tcpdump mailing list archives

Re: Sniffing ranges of ips


From: Miguel Matos <razielukain () gmail com>
Date: Sat, 20 Nov 2004 23:02:01 +0000

On Sat, 20 Nov 2004 16:29:29 -0500, Jefferson Ogata
<jefferson.ogata () noaa gov> wrote:
MMatos wrote:
Note: I'm resending this message because I sent it 20 hours ago and
it hasn't arrived on the list (at least I haven't received it yet).

I saw it yesterday.



Alexander Dupuy wrote:
Jefferson Ogata wrote:
Or you can do something more utilitarian, such as:

tcpdump [options] '( ip[12:4] >= 0xc0a8020f ) and ( ip[12:4] <= 0xc0a80228 )'

This doesn't support non-power-of-two ranges; for example addresses
between 192.168.1.10 and 192.168.1.19.  For something like that, with
IPv4 you can use a hack like "(ip[12:4] >= 0x01020304) and (ip[12:4]
<= 0x01020506)" to express that the source IP address should be within
the range of 1.2.3.4 to 1.2.5.6 (inclusive).  No simple expression
exists for non-power-of-two IPv6 address ranges, but you could
probably cobble up something only fairly heinous by computing
enclosing power-of-two ranges using an adaptation of Jefferson Ogata's
genrange.pl and aggregate.pl scripts and doing something similar with
comparisons on low-order four-byte pieces of the address.

Yes, solving that problem of unsupported non-power-of-two ranges wouldn't
be very difficult.

The aggregate.pl script I sent earlier did in fact have bugs (I
apparently hadn't actually tested it in days of yore), so attached find
a more correct implementation.

I haven't tested it too hard to discover its bugs :) 
How can I know that a given bpf filter is correct for a given range by
analysing its opcodes? Maybe a link to a doc lying somewhere?

Usually we trust it. But the code generator is a snarly rat's nest, and
the optimizer is terrifying to behold. So it helps to know the virtual
machine semantics. You can find them here, among other places:

http://www.tcpdump.org/papers/bpf-usenix93.pdf
http://www.freebsd.org/cgi/man.cgi?query=bpf&apropos=0&sektion=0&manpath=FreeBSD+5.3-RELEASE+and+Ports&format=html


Thanks a lot for those links, in particular the pdf, as it explains the
inner workings of the filter :)

MMatos
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
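The two filter forms discussed in the thread, the `ip[12:4]` integer-comparison hack for arbitrary IPv4 ranges and the decomposition of a range into enclosing power-of-two (CIDR) blocks that genrange.pl/aggregate.pl perform, as an added example. This is not code from the original thread or from those Perl scripts; the function names and the use of Python's standard `ipaddress` module are my own choices.

```python
import ipaddress


def ip_range_to_bpf(first: str, last: str, offset: int = 12) -> str:
    """Build the comparison filter from the thread: the 32-bit address at
    byte offset 12 of the IPv4 header (source) is compared as an integer
    against the range bounds.  offset=16 selects the destination address.
    The ip[...] accessor also restricts the match to IPv4 packets."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    # '#010x' prints an eight-digit, zero-padded hex literal with 0x prefix
    return f"(ip[{offset}:4] >= {lo:#010x}) and (ip[{offset}:4] <= {hi:#010x})"


def ip_range_to_cidrs(first: str, last: str) -> list:
    """Split an inclusive range into the minimal set of aligned power-of-two
    blocks, which is what a net-based filter needs."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]


def cidrs_to_bpf(cidrs: list, direction: str = "src") -> str:
    """Join the blocks into an equivalent 'src net ... or src net ...' filter."""
    return " or ".join(f"{direction} net {c}" for c in cidrs)


def blocks_cover_exactly(first: str, last: str) -> bool:
    """Sanity check for the decomposition: every address inside the range
    falls in exactly one block and the two neighbouring addresses just
    outside the range fall in none.  Establishing the same property for
    the compiled BPF program is what reading its opcodes amounts to."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    nets = [ipaddress.ip_network(c) for c in ip_range_to_cidrs(first, last)]

    def hits(addr: int) -> int:
        return sum(ipaddress.IPv4Address(addr) in n for n in nets)

    inside_ok = all(hits(a) == 1 for a in range(lo, hi + 1))
    outside_ok = all(hits(a) == 0 for a in (lo - 1, hi + 1)
                     if 0 <= a <= 0xFFFFFFFF)
    return inside_ok and outside_ok


if __name__ == "__main__":
    # The 192.168.1.10 .. 192.168.1.19 range from the thread, both ways
    print(ip_range_to_bpf("192.168.1.10", "192.168.1.19"))
    print(cidrs_to_bpf(ip_range_to_cidrs("192.168.1.10", "192.168.1.19")))
```

Either expression can be handed to `tcpdump -d` to inspect the generated opcodes side by side; the comparison form compiles to two integer tests, the net form to one test per block.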
