Solved

How can I use the display filter in Network Monitor to include a protocol I specify that excludes address ranges I trust?

Posted on 2011-09-12
4
3,691 Views
Last Modified: 2012-05-12
Folks -

I'm interested in doing a capture using Network Monitor 3.4 where I'd like to see ICMP/PING traffic that is destined for addresses I do not trust.

So for instance... let us say that I trust segment 192.168.x.x/24 and I trust 167.80.x.x/24 but I want to see ICMP traffic destined for *ALL ADDRESS THAT DO NOT FALL INTO THOSE SEGMENTS*... how can I do this?

Sadly, Network Monitor doesn't support simple wildcarding.  So I'd like help crafting a query.  I have a server that is attempting to ping strange addresses and in my enterprise, I only have a few trusted segments.  I want to find where it's going above and beyond my trusted segments.

Hopefully this makes sense.  Thanks in advance.
0
Comment
Question by:amendala
  • 3
4 Comments
 
LVL 5

Expert Comment

by:FirstSentinel
ID: 36537199
I hope you're not too partial to M$ free tools.  :^p

Though Network Monitor has its place, it takes an excessive amount of work to accomplish what other products offer in a few clicks of a button. Network Monitor has limited capabilities.  

I'd like to suggest using the open-source/free edition industry standard WireShark

Here's the filter to use with WireShark

ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16 and ip.src==167.80.0.0/16 and  ip.dst==167.80.0.0/16


Most filters can be created on the fly!

WireShark's Filters can be found HERE.


If you're still insistent on using Network Monitor, I will assist with the solution.
0
 

Accepted Solution

by:
amendala earned 0 total points
ID: 36546429
I am insistent on using Network Monitor.  :)  I personally find WireShark to be quite a disaster and honestly negligibly more more powerful than Network Monitor - at least for what I do.  This particular filter though is one I've never had to define so it stumped me for a bit.  I do very much appreciate your reply, thank you for taking the time to write.

The following filter is what I used (with my real segment addresses removed):

--- BEGIN FILTER TEXT ---
!ARP AND !DHCP AND !DHCPV6 AND !LLMNR
AND
!(IPv4.DestinationAddress > 177.22.0.0 AND IPv4.DestinationAddress < 177.22.255.255)
AND
!(IPv4.DestinationAddress > 172.0.0.0 AND IPv4.DestinationAddress < 172.255.255.255)
--- END FILTER TEXT ---

This removes the most common noise and excludes my "trusted" segments.  It shows me precisely what I'm after.  If I wanted to see ICMP traffic only, I could add "AND ICMP" to the end.
0
 

Author Closing Comment

by:amendala
ID: 36565526
Answered my own question.  The filter I requested, I provided the text for.
0
 

Author Comment

by:amendala
ID: 36546442
Additionally, if further "trusted" segments needed to be added, the last two lines can be repeated over and over again with other segments.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question