
Excluding specific IP within many Subnets

asked 2019-10-29 01:16:08 +0000

dave47

updated 2019-10-29 04:46:31 +0000

Within a VM environment, I have a capture setup that captures at different parts, excludes duplicates and merges files to a final pcap. Trying to carve out some noise during the capture which I have done to a point, now I have a specific pattern of IPs to remove which is around the monitoring systems. Many /24 networks with the Monitoring IP always on last octet .37, i.e. 172.16.x.37/24 (e.g. 172.16.1.37, 172.16.2.37, 172.16.3.37)

Any steer on logic to achieve would be greatly appreciated.

thank you


Comments

"during the capture"
You're looking for a capture filter or a display filter?

Chuckc ( 2019-10-29 13:15:10 +0000 )

4 Answers

1

answered 2019-10-29 05:19:13 +0000

Jaap

Have a look at the Slice and Membership operators in the Users Guide. These should allow you to compose something suitable.

0

answered 2019-10-29 16:07:41 +0000

Chuckc

updated 2019-10-29 16:11:52 +0000

Example for a capture filter. Might be messy to maintain, but I did not find a way to wildcard with BPF.
To exclude the "monhost" addresses, change it to "not host monhost".

host host
    True if either the IPv4/v6 source or destination of the packet is host.
<snip>
    If host is a name with multiple IP addresses, each address will be checked for a match.

[email protected]:~# tail /etc/hosts
# Tue Oct 29 15:58:08 UTC 2019 - test for dumpcap -f "host monhost" -d
172.16.1.37     monhost
172.16.2.37     monhost
172.16.3.37     monhost
172.16.4.37     monhost

172.16.11.37    monhost
172.16.12.37    monhost
172.16.13.37    monhost
172.16.14.37    monhost
[email protected]:~#

[email protected]:~# dumpcap -f "host monhost" -d
Capturing on 'eth0'
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 13
(002) ld       [26]
(003) jeq      #0xac100125      jt 33   jf 4
(004) jeq      #0xac100225      jt 33   jf 5
(005) jeq      #0xac100325      jt 33   jf 6
(006) jeq      #0xac100425      jt 33   jf 7
(007) jeq      #0xac100b25      jt 33   jf 8
(008) jeq      #0xac100c25      jt 33   jf 9
(009) jeq      #0xac100d25      jt 33   jf 10
(010) jeq      #0xac100e25      jt 33   jf 11
(011) ld       [30]
(012) jeq      #0xac100125      jt 33   jf 26
(013) jeq      #0x806           jt 15   jf 14
(014) jeq      #0x8035          jt 15   jf 34
(015) ld       [28]
(016) jeq      #0xac100125      jt 33   jf 17
(017) jeq      #0xac100225      jt 33   jf 18
(018) jeq      #0xac100325      jt 33   jf 19
(019) jeq      #0xac100425      jt 33   jf 20
(020) jeq      #0xac100b25      jt 33   jf 21
(021) jeq      #0xac100c25      jt 33   jf 22
(022) jeq      #0xac100d25      jt 33   jf 23
(023) jeq      #0xac100e25      jt 33   jf 24
(024) ld       [38]
(025) jeq      #0xac100125      jt 33   jf 26
(026) jeq      #0xac100225      jt 33   jf 27
(027) jeq      #0xac100325      jt 33   jf 28
(028) jeq      #0xac100425      jt 33   jf 29
(029) jeq      #0xac100b25      jt 33   jf 30
(030) jeq      #0xac100c25      jt 33   jf 31
(031) jeq      #0xac100d25      jt 33   jf 32
(032) jeq      #0xac100e25      jt 33   jf 34
(033) ret      #262144
(034) ret      #0
[email protected]:~#
0

answered 2019-10-29 06:20:10 +0000

updated 2019-10-29 06:25:46 +0000

As an example of what @Jaap said:

!(ip.addr[0-1] == AC.10 and ip.addr[3] == 25)

Filter out all addresses with first 2 octets of 172.16 and 4th octet of 37 (octets converted to Hex).

0

answered 2019-10-29 07:10:47 +0000

SYN-bit

You can use a regular expression on ip.host. This is the resolved version of ip.addr and with resolving disabled for the network layer, it becomes the string representation of ip.addr. I did exactly the same thing for anything 10.x.24.x.

In your case you can use ip.host matches "^172\\.16\\..*\\.37$" (make sure you turn off network layer name resolving)


Comments

Oh, and as for the BPF equivalent for capturing, you can use the following filter:

$ tcpdump -i en0 -d "ip[12:4] & 0xffff00ff = 0xac100025 or ip[16:4] & 0xffff00ff = 0xac100025"
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 9
(002) ld       [26]
(003) and      #0xffff00ff
(004) jeq      #0xac100025      jt 8    jf 5
(005) ld       [30]
(006) and      #0xffff00ff
(007) jeq      #0xac100025      jt 8    jf 9
(008) ret      #262144
(009) ret      #0
$

Which will mask out the 3rd octet so it always becomes 0 and then checks against 172.16.0.37 (0xac100025 in hex).

But reading your question another time I see that you DON'T want to capture these IPs, so you can use the capture filter not (ip[12:4] & 0xffff00ff = 0xac100025 or ip[16:4] & 0xffff00ff = 0xac100025)

SYN-bit ( 2019-10-29 22:54:59 +0000 )
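
The masking approach from the comment above, generalised to any dotted pattern with `*` octets, as an added example that is not part of the original thread. The function names and the sample address pairs are constructed for illustration.

```python
import ipaddress

def wildcard_to_mask(pattern):
    """Turn '172.16.*.37' into 32-bit (mask, value); '*' octets are ignored."""
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError("expected four dot-separated octets: %r" % pattern)
    mask = value = 0
    for octet in octets:
        mask <<= 8
        value <<= 8
        if octet != "*":
            n = int(octet)
            if not 0 <= n <= 255:
                raise ValueError("octet out of range: %r" % octet)
            mask |= 0xFF      # compare this octet
            value |= n        # against this byte
    return mask, value

def capture_filter(pattern, exclude=True):
    """Build the BPF expression: test source (ip[12:4]) and destination (ip[16:4])."""
    mask, value = wildcard_to_mask(pattern)
    expr = " or ".join(
        "ip[%d:4] & 0x%08x = 0x%08x" % (off, mask, value) for off in (12, 16))
    return "not (%s)" % expr if exclude else expr

def is_dropped(src, dst, pattern):
    """Model the exclude filter on an IPv4 packet: each address is tested on its own."""
    mask, value = wildcard_to_mask(pattern)
    return any(int(ipaddress.IPv4Address(a)) & mask == value for a in (src, dst))

# Constructed sample (source, destination) pairs.
SAMPLES = [
    ("172.16.1.37", "10.0.0.5"),     # monitoring host as source: dropped
    ("10.0.0.5", "172.16.200.37"),   # monitoring host as destination: dropped
    ("172.16.1.5", "8.8.8.37"),      # prefix and .37 on different addresses: kept
    ("172.17.1.37", "10.0.0.5"),     # wrong second octet: kept
]

if __name__ == "__main__":
    print(capture_filter("172.16.*.37"))
    for src, dst in SAMPLES:
        verdict = "dropped" if is_dropped(src, dst, "172.16.*.37") else "kept"
        print("%-15s -> %-15s %s" % (src, dst, verdict))
```

Because `ip[...]` only matches IPv4 frames, the `not (...)` form still captures non-IPv4 traffic such as ARP involving the monitoring hosts.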
