Wireshark-users: Re: [Wireshark-users] limit of IP filters in dumpcap

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Tue, 18 Apr 2017 15:50:14 +0200
On Tue, Apr 18, 2017 at 02:08:40AM +0000, Jianhong Xia wrote:
> Hi,
> 
> I am not sure if anyone asked this question before.
> 
> I am using dumpcap to capture network traffic with thousands of
> clients from a local sub-network. I would like to use an IP filter to
> capture the traffic from/to selected IP addresses. I know if I have
> a few IP addresses to capture, I can use
> 
> dumpcap -i en0 -f 'host x.a.b.c and host x.d.e.f and host x.g.h.i'  -w traffic.pcap
> 
> 
> However, if I have thousands of IP addresses whose traffic I want to
> capture, how many IP address filters can dumpcap support?

Not sure what the exact limit is, but I don't think that it scales to
1000s of addresses. Since you mentioned a local subnetwork, there is
another option. To match all addresses within the 192.168.0.0/24 net,
use the "net 192.168.0.0/16" capture filter.

If that is not applicable, perhaps you can have a look at using ipsets
and nflog. With the "ipset" program you create a set of IP addresses
which you can then match with "iptables" and send matching packets to
the NFLOG target. Then you can capture from the "nflog" interface.

See also:
http://ipset.netfilter.org/ipset.man.html
http://ipset.netfilter.org/iptables-extensions.man.html
https://wiki.wireshark.org/CaptureSetup/NFLOG
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
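As an added example (not code from the thread or from the Wireshark project), the POSIX shell script below covers both options discussed above: for a short address list it builds a single BPF capture filter for dumpcap, and for a long one it emits the ipset + iptables NFLOG recipe from the reply so the matching packets can be captured from the nflog interface. Addresses in the generated filter are joined with `or`, since a packet has only one source and one destination and `host A and host B` would match only traffic between A and B. The set name `capture_hosts`, NFLOG group 5, the interface `en0`, the 50-address threshold, the sample addresses and the choice of iptables chains are all assumptions for the demo, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not code from the Wireshark-users thread.
# Two ways to capture traffic for a list of IP addresses:
#   build_host_filter - one BPF capture filter "host A or host B or ..."
#                       (fine for a handful of addresses; a very long filter
#                       is eventually rejected by the kernel's BPF size limit)
#   nflog_commands    - the ipset + iptables NFLOG recipe from the reply,
#                       emitted as commands; pipe into "sudo sh" to apply.
# Assumed names: set "capture_hosts", NFLOG group 5, interface en0.

# Constructed sample address list (RFC 5737 documentation ranges).
ADDR_LIST=$(cat <<'EOF'
# comment lines and blank lines are ignored
192.0.2.10
192.0.2.11

198.51.100.7
EOF
)

# Read addresses on stdin, one per line; print one capture filter that
# matches packets sent to or from any of them.
build_host_filter() {
    awk '
        /^[ \t]*(#|$)/ { next }
        { n++; f = f (n > 1 ? " or " : "") "host " $1 }
        END { print f }
    '
}

# Count the addresses in a list, so a caller can decide which approach
# to use before handing a huge filter to dumpcap.
count_addresses() {
    awk '/^[ \t]*(#|$)/ { next } { n++ } END { print n + 0 }'
}

# Emit the netfilter setup for a large list.
# Usage: nflog_commands SETNAME GROUP < addresses
nflog_commands() {
    set_name=$1; group=$2
    printf 'ipset create %s hash:ip\n' "$set_name"
    awk -v set="$set_name" '
        /^[ \t]*(#|$)/ { next }
        { print "ipset add " set " " $1 }
    '
    # Traffic terminating here (INPUT/OUTPUT) and, if this box forwards for
    # the subnet, transit traffic (FORWARD). NFLOG copies matching packets
    # to the group without changing whether they are accepted.
    for rule in "INPUT src" "OUTPUT dst" "FORWARD src" "FORWARD dst"; do
        set -- $rule
        printf 'iptables -I %s -m set --match-set %s %s -j NFLOG --nflog-group %s\n' \
            "$1" "$set_name" "$2" "$group"
    done
    # libpcap exposes the group as the capture interface "nflog:GROUP".
    printf 'dumpcap -i nflog:%s -w traffic.pcap\n' "$group"
}

# Demo when run as "sh script.sh demo": small lists get a BPF filter,
# large ones (threshold 50 is an assumption) get the NFLOG recipe.
if [ "${1:-}" = "demo" ]; then
    n=$(printf '%s\n' "$ADDR_LIST" | count_addresses)
    if [ "$n" -le 50 ]; then
        printf 'dumpcap -i en0 -f "%s" -w traffic.pcap\n' \
            "$(printf '%s\n' "$ADDR_LIST" | build_host_filter)"
    else
        printf '%s\n' "$ADDR_LIST" | nflog_commands capture_hosts 5
    fi
fi
```

The emitted ipset/iptables commands need root to apply; the script only prints them so the generated ruleset can be reviewed first. To remove the rules afterwards, delete the four iptables rules and destroy the set.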