This week, I received a request to search for a range of destination addresses that cannot easily be done using libpcap conventional macro filters but can be done using an IP protocol filter. It is quite easy to filter for a CIDR range (i.e. /23, /24) with a libpcap macro filter, but when it comes to searching for an unusual list of addresses such as 192.168.25.6 to 192.168.25.35, there is no simple macro to easily do it.

Guy Bruneau, IPSS Inc., gbruneau at isc dot sans dot org
Teaching Comprehensive Packet Analysis in Ottawa, ON this coming September
Guy (ISC Handler), Jun 28th 2009
Alternatively, there is a perl script called cidr_range.pl that I found. It takes a range of IPs and converts them to CIDR. Your range would be the same as these four CIDR ranges: 192.168.25.6/31, 192.168.25.8/29, 192.168.25.16/28, and 192.168.25.32/30. That's not nearly as elegant, but for someone who is afraid of digging into the bits, they can get the same result with less brain hurting.
Jasey, Jun 29th 2009
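The two approaches in the diary and the comment above, as an added example that is not part of the original thread: a small Python routine that splits an inclusive address range into the minimal set of aligned CIDR blocks (the same four blocks cidr_range.pl produced for 192.168.25.6 to 192.168.25.35) and then builds both a macro-style BPF filter from those blocks and a byte-offset filter that compares the 4-byte IPv4 destination field numerically. Function names are my own; the byte offsets rely only on the IPv4 header layout (source address at bytes 12-15, destination at 16-19).

```python
import ipaddress


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Split an inclusive IPv4 range into the minimal list of CIDR blocks.

    At each step take the largest block that starts exactly at the current
    address (host bits all zero) and does not run past the end of the range.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is after range end")
    blocks = []
    while lo <= hi:
        prefix = 32
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))      # size of the next larger block
            if lo % size != 0 or lo + size - 1 > hi:
                break                            # misaligned or overshoots the range
            prefix -= 1
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{prefix}")
        lo += 1 << (32 - prefix)
    return blocks


def cidr_bpf_filter(first: str, last: str, direction: str = "dst") -> str:
    """Macro-style libpcap filter: one 'net' term per aligned block."""
    return " or ".join(f"{direction} net {b}" for b in range_to_cidrs(first, last))


def offset_bpf_filter(first: str, last: str, direction: str = "dst") -> str:
    """Byte-offset libpcap filter: compare the address field as a 32-bit integer.

    ip[12:4] is the IPv4 source address, ip[16:4] the destination address,
    so a contiguous range becomes two numeric comparisons.
    """
    offset = 16 if direction == "dst" else 12
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    return f"ip[{offset}:4] >= 0x{lo:08x} and ip[{offset}:4] <= 0x{hi:08x}"


def covers_exactly(first: str, last: str) -> bool:
    """Sanity check: every address in the range is in exactly one block, none outside."""
    nets = [ipaddress.IPv4Network(b) for b in range_to_cidrs(first, last)]
    wanted = set(range(int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last)) + 1))
    got = [int(a) for n in nets for a in n]
    return len(got) == len(set(got)) and set(got) == wanted


if __name__ == "__main__":
    print(cidr_bpf_filter("192.168.25.6", "192.168.25.35"))
    print(offset_bpf_filter("192.168.25.6", "192.168.25.35"))
```

Both filter strings can be handed to tcpdump or tshark as a capture filter; the offset form stays a single expression no matter how ragged the range is.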
Richard Bejtlich blogged about an alternative approach that is easier to read, using wireshark/tshark display filters:
http://taosecurity.blogspot.com/2009/06/simpler-ip-range-matching-with-tshark.html
Andrew, Jun 29th 2009