tcpdump filter not ignoring jail subnet
Beeblebrox
zaphod at berentweb.com
Fri Mar 6 07:09:26 UTC 2015
Hi. Thanks for the input.
> 192.168.2.97 is not a net. Any /32 is a host... even if it is
> anycast. So filter on "host 192.168.2.9".
I assume that specifying one of {src | dst} is not required and that "host 192.168.2.97" will remove all (in and out) from that IP?
> The real issue is that, while hostnames
> are allowed, I am not sure whether they can be wildcards. That would
> require lookups at capture time and I don't think that is possible.
> At the very least, the delays would make it fail. If you choose to look
> up addresses for FreeBSD systems, or build a list of freebsd.org
> names, that might work, but it would be a bit painful, especially
> since there may be multiple addresses for a single name. --
That's an excellent point - I had not considered that.
The solution then would be to pipe the output through awk or a ready-made tool like sysutils/ccze, I think. I was planning on looking into smart colorization anyway (for easy flagging), but as the second step of my little project. With this, I would have awk check against the whitelist, so that URLs would get included by tcpdump but filtered out by the awk pipe.
Thanks also to Ian for the off-list input. I do have a bit of a "brain-fart" problem with getting the filter to work, however. What I posted is the 5th or 6th variation, and at this point I'm just chasing my tail. Here's what I'd like to monitor:
* I want none of the traffic displayed from these:
    src net not 192.168.1.0/24    (outward-facing nic is on this subnet)
    not ip6                       (the above net pumps IP6 chatter which I don't need)
    host not 192.168.2.97         (my DNS jail running unbound + dnscrypt on 443)
* I don't need to monitor any of the traffic on these ports:
    not port imap and not port imaps and not port 6667    (irc)
* With the exception of the above, I want to see all remaining traffic on
  host mybsd (src and dst; normally not necessary to specify since we're listening on re0, which is the outward-facing nic, but we also requested "net not" for the entire subnet this nic belongs to)
Thanks and Regards
--
FreeBSD_amd64_11-Current_RadeonKMS
Please CC my email when responding, mail from list is not delivered.
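The awk post-filter mentioned in the message, as an added example that is not part of the original thread: the BPF filter cannot match wildcard hostnames, so the whitelist check is done on tcpdump's text output instead. The whitelist pattern (*.freebsd.org), the `filter_whitelist` and `demo` function names, and the sample capture lines are all assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread. Post-filters tcpdump's
# text output so that packets to or from whitelisted names never reach the
# terminal; this is the part a BPF filter cannot do for wildcard hostnames.
# Real use (the filter expression is yours to supply):
#   tcpdump -l -i re0 'host mybsd' | filter_whitelist
# -l makes tcpdump line-buffer stdout so each line reaches the pipe promptly.

# Assumed whitelist: an awk extended regex matched against the bare
# hostname (port/service suffix stripped). Bracket expressions are used
# instead of backslashes so the value survives "awk -v" escape processing.
WHITELIST='(^|[.])freebsd[.]org$'

filter_whitelist() {
    awk -v wl="$WHITELIST" '
        # Without -n, tcpdump prints lines such as:
        #   07:09:26.123456 IP mybsd.51234 > ftp.freebsd.org.http: Flags [S] ...
        # Field 3 is src.port, field 5 is dst.port followed by a colon.
        function host_of(f,    h) {
            h = f
            sub(/:$/, "", h)        # drop the trailing colon on the dst field
            sub(/[.][^.]*$/, "", h) # drop the ".port" or ".service" suffix
            return h
        }
        ($2 == "IP" || $2 == "IP6") && NF >= 5 {
            if (host_of($3) ~ wl || host_of($5) ~ wl) next
        }
        { print }
    '
}

# Constructed sample of tcpdump output (not a real capture) for a dry run.
SAMPLE='07:09:26.100000 IP mybsd.51234 > ftp.freebsd.org.http: Flags [S], seq 1, win 65535, length 0
07:09:26.200000 IP mybsd.51235 > www.example.net.http: Flags [S], seq 2, win 65535, length 0
07:09:26.300000 IP mail.example.org.imaps > mybsd.51236: Flags [P.], seq 3:4, length 1'

# Runs the sample through the filter; only the freebsd.org line should vanish.
demo() {
    printf '%s\n' "$SAMPLE" | filter_whitelist
}

demo
```

Lines whose source or destination host matches the whitelist are dropped; everything else passes through unchanged, so a colorizer such as ccze can still be added after this stage.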