List: focus-ids
Subject: Tcpdump filter
From: Subba Rao <subba9 () home ! com>
Date: 2001-08-17 11:16:07
Hi,
I have written a filter to avoid logging,
- ARP broadcasts
- ESP packets
- POP3 mail packets
- News packets
not arp and not ip[9] = 50 and
(
(not (src host 1.1.1.1 and dst port 110)) and
(not (src host M.M.M.M and src port 110))
)
and
(
(not (src host 1.1.1.1 and dst port 119)) and
(not (src host N.N.N.N and src port 119))
)
This filter is not capturing the Code Red probes. ipchains is logging the
Code Red attempts on this machine, but the filter fails to capture them.
Can anyone spot what I am doing wrong here? The outbound Web access is being
captured but not the Code Red access. Apart from the above listed packets, I
would like to capture the rest of the packets.
Thank you in advance.
--
Subba Rao
subba9@home.com
http://members.home.net/subba9/
GPG public key ID 27FC9217
Key fingerprint = 2B4C 498E 1860 5A2B 6570 5852 7527 882A 27FC 9217
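A way to sanity-check the exclusion logic of the filter above before blaming it: the expression rendered in Python and run against constructed packets (added example, not part of the post; 1.1.1.1, M.M.M.M and N.N.N.N are the post's own placeholders, the probe source address is made up).

```python
from dataclasses import dataclass
from typing import List, Optional

ESP_PROTO = 50  # IANA protocol number for ESP; ip[9] is the IPv4 protocol byte
IP_PROTO_NUMBERS = {"tcp": 6, "udp": 17, "esp": 50}

# Placeholder addresses copied from the post: 1.1.1.1 is the local host,
# M.M.M.M the POP3 server and N.N.N.N the news (NNTP) server.
LOCAL_HOST = "1.1.1.1"
POP3_SERVER = "M.M.M.M"
NEWS_SERVER = "N.N.N.N"

@dataclass
class Packet:
    proto: str                   # "arp", "tcp", "udp" or "esp"
    src: str = ""
    dst: str = ""
    sport: Optional[int] = None  # None for protocols without ports
    dport: Optional[int] = None

def filter_keeps(pkt: Packet) -> bool:
    """Python rendering of the posted expression. True means tcpdump keeps the packet."""
    if pkt.proto == "arp":                                # not arp
        return False
    if IP_PROTO_NUMBERS.get(pkt.proto) == ESP_PROTO:      # not ip[9] = 50
        return False
    pop3_out = pkt.src == LOCAL_HOST and pkt.dport == 110
    pop3_in = pkt.src == POP3_SERVER and pkt.sport == 110
    news_out = pkt.src == LOCAL_HOST and pkt.dport == 119
    news_in = pkt.src == NEWS_SERVER and pkt.sport == 119
    # (not A) and (not B) and (not C) and (not D)  ==  not (A or B or C or D)
    return not (pop3_out or pop3_in or news_out or news_in)

def kept(packets: List[Packet]) -> List[Packet]:
    """Return the subset of packets the filter would hand to tcpdump."""
    return [p for p in packets if filter_keeps(p)]

# Constructed sample traffic, including an inbound HTTP probe of the kind
# ipchains was logging (the 10.9.8.7 source is invented).
SAMPLE = [
    Packet("arp"),
    Packet("esp", "1.1.1.1", "2.2.2.2"),
    Packet("tcp", "1.1.1.1", "M.M.M.M", 1025, 110),   # outbound POP3
    Packet("tcp", "M.M.M.M", "1.1.1.1", 110, 1025),   # inbound POP3 reply
    Packet("tcp", "1.1.1.1", "N.N.N.N", 1026, 119),   # outbound NNTP
    Packet("tcp", "1.1.1.1", "5.5.5.5", 1027, 80),    # outbound web
    Packet("tcp", "10.9.8.7", "1.1.1.1", 4000, 80),   # inbound HTTP probe
]

if __name__ == "__main__":
    for p in kept(SAMPLE):
        print("kept:", p)
```

The expression keeps both the outbound web request and the inbound TCP/80 probe, so nothing in its boolean logic excludes port-80 traffic; the place to look next is where tcpdump is listening (interface, snaplen, promiscuous mode) rather than the filter text.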