tcpdump mailing list archives
Filter not working?
From: "Gisle Vanem" <giva () bgnett no>
Date: Fri, 7 Feb 2003 15:25:11 +0100
I have the following filter to log "suspicious traffic" to my PC:

    icmp || (udp && (host not 217.13.7.136 and host not 217.13.4.21)) || ( (tcp[13] & 3 != 0) && (port not (25 || 80 || 110 || 119 || 6346 || 6347)) )

"windump -dF suspicious.filter" says:

    (000) ldh [12]
    (001) jeq #0x800 jt 2 jf 11
    (002) ldb [23]
    (003) jeq #0x1 jt 14 jf 4
    (004) jeq #0x11 jt 5 jf 15
    (005) ld [26]
    (006) jeq #0xd90d0788 jt 15 jf 7
    (007) jeq #0xd90d0415 jt 15 jf 8
    (008) ld [30]
    (009) jeq #0xd90d0788 jt 15 jf 10
    (010) jeq #0xd90d0415 jt 15 jf 14
    (011) jeq #0x86dd jt 12 jf 15 ; IPv6 enabled windump
    (012) ldb [20]
    (013) jeq #0x11 jt 14 jf 15
    (014) ret #96
    (015) ret #0

------------------------------

Why are the tcp SYN/FIN and ports not evaluated? I guess the filter spec is wrong, but what?

Gisle V.

# rm /bin/laden
/bin/laden: Not found

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
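As an added example (not part of the post, and not tcpdump/windump code), here is a small interpreter for the BPF subset that the "windump -d" dump above uses, run against constructed Ethernet/IPv4 frames. It confirms what the poster observed: instruction (004) sends every IPv4 packet that is neither ICMP nor UDP straight to (015) ret #0, so a TCP SYN never reaches the tcp[13] or port tests at all, while the ICMP and UDP branches behave as the filter text intends. The frame builder and packet values are assumptions made for the demonstration.

```python
import struct

# The program exactly as "windump -dF suspicious.filter" printed it above,
# transcribed as (op, k, jt, jf); jt/jf are absolute instruction indexes.
PROGRAM = [
    ("ldh", 12, None, None), ("jeq", 0x800, 2, 11),
    ("ldb", 23, None, None), ("jeq", 0x1, 14, 4),
    ("jeq", 0x11, 5, 15),
    ("ld", 26, None, None), ("jeq", 0xd90d0788, 15, 7), ("jeq", 0xd90d0415, 15, 8),
    ("ld", 30, None, None), ("jeq", 0xd90d0788, 15, 10), ("jeq", 0xd90d0415, 15, 14),
    ("jeq", 0x86dd, 12, 15), ("ldb", 20, None, None), ("jeq", 0x11, 14, 15),
    ("ret", 96, None, None), ("ret", 0, None, None),
]

def run_bpf(program, pkt):
    """Interpret the ldh/ldb/ld/jeq/ret subset; return the snaplen (0 = reject)."""
    acc, pc = 0, 0
    while True:
        op, k, jt, jf = program[pc]
        try:
            if op == "ldh":
                acc = struct.unpack_from("!H", pkt, k)[0]   # 16-bit big-endian load
            elif op == "ldb":
                acc = pkt[k]                                # 8-bit load
            elif op == "ld":
                acc = struct.unpack_from("!I", pkt, k)[0]   # 32-bit big-endian load
        except (struct.error, IndexError):
            return 0  # a load past the end of the packet rejects it, as in BPF
        if op == "jeq":
            pc = jt if acc == k else jf
        elif op == "ret":
            return k
        else:
            pc += 1

def ipv4_frame(proto, src, dst, l4=b""):
    """Constructed Ethernet + minimal IPv4 header (no options) + optional L4 bytes."""
    eth = b"\x00" * 12 + b"\x08\x00"  # EtherType 0x0800 at offset 12, IP header at 14
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4

# Constructed TCP header with only SYN set (flags byte 0x02 lands at frame offset 47).
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 8192, 0, 0)

def check_filter():
    """Run the dumped program over one frame per case; 96 = accepted, 0 = dropped."""
    return {
        "icmp": run_bpf(PROGRAM, ipv4_frame(1, "10.0.0.1", "10.0.0.2")),
        "udp": run_bpf(PROGRAM, ipv4_frame(17, "10.0.0.1", "10.0.0.2")),
        "udp_from_excluded": run_bpf(PROGRAM, ipv4_frame(17, "217.13.7.136", "10.0.0.2")),
        "tcp_syn": run_bpf(PROGRAM, ipv4_frame(6, "10.0.0.1", "10.0.0.2", TCP_SYN)),
    }

if __name__ == "__main__":
    print(check_filter())
```

The same loop can be pointed at any "-d" dump by transcribing it into PROGRAM, which is a quick way to check a filter's compiled behaviour against sample frames before trusting it for logging.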
Current thread:
- Filter not working? Gisle Vanem (Feb 07)
- Re: Filter not working? Guy Harris (Feb 07)
- Re: Filter not working? Guy Harris (Feb 07)
- Re: Filter not working? Gisle Vanem (Feb 07)
- Re: Filter not working? Guy Harris (Feb 07)
- Re: Filter not working? Guy Harris (Feb 07)
- Re: Filter not working? Guy Harris (Feb 07)