
List:       focus-ids
Subject:    Tcpdump filter
From:       Subba Rao <subba9 () home ! com>
Date:       2001-08-17 11:16:07

Hi,

I have written a filter to avoid logging,
	- ARP broadcasts
	- ESP packets
	- POP3 mail packets
	- News packets

not arp and not ip[9] = 50 and
 (
   (not (src host 1.1.1.1 and dst port 110)) and
   (not (src host M.M.M.M and src port 110))
 )
and
 (
   (not (src host 1.1.1.1 and dst port 119)) and
   (not (src host N.N.N.N and src port 119))
 )

This filter is not capturing the Code Red probes. IPChains is logging the
Code Red attempts on this machine but the filter fails to capture it.
Can anyone spot what I am doing wrong here? The outbound Web access is being
captured but not the Code Red access. Apart from the above listed packets, I
would like to capture the rest of the packets.

Thank you in advance.
-- 

Subba Rao
subba9@home.com
http://members.home.net/subba9/

GPG public key ID 27FC9217
Key fingerprint = 2B4C 498E 1860 5A2B 6570  5852 7527 882A 27FC 9217
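To check what the posted expression actually keeps, here is an added example (not from the original post) that mirrors the filter's logic in Python over constructed Ethernet/IPv4/TCP header bytes. It assumes stand-in addresses for M.M.M.M and N.N.N.N; running it shows that ordinary port-80 traffic, inbound or outbound, is not excluded by the expression.

```python
import struct
from ipaddress import ip_address

ETH_IP, ETH_ARP = 0x0800, 0x0806
# Stand-ins for the post's 1.1.1.1, M.M.M.M and N.N.N.N (assumed values)
LOCAL, POP3_SRV, NNTP_SRV = "1.1.1.1", "10.0.0.2", "10.0.0.3"

def parse(frame: bytes) -> dict:
    """Decode the fields of an Ethernet/IPv4/TCP frame that the filter tests."""
    pkt = {"ethertype": struct.unpack("!H", frame[12:14])[0]}
    if pkt["ethertype"] == ETH_IP:
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        pkt["proto"] = ip[9]                      # the byte tcpdump's ip[9] reads
        pkt["src"] = str(ip_address(ip[12:16]))
        if pkt["proto"] in (6, 17):               # only TCP/UDP carry ports
            pkt["sport"], pkt["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return pkt

def passes_filter(frame: bytes) -> bool:
    """Mirror of the posted expression: True means tcpdump would keep the frame."""
    p = parse(frame)
    if p["ethertype"] == ETH_ARP:                 # not arp
        return False
    if p.get("proto") == 50:                      # not ip[9] = 50  (ESP)
        return False
    src, sport, dport = p.get("src"), p.get("sport"), p.get("dport")
    pop3 = (src == LOCAL and dport == 110) or (src == POP3_SRV and sport == 110)
    news = (src == LOCAL and dport == 119) or (src == NNTP_SRV and sport == 119)
    return not pop3 and not news

def ip_frame(src, dst, sport, dport, proto=6) -> bytes:
    """Constructed Ethernet+IPv4+TCP header bytes (zero checksums, no payload)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

# Constructed ARP request frame (broadcast destination, empty ARP body)
ARP_FRAME = b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", ETH_ARP) + b"\x00" * 28

if __name__ == "__main__":
    cases = {
        "inbound HTTP to port 80": ip_frame("203.0.113.5", LOCAL, 4444, 80),
        "POP3 reply":              ip_frame(POP3_SRV, LOCAL, 110, 1025),
        "ESP":                     ip_frame(LOCAL, "10.0.0.9", 0, 0, proto=50),
        "ARP":                     ARP_FRAME,
    }
    for name, frame in cases.items():
        print(f"{name:24s} kept={passes_filter(frame)}")
```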
