Solved

How can I use the display filter in Network Monitor to include a protocol I specify that excludes address ranges I trust?

Posted on 2011-09-12
4
3,484 Views
Last Modified: 2012-05-12
Folks -

I'm interested in doing a capture using Network Monitor 3.4 where I'd like to see ICMP/PING traffic that is destined for addresses I do not trust.

So for instance... let us say that I trust segment 192.168.x.x/24 and I trust 167.80.x.x/24 but I want to see ICMP traffic destined for *ALL ADDRESS THAT DO NOT FALL INTO THOSE SEGMENTS*... how can I do this?

Sadly, Network Monitor doesn't support simple wildcarding.  So I'd like help crafting a query.  I have a server that is attempting to ping strange addresses and in my enterprise, I only have a few trusted segments.  I want to find where it's going above and beyond my trusted segments.

Hopefully this makes sense.  Thanks in advance.
0
Comment
Question by:amendala
  • 3
4 Comments
 
LVL 5

Expert Comment

by:FirstSentinel
ID: 36537199
I hope you're not too partial to M$ free tools.  :^p

Though Network Monitor has its place, it takes an excessive amount of work to accomplish what other products offer in a few clicks of a button. Network Monitor has limited capabilities.  

I'd like to suggest using the open-source/free edition industry standard WireShark

Here's the filter to use with WireShark

ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16 and ip.src==167.80.0.0/16 and  ip.dst==167.80.0.0/16


Most filters can be created on the fly!

WireShark's Filters can be found HERE.


If you're still insistent on using Network Monitor, I will assist with the solution.
0
 

Accepted Solution

by:
amendala earned 0 total points
ID: 36546429
I am insistent on using Network Monitor.  :)  I personally find WireShark to be quite a disaster and honestly negligibly more more powerful than Network Monitor - at least for what I do.  This particular filter though is one I've never had to define so it stumped me for a bit.  I do very much appreciate your reply, thank you for taking the time to write.

The following filter is what I used (with my real segment addresses removed):

--- BEGIN FILTER TEXT ---
!ARP AND !DHCP AND !DHCPV6 AND !LLMNR
AND
!(IPv4.DestinationAddress > 177.22.0.0 AND IPv4.DestinationAddress < 177.22.255.255)
AND
!(IPv4.DestinationAddress > 172.0.0.0 AND IPv4.DestinationAddress < 172.255.255.255)
--- END FILTER TEXT ---

This removes the most common noise and excludes my "trusted" segments.  It shows me precisely what I'm after.  If I wanted to see ICMP traffic only, I could add "AND ICMP" to the end.
0
 

Author Closing Comment

by:amendala
ID: 36565526
Answered my own question.  The filter I requested, I provided the text for.
0
 

Author Comment

by:amendala
ID: 36546442
Additionally, if further "trusted" segments needed to be added, the last two lines can be repeated over and over again with other segments.
0

Featured Post

Why spend so long doing email signature updates?

Do you spend loads of your time carrying out email signature updates? Not very interesting are they? Don’t let signature updates get you down. Let Exclaimer Cloud - Signatures for Office 365 make managing email signatures a breeze.

Join & Write a Comment

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now