On Thu, Mar 5, 2015 at 10:20 AM, Beeblebrox <zap...@berentweb.com> wrote:
> I'm using "tcpdump -i re0 -tq -F bin/tcpdump.txt" on my workstation for
> real-time traffic analysis. The current filter file has:
>
> (src not net 192.168.1.0/24 and not ip6 and not net 192.168.2.97/32) or
> (src host mybsd and not port imap and not port imaps and not port 6667)
>
> I'd like to create the filter such that traffic sources deemed reasonably
> sane do not get listed in the output. Where I'm stuck:
> * "net 192.168.2.97/32" is a DNS jail and I don't need to monitor that
> host. Yet, the "not net" (or not src net) keyword does not work and traffic
> to/from that net gets displayed anyway (I've also tried host keyword).
> * I would like to include a URL whitelist in the filter (for example, do
> not show any *.FreeBSD.org traffic). Is this even possible with tcpdump?
>
> Regards.
>

192.168.2.97 is not a net. Any /32 is a host... even if it is anycast. So
filter on "host 192.168.2.9".

Most any filter is possible with tcpdump, but they can get really, really
ugly. I'd suggest building filters with a syntax checking tool like
wireshark.

The real issue is that, while hostnames are allowed, I am not sure whether
they can be wildcards. That would require lookups at capture time and I
don't think that is possible. At the very least, the delays would make it
fail.

If you choose to look up addresses for FreeBSD systems, or build a list of
freebsd.org names, that might work, but it would be a bit painful,
especially since there may be multiple addresses for a single name.

--
Kevin Oberman, Network Engineer, Retired
E-mail: rkober...@gmail.com
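The two points in the reply, excluding a single address with `host` rather than `net .../32`, and replacing a hostname wildcard with addresses resolved before capture starts, as an added example that is not part of the thread. The script is POSIX sh; the function names are mine, the `203.0.113.x` addresses are constructed placeholders, and `getent ahostsv4` is assumed to be available (it is on glibc systems and on FreeBSD). It generates the filter expression in the same two-clause shape as the poster's filter file, ready to be written to the file given to `tcpdump -F`.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a tcpdump/BPF filter that
# hides "known-sane" traffic: single addresses are excluded with `host` (a /32
# is a host, not a net), and "*.FreeBSD.org" is approximated by a list of
# addresses resolved ahead of time, because BPF matches on packet bytes and
# performs no name lookups while capturing.

# not_hosts ADDR... -> "not host A and not host B"
not_hosts() {
  out=""
  for a in "$@"; do
    out="${out:+$out and }not host $a"
  done
  printf '%s' "$out"
}

# quiet_ports HOST PORT... -> "src host H and not port P1 and not port P2"
# (traffic from our own box, minus services considered routine)
quiet_ports() {
  out="src host $1"; shift
  for p in "$@"; do
    out="$out and not port $p"
  done
  printf '%s' "$out"
}

# build_filter LOCALNET "ADDR ADDR..." MYHOST "PORT PORT..."
# Mirrors the two-clause shape of the poster's filter file.
build_filter() {
  left="not src net $1 and not ip6"
  if [ -n "$2" ]; then
    left="$left and $(not_hosts $2)"
  fi
  printf '(%s) or (%s)' "$left" "$(quiet_ports $3 $4)"
}

# resolve_v4 NAME... -> unique IPv4 addresses, one per line.
# Assumption: getent(1) with the "ahostsv4" database. Every address a name
# maps to is emitted (one name may have several), and the list is only as
# current as the moment it was generated, so regenerate it periodically.
resolve_v4() {
  for n in "$@"; do
    getent ahostsv4 "$n" 2>/dev/null | awk '{print $1}'
  done | sort -u
}

# Demo with constructed addresses so it runs without DNS. In real use, replace
# the literal list with
#   "$(resolve_v4 www.freebsd.org svn.freebsd.org | tr '\n' ' ')"
# and redirect the output to the file passed to tcpdump -F.
sane_hosts="192.168.2.97 203.0.113.10 203.0.113.11"
build_filter 192.168.1.0/24 "$sane_hosts" mybsd "imap imaps 6667"
echo
```

Keeping the address list in a file regenerated from `resolve_v4` (for example from cron) is the practical answer to the "multiple addresses per name" caveat: the filter stays static for the life of the capture, and a stale entry only means one host is shown or hidden wrongly, never a missed packet. Before pointing the result at a live interface, `tcpdump -d 'expression'` compiles the expression and prints the BPF program without capturing, which is a cheap syntax check in the spirit of the wireshark suggestion (it needs the same interface access a capture would).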