From owner-freebsd-net@FreeBSD.ORG Fri Mar 6 08:29:50 2015
Message-ID: <54F963F2.8090809@astrodoggroup.com>
Date: Fri, 06 Mar 2015 00:23:14 -0800
From: Harrison Grundy
To: freebsd-net@freebsd.org
Subject: Re: tcpdump filter not ignoring jail subnet
References: <20150305202050.24042973@rsbsd.rsb> <20150306090919.0d221096@rsbsd.rsb>
In-Reply-To: <20150306090919.0d221096@rsbsd.rsb>
Content-Type: text/plain; charset=windows-1252
List-Id: Networking and TCP/IP with FreeBSD

On 03/05/15 23:09, Beeblebrox wrote:
> Hi. Thanks for the input.
>
>> 192.168.2.97 is not a net. Any /32 is a host... even if it is
>> anycast. So filter on "host 192.168.2.9".
>
> I assume that specifying one of {src | dst} is not required and
> that "host 192.168.2.97" will remove all (in and out) from that
> IP?
>
>> The real issue is that, while hostnames are allowed, I am not
>> sure whether they can be wildcards. That would require lookups at
>> capture time and I don't think that is possible. At the very least,
>> the delays would make it fail. If you choose to look up addresses
>> for FreeBSD systems, or build a list of freebsd.org names, that
>> might work, but it would be a bit painful. Especially since there
>> may be multiple addresses for a single name. --
>
> That's an excellent point - I had not considered that. The solution
> then would be to pipe the output through awk or a ready tool like
> sysutils/ccze I think. I was planning on looking into
> smart-colorization anyway (for easy flagging), but as the second
> step of my little project. With this, I would have awk check
> against the white list, so that URLs would get included but
> filtered out by the awk pipe.
>
> Thanks also to Ian for the off-list input. I do have a bit of a
> "brain-fart" problem with getting the filter to work however. What
> I posted is the 5th or 6th variation, and at this point I'm just
> chasing my tail.
> Here's what I'd like to monitor:
>
> * I want none of the traffic displayed from these:
>   src net not 192.168.1.0/24 (outward-facing nic is on this subnet)
>   not ip6 (the above net pumps IP6 chatter which I don't need)
>   host not 192.168.2.97 (my DNS jail running unbound + dnscrypt on 443)
>
> * I don't need to monitor any of the traffic on these ports:
>   not port imap and not port imaps and not port 6667 (irc)
>
> * With the exception of the above, I want to see all remaining traffic
>   on host mybsd (src and dst. Normally not necessary to specify since
>   we're listening on re0 which is the outward-facing nic, but we also
>   requested "net not" the entire subnet this nic belongs to)
>
> Thanks and Regards

This seems to do what you want:

root@bsddt1241:/home/astrodog # tcpdump -w - src net not 192.168.1.0/24 | tcpdump -r - -w - not ip6 | tcpdump -r - -w - host not 192.168.2.97 | tcpdump -r - not port imap and not port imaps and not port 6667

Terrible as it is...

--- Harrison
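The four chained tcpdump processes above each apply one term; the same exclusions can be handed to a single tcpdump as one pcap-filter expression, with every term written as "not <primitive>" and joined by "and". The added sh example below is not from Harrison or from the thread: build_filter returns that single expression, and hide_domains implements the post-capture awk allowlist step that Beeblebrox sketched for the hostname problem (BPF cannot match name wildcards, so names are dropped after tcpdump has resolved them). The addresses, ports and interface name are the ones quoted in the thread; the sample capture lines are constructed for the demo. Note that the first tcpdump in the pipeline above, having no -i, captures from whatever interface tcpdump selects by default, so -i re0 should be given explicitly for the outward-facing NIC discussed.

```shell
#!/bin/sh
# Added example, not from the thread: the thread's exclusions as one BPF
# expression, plus an awk post-filter for the hostname allowlist idea.
# Addresses, ports and the interface name are those quoted above; the
# sample capture lines further down are constructed for the demo.

# One expression equivalent to the four-stage pipeline: each term is
# "not <primitive>", all joined by "and", so no precedence surprises.
build_filter() {
    printf '%s' 'not src net 192.168.1.0/24 and not ip6 and not host 192.168.2.97 and not port imap and not port imaps and not port 6667'
}

# Drop lines whose resolved source or destination host is a listed domain
# or a subdomain of one. Works on tcpdump's default text output (no -n),
# where an endpoint looks like "ftp.freebsd.org.https" (name, dot, port).
# $1: space-separated domain suffixes to hide.
hide_domains() {
    awk -v list="$1" '
    BEGIN { n = split(list, dom, " ") }
    # Strip a trailing ":" and the port component to get the bare name.
    function hostof(f,   h) { h = f; sub(/:$/, "", h); sub(/\.[^.]*$/, "", h); return h }
    # True when h equals a listed domain or ends in "." followed by one.
    function listed(h,   i, d, l) {
        for (i = 1; i <= n; i++) {
            d = dom[i]; l = length(d)
            if (h == d) return 1
            if (length(h) > l && substr(h, length(h) - l) == "." d) return 1
        }
        return 0
    }
    # Only "IP src > dst:" lines carry two endpoints; ARP etc. pass through.
    $2 == "IP" && $4 == ">" && (listed(hostof($3)) || listed(hostof($5))) { next }
    { print }'
}

# Constructed sample of what "tcpdump -i re0 <filter>" might print.
SAMPLE='08:29:50.100001 IP mybsd.lan.54321 > ftp.freebsd.org.https: Flags [S], seq 1
08:29:50.200002 IP mybsd.lan.54322 > mail.example.net.imaps: Flags [S], seq 2
08:29:50.300003 IP pkg.freebsd.org.https > mybsd.lan.54323: Flags [S.], seq 3
08:29:50.400004 ARP, Request who-has 192.168.1.1 tell mybsd.lan, length 28'

# Number of sample lines left once freebsd.org endpoints are hidden.
remaining_after_hide() {
    printf '%s\n' "$SAMPLE" | hide_domains "freebsd.org" | wc -l | tr -d ' '
}

# Live use (as root, on the outward-facing NIC from the thread):
#   tcpdump -i re0 "$(build_filter)" | hide_domains "freebsd.org"
# Syntax check of the expression without capturing anything (-d prints
# the compiled filter and exits):
#   tcpdump -d -i re0 "$(build_filter)" >/dev/null && echo filter ok
```

The awk stage keys on tcpdump's default one-line IP output, so it must not be combined with -n (which would leave only numeric addresses to match) or with -v (which spreads a packet over several lines); the port is stripped by removing the last dotted component, which works for names and for dotted-quad literals alike.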