Snort mailing list archives

Re: tcpdump filtered for multiple hosts


From: Richard Bejtlich <taosecurity () gmail com>
Date: Sat, 22 Oct 2005 06:55:12 -0400

Court Graham wrote:

Does anyone know the syntax to screen for multiple hosts using tcpdump?
 tcpdump -w filename host ip (this is where I need more than one host)
 ???

Remember that using 'and' for a BPF primitive means the packet needs
to have both IPs.  You probably want to use 'or', e.g.,

tcpdump -n -i fxp0 -s 1515 host 64.233.167.147 or 68.142.226.42
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 1515 bytes
06:53:05.552531 IP 192.168.2.5 > 64.233.167.147: icmp 64: echo request seq 0
06:53:05.588292 IP 64.233.167.147 > 192.168.2.5: icmp 64: echo reply seq 0
06:53:18.905750 IP 192.168.2.5 > 68.142.226.42: icmp 64: echo request seq 0
06:53:18.920278 IP 68.142.226.42 > 192.168.2.5: icmp 64: echo reply seq 0

That sees ICMP to Google or Yahoo, not Google and Yahoo.

Sincerely,

Richard
http://www.taosecurity.com
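As an added example (not part of Richard's reply or the Snort project), a small POSIX shell helper that builds the 'or' group for any number of hosts and parenthesises it so it can be safely combined with another primitive using 'and'; the function names, the watchlist file format and the sample watchlist are assumptions made for this illustration.

```shell
#!/bin/sh
# Build a BPF expression matching traffic to or from ANY of the given hosts.
# The hosts are joined with 'or': a single packet carries one src/dst pair,
# so 'host A and host B' would only match packets between A and B.
# The group is parenthesised because BPF 'and' and 'or' associate left to
# right: 'icmp and host A or host B' is read as '(icmp and host A) or host B',
# which would capture ALL traffic to or from B, not just ICMP.
bpf_any_host() {
    _expr=""
    for _h in "$@"; do
        if [ -z "$_expr" ]; then
            _expr="host $_h"
        else
            _expr="$_expr or host $_h"
        fi
    done
    [ -n "$_expr" ] || return 1        # refuse to emit an empty filter
    printf '(%s)\n' "$_expr"
}

# Combine a protocol qualifier (e.g. icmp, tcp) with the host group.
bpf_proto_any_host() {
    _proto=$1; shift
    _hosts=$(bpf_any_host "$@") || return 1
    printf '%s and %s\n' "$_proto" "$_hosts"
}

# Read hosts from a watchlist file (assumed format: one host per line,
# '#' starts a comment, blank lines are ignored) and build the group.
bpf_any_host_from_file() {
    # shellcheck disable=SC2046  (word splitting on whitespace is intended)
    set -- $(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1")
    bpf_any_host "$@"
}

# Constructed sample watchlist using the two addresses from the thread.
WATCHLIST=$(mktemp)
printf '%s\n' '# watchlist' '64.233.167.147   # google' '' '68.142.226.42' > "$WATCHLIST"
FILTER="icmp and $(bpf_any_host_from_file "$WATCHLIST")"
rm -f "$WATCHLIST"

# Prints the command a defender would run with the generated filter:
# tcpdump -n -i fxp0 -s 1515 'icmp and (host 64.233.167.147 or host 68.142.226.42)'
printf "tcpdump -n -i fxp0 -s 1515 '%s'\n" "$FILTER"
```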

