tcpdump mailing list archives

Re: ntopng & packet filter of libpcap


From: Gerhard Mourani <gmourani () gmail com>
Date: Fri, 23 Jan 2015 20:44:02 -0500

On mine I get:

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 29
(002) ldb      [23]
(003) jeq      #0x29            jt 29   jf 4
(004) ld       [8]
(005) jeq      #0xffffffff      jt 6    jf 8
(006) ldh      [6]
(007) jeq      #0xffff          jt 29   jf 8
(008) ld       [2]
(009) jeq      #0xffffffff      jt 10   jf 12
(010) ldh      [0]
(011) jeq      #0xffff          jt 29   jf 12
(012) ld       [26]
(013) and      #0xff000000
(014) jeq      #0xe0000000      jt 29   jf 15
(015) ld       [26]
(016) and      #0xff000000
(017) jeq      #0xef000000      jt 29   jf 18
(018) ld       [30]
(019) and      #0xff000000
(020) jeq      #0xe0000000      jt 29   jf 21
(021) ld       [30]
(022) and      #0xff000000
(023) jeq      #0xef000000      jt 29   jf 24
(024) ld       [26]
(025) jeq      #0xc0a8020a      jt 29   jf 26
(026) ld       [30]
(027) jeq      #0xc0a8020a      jt 29   jf 28
(028) ret      #65535
(029) ret      #0


On Jan 23, 2015, at 5:48 PM, Guy Harris <guy () alum mit edu> wrote:


On Jan 23, 2015, at 1:23 PM, Gerhard Mourani <gmourani () gmail com> wrote:

Yes, it is what I want, but it seems that ntopng doesn't take it into consideration, because I can still view packets sent to or from 192.168.2.10!
Therefore, I'm presuming that maybe some () or other characters are missing in my filtering.

Not according to

      tcpdump -d "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host (192.168.2.10)"

on my machine:

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 29
(002) ldb      [23]
(003) jeq      #0x29            jt 29   jf 4
(004) ld       [8]
(005) jeq      #0xffffffff      jt 6    jf 8
(006) ldh      [6]
(007) jeq      #0xffff          jt 29   jf 8
(008) ld       [2]
(009) jeq      #0xffffffff      jt 10   jf 12
(010) ldh      [0]
(011) jeq      #0xffff          jt 29   jf 12
(012) ld       [26]
(013) and      #0xff000000
(014) jeq      #0xe0000000      jt 29   jf 15
(015) ld       [26]
(016) and      #0xff000000
(017) jeq      #0xef000000      jt 29   jf 18
(018) ld       [30]
(019) and      #0xff000000
(020) jeq      #0xe0000000      jt 29   jf 21
(021) ld       [30]
(022) and      #0xff000000
(023) jeq      #0xef000000      jt 29   jf 24
(024) ld       [26]
(025) jeq      #0xc0a8020a      jt 29   jf 26
(026) ld       [30]
(027) jeq      #0xc0a8020a      jt 29   jf 28
(028) ret      #65535
(029) ret      #0

which only gets to instruction 28, the "return a non-zero value so the packet is accepted" instruction, if *all* the tests pass, including

(024) ld       [26]
(025) jeq      #0xc0a8020a      jt 29   jf 26
(026) ld       [30]
(027) jeq      #0xc0a8020a      jt 29   jf 28

which are the tests for 192.168.2.10.  It gets to instruction 29, the "return zero so the packet is rejected" instruction, if other tests fail.

What does that command print on your machine?

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
