Wireshark mailing list archives
Re: limit of IP filters in dumpcap
From: Jianhong Xia <jianhong.xia () zingbox com>
Date: Tue, 18 Apr 2017 17:22:18 +0000
Thanks Peter and Ian. Aggregation from IP addresses to a subnet is not applicable here because the IP addresses are not contiguous. Also, looping through individual filters may not be scalable or efficient. I think ipsets and nflog might be the solution for my case. I will take a look and try it out.

Thanks again,
Jianhong

On 4/18/17, 6:50 AM, "wireshark-users-bounces () wireshark org on behalf of Peter Wu" <wireshark-users-bounces () wireshark org on behalf of peter () lekensteyn nl> wrote:

> On Tue, Apr 18, 2017 at 02:08:40AM +0000, Jianhong Xia wrote:
> > Hi,
> >
> > I am not sure if anyone asked this question before.
> >
> > I am using dumpcap to capture network traffic with thousands of
> > clients from the local sub-network. I would like to use an IP filter to
> > capture the traffic from/to selected IP addresses. I know if I have
> > a few IP addresses to capture, I can use
> >
> >     dumpcap -i en0 -f 'host x.a.b.c and host x.d.e.f and host x.g.h.i' -w traffic.pcap
> >
> > However, if I have thousands of IP addresses whose traffic I want to
> > capture, how many IP address filters can dumpcap support?
>
> Not sure what the exact limit is, but I don't think that it scales to
> 1000s of addresses.
>
> Since you mentioned a local subnetwork, there is another option. To
> match all addresses within the 192.168.0.0/24 net, use the
> "net 192.168.0.0/16" capture filter.
>
> If that is not applicable, perhaps you can have a look at using ipsets
> and nflog. With the "ipset" program you create a set of IP addresses
> which you can then match with "iptables" and send matching packets to
> the NFLOG target. Then you can capture from the "nflog" interface.
>
> See also:
> http://ipset.netfilter.org/ipset.man.html
> http://ipset.netfilter.org/iptables-extensions.man.html
> https://wiki.wireshark.org/CaptureSetup/NFLOG
> --
> Kind regards,
> Peter Wu
> https://lekensteyn.nl

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
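The ipset / iptables NFLOG / dumpcap setup Peter describes, worked through as an added example (this is not code from the thread or from the Wireshark project). It turns a plain list of non-contiguous addresses into an `ipset restore` script, generates the `iptables` rules that copy matching packets to an NFLOG group, and shows the `dumpcap` invocation that reads that group. The set name `capture_hosts`, NFLOG group 30, the chains used and the sample address list are all assumptions; by default the script only prints what it would do, and it applies the rules and starts capturing only when run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example, not from the original thread. Loads many arbitrary hosts into
# an ipset, matches the set with iptables, and captures matches via NFLOG.
set -eu

SET_NAME="${SET_NAME:-capture_hosts}"   # assumed set name
NFLOG_GROUP="${NFLOG_GROUP:-30}"        # assumed NFLOG group number
OUT_PCAP="${OUT_PCAP:-traffic.pcap}"

# Constructed sample address list. The hosts are deliberately scattered across
# unrelated /24s (so a single "net a.b.c.0/24" filter cannot cover them), and
# the list contains one junk line and one duplicate to exercise the cleanup.
SAMPLE_HOSTS='10.0.3.17
10.0.9.201
172.16.40.5
not-an-address
192.168.77.250
10.0.3.17'

# Emit an "ipset restore" script for set $1, reading one IPv4 address per line
# on stdin. Lines that are not dotted quads are dropped and duplicates are
# collapsed, so "ipset -exist restore" loads the result without errors.
# hash:ip holds single addresses; maxelem bounds the set size (assumed value).
build_ipset_restore() {
    name="$1"
    echo "create $name hash:ip family inet hashsize 4096 maxelem 65536"
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u | while read -r ip; do
        echo "add $name $ip"
    done
}

# Print the iptables rules that send packets whose source OR destination is in
# set $1 to NFLOG group $2. A hash:ip set matches one address field per rule,
# so "from/to" needs a src rule and a dst rule. Chains are an assumption:
# INPUT/OUTPUT cover traffic of the capturing host itself, FORWARD covers
# transit traffic when the capture box is the router for the subnet.
build_iptables_rules() {
    name="$1"
    group="$2"
    echo "iptables -I INPUT -m set --match-set $name src -j NFLOG --nflog-group $group"
    echo "iptables -I OUTPUT -m set --match-set $name dst -j NFLOG --nflog-group $group"
    echo "iptables -I FORWARD -m set --match-set $name src -j NFLOG --nflog-group $group"
    echo "iptables -I FORWARD -m set --match-set $name dst -j NFLOG --nflog-group $group"
}

restore_script="$(printf '%s\n' "$SAMPLE_HOSTS" | build_ipset_restore "$SET_NAME")"

if [ "${APPLY:-0}" = "1" ]; then
    # Real run (root, Linux with ipset/iptables/dumpcap installed):
    # load the set, insert the rules, then read the NFLOG group with dumpcap.
    printf '%s\n' "$restore_script" | ipset -exist restore
    build_iptables_rules "$SET_NAME" "$NFLOG_GROUP" | sh
    echo "capturing NFLOG group $NFLOG_GROUP to $OUT_PCAP (Ctrl-C to stop)"
    dumpcap -i "nflog:$NFLOG_GROUP" -w "$OUT_PCAP"
else
    echo "# dry run: ipset restore script"
    printf '%s\n' "$restore_script"
    echo "# dry run: iptables rules"
    build_iptables_rules "$SET_NAME" "$NFLOG_GROUP"
    echo "# then: dumpcap -i nflog:$NFLOG_GROUP -w $OUT_PCAP"
fi
```

Adding or removing a host later is a single `ipset add` / `ipset del` against the live set; the iptables rules and the running dumpcap do not need to be touched, which is the property that makes this scale where a BPF `host ... or host ...` expression with thousands of terms does not. Remember to remove the four rules (same commands with `-D` instead of `-I`) when the capture is finished, otherwise every matching packet keeps being copied to the NFLOG group.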