However, the only solution I could find in pcap-filter syntax was to specify blocks of IPs by netmask.
After looking into filtering IP addresses by inspecting the packets themselves (http://isc.sans.edu/diary.html?storyid=6667), I finally came across a comment at the bottom of that link suggesting a script, cidr_range.pl (http://archives.neohapsis.com/archives/postfix/2005-06/att-1279/cidr_range__charset_iso-8859-15), which translates an IP range into a series of ip/cidr netmasks that can then be used to filter tcpdump (or, in my case, darkstat).
Therefore
steve@dell-laptop:~$ perl cidr_range.pl 192.168.0.100 192.168.0.200
192.168.0.100/30
192.168.0.104/29
192.168.0.112/28
192.168.0.128/26
192.168.0.192/29
192.168.0.200/32
can then be translated to
not (net 192.168.0.100/30 or net 192.168.0.104/29 or net 192.168.0.112/28 or net 192.168.0.128/26 or net 192.168.0.192/29 or net 192.168.0.200/32)
which then filters out all traffic to or from hosts within the range 192.168.0.100-200.
Steve
Refs:
http://archives.neohapsis.com/archives/postfix/2005-06/att-1279/cidr_range__charset_iso-8859-15
http://isc.sans.edu/diary.html?storyid=6667
http://www.manpagez.com/man/7/pcap-filter/
http://www.tcpdump.org/tcpdump_man.html
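As an added example (not the post's own code and not cidr_range.pl itself), the following Python reimplements the range-to-CIDR translation described above with the usual greedy alignment algorithm, builds the same "not (net ... or net ...)" pcap-filter expression, and cross-checks the result against the standard library's ipaddress.summarize_address_range; it assumes that greedy split is what cidr_range.pl does, which the post's output is consistent with.

```python
import ipaddress

def range_to_cidrs(first: str, last: str) -> list[str]:
    """Split the inclusive IPv4 range first..last into the fewest CIDR blocks.

    Greedy: at each step emit the largest block that is aligned on the current
    start address and does not extend past the end of the range.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start must not be after range end")
    blocks = []
    while start <= end:
        # Host bits allowed by alignment: number of trailing zero bits in start.
        host_bits = (start & -start).bit_length() - 1 if start else 32
        # Shrink the block until it fits inside what is left of the range.
        remaining = end - start + 1
        while (1 << host_bits) > remaining:
            host_bits -= 1
        blocks.append(f"{ipaddress.IPv4Address(start)}/{32 - host_bits}")
        start += 1 << host_bits
    return blocks

def pcap_exclude_filter(first: str, last: str) -> str:
    """Build the 'not (net ... or net ...)' pcap-filter expression for a range."""
    terms = " or ".join(f"net {block}" for block in range_to_cidrs(first, last))
    return f"not ({terms})"

def matches_stdlib(first: str, last: str) -> bool:
    """Cross-check against ipaddress.summarize_address_range (same algorithm)."""
    expected = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]
    return range_to_cidrs(first, last) == expected

if __name__ == "__main__":
    # Same range as in the post; prints the same six blocks and the same filter.
    for block in range_to_cidrs("192.168.0.100", "192.168.0.200"):
        print(block)
    print(pcap_exclude_filter("192.168.0.100", "192.168.0.200"))
```

The resulting string can be passed straight to tcpdump or darkstat as the filter expression; ranges that happen to be a single aligned block collapse to one net term.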
That's not a very elegant solution, but it still manages to keep it simple, which is nice.
Another approach would be to match the address bytes in the IP header. Not sure that's an improvement though:
not ((src net 192.168.0 and ip[15]>=100 and ip[15]<=200) or (dst net 192.168.0 and ip[19]>=100 and ip[19]<=200))
I like it, thanks!