Date: Fri, 6 Mar 2015 09:09:19 +0200
From: Beeblebrox <zaphod@berentweb.com>
To: Kevin Oberman <rkoberman@gmail.com>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, smithi@nimnet.asn.au
Subject: Re: tcpdump filter not ignoring jail subnet
Message-ID: <20150306090919.0d221096@rsbsd.rsb>
In-Reply-To: <CAN6yY1uQdSgUTvSeYqUJZr=FUGBUtCvgpB4RpfEWsF52epS2hQ@mail.gmail.com>
References: <20150305202050.24042973@rsbsd.rsb> <CAN6yY1uQdSgUTvSeYqUJZr=FUGBUtCvgpB4RpfEWsF52epS2hQ@mail.gmail.com>
Hi. Thanks for the input.

> 192.168.2.97 is not a net. Any /32 is a host... even if it is
> anycast. So filter on "host 192.168.2.9".

I assume that specifying one of {src | dst} is not required and that
"host 192.168.2.97" will remove all (in and out) from that IP?

> The real issue is that, while hostnames
> are allowed, I am not sure whether they can be wildcards. That would
> require lookups at capture time and I don't think that is possible.
> At very least, the delays would make it fail. If you choose to look
> up addresses for FreeBSD systems, or build a list of freebsd.org
> names. That might work, but it would be a bit painful. Especially
> since there may be multiple addresses for a single name.

That's an excellent point - I had not considered that. The solution then
would be to pipe the output through awk or a ready tool like
sysutils/ccze I think. I was planning on looking into smart-colorization
anyway (for easy flagging), but as the second step of my little project.
With this, I would have awk check against the white list, so that URLs
would get included but filtered out by the awk pipe.

Thanks also to Ian for the off-list input. I do have a bit of a
"brain-fart" problem with getting the filter to work however. What I
posted is the 5th or 6th variation, and at this point I'm just chasing
my tail. Here's what I'd like to monitor:

* I want none of the traffic displayed from these:
  src net not 192.168.1.0/24 (outward-facing nic is on this subnet)
  not ip6 (the above net pumps IP6 chatter which I don't need)
  host not 192.168.2.97 (my DNS jail running unbound + dnscrypt on 443)
* I don't need to monitor any of the traffic on these ports
  not port imap and not port imaps and not port 6667 (irc)
* With the exception of above, I want to see all remaining traffic on
  host mybsd (src and dst. Normally not necessary to specify since we're
  listening on re0 which is the outward-facing nic, but we also requested
  "net not" the entire subnet this nic belongs to)

Thanks and Regards
-- 
FreeBSD_amd64_11-Current_RadeonKMS
Please CC my email when responding, mail from list is not delivered.
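The filter the post is circling, as an added example that is not part of the thread: the three exclusion groups composed in the prefix-`not` form that pcap-filter(7) expects, in both the grouped and the flattened shape, with the interface `re0` and the hostname `mybsd` taken from the post as assumed defaults.

```shell
#!/bin/sh
# Added example (not from the thread): compose the capture filter the post
# describes and hand it to tcpdump. pcap-filter(7) takes "not" as a prefix
# operator, so each exclusion is written "not src net X" / "not host Y",
# never "src net not X". re0 and mybsd are the post's values, defaults only.

# Exclusions from the post, one primitive per line. Note the "src" direction
# qualifier: only packets sourced from 192.168.1.0/24 are dropped; packets
# sent to that subnet from elsewhere still match.
EXCLUDE='src net 192.168.1.0/24
ip6
host 192.168.2.97
port imap
port imaps
port 6667'

# join_exclusions OP PREFIX: join the EXCLUDE lines with OP, prepending
# PREFIX to each term, e.g. join_exclusions and 'not ' -> "not a and not b".
join_exclusions() {
    op="$1"; prefix="$2"; out=""
    old_ifs=$IFS
    IFS='
'
    for term in $EXCLUDE; do
        [ -n "$out" ] && out="$out $op "
        out="$out$prefix$term"
    done
    IFS=$old_ifs
    printf '%s' "$out"
}

# Grouped form: keep traffic to or from the monitored host unless it
# matches any exclusion.
build_filter() {
    printf '%s' "host $1 and not ($(join_exclusions or ''))"
}

# Flat form, the same expression after De Morgan: not (A or B) is
# not A and not B. This is the shape most tcpdump one-liners use.
build_filter_flat() {
    printf '%s' "host $1 and $(join_exclusions and 'not ')"
}

# capture [IFACE] [HOST]: run tcpdump with the grouped filter. -n stops name
# resolution on output; "host mybsd" is still resolved once at compile time.
capture() {
    tcpdump -n -i "${1:-re0}" "$(build_filter "${2:-mybsd}")"
}
```

Source the file and run `capture re0 mybsd` (as root, since tcpdump opens the interface); `build_filter mybsd` alone prints the expression so it can be checked before capturing.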
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150306090919.0d221096>