Solved

How can I use the display filter in Network Monitor to include a protocol I specify that excludes address ranges I trust?

Posted on 2011-09-12
4
3,642 Views
Last Modified: 2012-05-12
Folks -

I'm interested in doing a capture using Network Monitor 3.4 where I'd like to see ICMP/PING traffic that is destined for addresses I do not trust.

So for instance... let us say that I trust segment 192.168.x.x/24 and I trust 167.80.x.x/24 but I want to see ICMP traffic destined for *ALL ADDRESS THAT DO NOT FALL INTO THOSE SEGMENTS*... how can I do this?

Sadly, Network Monitor doesn't support simple wildcarding.  So I'd like help crafting a query.  I have a server that is attempting to ping strange addresses and in my enterprise, I only have a few trusted segments.  I want to find where it's going above and beyond my trusted segments.

Hopefully this makes sense.  Thanks in advance.
0
Comment
Question by:amendala
  • 3
4 Comments
 
LVL 5

Expert Comment

by:FirstSentinel
ID: 36537199
I hope you're not too partial to M$ free tools.  :^p

Though Network Monitor has its place, it takes an excessive amount of work to accomplish what other products offer in a few clicks of a button. Network Monitor has limited capabilities.  

I'd like to suggest using the open-source/free edition industry standard WireShark

Here's the filter to use with WireShark

ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16 and ip.src==167.80.0.0/16 and  ip.dst==167.80.0.0/16


Most filters can be created on the fly!

WireShark's Filters can be found HERE.


If you're still insistent on using Network Monitor, I will assist with the solution.
0
 

Accepted Solution

by:
amendala earned 0 total points
ID: 36546429
I am insistent on using Network Monitor.  :)  I personally find WireShark to be quite a disaster and honestly negligibly more more powerful than Network Monitor - at least for what I do.  This particular filter though is one I've never had to define so it stumped me for a bit.  I do very much appreciate your reply, thank you for taking the time to write.

The following filter is what I used (with my real segment addresses removed):

--- BEGIN FILTER TEXT ---
!ARP AND !DHCP AND !DHCPV6 AND !LLMNR
AND
!(IPv4.DestinationAddress > 177.22.0.0 AND IPv4.DestinationAddress < 177.22.255.255)
AND
!(IPv4.DestinationAddress > 172.0.0.0 AND IPv4.DestinationAddress < 172.255.255.255)
--- END FILTER TEXT ---

This removes the most common noise and excludes my "trusted" segments.  It shows me precisely what I'm after.  If I wanted to see ICMP traffic only, I could add "AND ICMP" to the end.
0
 

Author Closing Comment

by:amendala
ID: 36565526
Answered my own question.  The filter I requested, I provided the text for.
0
 

Author Comment

by:amendala
ID: 36546442
Additionally, if further "trusted" segments needed to be added, the last two lines can be repeated over and over again with other segments.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

822 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question