Date:      Fri, 06 Mar 2015 00:23:14 -0800
From:      Harrison Grundy <harrison.grundy@astrodoggroup.com>
To:        freebsd-net@freebsd.org
Subject:   Re: tcpdump filter not ignoring jail subnet
Message-ID:  <54F963F2.8090809@astrodoggroup.com>
In-Reply-To: <20150306090919.0d221096@rsbsd.rsb>
References:  <20150305202050.24042973@rsbsd.rsb> <CAN6yY1uQdSgUTvSeYqUJZr=FUGBUtCvgpB4RpfEWsF52epS2hQ@mail.gmail.com> <20150306090919.0d221096@rsbsd.rsb>


On 03/05/15 23:09, Beeblebrox wrote:
> Hi. Thanks for the input.
> 
>> 192.168.2.97 is not a net. Any /32 is a host... even if it is 
>> anycast. So filter on "host 192.168.2.9".
> 
> I assume that specifying one of {src | dst} is not required and
> that "host 192.168.2.97" will remove all (in and out) from that
> IP?
> 
>> The real issue is that, while hostnames are allowed, I am not
>> sure whether they can be wildcards. That would require lookups at
>> capture time and I don't think that is possible. At very least,
>> the delays would make it fail. If you choose to look up addresses
>> for FreeBSD systems, or build a list of freebsd.org names. That
>> might work, but it would be a bit painful. Especially since there
>> may be multiple addresses for a single name. --
> 
> That's an excellent point - I had not considered that. The solution
> then would be to pipe the output through awk or a ready tool like
> sysutils/ccze I think. I was planning on looking into
> smart-colorization anyway (for easy flagging), but as the second
> step of my little project. With this, I would have awk check
> against the white list, so that URL's would get included but
> filtered out by the awk pipe.
> 
> Thanks also to Ian for the off-list input. I do have a bit of a
> "brain-fart" problem with getting the filter to work however. What
> I posted is the 5th or 6th variation, and at this point I'm just
> chasing my tail. Here's what I'd like to monitor:
> 
> * I want none of the traffic displayed from these: src net not
> 192.168.1.0/24 (outward-facing nic is on this subnet) not ip6 (the
> above net pumps IP6 chatter which I don't need) host not
> 192.168.2.97 (my DNS jail running unbound + dnscrypt on 443)
> 
> * I don't need to monitor any of the traffic on these ports not
> port imap and not port imaps and not port 6667 (irc)
> 
> * With the exception of above, I want to see all remaining traffic
> on host mybsd (src and dst. Normally not necessary to specify since
> we're listening on re0 which is the outward-facing nic, but we also
> requested "net not" the entire subnet this nic belongs to)
> 
> Thanks and Regards
> 

This seems to do what you want:

root@bsddt1241:/home/astrodog # tcpdump -w - src net not 192.168.1.0/24 \
    | tcpdump -r - -w - not ip6 \
    | tcpdump -r - -w - host not 192.168.2.97 \
    | tcpdump -r - not port imap and not port imaps and not port 6667

Terrible as it is...

--- Harrison
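To make the semantics of the chained filter above concrete (in particular that an unqualified "host" excludes traffic in both directions, the question raised earlier in the thread), here is an added Python model of the same exclusion logic run over constructed packet summaries; it is not part of the thread, captures nothing, and assumes the standard service numbers 143/993 that tcpdump resolves for imap/imaps.

```python
import ipaddress
from dataclasses import dataclass

# Standard service assignments tcpdump resolves for "port imap" / "port imaps".
SERVICES = {"imap": 143, "imaps": 993}
LAN = ipaddress.ip_network("192.168.1.0/24")   # outward-facing NIC's subnet
DNS_JAIL = "192.168.2.97"                      # unbound + dnscrypt jail

@dataclass(frozen=True)
class Pkt:
    """Minimal packet summary: only the fields the thread's filter inspects."""
    src: str
    dst: str
    sport: int
    dport: int

def wanted(p: Pkt) -> bool:
    """True if the packet survives all four chained tcpdump stages."""
    # "src net not 192.168.1.0/24": only the *source* address is tested.
    if ipaddress.ip_address(p.src) in LAN:
        return False
    # "not ip6": every IPv6 packet is dropped.
    if ipaddress.ip_address(p.src).version == 6:
        return False
    # "host not 192.168.2.97": unqualified "host" matches either endpoint,
    # so both inbound and outbound jail traffic is excluded.
    if DNS_JAIL in (p.src, p.dst):
        return False
    # "not port X": unqualified "port" likewise matches either side.
    blocked = {SERVICES["imap"], SERVICES["imaps"], 6667}
    return p.sport not in blocked and p.dport not in blocked

# Constructed sample traffic (not from a real capture).
SAMPLE = [
    Pkt("203.0.113.5", "198.51.100.7", 51000, 443),   # plain HTTPS: kept
    Pkt("192.168.1.20", "198.51.100.7", 51001, 80),   # from the LAN /24: dropped
    Pkt("198.51.100.7", "192.168.1.20", 80, 51001),   # *to* the LAN: kept (src only)
    Pkt("2001:db8::1", "2001:db8::2", 51002, 80),     # IPv6: dropped
    Pkt("198.51.100.9", DNS_JAIL, 53, 52000),         # reply into the jail: dropped
    Pkt(DNS_JAIL, "198.51.100.9", 52000, 53),         # query out of the jail: dropped
    Pkt("203.0.113.5", "198.51.100.7", 51003, 993),   # IMAPS: dropped
    Pkt("203.0.113.5", "198.51.100.7", 6667, 51004),  # IRC on the source side: dropped
]

def filter_traffic(pkts=SAMPLE):
    """Apply the combined exclusions and return what tcpdump would display."""
    return [p for p in pkts if wanted(p)]

if __name__ == "__main__":
    for p in filter_traffic():
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
```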
