Tcpdump Filters

Discussion in 'Linux Networking' started by goldtech, Oct 5, 2012.

  1. goldtech

    goldtech Guest

    Hi,

    I am using a sniffer called darkstat (I can use tcpdump filters with
    it) to look at my network traffic - specifically I want to see
    traffic to and from the local network and the Internet.

    I want to negate (not see) local traffic - specifically I want to not
    see in the sniffer log local traffic to and from a local media server
    and local computers on my home network. It streams a lot locally only
    and I don't need to see that.

    My local router only deals out local addresses of the kind
    192.167.1.xxx. The media server is statically assigned 192.168.1.7.
    Could you verify that the following command will negate seeing this
    local streaming, or to be more precise not see traffic between the
    local media server and local computers?

    $ sudo darkstat -i eth0 -f "not ((src net 192.168.1.7 and dst net
    192.168.1.0/24) or (src net 192.168.1.0/24 and dst net 192.168.1.7))"

    Thanks
     
    goldtech, Oct 5, 2012
    #1

  2. goldtech

    Rick Jones Guest

    192.168.1.7 is just a subset of 192.168.1/24 and you've said you don't
    need to see any local traffic (?) so perhaps something like:

    "(not src net 192.168.1.0/24) or (not dst net 192.168.1.0/24)"

    Presumably, that filter expression should show you everything that has
    either source or destination IP other than those in 192.168.1.0/24.

    rick jones
     
    Rick Jones, Oct 5, 2012
    #2
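The two filter expressions posted in this thread, modelled as an added example (not code from either poster) so their effect can be compared on a few constructed flows. It models only the IPv4 source/destination logic of the expressions; the function names and every sample address other than 192.168.1.7 are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # network used in both posted filters
MEDIA = ip_address("192.168.1.7")    # media server address from the first post


def filter_goldtech(src, dst):
    """not ((src net .7 and dst net LAN) or (src net LAN and dst net .7))"""
    s, d = ip_address(src), ip_address(dst)
    return not ((s == MEDIA and d in LAN) or (s in LAN and d == MEDIA))


def filter_rick(src, dst):
    """(not src net LAN) or (not dst net LAN)"""
    s, d = ip_address(src), ip_address(dst)
    return (s not in LAN) or (d not in LAN)


# Constructed sample flows: (source, destination, label).
# 203.0.113.10 is a documentation address standing in for an Internet host.
FLOWS = [
    ("192.168.1.7", "192.168.1.20", "media server -> LAN host"),
    ("192.168.1.20", "192.168.1.7", "LAN host -> media server"),
    ("192.168.1.20", "192.168.1.30", "LAN host -> LAN host"),
    ("192.168.1.20", "203.0.113.10", "LAN host -> Internet"),
    ("203.0.113.10", "192.168.1.20", "Internet -> LAN host"),
    ("192.168.1.7", "203.0.113.10", "media server -> Internet"),
]


def compare(flows=FLOWS):
    """Return (label, shown_by_first_filter, shown_by_second_filter) per flow."""
    return [(label, filter_goldtech(s, d), filter_rick(s, d))
            for s, d, label in flows]


if __name__ == "__main__":
    for label, first, second in compare():
        print(f"{label:26} first post: {'show' if first else 'hide':4}  "
              f"reply: {'show' if second else 'hide'}")
```

The only row where the two expressions differ is LAN host to LAN host traffic that does not involve the media server: the first post's filter still shows it, the reply's filter hides it.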