At 08:24 AM 8/10/2006, King, John (Greg) (LMIT-HOU) wrote:
For some reason this filter is not working like I expect it to:
# Local Site
192.168.18.0/24 #servers
192.168.19.0/24 #workstation
# Remote Sites
Anything not in the local site
I want to capture any traffic to and from a local workstation as
long as the following requirements are met:
1. the source is a local workstation and the destination is not a local
workstation or local server
2. the source is not a local workstation or local server and the
destination is a local workstation
My filter looks like this, with comments:
/opt/bin/tethereal -s 65535 -i eth1 -n -w /path/test.cap -a
filesize:5000 -f
"ip and not broadcast and not multicast and
(
#source is not a local server or workstation and destination not
a local server
( (src net not 192.168.19.0/24 or src net not 192.168.18.0/24)
and dst net not 192.168.18.0/24)
or
#source is a local workstation and destination is not a local
workstation or local server
( (src net 192.168.19.0/24 and (dst net not 192.168.19.0/24 or
192.168.18.0/24) ) )
)"
Use an example IP address and work through your filter. For example, src
ip 1.1.1.1 and dest ip 1.1.1.2. This passes the first part of your filter
because 1.1.1.1 is not in either of your local networks - (src net not
192.168.19.0/24 or src net not 192.168.18.0/24) passes any ip address that
is not local.
I think you want (because your workstation and server subnets are
contiguous you can use a netmask of 23 bits to cover both):
(src net 192.168.19.0/24 and dst net not 192.168.18.0/23) or
(src net not 192.168.18.0/23 and dst net 192.168.19.0/24)
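As an added example (not code from the thread), the posted filter and the suggested replacement modelled as Python predicates with the ipaddress module and run over a few constructed src/dst pairs; it assumes BPF qualifier inheritance reads the bare `192.168.18.0/24` in the posted filter as `dst net 192.168.18.0/24`.

```python
# Added example: model both capture filters as predicates and compare them
# on constructed flows. The ip/broadcast/multicast prefix is left out.
from ipaddress import ip_address, ip_network

SERVERS = ip_network("192.168.18.0/24")
WORKSTATIONS = ip_network("192.168.19.0/24")
LOCAL = ip_network("192.168.18.0/23")   # both contiguous /24s, as the reply notes


def original_filter(src, dst):
    """Literal reading of the posted filter."""
    src, dst = ip_address(src), ip_address(dst)
    # (src net not 192.168.19.0/24 or src net not 192.168.18.0/24) and dst net not 192.168.18.0/24
    # The first clause is true for every address: no address is in both /24s.
    part1 = (src not in WORKSTATIONS or src not in SERVERS) and dst not in SERVERS
    # src net 192.168.19.0/24 and (dst net not 192.168.19.0/24 or 192.168.18.0/24)
    # Assumption: the bare address inherits the last qualifier, i.e. "dst net 192.168.18.0/24".
    part2 = src in WORKSTATIONS and (dst not in WORKSTATIONS or dst in SERVERS)
    return part1 or part2


def corrected_filter(src, dst):
    """The reply's filter: a workstation talking to anything outside the local /23."""
    src, dst = ip_address(src), ip_address(dst)
    return (src in WORKSTATIONS and dst not in LOCAL) or (src not in LOCAL and dst in WORKSTATIONS)


def compare(pairs):
    """Map each (src, dst) pair to (original_matches, corrected_matches)."""
    return {p: (original_filter(*p), corrected_filter(*p)) for p in pairs}


# Constructed sample flows (not from any real capture)
SAMPLE_FLOWS = [
    ("1.1.1.1", "1.1.1.2"),             # remote -> remote: should never be captured
    ("192.168.19.10", "8.8.8.8"),       # workstation -> remote: wanted (rule 1)
    ("8.8.8.8", "192.168.19.10"),       # remote -> workstation: wanted (rule 2)
    ("192.168.19.10", "192.168.18.5"),  # workstation -> local server: not wanted
    ("192.168.18.5", "8.8.8.8"),        # server -> remote: not wanted
]

if __name__ == "__main__":
    for pair, (orig, fixed) in compare(SAMPLE_FLOWS).items():
        print(f"{pair[0]:>15} -> {pair[1]:<15} original={orig!s:5} corrected={fixed}")
```

The original filter matches every one of the sample flows, including the remote-to-remote pair the reply walks through, while the corrected filter matches only the two flows the requirements actually describe.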