Date: Fri, 6 Mar 2015 09:09:19 +0200
From: Beeblebrox
To: Kevin Oberman
Cc: freebsd-net@freebsd.org, smithi@nimnet.asn.au
Subject: Re: tcpdump filter not ignoring jail subnet
Message-ID: <20150306090919.0d221096@rsbsd.rsb>
References: <20150305202050.24042973@rsbsd.rsb>
List-Id: Networking and TCP/IP with FreeBSD

Hi. Thanks for the input.

> 192.168.2.97 is not a net. Any /32 is a host... even if it is
> anycast. So filter on "host 192.168.2.9".

I assume that specifying one of {src | dst} is not required and that
"host 192.168.2.97" will remove all (in and out) from that IP?

> The real issue is that, while hostnames
> are allowed, I am not sure whether they can be wildcards. That would
> require lookups at capture time and I don't think that is possible.
> At the very least, the delays would make it fail. If you choose to look
> up addresses for FreeBSD systems, or build a list of freebsd.org
> names. That might work, but it would be a bit painful. Especially
> since there may be multiple addresses for a single name.

That's an excellent point - I had not considered that. The solution then
would be to pipe the output through awk or a ready tool like
sysutils/ccze I think. I was planning on looking into smart-colorization
anyway (for easy flagging), but as the second step of my little project.
With this, I would have awk check against the white list, so that URLs
would get included but filtered out by the awk pipe.

Thanks also to Ian for the off-list input. I do have a bit of a
"brain-fart" problem with getting the filter to work however. What I
posted is the 5th or 6th variation, and at this point I'm just chasing
my tail. Here's what I'd like to monitor:

* I want none of the traffic displayed from these:
  src net not 192.168.1.0/24 (outward-facing nic is on this subnet)
  not ip6 (the above net pumps IP6 chatter which I don't need)
  host not 192.168.2.97 (my DNS jail running unbound + dnscrypt on 443)

* I don't need to monitor any of the traffic on these ports:
  not port imap and not port imaps and not port 6667 (irc)

* With the exception of the above, I want to see all remaining traffic on
  host mybsd (src and dst. Normally not necessary to specify since we're
  listening on re0 which is the outward-facing nic, but we also requested
  "net not" the entire subnet this nic belongs to)

Thanks and Regards
-- 
FreeBSD_amd64_11-Current_RadeonKMS
Please CC my email when responding, mail from list is not delivered.
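As an added example that is not part of this thread, here is the awk whitelist pipe the poster describes, run over constructed sample tcpdump lines instead of a live capture; the whitelist entries, the sample addresses and the kept_lines helper are hypothetical, and the filter assumes tcpdump's default "SRC.port > DST.port:" line layout.

```shell
#!/bin/sh
# Added example (not from the thread): suppress tcpdump lines that involve
# whitelisted hosts with an awk pipe, as the poster plans to do.
# Constructed sample of "tcpdump -l" output (no -n, so resolved names
# appear); these are not real captures.
SAMPLE='12:00:01.000001 IP 192.168.1.5.51234 > 93.184.216.34.443: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 192.168.2.97.53 > 192.168.1.5.40001: 1234 1/0/0 A 93.184.216.34 (60)
12:00:01.000003 IP 192.168.1.5.40002 > 192.168.2.97.443: Flags [P.], seq 1:100, length 99
12:00:01.000004 IP mybsd.rsb.51235 > pkg.freebsd.org.https: Flags [S], seq 7, win 65535, length 0
12:00:01.000005 IP 10.0.0.9.22 > 192.168.1.5.50000: Flags [.], ack 1, win 100, length 0'

# Hypothetical whitelist: exact addresses, plus domain suffixes written
# with a leading dot (matched against resolved names, no lookups needed).
WHITELIST='192.168.2.97 .freebsd.org'

# filter_whitelist WHITELIST: reads tcpdump lines on stdin and drops any
# "IP" line whose source or destination matches; other lines pass through.
filter_whitelist() {
  awk -v wl="$1" '
    function allowed(h,   i) {
      if (h in exact) return 1
      for (i = 1; i <= nsuf; i++)
        if (length(h) > length(suf[i]) &&
            substr(h, length(h) - length(suf[i]) + 1) == suf[i])
          return 1
      return 0
    }
    BEGIN {
      n = split(wl, a, " ")
      for (i = 1; i <= n; i++)
        if (a[i] ~ /^\./) suf[++nsuf] = a[i]; else exact[a[i]] = 1
    }
    $2 != "IP" { print; next }
    {
      # tcpdump prints "SRC.port > DST.port:"; strip the port to get the address
      src = $3; dst = $5
      sub(/\.[^.]+$/, "", src); sub(/\.[^.]+:$/, "", dst)
      if (allowed(src) || allowed(dst)) next
      print
    }'
}

# kept_lines: run the sample through the filter and return how many survive
kept_lines() {
  printf '%s\n' "$SAMPLE" | filter_whitelist "$WHITELIST" | grep -c .
}
```

Suffix entries such as .freebsd.org are matched against the names tcpdump resolves itself, so no extra lookups happen at capture time; run without -n to get names, or list the IPs instead.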