
 
 
            
         | 
 | 
 The format of value depends on context. In general, ethernet addresses
    are entered as a string of hex digits; IP numbers in the canonical
    `.' format for v4 and `:' format for v6; and ports in decimal.|  |  |  | ether's filter attributes: 
 ether's subprotos:|  |  |  | s    – source address d    – destination address
 a    – source|destination address
 sd – source|destination address
 t    – type
 
 | 
 
 |  |  |  | 0x0800 ip              0x8863 pppoe_disc 0x0806 arp             0x8864 pppoe_sess
 0x0806 rarp            0x888e eapol
 0x86dd ip6
 
 | 
 | 
 
    Snoopy's options are:–C    compute the correct checksum for each packet; on mismatch, add
    a field !ck=xxxx where xxxx is the correct checksum.
 –D    output will be a binary trace file in Unix pcap format.
 –d    output will be a binary trace file.
 –t    input is a binary trace file as generated with the –d option.
 –p    do not enter promiscuous mode. Only packets to this interface
    will be seen.
 –s    force one output line per packet. The default is multiline.
 –M    discard all but the first m bytes of each packet. The default
    is to keep the entire packet. This option is most useful when
    writing packets to a file with the –d option.
 –N    dump n data bytes per packet. The default is 32.
 –f    use filter–expression to filter the packet stream. The default
    is to match all packets.
 –h    assume the first header per packet to be of the first–header protocol.
    The default is ether.
 
 |