[tcpdump-workers] noting & packet filter of libpcap

2015-01-23 Thread Gerhard Mourani
Hello list, I’m using ntopng which rely on libpcap for the filtering expression. Below is what I think to be valide to use into my ntopng configuration file but seem to not working at all. --packet-filter "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 2

Re: [tcpdump-workers] ntopng & packet filter of libpcap

2015-01-23 Thread Guy Harris
On Jan 23, 2015, at 12:25 PM, Gerhard Mourani wrote: > I’m using ntopng which rely on libpcap for the filtering expression. Below is > what I think to be valide to use into my ntopng configuration file but seem > to not working at all. > > --packet-filter "ip and not proto ipv6 and not ether

Re: [tcpdump-workers] ntopng & packet filter of libpcap

2015-01-23 Thread Gerhard Mourani
Yes, it is what I want but seem that ntopng doesn’t take it in consideration because I can still view packet sent to or from 192.168.2.10! Therfore, I’m presuming that maybe some () or other characters are missing in my filtering. > On Jan 23, 2015, at 4:07 PM, Guy Harris wrote: > > > On Jan

Re: [tcpdump-workers] ntopng & packet filter of libpcap

2015-01-23 Thread Guy Harris
On Jan 23, 2015, at 1:23 PM, Gerhard Mourani wrote: > Yes, it is what I want but seem that ntopng doesn’t take it in consideration > because I can still view packet sent to or from 192.168.2.10! > Therfore, I’m presuming that maybe some () or other characters are missing in > my filtering. No

Re: [tcpdump-workers] ntopng & packet filter of libpcap

2015-01-23 Thread Gerhard Mourani
On mine I get: (000) ldh [12] (001) jeq #0x800 jt 2jf 29 (002) ldb [23] (003) jeq #0x29jt 29 jf 4 (004) ld [8] (005) jeq #0x jt 6jf 8 (006) ldh [6] (007) jeq #0x jt 29 jf 8 (008) ld [2] (009)

Re: [tcpdump-workers] ntopng & packet filter of libpcap

2015-01-23 Thread Guy Harris
On Jan 23, 2015, at 5:44 PM, Gerhard Mourani wrote: > On mine I get: The same code. If you're seeing packets to or from 192.168.2.10, is there some form of tunneling involved, so that the outermost IP addresses, which the filter checks, aren't 192.168.2.10, but some innermore IP addresses ar

Re: [tcpdump-workers] ntopng & packet filter of libpcap

2015-01-23 Thread Gerhard Mourani
All packets received come from sFlow protocol activated on remote switches (3 switches on the LAN). Even if I change IP 192.168.2.10 for 192.168.2.209 which is the one used by the machine where the program run in other to exclude statistics from this IP (192.168.2.209), I still see it on the list.

Re: [tcpdump-workers] ntopng & packet filter of libpcap

2015-01-23 Thread Guy Harris
On Jan 23, 2015, at 6:19 PM, Gerhard Mourani wrote: > All packets received come from sFlow protocol activated on remote switches (3 > switches on the LAN). Even if I change IP 192.168.2.10 for 192.168.2.209 > which is the one used by the machine where the program run in other to > exclude sta