On Jan 23, 2015, at 1:23 PM, Gerhard Mourani <gmour...@gmail.com> wrote:

> Yes, it is what I want, but it seems that ntopng doesn’t take it into consideration 
> because I can still view packets sent to or from 192.168.2.10!
> Therefore, I’m presuming that maybe some () or other characters are missing in 
> my filtering.

Not according to

        tcpdump -d "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host (192.168.2.10)"

on my machine:

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 29
(002) ldb      [23]
(003) jeq      #0x29            jt 29   jf 4
(004) ld       [8]
(005) jeq      #0xffffffff      jt 6    jf 8
(006) ldh      [6]
(007) jeq      #0xffff          jt 29   jf 8
(008) ld       [2]
(009) jeq      #0xffffffff      jt 10   jf 12
(010) ldh      [0]
(011) jeq      #0xffff          jt 29   jf 12
(012) ld       [26]
(013) and      #0xff000000
(014) jeq      #0xe0000000      jt 29   jf 15
(015) ld       [26]
(016) and      #0xff000000
(017) jeq      #0xef000000      jt 29   jf 18
(018) ld       [30]
(019) and      #0xff000000
(020) jeq      #0xe0000000      jt 29   jf 21
(021) ld       [30]
(022) and      #0xff000000
(023) jeq      #0xef000000      jt 29   jf 24
(024) ld       [26]
(025) jeq      #0xc0a8020a      jt 29   jf 26
(026) ld       [30]
(027) jeq      #0xc0a8020a      jt 29   jf 28
(028) ret      #65535
(029) ret      #0

which only gets to instruction 28, the "return a non-zero value so the packet 
is accepted" instruction, if *all* the tests pass, including

(024) ld       [26]
(025) jeq      #0xc0a8020a      jt 29   jf 26
(026) ld       [30]
(027) jeq      #0xc0a8020a      jt 29   jf 28

which are the tests for 192.168.2.10.  It gets to instruction 29, the "return 
zero so the packet is rejected" instruction, if other tests fail.

What does that command print on your machine?
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
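
The accept and reject paths described in the message can be checked offline by interpreting the quoted listing over a few frames. This is an added example, not part of the original message: the `run_filter` and `frame` helpers, the MAC addresses and every host other than 192.168.2.10 are constructed for illustration.

```python
import re
import socket
import struct

# tcpdump -d listing from the message above, packed several instructions per line.
LISTING = """
(000) ldh [12]   (001) jeq #0x800      jt 2  jf 29
(002) ldb [23]   (003) jeq #0x29       jt 29 jf 4
(004) ld  [8]    (005) jeq #0xffffffff jt 6  jf 8
(006) ldh [6]    (007) jeq #0xffff     jt 29 jf 8
(008) ld  [2]    (009) jeq #0xffffffff jt 10 jf 12
(010) ldh [0]    (011) jeq #0xffff     jt 29 jf 12
(012) ld  [26]   (013) and #0xff000000 (014) jeq #0xe0000000 jt 29 jf 15
(015) ld  [26]   (016) and #0xff000000 (017) jeq #0xef000000 jt 29 jf 18
(018) ld  [30]   (019) and #0xff000000 (020) jeq #0xe0000000 jt 29 jf 21
(021) ld  [30]   (022) and #0xff000000 (023) jeq #0xef000000 jt 29 jf 24
(024) ld  [26]   (025) jeq #0xc0a8020a jt 29 jf 26
(026) ld  [30]   (027) jeq #0xc0a8020a jt 29 jf 28
(028) ret #65535 (029) ret #0
"""
INSN = re.compile(r"\((\d+)\)\s+(\w+)\s+(?:\[(\d+)\]|#(\w+))(?:\s+jt\s+(\d+)\s+jf\s+(\d+))?")
SIZE = {"ldb": 1, "ldh": 2, "ld": 4}  # load widths in bytes

def run_filter(pkt):
    """Interpret LISTING on one frame; return (ret value, index of the ret reached)."""
    prog = INSN.findall(LISTING)
    pc = acc = 0
    while True:
        _, op, off, imm, jt, jf = prog[pc]
        pc += 1
        if op in SIZE:
            end = int(off) + SIZE[op]
            if end > len(pkt):
                return 0, pc - 1  # a load past the end of the packet rejects it
            acc = int.from_bytes(pkt[int(off):end], "big")
        elif op == "and":
            acc &= int(imm, 0)
        elif op == "jeq":
            pc = int(jt) if acc == int(imm, 0) else int(jf)
        elif op == "ret":
            return int(imm, 0), pc - 1

def frame(src, dst, dst_mac="02:00:00:00:00:02", proto=6):
    """Constructed Ethernet + IPv4 header only (no payload, checksum left zero)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                             socket.inet_aton(src), socket.inet_aton(dst))

for s, d in [("192.168.2.20", "192.168.2.30"), ("192.168.2.10", "192.168.2.30")]:
    print(s, "->", d, run_filter(frame(s, d)))
```
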
