tcpdump mailing list archives
Re: Sniffing ranges of ips
From: Miguel Matos <razielukain () gmail com>
Date: Sat, 20 Nov 2004 23:02:01 +0000
On Sat, 20 Nov 2004 16:29:29 -0500, Jefferson Ogata <jefferson.ogata () noaa gov> wrote:
MMatos wrote:

Note: I'm resending this message because I sent it 20 hours ago and it hasn't arrived at the list (at least I haven't received it yet).

I saw it yesterday.

Alexander Dupuy wrote:

Jefferson Ogata wrote:

Or you can do something more utilitarian, such as:

tcpdump [options] '( ip[12:4] >= 0xc0a8020f ) and ( ip[12:4] <= 0xc0a80228 )'

This doesn't support non-power-of-two ranges; for example addresses between 192.168.1.10 and 192.168.1.19. For something like that, with IPv4 you can use a hack like "(ip[12:4] >= 0x01020304) and (ip[12:4] <= 0x01020506)" to express that the source IP address should be within the range of 1.2.3.4 to 1.2.5.6 (inclusive). No simple expression exists for non-power-of-two IPv6 address ranges, but you could probably cobble up something only fairly heinous by computing enclosing power-of-two ranges using an adaptation of Jefferson Ogata's genrange.pl and aggregate.pl scripts and doing something similar with comparisons on low-order four-byte pieces of the address.

Yes, solving that problem of unsupported non-power-of-two ranges wouldn't be very difficult.

The aggregate.pl script I sent earlier did in fact have bugs (I apparently hadn't actually tested it in days of yore), so attached find a more correct implementation.

I haven't tested it too hard to discover its bugs :)

How can I know that a given bpf filter is correct for a given range by analysing its opcodes? Maybe a link to a doc lying somewhere?

Usually we trust it. But the code generator is a snarly rat's nest, and the optimizer is terrifying to behold. So it helps to know the virtual machine semantics. You can find them here, among other places:

http://www.tcpdump.org/papers/bpf-usenix93.pdf
http://www.freebsd.org/cgi/man.cgi?query=bpf&apropos=0&sektion=0&manpath=FreeBSD+5.3-RELEASE+and+Ports&format=html

Thanks a lot for those links, in particular the PDF, as it explains the inner workings of the filter :)

MMatos
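The two approaches discussed in this message, the ip[12:4] comparison and the enclosing power-of-two blocks, can be generated and cross-checked with the Python sketch below. It is an added example, not part of the thread and not the genrange.pl or aggregate.pl scripts; all function names are assumptions made for illustration.

```python
import ipaddress

def _bounds(first, last):
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address is above last address")
    return lo, hi

def range_filter(first, last, offset=12):
    """Comparison form from the thread. Offset 12 is the IPv4 source
    address field, offset 16 the destination address field."""
    lo, hi = _bounds(first, last)
    return (f"( ip[{offset}:4] >= 0x{lo:08x} ) and "
            f"( ip[{offset}:4] <= 0x{hi:08x} )")

def covering_blocks(first, last):
    """Smallest list of power-of-two (CIDR) blocks that exactly covers
    the inclusive range first..last."""
    _bounds(first, last)
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

def cidr_filter(first, last, direction="src"):
    """The same range written as a chain of tcpdump 'net' primitives."""
    return " or ".join(f"{direction} net {block}"
                       for block in covering_blocks(first, last))

def forms_agree(first, last):
    """Check that both forms accept the same addresses, testing every
    address in the range plus one address on each side of it."""
    lo, hi = _bounds(first, last)
    blocks = covering_blocks(first, last)
    for n in range(max(lo - 1, 0), min(hi + 1, 2**32 - 1) + 1):
        by_compare = lo <= n <= hi
        by_blocks = any(ipaddress.IPv4Address(n) in b for b in blocks)
        if by_compare != by_blocks:
            return False
    return True

if __name__ == "__main__":
    # Range taken from the filter quoted in the message above.
    first, last = "192.168.2.15", "192.168.2.40"
    print(range_filter(first, last))
    print(cidr_filter(first, last))
    print("forms agree:", forms_agree(first, last))
```

The range in the quoted filter needs four blocks in the second form, which is the cost of expressing a non-power-of-two range with net primitives.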