Wireshark mailing list archives

Re: limit of IP filters in dumpcap


From: Peter Wu <peter () lekensteyn nl>
Date: Tue, 18 Apr 2017 15:50:14 +0200

On Tue, Apr 18, 2017 at 02:08:40AM +0000, Jianhong Xia wrote:
> Hi,
> 
> I am not sure if anyone asked this question before.
> 
> I am using dumpcap to capture network traffic with thousands of
> clients from a local sub-network. I would like to use an IP filter to
> capture the traffic from/to selected IP addresses. I know if I have
> a few IP addresses to capture, I can use
> 
> dumpcap -i en0 -f 'host x.a.b.c and host x.d.e.f and host x.g.h.i'  -w traffic.pcap
> 
> However, if I have thousands of IP addresses whose traffic I want to
> capture, how many IP address filters can dumpcap support?

Not sure what the exact limit is, but I don't think that it scales to
1000s of addresses. Since you mentioned a local subnetwork, there is
another option. To match all addresses within the 192.168.0.0/24 net,
use the "net 192.168.0.0/16" capture filter.

If that is not applicable, perhaps you can have a look at using ipsets
and nflog. With the "ipset" program you create a set of IP addresses
which you can then match with "iptables" and send matching packets to
the NFLOG target. Then you can capture from the "nflog" interface.

See also:
http://ipset.netfilter.org/ipset.man.html
http://ipset.netfilter.org/iptables-extensions.man.html
https://wiki.wireshark.org/CaptureSetup/NFLOG
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
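The two approaches discussed in this reply, written out as an added example that is not code from the thread or from the Wireshark project. It builds a "host ... or host ..." capture filter from an address list for the small-list case, and emits the ipset/iptables/dumpcap command lines for the NFLOG case (printed for review rather than executed, since they need root). The interface "en0", the set name "capture_hosts", NFLOG group 5 and the sample addresses are constructed assumptions. Note that hosts are joined with "or" so that traffic to or from any listed host matches; "and" would require one packet to involve every listed host at once.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns a newline-separated address list
# into (1) a BPF "host A or host B ..." capture filter and (2) the ipset/iptables/
# dumpcap commands for the NFLOG approach. Interface "en0", set name
# "capture_hosts", NFLOG group 5 and the sample addresses are constructed.

# Constructed sample list; a real run would read it from a file such as hosts.txt.
SAMPLE_ADDRS='10.0.0.1
10.0.0.2
10.0.0.3'

# Build "host A or host B or ..." from addresses on stdin. Every clause adds BPF
# instructions and Linux rejects classic BPF programs longer than BPF_MAXINSNS
# (4096), so this only works for short lists.
build_host_filter() {
    filter=
    while read -r addr; do
        [ -n "$addr" ] || continue
        filter="${filter:+$filter or }host $addr"
    done
    printf '%s\n' "$filter"
}

# Emit the NFLOG variant: one hash:ip set holds all addresses (a hash lookup, so
# the list size does not matter), two rules copy matching packets to an NFLOG
# group, and dumpcap reads that group. A hash:ip set has a single dimension, so
# "src" and "dst" are matched by separate rules; a router capturing forwarded
# traffic would add the same pair on the FORWARD chain.
nflog_commands() {
    setname=${1:-capture_hosts}
    group=${2:-5}
    printf 'ipset create %s hash:ip\n' "$setname"
    while read -r addr; do
        [ -n "$addr" ] || continue
        printf 'ipset add %s %s\n' "$setname" "$addr"
    done
    printf 'iptables -I INPUT  -m set --match-set %s src -j NFLOG --nflog-group %s\n' "$setname" "$group"
    printf 'iptables -I OUTPUT -m set --match-set %s dst -j NFLOG --nflog-group %s\n' "$setname" "$group"
    printf 'dumpcap -i nflog:%s -w traffic.pcap\n' "$group"
}

# Stand-alone run: show both variants for the constructed sample list.
printf "dumpcap -i en0 -f '%s' -w traffic.pcap\n" \
    "$(printf '%s\n' "$SAMPLE_ADDRS" | build_host_filter)"
printf '%s\n' "$SAMPLE_ADDRS" | nflog_commands capture_hosts 5
```

Running the script prints the one-line dumpcap command for the short list, followed by the ipset/iptables/dumpcap sequence; the latter is what to feed to a root shell once it has been checked.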
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe