[tcpdump-workers] ntopng & packet filter of libpcap
Hello list,

I'm using ntopng, which relies on libpcap for the filtering expression. Below is what I think is valid to use in my ntopng configuration file, but it seems not to work at all.

--packet-filter "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host (192.168.2.10)"

Can someone see something wrong in my filtering line?

Gerhard,

___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] ntopng & packet filter of libpcap
On Jan 23, 2015, at 12:25 PM, Gerhard Mourani wrote:

> I'm using ntopng which relies on libpcap for the filtering expression. Below is
> what I think is valid to use in my ntopng configuration file but it seems
> not to work at all.
>
> --packet-filter "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff
> and not net (224.0.0.0/8 or 239.0.0.0/8) and not host (192.168.2.10)"

This means:

if the packet isn't IPv4 ("ip" doesn't mean "IPv4 or IPv6", it means "IPv4"), don't accept it

if the packet is IPv6 over IPv4, don't accept it

if the packet is sent to (or from) the MAC broadcast address, don't accept it

if the packet is sent to or from the 224.0.0.0/8 or 239.0.0.0/8 "network" (multicast), don't accept it

if the packet is sent to or from 192.168.210, don't accept it

otherwise accept it

Is this what you want?

If not, what do you want?
Re: [tcpdump-workers] ntopng & packet filter of libpcap
Yes, it is what I want, but it seems that ntopng doesn't take it into consideration, because I can still view packets sent to or from 192.168.2.10!

Therefore, I'm presuming that maybe some () or other characters are missing in my filtering.

> On Jan 23, 2015, at 4:07 PM, Guy Harris wrote:
>
> (quoted reply as above)
Re: [tcpdump-workers] ntopng & packet filter of libpcap
On Jan 23, 2015, at 1:23 PM, Gerhard Mourani wrote:

> Yes, it is what I want but it seems that ntopng doesn't take it into consideration
> because I can still view packets sent to or from 192.168.2.10!
> Therefore, I'm presuming that maybe some () or other characters are missing in
> my filtering.

Not according to

tcpdump -d "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host (192.168.2.10)"

on my machine:

(000) ldh [12]
(001) jeq #0x800 jt 2 jf 29
(002) ldb [23]
(003) jeq #0x29 jt 29 jf 4
(004) ld [8]
(005) jeq #0x jt 6 jf 8
(006) ldh [6]
(007) jeq #0x jt 29 jf 8
(008) ld [2]
(009) jeq #0x jt 10 jf 12
(010) ldh [0]
(011) jeq #0x jt 29 jf 12
(012) ld [26]
(013) and #0xff00
(014) jeq #0xe000 jt 29 jf 15
(015) ld [26]
(016) and #0xff00
(017) jeq #0xef00 jt 29 jf 18
(018) ld [30]
(019) and #0xff00
(020) jeq #0xe000 jt 29 jf 21
(021) ld [30]
(022) and #0xff00
(023) jeq #0xef00 jt 29 jf 24
(024) ld [26]
(025) jeq #0xc0a8020a jt 29 jf 26
(026) ld [30]
(027) jeq #0xc0a8020a jt 29 jf 28
(028) ret #65535
(029) ret #0

which only gets to instruction 28, the "return a non-zero value so the packet is accepted" instruction, if *all* the tests pass, including

(024) ld [26]
(025) jeq #0xc0a8020a jt 29 jf 26
(026) ld [30]
(027) jeq #0xc0a8020a jt 29 jf 28

which are the tests for 192.168.2.10. It gets to instruction 29, the "return zero so the packet is rejected" instruction, if other tests fail.

What does that command print on your machine?
Re: [tcpdump-workers] ntopng & packet filter of libpcap
On mine I get:

(000) ldh [12]
(001) jeq #0x800 jt 2 jf 29
(002) ldb [23]
(003) jeq #0x29 jt 29 jf 4
(004) ld [8]
(005) jeq #0x jt 6 jf 8
(006) ldh [6]
(007) jeq #0x jt 29 jf 8
(008) ld [2]
(009) jeq #0x jt 10 jf 12
(010) ldh [0]
(011) jeq #0x jt 29 jf 12
(012) ld [26]
(013) and #0xff00
(014) jeq #0xe000 jt 29 jf 15
(015) ld [26]
(016) and #0xff00
(017) jeq #0xef00 jt 29 jf 18
(018) ld [30]
(019) and #0xff00
(020) jeq #0xe000 jt 29 jf 21
(021) ld [30]
(022) and #0xff00
(023) jeq #0xef00 jt 29 jf 24
(024) ld [26]
(025) jeq #0xc0a8020a jt 29 jf 26
(026) ld [30]
(027) jeq #0xc0a8020a jt 29 jf 28
(028) ret #65535
(029) ret #0

> On Jan 23, 2015, at 5:48 PM, Guy Harris wrote:
>
> (quoted reply as above)
Re: [tcpdump-workers] ntopng & packet filter of libpcap
On Jan 23, 2015, at 5:44 PM, Gerhard Mourani wrote:

> On mine I get:

The same code.

If you're seeing packets to or from 192.168.2.10, is there some form of tunneling involved, so that the outermost IP addresses, which the filter checks, aren't 192.168.2.10, but some innermore IP addresses are?
Re: [tcpdump-workers] ntopng & packet filter of libpcap
All packets received come from the sFlow protocol activated on remote switches (3 switches on the LAN). Even if I change IP 192.168.2.10 to 192.168.2.209, which is the one used by the machine where the program runs, in order to exclude statistics from this IP (192.168.2.209), I still see it in the list. So I try to exclude the IP of the probe itself and it still appears in the result!

On Fri, Jan 23, 2015 at 9:03 PM, Guy Harris wrote:
>
> (quoted reply as above)
Re: [tcpdump-workers] ntopng & packet filter of libpcap
On Jan 23, 2015, at 6:19 PM, Gerhard Mourani wrote:

> All packets received come from the sFlow protocol activated on remote switches (3
> switches on the LAN). Even if I change IP 192.168.2.10 to 192.168.2.209
> which is the one used by the machine where the program runs in order to
> exclude statistics from this IP (192.168.2.209), I still see it in the list.
> So I try to exclude the IP of the probe itself and it still appears in the
> result!

What happens if you run tcpdump on the network, with the same filter? Do the packets show up in the tcpdump output?

If so, what happens if you run tcpdump with the -xx (two x's) flag? Do the hex dumps show packets with c0a8 020a at an offset of 26 or 30 into the packet? (I.e., does it show packets with the outermost IP source or destination address being 192.168.2.10?)
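An added illustration of the point made in this thread, not code from the thread or from ntopng/libpcap: a tiny interpreter runs the compiled program from the tcpdump -d listing over constructed frames and shows that a frame carrying 192.168.2.10 at offsets 26/30 is rejected, while an sFlow-style export datagram between switch and collector is accepted even though the sampled packet inside its payload has that address. The constants the listing shows truncated are restored from the filter expression (an assumption), and the frames, MAC addresses and the 8-byte stand-in for a UDP header are constructed sample data.

```python
import socket
import struct
# The thread's "tcpdump -d" listing as (op, k, jt, jf) tuples. Assumption: the
# constants the listing shows truncated are restored to what the expression
# implies (ff:ff:ff:ff:ff:ff compares, full 32-bit masks for 224/8 and 239/8).
PROG = [
    ("ldh", 12), ("jeq", 0x800, 2, 29),                       # ethertype IPv4?
    ("ldb", 23), ("jeq", 0x29, 29, 4),                        # proto 41 = IPv6-in-IPv4?
    ("ld", 8), ("jeq", 0xffffffff, 6, 8), ("ldh", 6), ("jeq", 0xffff, 29, 8),    # src MAC bcast?
    ("ld", 2), ("jeq", 0xffffffff, 10, 12), ("ldh", 0), ("jeq", 0xffff, 29, 12), # dst MAC bcast?
    ("ld", 26), ("and", 0xff000000), ("jeq", 0xe0000000, 29, 15),  # src in 224/8?
    ("ld", 26), ("and", 0xff000000), ("jeq", 0xef000000, 29, 18),  # src in 239/8?
    ("ld", 30), ("and", 0xff000000), ("jeq", 0xe0000000, 29, 21),  # dst in 224/8?
    ("ld", 30), ("and", 0xff000000), ("jeq", 0xef000000, 29, 24),  # dst in 239/8?
    ("ld", 26), ("jeq", 0xc0a8020a, 29, 26),                  # src == 192.168.2.10?
    ("ld", 30), ("jeq", 0xc0a8020a, 29, 28),                  # dst == 192.168.2.10?
    ("ret", 65535), ("ret", 0),                               # accept / reject
]

def run_bpf(prog, pkt):
    """Interpret the classic-BPF subset above; return the filter's verdict."""
    acc, pc = 0, 0
    while True:
        op, k, *j = prog[pc]
        if op == "ret":
            return k
        if op == "jeq":
            pc = j[0] if acc == k else j[1]
            continue
        if op == "and":
            acc &= k
        else:                                       # ld / ldh / ldb from the frame
            n = {"ld": 4, "ldh": 2, "ldb": 1}[op]
            if k + n > len(pkt):
                return 0                            # out-of-bounds load rejects
            acc = int.from_bytes(pkt[k:k + n], "big")
        pc += 1

def ipv4_frame(src, dst, payload=b""):
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x00\xaa\xbb\xcc\xdd\xee" + b"\x08\x00"  # constructed MACs
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload                       # minimal IPv4 header, proto UDP, no checksums

def verdicts():
    """Direct traffic vs. an sFlow-style export whose payload carries the sampled packet."""
    sampled = ipv4_frame("192.168.2.10", "10.0.0.5")                  # what the switch saw
    export = ipv4_frame("192.168.2.1", "192.168.2.209", b"\0" * 8 + sampled)  # switch -> collector
    return {"direct": run_bpf(PROG, ipv4_frame("192.168.2.10", "192.168.2.209")),
            "exported": run_bpf(PROG, export),
            "multicast": run_bpf(PROG, ipv4_frame("192.168.2.1", "239.1.1.1"))}
```

The "exported" verdict is 65535 (accepted): the filter only ever loads offsets 26 and 30 of the outer frame, so the host inside the sFlow sample is invisible to it, which is why a collector fed by flow export still reports 192.168.2.10.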