Operation Manual
Snoop Commands
Defaults
No snoop filters are configured by default.
Access
Enabled.
History
Usage
Traffic that matches a snoop filter is copied after it is decrypted. The decrypted (clear)
version is sent to the observer.
For best results:
● Do not specify an observer that is associated with the MP configured with the snoop filter. This
configuration causes an endless cycle of snoop traffic.
● If the snoop filter is running on a Distributed MP, and the MP used a DHCP server in its local
subnet to configure the IP information, and the MP did not receive a default router (gateway)
address as a result, the observer must also be in the same subnet. Without a default router,
the MP cannot find the observer.
● The MP with a snoop filter forwards snooped packets directly to the observer. This is a
one-way communication, from the MP to the observer. If the observer is not present, the MP
still sends the snoop packets, which uses bandwidth. If the observer is present but is not
listening to TZSP traffic, the observer continuously sends ICMP error indications back to the
MP. These ICMP messages can affect network and MP performance.
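The observer side of the last point, as an added example that is not part of this manual: a minimal Python listener that accepts TZSP datagrams and decodes the header, the tag list and the snooped frame. UDP port 37008 and the tag numbers are taken from the publicly documented TZSP format and are assumptions here, since the manual does not state them; `parse_tzsp` and `listen` are illustrative names, and a frame is reported as snapped only when the sender includes the original-length tag.

```python
import socket
import struct

TZSP_PORT = 37008         # conventional TZSP UDP port; an assumption, not from this manual
TAG_PADDING, TAG_END = 0, 1
TAG_RX_FRAME_LENGTH = 41  # original frame length (2 bytes), per the public TZSP tag list
# Constructed sample: v1, type 0, encap 18 (802.11), tag 41 = 1500, TAG_END, 100 zero bytes
SAMPLE = bytes([1, 0, 0, 18, 41, 2, 0x05, 0xDC, 1]) + bytes(100)


def parse_tzsp(datagram: bytes) -> dict:
    """Split one TZSP datagram into header fields, tags and the snooped frame."""
    if len(datagram) < 4 or datagram[0] != 1:
        raise ValueError("not a TZSP version 1 datagram")
    msg_type, encap = struct.unpack("!xBH", datagram[:4])
    tags, pos = {}, 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list not terminated by TAG_END")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram) or pos + 1 + datagram[pos] > len(datagram):
            raise ValueError("tag runs past end of datagram")
        length = datagram[pos]
        tags[tag] = datagram[pos + 1:pos + 1 + length]
        pos += 1 + length
    frame = datagram[pos:]
    full = tags.get(TAG_RX_FRAME_LENGTH, b"")
    full_len = struct.unpack("!H", full)[0] if len(full) == 2 else None
    return {"type": msg_type, "encap": encap, "tags": tags, "frame": frame,
            "truncated": full_len is not None and full_len > len(frame)}


def listen(bind_ip: str, port: int = TZSP_PORT) -> None:
    """Bind the TZSP port on the observer and print a summary of each datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            try:
                pkt = parse_tzsp(data)
                print(src, "encap", pkt["encap"], len(pkt["frame"]), "bytes",
                      "(snapped)" if pkt["truncated"] else "")
            except ValueError as exc:
                print(src, "malformed TZSP:", exc)
```

Call `listen()` with the observer's own address (the one given to `observer` in the snoop filter) so the port is open before the filter is enabled.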
Examples
The following command configures a snoop filter named snoop1 that matches on all
traffic, and copies the traffic to the device that has IP address 10.10.30.2:
MX# set snoop snoop1 observer 10.10.30.2 snap-length 100
The following command configures a snoop filter named snoop2 that matches on all data traffic
between the device with MAC address aa:bb:cc:dd:ee:ff and the device with MAC address
11:22:33:44:55:66, and copies the traffic to the device that has IP address 10.10.30.3:
MX# set snoop snoop2 frame-type eq data mac-pair aa:bb:cc:dd:ee:ff 11:22:33:44:55:66 observer 10.10.30.3 snap-length 100
See Also
● clear snoop on page 23-509
● set snoop map on page 23-511
● set snoop mode on page 23-512
● show snoop info on page 23-513
● show snoop stats on page 23-514
set snoop map
Maps a snoop filter to a radio on an MP. A snoop filter does not take effect until you map it to a
radio and enable the filter.
Syntax
set snoop map filter-name ap apnum radio {1 | 2}
observer ip-addr
    Specifies the IP address of the station where the protocol analyzer is located. If you do
    not specify an observer, the MP radio still counts the packets that match the filter.
snap-length num
    Specifies the maximum number of bytes to capture. If you do not specify a length, the
    entire packet is copied and sent to the observer. Trapeze Networks recommends
    specifying a snap length of 100 bytes or less.
Version 4.0    Command introduced.
Version 5.0    New Boolean operators: lt (less than) and gt (greater than). The new options apply to src-mac, dest-mac, and host-mac.
Version 6.0    Direction filter added.