Date: Thu, 5 Mar 2015 12:36:00 -0800 From: Kevin Oberman <rkoberman@gmail.com> To: Beeblebrox <zaphod@berentweb.com> Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org> Subject: Re: tcpdump filter not ignoring jail subnet Message-ID: <CAN6yY1uQdSgUTvSeYqUJZr=FUGBUtCvgpB4RpfEWsF52epS2hQ@mail.gmail.com> In-Reply-To: <20150305202050.24042973@rsbsd.rsb> References: <20150305202050.24042973@rsbsd.rsb>
On Thu, Mar 5, 2015 at 10:20 AM, Beeblebrox <zaphod@berentweb.com> wrote:

> I'm using "tcpdump -i re0 -tq -F bin/tcpdump.txt" on my workstation for
> real-time traffic analysis. The current filter file has:
>
> (src not net 192.168.1.0/24 and not ip6 and not net 192.168.2.97/32) or
> (src host mybsd and not port imap and not port imaps and not port 6667)
>
> I'd like to create the filter such that traffic sources deemed reasonably
> sane do not get listed in the output. Where I'm stuck:
> * "net 192.168.2.97/32" is a DNS jail and I don't need to monitor that
> host. Yet, the "not net" (or not src net) keyword does not work and traffic
> to/from that net gets displayed anyway (I've also tried host keyword).
> * I would like to include a URL whitelist in the filter (for example, do
> not show any *.FreeBSD.org traffic). Is this even possible with tcpdump?
>
> Regards.

192.168.2.97 is not a net. Any /32 is a host... even if it is anycast. So
filter on "host 192.168.2.9".

Most any filter is possible with tcpdump, but they can get really, really
ugly. I'd suggest building filters with a syntax checking tool like
wireshark.

The real issue is that, while hostnames are allowed, I am not sure whether
they can be wildcards. That would require lookups at capture time and I
don't think that is possible. At the very least, the delays would make it
fail. If you choose to look up addresses for FreeBSD systems, or build a
list of freebsd.org names, that might work, but it would be a bit painful,
especially since there may be multiple addresses for a single name.

--
Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com
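One way to do what the reply suggests, as an added example that is not part of the thread: resolve a list of names to addresses once, at filter-build time, and turn every address (a name may have several, IPv4 and IPv6) into a "not host" clause that can be appended to the filter file. It also normalizes a /32 "net" into a "host" clause. `getent` and the example.invalid names and addresses are assumptions; the sample input is constructed, not real resolver output.

```shell
# Emit "host A" for a /32, otherwise keep "net X/len": in tcpdump's
# filter grammar a /32 is a single host, not a net.
net_or_host() {
    case "$1" in
        */32) printf 'host %s\n' "${1%/32}" ;;
        *)    printf 'net %s\n' "$1" ;;
    esac
}

# Build one exclusion expression from "name addr" pairs on stdin.
# Every address of every name is excluded; duplicate addresses are
# dropped so the expression stays as short as possible.
build_exclude() {
    awk '
        NF >= 2 && !seen[$2]++ { addrs[n++] = $2 }
        END {
            if (n == 0) exit 0
            expr = "not host " addrs[0]
            for (i = 1; i < n; i++) expr = expr " and not host " addrs[i]
            print expr
        }'
}

# Resolve each name on stdin to "name addr" lines (IPv4 and IPv6).
# getent is an assumption; use host(1) or drill(1) where it is absent.
resolve_names() {
    while read -r name; do
        getent ahosts "$name" | awk -v n="$name" '{ print n, $1 }'
    done
}

# Constructed sample (not real resolver output): one name with two
# addresses, one of them repeated, plus a second name.
demo_expression() {
    printf '%s\n' \
        'www.example.invalid 203.0.113.10' \
        'www.example.invalid 2001:db8::10' \
        'www.example.invalid 203.0.113.10' \
        'ftp.example.invalid 203.0.113.20' \
    | build_exclude
}

# Live use: resolve_names < whitelist.txt | build_exclude > bin/exclude.txt
```

The generated expression can be syntax-checked without capturing by running `tcpdump -d -F bin/exclude.txt`, which only prints the compiled filter; re-run the build whenever the resolved addresses change.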