Sunday, 23 September 2012

Specifying IP range for tcpdump

I recently came across the need to specify an IP range for tcpdump (setting up an install of darkstat to monitor network usage by host, but ignoring traffic within my local network).

However, the only solution I could find in pcap-filter syntax was to specify blocks of IPs by netmask.

After looking into filtering IP addresses by inspecting the packets themselves (http://isc.sans.edu/diary.html?storyid=6667), I finally came across a comment at the bottom of that page which suggested using a script, cidr_range.pl (http://archives.neohapsis.com/archives/postfix/2005-06/att-1279/cidr_range__charset_iso-8859-15), which translates an IP range into a series of ip/cidr netmasks that can then be used to filter tcpdump (or in my case darkstat).

Therefore

steve@dell-laptop:~$ perl cidr_range.pl 192.168.0.100 192.168.0.200
192.168.0.100/30
192.168.0.104/29
192.168.0.112/28
192.168.0.128/26
192.168.0.192/29
192.168.0.200/32

can then be translated to

not (net 192.168.0.100/30 or net 192.168.0.104/29 or net 192.168.0.112/28 or net 192.168.0.128/26 or net 192.168.0.192/29 or net 192.168.0.200/32)

which then filters out all traffic to or from hosts within the range 192.168.0.100-200.
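The conversion cidr_range.pl performs is a small, well-defined algorithm: starting at the low end of the range, emit the largest CIDR block that is both aligned on its start address and fits inside the range, then advance past it. The following is an added example (not the script from the link above, and not part of this post) that implements that algorithm in Python, builds the same "not (net ... or net ...)" pcap-filter expression from it, cross-checks the result against the standard library's ipaddress.summarize_address_range, and lets you confirm that every address in the range, and nothing outside it, is covered. The function names and the 192.168.0.100-200 sample range are my own choices.

```python
import ipaddress
from typing import List


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Split the inclusive IPv4 range first..last into the minimal list of
    CIDR blocks (the same job cidr_range.pl does)."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start must not be after range end")
    blocks = []
    while start <= end:
        # The largest block that can begin at 'start' is limited by its
        # alignment: the lowest set bit of the address (0.0.0.0 is a special
        # case and could begin a /0).
        size = start & -start if start else 1 << 32
        # Shrink the block until it no longer runs past the end of the range.
        while start + size - 1 > end:
            size >>= 1
        prefix = 32 - (size.bit_length() - 1)
        blocks.append(f"{ipaddress.IPv4Address(start)}/{prefix}")
        start += size
    return blocks


def exclusion_filter(first: str, last: str) -> str:
    """pcap-filter expression that drops traffic to or from any host in the
    range, in the form tcpdump (and darkstat) accept."""
    terms = " or ".join(f"net {block}" for block in range_to_cidrs(first, last))
    return f"not ({terms})"


def covers(blocks: List[str], address: str) -> bool:
    """True if 'address' falls inside at least one of the CIDR blocks; handy
    for checking the boundaries of a generated filter."""
    addr = ipaddress.IPv4Address(address)
    return any(addr in ipaddress.IPv4Network(block) for block in blocks)


def matches_stdlib(first: str, last: str) -> bool:
    """Cross-check against the standard library's own summariser."""
    expected = [
        str(net)
        for net in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        )
    ]
    return range_to_cidrs(first, last) == expected


if __name__ == "__main__":
    # Constructed sample range, the same one used in the post.
    lo, hi = "192.168.0.100", "192.168.0.200"
    for block in range_to_cidrs(lo, hi):
        print(block)
    print()
    print(exclusion_filter(lo, hi))
    print()
    print("agrees with ipaddress.summarize_address_range:", matches_stdlib(lo, hi))
```

Run on 192.168.0.100 to 192.168.0.200 this prints the same six blocks as the perl script and the exact filter expression shown above; the resulting string can be passed to tcpdump as its filter argument. The boundary check is worth running whenever you hand-edit a filter: a single block that is one bit too wide silently hides a neighbouring host's traffic.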

Steve

Refs:
http://archives.neohapsis.com/archives/postfix/2005-06/att-1279/cidr_range__charset_iso-8859-15
http://isc.sans.edu/diary.html?storyid=6667
http://www.manpagez.com/man/7/pcap-filter/
http://www.tcpdump.org/tcpdump_man.html

Intentions

To anyone that finds this blog on the interwebs,

After upgrading my home server I have decided to publish my notes on the blogger platform instead of internally. These are mainly intended for personal reference; however, if anyone else finds them useful, all the better.

Steve