Tcpdump Filters

Hi,

I am using a sniffer called darkstat (I can use tcpdump filters with
it) to look at my network traffic - specifically I want to see
traffic to and from the local network and the Internet.

I want to negate (not see) local traffic - specifically I want to not
see in the sniffer log local traffic to and from a local media server
and local computers on my home network. It streams a lot locally only
and I don't need to see that.

My local router only deals out local addresses of the kind
192.167.1.xxx. The media server is statically assigned 192.168.1.7.
Could you verify that the following command will negate seeing this
local streaming, or to be more precise not see traffic between the
local media server and local computers?

$ sudo darkstat -i eth0 -f "not ((src net 192.168.1.7 and dst net
192.168.1.0/24) or (src net 192.168.1.0/24 and dst net 192.168.1.7))"

Thanks

 

192.168.1.7 is just a subset of 192.168.1/24 and you've said you don't
need to see any local traffic (?) so perhaps something like:

"(not src net 192.168.1.0/24) or (not dst net 192.168.1.0/24)"

Presumably, that filter expression should show you everything that has
either source or destination IP other than those in 192.168.1.0/24.

rick jones