
I'm using nfsen and I need to apply a filter to get a specific IP range, and I can't find the syntax. I searched the docs of nfdump and tcpdump but found nothing.

For now the netflows captured come from multiple addresses, and the IP range I want to get (and only those addresses) is from 130.190.0.0 to 130.190.127.255 with a mask of /17.

Or, another way to explain this: I only want addresses that start with 130.190. I don't care about others like 216.58, 51.254, etc.; there are a lot more.

klaypez
  • Did you mean 130.190.0.0 to 130.190.127.255? That would be the /17 block. – ilkkachu May 16 '17 at 13:09
  • @ilkkachu yes that's right, the /17 is the mask of my network – klaypez May 16 '17 at 13:15
  • What is the range you are wanting to capture? By the way your question is worded it looks to me like all of 130.190.0.0/17 (why is your range so big, by the way?) – cutrightjm May 16 '17 at 13:20
  • I want to capture all the flows which concern IP addresses starting with 130.190.X.X; this is what I want. The problem is when I enter `net 130.190.0.0/17` as filter, it still captures addresses like 216.58.198.46, but I don't want them – klaypez May 16 '17 at 13:24
  • You may want to specify `src net` or `dst net` as appropriate. – Ferenc Wágner May 17 '17 at 09:14
  • @FerencWágner This doesn't solve my problem. If you want another way to explain what I want: I want to capture all the flows that concern IP addresses starting with 130.190. – klaypez May 17 '17 at 10:00
  • net is great for IP ranges that align with CIDR subnet boundaries. What about random range numbers? I want to sniff all traffic from the four hosts .6 through .9 in 10.4.20.6-9 – Billy left SE for Codidact Aug 12 '20 at 04:25

1 Answer

If you want a filter to capture packets matching 130.190.0.0/17:

tcpdump net 130.190.0.0/17
slass100
  • Yeah, already tried this, but this filter captures other IP addresses like 216.58.198.46 and I don't know why – klaypez May 16 '17 at 13:29
  • It will capture 216.58.198.46 if the other end (i.e. source or destination) is in 130.190.0.0/17. If you want to only catch packets where the source and destination are in 130.190.0.0/17: `tcpdump src net 130.190.0.0/17 and dst net 130.190.0.0/17` – slass100 May 17 '17 at 14:06
  • @slass100 Thanks for responding. I tried the command you gave me and I only get 2 flows? Could you explain to me why, please? `2017-05-17 23:34:58.547 0.000 any 130.190.64.115 1(100.0) 1(100.0) 1028(100.0) 0 0 1028` `2017-05-17 23:34:58.547 0.000 any 130.190.65.254 1(100.0) 1(100.0) 1028(100.0) 0 0 1028` – klaypez May 18 '17 at 09:44
  • Without a diagram of your network, I can only guess. If your system running nfsen is connected to a switch (vs. a hub or span port) it will only "see" packets to or from your system (not packets between 2 hosts connected to the same switch as your device). – slass100 May 19 '17 at 12:19
  • Hm, I guess you don't understand because my English is poor, sorry about that, but it doesn't matter whether my machine is connected to a switch or a hub, no? I just want a filter that displays machines which have their IP starting with 130.190 as source or destination. I don't know, maybe I'm looking for something that doesn't exist, maybe there is just no filter that does what I want – klaypez May 19 '17 at 14:02
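To make the semantics in the answer and its comments concrete, here is an added Python example (not part of the original question or answer, and not nfdump's own code) that evaluates `net`, `src net`, `dst net` and `src net ... and dst net ...` against a few constructed flow records; it also shows why "every address starting with 130.190" is really 130.190.0.0/16 rather than /17, and, going beyond the page for the later comment about 10.4.20.6-9, how a range that does not sit on a CIDR boundary decomposes into CIDR blocks that can be OR'ed together as `net` terms. The flow records and the `filter_flows`/`range_to_cidrs` helper names are assumptions made for the example.

```python
import ipaddress

# Constructed sample flows as (src, dst) pairs; not real captured data.
SAMPLE_FLOWS = [
    ("130.190.64.115", "216.58.198.46"),   # inside /17 talking to an outside host
    ("216.58.198.46", "130.190.65.254"),   # the reply direction
    ("130.190.64.115", "130.190.65.254"),  # both ends inside /17
    ("130.190.200.1", "130.190.65.254"),   # src is 130.190.x but in the upper /17
    ("51.254.10.10", "8.8.8.8"),           # neither end inside
]


def filter_flows(flows, net_cidr, mode):
    """Keep flows matching a net filter on one or both endpoints.

    mode: "net"  -> either endpoint (what `net X` does)
          "src"  -> `src net X`
          "dst"  -> `dst net X`
          "both" -> `src net X and dst net X`
    """
    net = ipaddress.ip_network(net_cidr, strict=True)
    kept = []
    for src, dst in flows:
        s = ipaddress.ip_address(src) in net
        d = ipaddress.ip_address(dst) in net
        match = {"net": s or d, "src": s, "dst": d, "both": s and d}[mode]
        if match:
            kept.append((src, dst))
    return kept


def range_to_cidrs(first, last):
    """Decompose an arbitrary inclusive range into the CIDR blocks covering it."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


if __name__ == "__main__":
    for mode in ("net", "src", "dst", "both"):
        print(f"{mode:4} /17 ->", filter_flows(SAMPLE_FLOWS, "130.190.0.0/17", mode))
    # "starts with 130.190" is the /16, so the upper-half flow now matches "both"
    print("both /16 ->", filter_flows(SAMPLE_FLOWS, "130.190.0.0/16", "both"))
    # 10.4.20.6-9 is not one CIDR block; it needs two /31 terms OR'ed together
    print(range_to_cidrs("10.4.20.6", "10.4.20.9"))
```

With `net`, the flow to 216.58.198.46 is kept because its other end is inside the block, which is exactly what the asker observed; only the `both` mode drops it.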