Wireshark-users: Re: [Wireshark-users] limit of IP filters in dumpcap

From: Jianhong Xia <jianhong.xia@xxxxxxxxxxx>
Date: Tue, 18 Apr 2017 17:22:18 +0000
Thanks Peter and Ian. 

Aggregation from IP addresses to a subnet is not applicable here because the IP addresses are not contiguous. Also, looping through individual filters may not be scalable or efficient. 

I think ipsets and nflog might be the solution for my case. I will take a look and try it out. 

Thanks again,
Jianhong

On 4/18/17, 6:50 AM, "wireshark-users-bounces@xxxxxxxxxxxxx on behalf of Peter Wu" <wireshark-users-bounces@xxxxxxxxxxxxx on behalf of peter@xxxxxxxxxxxxx> wrote:

    On Tue, Apr 18, 2017 at 02:08:40AM +0000, Jianhong Xia wrote:
    > Hi,
    > 
    > I am not sure if anyone asked this question before.
    > 
    > I am using dumpcap to capture network traffic with thousands of
    > clients from local sub-network. I would like to use IP filter to
    > capture the traffic from/to selectively IP addresses. I know if I have
    > a few IP addresses to capture, I can use
    > 
    > dumpcap -i en0 -f 'host x.a.b.c and host x.d.e.f and host x.g.h.i'  -w traffic.pcap
    > 
    > 
    > However, if I have thousands of IP addresses that I want to capture
    > their traffic, how many IP address filters that dumpcap can support?
    
    Not sure what the exact limit is, but I don't think that it scales to
    1000s of addresses. Since you mentioned a local subnetwork, there is
    another option. To match all addresses within the 192.168.0.0/24 net,
    use the "net 192.168.0.0/16" capture filter.
    
    If that is not applicable, perhaps you can have a look at using ipsets
    and nflog. With the "ipset" program you create a set of IP addresses
    which you can then match with "iptables" and send matching packets to
    the NFLOG target. Then you can capture from the "nflog" interface.
    
    See also:
    http://ipset.netfilter.org/ipset.man.html
    http://ipset.netfilter.org/iptables-extensions.man.html
    https://wiki.wireshark.org/CaptureSetup/NFLOG
    -- 
    Kind regards,
    Peter Wu
    https://lekensteyn.nl
    ___________________________________________________________________________
    Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
    Archives:    https://www.wireshark.org/lists/wireshark-users
    Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
                 mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
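An added example, not from the thread and not Peter's or the Wireshark project's code, that turns the ipset/NFLOG suggestion into a reviewable command script: it prints the `ipset`, `iptables` and `dumpcap` commands for a list of non-contiguous addresses instead of running them, so it can be checked before being executed as root. The set name `watched`, NFLOG group 5, the mangle-table chains and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: generate the ipset + iptables NFLOG + dumpcap commands
# that replace a huge "host a and host b and ..." capture filter.
# Assumes Linux with ipset, iptables (set match, NFLOG target) and a
# libpcap with NFLOG support; the generated commands need root.

SET_NAME=watched      # assumed set name
NFLOG_GROUP=5         # assumed NFLOG group; dumpcap listens on nflog:5

# Constructed sample client list (one address per line; blank lines and
# '#' comments are ignored). In practice this would hold thousands of entries.
WATCHED_IPS='
# constructed sample data
192.0.2.10
192.0.2.57
198.51.100.200
203.0.113.4
'

# Print the commands that build the set and hook it into netfilter.
gen_capture_setup() {
    printf 'ipset create %s hash:ip -exist\n' "$SET_NAME"
    printf '%s\n' "$WATCHED_IPS" \
        | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
        | while read -r ip; do
            printf 'ipset add %s %s -exist\n' "$SET_NAME" "$ip"
        done
    # NFLOG is non-terminating: a matched packet is copied to the nflog
    # group and still traverses the rest of the ruleset, so traffic is
    # not dropped. PREROUTING sees every packet arriving and POSTROUTING
    # every packet leaving, so matching src on the way in and dst on the
    # way out covers "from/to" the watched hosts whether this box is an
    # endpoint or a router (a packet between two watched hosts that is
    # forwarded here is seen twice).
    printf 'iptables -t mangle -I PREROUTING -m set --match-set %s src -j NFLOG --nflog-group %s\n' \
        "$SET_NAME" "$NFLOG_GROUP"
    printf 'iptables -t mangle -I POSTROUTING -m set --match-set %s dst -j NFLOG --nflog-group %s\n' \
        "$SET_NAME" "$NFLOG_GROUP"
    printf 'dumpcap -i nflog:%s -w traffic.pcap\n' "$NFLOG_GROUP"
}

# Sanity check: how many addresses made it into the set. Lookup cost in the
# kernel does not grow with the number of entries, unlike a BPF host list.
count_set_entries() {
    gen_capture_setup | grep -c "^ipset add $SET_NAME "
}
```

For thousands of entries, feeding the `add` lines to `ipset restore` in one process is much faster than one `ipset add` process per address.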