Solved

How can I use the display filter in Network Monitor to include a protocol I specify that excludes address ranges I trust?

Posted on 2011-09-12
4
3,543 Views
Last Modified: 2012-05-12
Folks -

I'm interested in doing a capture using Network Monitor 3.4 where I'd like to see ICMP/PING traffic that is destined for addresses I do not trust.

So for instance... let us say that I trust segment 192.168.x.x/24 and I trust 167.80.x.x/24 but I want to see ICMP traffic destined for *ALL ADDRESS THAT DO NOT FALL INTO THOSE SEGMENTS*... how can I do this?

Sadly, Network Monitor doesn't support simple wildcarding.  So I'd like help crafting a query.  I have a server that is attempting to ping strange addresses and in my enterprise, I only have a few trusted segments.  I want to find where it's going above and beyond my trusted segments.

Hopefully this makes sense.  Thanks in advance.
0
Comment
Question by:amendala
  • 3
4 Comments
 
LVL 5

Expert Comment

by:FirstSentinel
ID: 36537199
I hope you're not too partial to M$ free tools.  :^p

Though Network Monitor has its place, it takes an excessive amount of work to accomplish what other products offer in a few clicks of a button. Network Monitor has limited capabilities.  

I'd like to suggest using the open-source/free edition industry standard WireShark

Here's the filter to use with WireShark

ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16 and ip.src==167.80.0.0/16 and  ip.dst==167.80.0.0/16


Most filters can be created on the fly!

WireShark's Filters can be found HERE.


If you're still insistent on using Network Monitor, I will assist with the solution.
0
 

Accepted Solution

by:
amendala earned 0 total points
ID: 36546429
I am insistent on using Network Monitor.  :)  I personally find WireShark to be quite a disaster and honestly negligibly more more powerful than Network Monitor - at least for what I do.  This particular filter though is one I've never had to define so it stumped me for a bit.  I do very much appreciate your reply, thank you for taking the time to write.

The following filter is what I used (with my real segment addresses removed):

--- BEGIN FILTER TEXT ---
!ARP AND !DHCP AND !DHCPV6 AND !LLMNR
AND
!(IPv4.DestinationAddress > 177.22.0.0 AND IPv4.DestinationAddress < 177.22.255.255)
AND
!(IPv4.DestinationAddress > 172.0.0.0 AND IPv4.DestinationAddress < 172.255.255.255)
--- END FILTER TEXT ---

This removes the most common noise and excludes my "trusted" segments.  It shows me precisely what I'm after.  If I wanted to see ICMP traffic only, I could add "AND ICMP" to the end.
0
 

Author Closing Comment

by:amendala
ID: 36565526
Answered my own question.  The filter I requested, I provided the text for.
0
 

Author Comment

by:amendala
ID: 36546442
Additionally, if further "trusted" segments needed to be added, the last two lines can be repeated over and over again with other segments.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

939 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now