Solved

How can I use the display filter in Network Monitor to include a protocol I specify that excludes address ranges I trust?

Posted on 2011-09-12
4
3,751 Views
Last Modified: 2012-05-12
Folks -

I'm interested in doing a capture using Network Monitor 3.4 where I'd like to see ICMP/PING traffic that is destined for addresses I do not trust.

So for instance... let us say that I trust segment 192.168.x.x/24 and I trust 167.80.x.x/24 but I want to see ICMP traffic destined for *ALL ADDRESS THAT DO NOT FALL INTO THOSE SEGMENTS*... how can I do this?

Sadly, Network Monitor doesn't support simple wildcarding.  So I'd like help crafting a query.  I have a server that is attempting to ping strange addresses and in my enterprise, I only have a few trusted segments.  I want to find where it's going above and beyond my trusted segments.

Hopefully this makes sense.  Thanks in advance.
0
Comment
Question by:amendala
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 5

Expert Comment

by:FirstSentinel
ID: 36537199
I hope you're not too partial to M$ free tools.  :^p

Though Network Monitor has its place, it takes an excessive amount of work to accomplish what other products offer in a few clicks of a button. Network Monitor has limited capabilities.  

I'd like to suggest using the open-source/free edition industry standard WireShark

Here's the filter to use with WireShark

ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16 and ip.src==167.80.0.0/16 and  ip.dst==167.80.0.0/16


Most filters can be created on the fly!

WireShark's Filters can be found HERE.


If you're still insistent on using Network Monitor, I will assist with the solution.
0
 

Accepted Solution

by:
amendala earned 0 total points
ID: 36546429
I am insistent on using Network Monitor.  :)  I personally find WireShark to be quite a disaster and honestly negligibly more more powerful than Network Monitor - at least for what I do.  This particular filter though is one I've never had to define so it stumped me for a bit.  I do very much appreciate your reply, thank you for taking the time to write.

The following filter is what I used (with my real segment addresses removed):

--- BEGIN FILTER TEXT ---
!ARP AND !DHCP AND !DHCPV6 AND !LLMNR
AND
!(IPv4.DestinationAddress > 177.22.0.0 AND IPv4.DestinationAddress < 177.22.255.255)
AND
!(IPv4.DestinationAddress > 172.0.0.0 AND IPv4.DestinationAddress < 172.255.255.255)
--- END FILTER TEXT ---

This removes the most common noise and excludes my "trusted" segments.  It shows me precisely what I'm after.  If I wanted to see ICMP traffic only, I could add "AND ICMP" to the end.
0
 

Author Closing Comment

by:amendala
ID: 36565526
Answered my own question.  The filter I requested, I provided the text for.
0
 

Author Comment

by:amendala
ID: 36546442
Additionally, if further "trusted" segments needed to be added, the last two lines can be repeated over and over again with other segments.
0

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question