[tcpdump-workers] ntopng & packet filter of libpcap
Hello list,

I’m using ntopng, which relies on libpcap for the filtering expression. Below is what I think to be valid to use in my ntopng configuration file, but it seems not to be working at all.

--packet-filter "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host (192.168.2.10)"

Can someone see something wrong in my filtering line?

Gerhard,

___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] ntopng & packet filter of libpcap
Yes, it is what I want, but it seems that ntopng doesn’t take it into consideration, because I can still view packets sent to or from 192.168.2.10! Therefore, I’m presuming that maybe some () or other characters are missing in my filtering.

> On Jan 23, 2015, at 4:07 PM, Guy Harris wrote:
>
> On Jan 23, 2015, at 12:25 PM, Gerhard Mourani wrote:
>
>> I’m using ntopng, which relies on libpcap for the filtering expression. Below
>> is what I think to be valid to use in my ntopng configuration file, but
>> it seems not to be working at all.
>>
>> --packet-filter "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff
>> and not net (224.0.0.0/8 or 239.0.0.0/8) and not host (192.168.2.10)"
>
> This means:
>
> if the packet isn't IPv4 ("ip" doesn't mean "IPv4 or IPv6", it means
> "IPv4"), don't accept it
>
> if the packet is IPv6 over IPv4, don't accept it
>
> if the packet is sent to (or from) the MAC broadcast address, don't
> accept it
>
> if the packet is sent to or from the 224.0.0.0/8 or 239.0.0.0/8
> "network" (multicast), don't accept it
>
> if the packet is sent to or from 192.168.210, don't accept it
>
> otherwise accept it
>
> Is this what you want?
>
> If not, what do you want?
Re: [tcpdump-workers] ntopng & packet filter of libpcap
On mine I get:

(000) ldh [12]
(001) jeq #0x800 jt 2 jf 29
(002) ldb [23]
(003) jeq #0x29 jt 29 jf 4
(004) ld [8]
(005) jeq #0x jt 6 jf 8
(006) ldh [6]
(007) jeq #0x jt 29 jf 8
(008) ld [2]
(009) jeq #0x jt 10 jf 12
(010) ldh [0]
(011) jeq #0x jt 29 jf 12
(012) ld [26]
(013) and #0xff00
(014) jeq #0xe000 jt 29 jf 15
(015) ld [26]
(016) and #0xff00
(017) jeq #0xef00 jt 29 jf 18
(018) ld [30]
(019) and #0xff00
(020) jeq #0xe000 jt 29 jf 21
(021) ld [30]
(022) and #0xff00
(023) jeq #0xef00 jt 29 jf 24
(024) ld [26]
(025) jeq #0xc0a8020a jt 29 jf 26
(026) ld [30]
(027) jeq #0xc0a8020a jt 29 jf 28
(028) ret #65535
(029) ret #0

> On Jan 23, 2015, at 5:48 PM, Guy Harris wrote:
>
> On Jan 23, 2015, at 1:23 PM, Gerhard Mourani wrote:
>
>> Yes, it is what I want, but it seems that ntopng doesn’t take it into consideration,
>> because I can still view packets sent to or from 192.168.2.10!
>> Therefore, I’m presuming that maybe some () or other characters are missing
>> in my filtering.
>
> Not according to
>
> tcpdump -d "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff
> and not net (224.0.0.0/8 or 239.0.0.0/8) and not host (192.168.2.10)"
>
> on my machine:
>
> (000) ldh [12]
> (001) jeq #0x800 jt 2 jf 29
> (002) ldb [23]
> (003) jeq #0x29 jt 29 jf 4
> (004) ld [8]
> (005) jeq #0x jt 6 jf 8
> (006) ldh [6]
> (007) jeq #0x jt 29 jf 8
> (008) ld [2]
> (009) jeq #0x jt 10 jf 12
> (010) ldh [0]
> (011) jeq #0x jt 29 jf 12
> (012) ld [26]
> (013) and #0xff00
> (014) jeq #0xe000 jt 29 jf 15
> (015) ld [26]
> (016) and #0xff00
> (017) jeq #0xef00 jt 29 jf 18
> (018) ld [30]
> (019) and #0xff00
> (020) jeq #0xe000 jt 29 jf 21
> (021) ld [30]
> (022) and #0xff00
> (023) jeq #0xef00 jt 29 jf 24
> (024) ld [26]
> (025) jeq #0xc0a8020a jt 29 jf 26
> (026) ld [30]
> (027) jeq #0xc0a8020a jt 29 jf 28
> (028) ret #65535
> (029) ret #0
>
> which only gets to instruction 28, the "return a non-zero value so the packet
> is accepted" instruction if *all* the tests pass, including
>
> (024) ld [26]
> (025) jeq #0xc0a8020a jt 29 jf 26
> (026) ld [30]
> (027) jeq #0xc0a8020a jt 29 jf 28
>
> which are the tests for 192.168.2.10. It gets to instruction 29, the "return
> zero so the packet is rejected" instruction, if other tests fail.
>
> What does that command print on your machine?
Re: [tcpdump-workers] ntopng & packet filter of libpcap
All packets received come from the sFlow protocol activated on remote switches (3 switches on the LAN). Even if I change IP 192.168.2.10 to 192.168.2.209, which is the one used by the machine where the program runs, in order to exclude statistics from this IP (192.168.2.209), I still see it in the list. So I try to exclude the IP of the probe itself and it still appears in the result!

On Fri, Jan 23, 2015 at 9:03 PM, Guy Harris wrote:
>
> On Jan 23, 2015, at 5:44 PM, Gerhard Mourani wrote:
>
> > On mine I get:
>
> The same code.
>
> If you're seeing packets to or from 192.168.2.10, is there some form of
> tunneling involved, so that the outermost IP addresses, which the filter
> checks, aren't 192.168.2.10, but some innermore IP addresses are?
>
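The two points the thread turns on, the `tcpdump -d` listing and Guy Harris's remark that the filter only checks the outermost IP header, can be checked offline with a small interpreter for the classic-BPF instructions in that listing. The following is an added example, not code from the thread, ntopng or libpcap. It transcribes the program from the listing, with one assumption: the immediates the quoted listing shows truncated (the broadcast MAC compares and the /8 masks) are taken as `0xffffffff`/`0xffff` and `0xff000000`/`0xe0000000`/`0xef000000`. The MAC and IP addresses, and the sFlow-like datagram (a simplified UDP/6343 wrapper, not the real sFlow record layout), are constructed for the example.

```python
import struct

# Instruction tuples are (op, k, jt, jf); jt/jf are absolute indices, as `tcpdump -d` prints them.
# ASSUMED immediates (the quoted listing shows them truncated): 0xffffffff/0xffff for the
# broadcast MAC halves, 0xff000000 for the /8 mask, 0xe0000000 and 0xef000000 for 224/8 and 239/8.
FILTER_PROGRAM = [
    ("ldh", 12, None, None),          # 000 EtherType
    ("jeq", 0x800, 2, 29),            # 001 "ip": reject anything that is not IPv4
    ("ldb", 23, None, None),          # 002 IPv4 protocol field
    ("jeq", 0x29, 29, 4),             # 003 "not proto ipv6": reject IPv6-in-IPv4 (41)
    ("ld", 8, None, None),            # 004 low 4 bytes of source MAC
    ("jeq", 0xFFFFFFFF, 6, 8),        # 005
    ("ldh", 6, None, None),           # 006 high 2 bytes of source MAC
    ("jeq", 0xFFFF, 29, 8),           # 007 "not ether host ff:ff:ff:ff:ff:ff" (source)
    ("ld", 2, None, None),            # 008 low 4 bytes of destination MAC
    ("jeq", 0xFFFFFFFF, 10, 12),      # 009
    ("ldh", 0, None, None),           # 010 high 2 bytes of destination MAC
    ("jeq", 0xFFFF, 29, 12),          # 011 (destination)
    ("ld", 26, None, None),           # 012 outer IPv4 source address
    ("and", 0xFF000000, None, None),  # 013
    ("jeq", 0xE0000000, 29, 15),      # 014 "not net 224.0.0.0/8" (source)
    ("ld", 26, None, None),           # 015
    ("and", 0xFF000000, None, None),  # 016
    ("jeq", 0xEF000000, 29, 18),      # 017 "not net 239.0.0.0/8" (source)
    ("ld", 30, None, None),           # 018 outer IPv4 destination address
    ("and", 0xFF000000, None, None),  # 019
    ("jeq", 0xE0000000, 29, 21),      # 020 (destination)
    ("ld", 30, None, None),           # 021
    ("and", 0xFF000000, None, None),  # 022
    ("jeq", 0xEF000000, 29, 24),      # 023 (destination)
    ("ld", 26, None, None),           # 024
    ("jeq", 0xC0A8020A, 29, 26),      # 025 "not host 192.168.2.10" (source)
    ("ld", 30, None, None),           # 026
    ("jeq", 0xC0A8020A, 29, 28),      # 027 (destination)
    ("ret", 65535, None, None),       # 028 accept
    ("ret", 0, None, None),           # 029 reject
]

def run_filter(program, pkt):
    """Run a classic-BPF program over one frame; non-zero = accept, 0 = reject.
    As in the kernel, a load that reaches past the end of the packet rejects it."""
    acc, pc = 0, 0
    while True:
        op, k, jt, jf = program[pc]
        try:
            if op == "ldh":
                acc = struct.unpack_from("!H", pkt, k)[0]
            elif op == "ldb":
                acc = pkt[k]
            elif op == "ld":
                acc = struct.unpack_from("!I", pkt, k)[0]
        except (struct.error, IndexError):
            return 0
        if op == "and":
            acc &= k
        elif op == "jeq":
            pc = jt if acc == k else jf
            continue
        elif op == "ret":
            return k
        pc += 1

def _mac(s): return bytes(int(x, 16) for x in s.split(":"))
def _ip(s): return bytes(int(x) for x in s.split("."))

def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto=17, payload=b""):
    """Ethernet II + IPv4 header (checksum left zero; the filter never checks it) + payload."""
    eth = _mac(dst_mac) + _mac(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     _ip(src_ip), _ip(dst_ip))
    return eth + ip + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def build_cases():
    """Constructed frames (addresses are made up), keyed by what the filter should do."""
    probe, switch, host = "192.168.2.209", "192.168.2.1", "192.168.2.10"
    m1, m2 = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    sampled = ipv4_frame(m1, m2, host, "10.0.0.5")
    # Simplified stand-in for an sFlow datagram: switch -> collector on UDP/6343, with the
    # sampled frame inside the UDP payload (real sFlow adds its own record headers).
    sflow_like = ipv4_frame(m1, m2, switch, probe, payload=udp(6343, 6343, sampled))
    return {
        "direct_from_host": ipv4_frame(m1, m2, host, probe),
        "to_multicast_239": ipv4_frame(m1, m2, probe, "239.1.1.1"),
        "to_broadcast_mac": ipv4_frame(m1, "ff:ff:ff:ff:ff:ff", probe, "192.168.2.255"),
        "ipv6_frame": _mac(m2) + _mac(m1) + b"\x86\xdd" + bytes(40),
        "sflow_like_with_host_inside": sflow_like,
        "truncated": sflow_like[:20],
    }

def verdicts():
    return {name: run_filter(FILTER_PROGRAM, pkt) for name, pkt in build_cases().items()}

def inner_src_ip(sflow_like):
    """Source address of the sampled frame: past outer Ethernet(14)+IPv4(20)+UDP(8),
    then the inner frame's own offset 26. No instruction in the program loads this far."""
    return ".".join(str(b) for b in sflow_like[42 + 26:42 + 30])

if __name__ == "__main__":
    for name, v in verdicts().items():
        print(f"{name:30s} {'accept' if v else 'reject'}")
    print("inner source address:", inner_src_ip(build_cases()["sflow_like_with_host_inside"]))
```

The direct, multicast, broadcast and IPv6 frames all reach instruction 29 and are rejected, exactly as the listing predicts. The sFlow-like datagram is accepted, because instructions 024 to 027 compare offsets 26 and 30 of the outer header (switch and collector addresses), while 192.168.2.10 sits at offset 68 inside the UDP payload. To exclude a sampled host in this setup, the filtering has to happen on the decoded sample rather than on the outer datagram, which is the tunneling point Guy Harris raises.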