On mine I get:

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 29
(002) ldb      [23]
(003) jeq      #0x29            jt 29   jf 4
(004) ld       [8]
(005) jeq      #0xffffffff      jt 6    jf 8
(006) ldh      [6]
(007) jeq      #0xffff          jt 29   jf 8
(008) ld       [2]
(009) jeq      #0xffffffff      jt 10   jf 12
(010) ldh      [0]
(011) jeq      #0xffff          jt 29   jf 12
(012) ld       [26]
(013) and      #0xff000000
(014) jeq      #0xe0000000      jt 29   jf 15
(015) ld       [26]
(016) and      #0xff000000
(017) jeq      #0xef000000      jt 29   jf 18
(018) ld       [30]
(019) and      #0xff000000
(020) jeq      #0xe0000000      jt 29   jf 21
(021) ld       [30]
(022) and      #0xff000000
(023) jeq      #0xef000000      jt 29   jf 24
(024) ld       [26]
(025) jeq      #0xc0a8020a      jt 29   jf 26
(026) ld       [30]
(027) jeq      #0xc0a8020a      jt 29   jf 28
(028) ret      #65535
(029) ret      #0

> On Jan 23, 2015, at 5:48 PM, Guy Harris <g...@alum.mit.edu> wrote:
>
>
> On Jan 23, 2015, at 1:23 PM, Gerhard Mourani <gmour...@gmail.com> wrote:
>
>> Yes, it is what I want, but it seems that ntopng doesn’t take it into
>> consideration because I can still view packets sent to or from 192.168.2.10!
>> Therefore, I’m presuming that maybe some () or other characters are missing
>> in my filtering.
>
> Not according to
>
>     tcpdump -d "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff
>     and not net (224.0.0.0/8 or 239.0.0.0/8) and not host (192.168.2.10)"
>
> on my machine:
>
> (000) ldh      [12]
> (001) jeq      #0x800           jt 2    jf 29
> (002) ldb      [23]
> (003) jeq      #0x29            jt 29   jf 4
> (004) ld       [8]
> (005) jeq      #0xffffffff      jt 6    jf 8
> (006) ldh      [6]
> (007) jeq      #0xffff          jt 29   jf 8
> (008) ld       [2]
> (009) jeq      #0xffffffff      jt 10   jf 12
> (010) ldh      [0]
> (011) jeq      #0xffff          jt 29   jf 12
> (012) ld       [26]
> (013) and      #0xff000000
> (014) jeq      #0xe0000000      jt 29   jf 15
> (015) ld       [26]
> (016) and      #0xff000000
> (017) jeq      #0xef000000      jt 29   jf 18
> (018) ld       [30]
> (019) and      #0xff000000
> (020) jeq      #0xe0000000      jt 29   jf 21
> (021) ld       [30]
> (022) and      #0xff000000
> (023) jeq      #0xef000000      jt 29   jf 24
> (024) ld       [26]
> (025) jeq      #0xc0a8020a      jt 29   jf 26
> (026) ld       [30]
> (027) jeq      #0xc0a8020a      jt 29   jf 28
> (028) ret      #65535
> (029) ret      #0
>
> which only gets to instruction 28, the "return a non-zero value so the packet
> is accepted" instruction if *all* the tests pass, including
>
> (024) ld       [26]
> (025) jeq      #0xc0a8020a      jt 29   jf 26
> (026) ld       [30]
> (027) jeq      #0xc0a8020a      jt 29   jf 28
>
> which are the tests for 192.168.2.10. It gets to instruction 29, the "return
> zero so the packet is rejected" instruction, if other tests fail.
>
> What does that command print on your machine?

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
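
The walk through the listing above can be checked offline. The following is an added example, not code from the thread or from tcpdump/libpcap: a small interpreter for the five classic-BPF opcodes that appear in this listing, run over constructed Ethernet/IPv4 frames (the MAC addresses, TTL and non-192.168.2.10 addresses are made up, and `parse`, `run`, `frame` and `verdict` are names chosen here).

```python
import socket
import struct

# tcpdump -d output quoted in the thread; instruction number = position in the list.
DISASM = """
ldh [12] | jeq #0x800 jt 2 jf 29 | ldb [23] | jeq #0x29 jt 29 jf 4
ld [8] | jeq #0xffffffff jt 6 jf 8 | ldh [6] | jeq #0xffff jt 29 jf 8
ld [2] | jeq #0xffffffff jt 10 jf 12 | ldh [0] | jeq #0xffff jt 29 jf 12
ld [26] | and #0xff000000 | jeq #0xe0000000 jt 29 jf 15
ld [26] | and #0xff000000 | jeq #0xef000000 jt 29 jf 18
ld [30] | and #0xff000000 | jeq #0xe0000000 jt 29 jf 21
ld [30] | and #0xff000000 | jeq #0xef000000 jt 29 jf 24
ld [26] | jeq #0xc0a8020a jt 29 jf 26 | ld [30] | jeq #0xc0a8020a jt 29 jf 28
ret #65535 | ret #0
"""
LOAD = {"ld": 4, "ldh": 2, "ldb": 1}  # load width in bytes

def parse(text):
    prog = []
    for ins in text.replace("\n", "|").split("|"):
        if ins.strip():
            op, arg, *jmp = ins.split()
            jt, jf = (int(jmp[1]), int(jmp[3])) if jmp else (None, None)
            prog.append((op, int(arg.strip("[]#"), 0), jt, jf))
    return prog

def run(prog, pkt):
    a, pc = 0, 0
    while True:
        op, k, jt, jf = prog[pc]
        pc += 1
        if op in LOAD:
            if k + LOAD[op] > len(pkt):
                return 0  # classic BPF rejects on an out-of-bounds load
            a = int.from_bytes(pkt[k:k + LOAD[op]], "big")
        elif op == "and":
            a &= k
        elif op == "jeq":
            pc = jt if a == k else jf  # the listing shows absolute targets
        elif op == "ret":
            return k  # snapshot length to keep; 0 means the packet is rejected

def frame(src, dst, proto=6, dmac=b"\x02\x00\x00\x00\x00\x02"):
    # Constructed Ethernet + IPv4 header only; enough for every offset the filter reads.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return dmac + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip

def verdict(src, dst, **kw):
    return run(parse(DISASM), frame(src, dst, **kw))
```

`verdict("192.168.2.10", "10.0.0.2")` and the reverse direction both return 0, so a capture that still shows that host is not running this compiled program on those packets.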