From: Kevin Oberman
To: Beeblebrox
Cc: "freebsd-net@freebsd.org"
Date: Thu, 5 Mar 2015 12:36:00 -0800
Subject: Re: tcpdump filter not ignoring jail subnet
In-Reply-To: <20150305202050.24042973@rsbsd.rsb>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, Mar 5, 2015 at 10:20 AM, Beeblebrox wrote:
> I'm using "tcpdump -i re0 -tq -F bin/tcpdump.txt" on my workstation for
> real-time traffic analysis. The current filter file has:
>
> (src not net 192.168.1.0/24 and not ip6 and not net 192.168.2.97/32) or
> (src host mybsd and not port imap and not port imaps and not port 6667)
>
> I'd like to create the filter such that traffic sources deemed reasonably
> sane do not get listed in the output. Where I'm stuck:
> * "net 192.168.2.97/32" is a DNS jail and I don't need to monitor that
> host. Yet, the "not net" (or "not src net") keyword does not work and traffic
> to/from that net gets displayed anyway (I've also tried the host keyword).
> * I would like to include a URL whitelist in the filter (for example, do
> not show any *.FreeBSD.org traffic). Is this even possible with tcpdump?
>
> Regards.

192.168.2.97 is not a net. Any /32 is a host... even if it is anycast. So
filter on "host 192.168.2.97".

Most any filter is possible with tcpdump, but they can get really, really
ugly. I'd suggest building filters with a syntax-checking tool like Wireshark.

The real issue is that, while hostnames are allowed, I am not sure whether
they can be wildcards. That would require lookups at capture time and I don't
think that is possible. At the very least, the delays would make it fail. If
you choose to look up addresses for FreeBSD systems, or build a list of
freebsd.org names, that might work, but it would be a bit painful, especially
since there may be multiple addresses for a single name.

--
Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com
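The approach Kevin sketches (resolve the whitelisted names once, ahead of time, and turn every address into its own primitive) is easy to script. The following is an added example written for this thread, not code from either poster: it builds a two-clause expression of the shape Beeblebrox uses, emits "host" rather than "net ... /32" for single addresses, excludes the jail in both directions, and expands names that have several A/AAAA records. The FAKE_DNS table and its documentation-range addresses (RFC 5737 / RFC 3849) are constructed stand-ins so the script runs offline; swap in resolve_with_dns to use the system resolver.

```python
"""Generate a tcpdump -F filter file that hides traffic from 'known-sane' sources.

Added example for the freebsd-net thread above, not code from the original post.
Hostnames are resolved once, at build time, because BPF matches on addresses;
a name with several A/AAAA records becomes several 'host' primitives.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# A resolver maps a hostname to the list of addresses it currently has.
Resolver = Callable[[str], List[str]]


def resolve_with_dns(name: str) -> List[str]:
    """Return every A and AAAA address the system resolver has for name.

    An unresolvable name yields an empty list, so one stale whitelist entry
    cannot turn into a syntax error in the generated filter file.
    """
    addrs = set()
    try:
        for family, _, _, _, sockaddr in socket.getaddrinfo(name, None):
            if family in (socket.AF_INET, socket.AF_INET6):
                addrs.add(sockaddr[0])
    except socket.gaierror:
        pass
    return sorted(addrs)


def primitive(target: str) -> str:
    """BPF primitive for an address or prefix.

    A /32 (or /128) is a single address and is emitted as 'host', which is
    what a reader of the filter expects; anything shorter becomes 'net' with
    the host bits cleared.
    """
    net = ipaddress.ip_network(target, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"net {net.with_prefixlen}"


def whitelist_addresses(names: Iterable[str], resolver: Resolver) -> List[str]:
    """Expand names to a de-duplicated address list, preserving first-seen order."""
    seen: Dict[str, None] = {}
    for name in names:
        for addr in resolver(name):
            seen.setdefault(addr, None)
    return list(seen)


def build_filter(quiet_source_nets: Iterable[str], quiet_hosts: Iterable[str],
                 quiet_names: Iterable[str], watch_host: str,
                 quiet_ports: Iterable[object], resolver: Resolver = resolve_with_dns,
                 ipv4_only: bool = True) -> str:
    """Compose the two-clause filter discussed in the thread.

    Clause 1 keeps traffic whose source is outside the quiet nets and which
    neither comes from nor goes to a quiet host (the jail, a whitelisted name).
    Clause 2 keeps the workstation's own outbound traffic minus noisy ports.
    The result is one expression suitable for a file passed to 'tcpdump -F'.
    """
    def wanted(target: str) -> bool:
        return not ipv4_only or ipaddress.ip_network(target, strict=False).version == 4

    terms = ["ip"] if ipv4_only else []
    terms += [f"not src {primitive(n)}" for n in quiet_source_nets if wanted(n)]
    terms += [f"not {primitive(h)}" for h in quiet_hosts if wanted(h)]
    terms += [f"not {primitive(a)}"
              for a in whitelist_addresses(quiet_names, resolver) if wanted(a)]
    clause_outside = " and ".join(terms)
    clause_own = " and ".join([f"src host {watch_host}"]
                              + [f"not port {p}" for p in quiet_ports])
    return f"({clause_outside})\nor ({clause_own})\n"


# Constructed stand-in for DNS, used by the demo and the test.  The addresses
# are documentation ranges, not real FreeBSD.org records.
FAKE_DNS = {
    "www.FreeBSD.org": ["203.0.113.10", "2001:db8::10"],   # A plus AAAA
    "pkg.FreeBSD.org": ["203.0.113.20", "203.0.113.21"],   # several A records
    "mirror.FreeBSD.org": ["203.0.113.20"],                # shares an address
    "gone.FreeBSD.org": [],                                # no longer resolves
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


def example_filter() -> str:
    """The thread's filter, rebuilt: LAN sources quiet, jail quiet both ways,
    *.FreeBSD.org expanded from the constructed table, own traffic minus mail/IRC."""
    return build_filter(
        quiet_source_nets=["192.168.1.0/24"],
        quiet_hosts=["192.168.2.97/32"],   # the DNS jail: a host, not a net
        quiet_names=FAKE_DNS.keys(),
        watch_host="mybsd",
        quiet_ports=["imap", "imaps", 6667],
        resolver=fake_resolver,
    )


if __name__ == "__main__":
    print(example_filter(), end="")
```

Write the output to the file named with -F and run "tcpdump -d -F bin/tcpdump.txt" before capturing; -d prints the compiled BPF and exits, so a typo fails there instead of silently matching nothing. Re-run the generator whenever the whitelist changes, since the addresses are frozen into the file at build time rather than looked up per packet.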