LinuxQuestions.org > Linux - Newbie > ngrep filter port
https://www.linuxquestions.org/questions/linux-newbie-8/ngrep-filter-port-817432/

qwertyjjj 07-01-2010 11:04 AM

ngrep filter port
 
I am trying to list all traffic from 1 IP address but filter out port 1057.
Any ideas?
I keep getting syntax errors. I've tried:

Code:

ngrep -e host xx.xx.xxx.170 not port 1057
ngrep -e port 1057 -x host xx.xx.xxx.170
ngrep -e not port 1057 -x host xx.xx.xxx.170
etc.


unSpawn 07-01-2010 11:51 AM

BPF filters are always placed at the end of the command line and I always use single quotes: ngrep -switch -otherswitch 'host somehost and not tcp port portnumber'.

qwertyjjj 07-01-2010 11:59 AM

Quote:

Originally Posted by unSpawn (Post 4020751)
BPF filters are always placed at the end of the command line and I always use single quotes: ngrep -switch -otherswitch 'host somehost and not tcp port portnumber'.

So,
ngrep -e 'host xx.xx.xxx.170 and not udp port 22'

udp is for ssh?

unSpawn 07-01-2010 01:15 PM

'getent services ssh'?

qwertyjjj 07-01-2010 07:42 PM

Quote:

Originally Posted by unSpawn (Post 4020856)
'getent services ssh'?

Nah, I'm trying to track packets on port 443 as I redirected 443 to my OpenVPN port 1194 but it's being blocked. I need to trace what is happening but haven't got wireshark.
Just trying to block any packets from SSH in the trace so I can see it clearly...

qwertyjjj 07-02-2010 11:45 AM

Quote:

Originally Posted by qwertyjjj (Post 4021146)
Nah, I'm trying to track packets on port 443 as I redirected 443 to my OpenVPN port 1194 but it's being blocked. I need to trace what is happening but haven't got wireshark.
Just trying to block any packets from SSH in the trace so I can see it clearly...

Any ideas?

unSpawn 07-03-2010 04:36 AM

Quote:

Originally Posted by qwertyjjj (Post 4021905)
Any ideas?

Yeah. You asked if SSH uses UDP. I showed you where you can look that up for yourself. Your reply then starts with "Nah", which means "no". So from that point on you're free to do research yourself.

qwertyjjj 07-03-2010 07:24 AM

Quote:

Originally Posted by unSpawn (Post 4022552)
Yeah. You asked if SSH uses UDP. I showed you where you can look that up for yourself. Your reply then starts with "Nah", which means "no". So from that point on you're free to do research yourself.

Eh?
Must be a misunderstanding.
I was asking how to list the packets from that source IP excluding SSH using ngrep.
I looked up getent but I don't understand what it has to do with ngrep in this case...I'm just trying to exclude port 22 from the results.
The code above for ngrep works but it is also listing ports 80 and 8080, which I need to exclude.
Do I just add a load of and statements on the end?

The ngrep command does not seem to exclude the other IP addresses.
ngrep -e 'host xx.xx.xxx.170 and not udp port 22 and not port 80 and not port 8080'

Code:

T xx.xxx.xxx.198:16040 -> 213.155.157.118:80 [A]
##
T xx.xxx.xxx.198:16040 -> 213.155.157.118:80 [A]
####################################
T xx.xxx.xxx.198:16040 -> 213.155.157.118:80 [A]
########################
T xx.xxx.xxx.198:16040 -> 213.155.157.118:80 [A]
#####
T xx.xxx.xxx.198:16040 -> 213.155.157.118:80 [A]
####################################################exit
6125 received, 0 dropped
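The filter the thread ends on (`host X and not udp port 22 and not port 80 and not port 8080`) can be checked against ngrep's own summary lines: if packets to port 80 or from another host still show up, the BPF expression did not take effect (ngrep reads its regular-expression match pattern before the BPF filter, so a lone quoted argument is taken as the pattern, not the filter). The script below is an added example, not code from the thread or from ngrep. It parses TCP/UDP summary lines of the form shown above, re-applies the intended filter to them in Python, and reports the packets that should not have appeared. It also distinguishes `udp port 22` (UDP only) from `port 22` (TCP or UDP), which is the point the thread stumbled over. The sample lines and addresses are constructed, and the function names (`parse_ngrep_output`, `find_leaks`, `port_summary`) are this example's own.

```python
import re
from collections import Counter

# Constructed sample of ngrep summary output, modelled on the lines in the thread.
# Addresses are from RFC 5737 documentation ranges, not real hosts.
SAMPLE_OUTPUT = """\
T 192.0.2.170:16040 -> 203.0.113.7:80 [A]
##
T 192.0.2.170:51234 -> 203.0.113.9:443 [AP]
####
U 192.0.2.170:40000 -> 203.0.113.9:1194
T 203.0.113.9:22 -> 192.0.2.170:51235 [AP]
T 192.0.2.198:33000 -> 203.0.113.7:8080 [S]
6125 received, 0 dropped
"""

# "T src:port -> dst:port [flags]" for TCP, "U src:port -> dst:port" for UDP.
LINE_RE = re.compile(
    r"^(?P<proto>[TU])\s+(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[^\s:]+):(?P<dport>\d+)(?:\s+\[(?P<flags>[^\]]*)\])?"
)
PROTO_NAMES = {"T": "tcp", "U": "udp"}


def parse_ngrep_line(line):
    """Return a dict for a TCP/UDP summary line, or None for '#' padding and footers."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "proto": PROTO_NAMES[m.group("proto")],
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": m.group("flags") or "",
    }


def parse_ngrep_output(text):
    """Parse every summary line in a captured ngrep session."""
    records = []
    for line in text.splitlines():
        rec = parse_ngrep_line(line)
        if rec:
            records.append(rec)
    return records


def parse_exclusion(spec):
    """'udp 22' -> ('udp', 22): protocol-specific, like BPF 'udp port 22'.
    '80' -> (None, 80): either protocol, like BPF 'port 80'."""
    parts = spec.split()
    if len(parts) == 2:
        return parts[0].lower(), int(parts[1])
    return None, int(parts[0])


def packet_passes(rec, host, exclusions):
    """Emulate 'host H and not <excl1> and not <excl2> ...' for one packet."""
    if host not in (rec["src"], rec["dst"]):
        return False
    for proto, port in exclusions:
        if proto is not None and proto != rec["proto"]:
            continue  # 'udp port 22' does not touch TCP traffic
        if port in (rec["sport"], rec["dport"]):
            return False
    return True


def find_leaks(records, host, exclusion_specs):
    """Packets present in the output that the intended filter should have dropped."""
    exclusions = [parse_exclusion(s) for s in exclusion_specs]
    return [r for r in records if not packet_passes(r, host, exclusions)]


def port_summary(records):
    """Count packets by (protocol, destination port) to see what is really being captured."""
    return Counter((r["proto"], r["dport"]) for r in records)


if __name__ == "__main__":
    recs = parse_ngrep_output(SAMPLE_OUTPUT)
    print("captured by port:", dict(port_summary(recs)))
    for r in find_leaks(recs, "192.0.2.170", ["udp 22", "80", "8080"]):
        print("should have been filtered:", r)
```

Run against a real session with `ngrep ... | tee capture.txt` and feed `capture.txt` to `parse_ngrep_output`. In the constructed sample the SSH packet on TCP 22 is not reported as a leak when the exclusion is written `udp 22`, exactly as the thread's `not udp port 22` would let it through; change the exclusion to `22` and it is.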


