tcpdump mailing list archives
Re: Sniffing ranges of ips
From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Fri, 19 Nov 2004 16:43:53 -0500
MMatos wrote:
> Jefferson Ogata wrote:
>> MMatos wrote:
>>> For example I want to dump all traffic that arrives to my box from ips 192.168.2.15 to 192.168.2.40. I could write all the ips in the range but that's not a good solution, so how can I implement that filter correctly using the range?
>> Use the attached perl scripts, e.g.:
>>
>>     tcpdump [options] `./genrange.pl 192.168.2.15 192.168.2.40 | ./aggregate.pl | ./iptcpdump.pl src`
>>
>> Or you can do something more utilitarian, such as:
>>
>>     tcpdump [options] '( ip[12:4] >= 0xc0a8020f ) and ( ip[12:4] <= 0xc0a80228 )'
> First of all thanks for the precious help you give me!
You're welcome.
> I've been analysing the scripts and they expand the ranges to all ips and then work around with the netmasks...
Correct.
> Indeed I like the 2nd way you're suggesting but I've a little doubt: Let's pick ip[12:4]. The ip is self explanatory; the 4 represents the 4th word of the ip datagram which corresponds to the source address (right?) but I'm unable to find out the purpose of the number 12. Can you enlighten me about that?
ip[12:4] means the four bytes starting at offset 12 in the IP header. tcpdump will extract these bytes as a 32-bit integer in network order. The four-byte value at offset 12 in the IP header is the IP source address. The destination IP address can be found at ip[16:4].
The rest is simple integer comparisons with hex-encoded integers representing the IP range you're interested in. This technique is more efficient than the netmask technique, although the netmask technique is somewhat cooler, in a dark sunglasses kind of way, if you're into that sort of thing. You might want to keep the aggregation script around for other things. (Assuming it works correctly; I wrote it a long time ago and I don't remember if I ever actually finished and tested it. On the face of it, it does what it's supposed to.)
--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>

This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
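As an added example, not part of the original thread or of the perl scripts mentioned in it, the following Python builds the hex-bounded ip[12:4] / ip[16:4] expression from a dotted-quad range and then applies the same test to a constructed IPv4 header, so you can see exactly what bytes the filter compares. Function names and the sample header are my own.

```python
import ipaddress
import struct

# Byte offsets of the address fields inside the IPv4 header: the source
# address starts at offset 12, the destination at offset 16 (4 bytes each).
FIELD_OFFSETS = {"src": 12, "dst": 16}


def ip_range_filter(first: str, last: str, field: str = "src") -> str:
    """Build a tcpdump/BPF expression matching IPv4 addresses in [first, last].

    ip[12:4] loads the four bytes at offset 12 of the IP header as one
    32-bit big-endian integer, so the range test is just two comparisons
    against the hex-encoded bounds, with no per-address or netmask expansion.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is greater than range end")
    offset = FIELD_OFFSETS[field]
    return f"( ip[{offset}:4] >= {lo:#010x} ) and ( ip[{offset}:4] <= {hi:#010x} )"


def build_ipv4_header(src: str, dst: str) -> bytes:
    """Constructed minimal 20-byte IPv4 header (TCP, TTL 64, checksum left 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def header_matches(header: bytes, first: str, last: str, field: str = "src") -> bool:
    """Do what the filter does: read the 4-byte field in network order and
    compare it as an unsigned integer against the two bounds."""
    offset = FIELD_OFFSETS[field]
    (value,) = struct.unpack("!I", header[offset:offset + 4])
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    return lo <= value <= hi


if __name__ == "__main__":
    print(ip_range_filter("192.168.2.15", "192.168.2.40"))
    # -> ( ip[12:4] >= 0xc0a8020f ) and ( ip[12:4] <= 0xc0a80228 )
    pkt = build_ipv4_header("192.168.2.20", "10.0.0.1")
    print(header_matches(pkt, "192.168.2.15", "192.168.2.40"))  # True
```

The ip[] offsets are relative to the start of the IP header, so the expression is independent of the link type, but the `ip` qualifier means it only ever matches IPv4 packets.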