What is snoop ?
The /usr/sbin/snoop utility is an executable that reads frames from your network interface or from a previously saved capture file. In addition, snoop allows you to filter the data it is collecting. For example, you can specify that you want to capture TCP segments to or from port 389 (such as LDAP traffic). You must be root to capture data from a network interface due to the device permissions (for example, permissions on the /dev/hme device). What makes snoop so powerful is the detail of information it provides, and the flexibility of the tool.
Using the snoop command results in one of the following objectives:
When snoop is reading packets (capturing network packets, or reading from a capture file) it allows you to filter specific packets you are interested in. For example: to select the telnet traffic between hosta and hostb you might issue the following command:
# snoop port 23 between hosta hostb