LinuxQuestions.org
Old 07-01-2010, 12:04 PM   #1
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

ngrep filter port


I am trying to list all traffic from 1 IP address but filter out port 1057.
Any ideas?
I keep getting syntax errors. I've tried:

Code:
ngrep -e host xx.xx.xxx.170 not port 1057
ngrep -e port 1057 -x host xx.xx.xxx.170
ngrep -e not port 1057 -x host xx.xx.xxx.170
etc.
 
Old 07-01-2010, 12:51 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

BPF filters are always placed at the end of the command line and I always use single quotes: ngrep -switch -otherswitch 'host somehost and not tcp port portnumber'.
 
Old 07-01-2010, 12:59 PM   #3
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Quote:
Originally Posted by unSpawn View Post
BPF filters are always placed at the end of the command line and I always use single quotes: ngrep -switch -otherswitch 'host somehost and not tcp port portnumber'.
So,
ngrep -e 'host xx.xx.xxx.170 and not udp port 22'

UDP is for SSH?
 
Old 07-01-2010, 02:15 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

'getent services ssh'?
 
Old 07-01-2010, 08:42 PM   #5
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Quote:
Originally Posted by unSpawn View Post
'getent services ssh'?
Nah, I'm trying to track packets on port 443 as I redirected 443 to my OpenVPN port 1194 but it's being blocked. I need to trace what is happening but haven't got Wireshark.
Just trying to block any packets from SSH in the trace so I can see it clearly...
 
Old 07-02-2010, 12:45 PM   #6
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Quote:
Originally Posted by qwertyjjj View Post
Nah, I'm trying to track packets on port 443 as I redirected 443 to my OpenVPN port 1194 but it's being blocked. I need to trace what is happening but haven't got Wireshark.
Just trying to block any packets from SSH in the trace so I can see it clearly...
Any ideas?
 
Old 07-03-2010, 05:36 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Quote:
Originally Posted by qwertyjjj View Post
Any ideas?
Yeah. You asked if SSH uses UDP. I showed you where you can look that up for yourself. Your reply then starts with "Nah", which means "no". So from that point on you're free to do research yourself.
 
Old 07-03-2010, 08:24 AM   #8
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Quote:
Originally Posted by unSpawn View Post
Yeah. You asked if SSH uses UDP. I showed you where you can look that up for yourself. Your reply then starts with "Nah", which means "no". So from that point on you're free to do research yourself.
Eh?
Must be a misunderstanding.
I was asking how to list the packets from that source IP excluding SSH using ngrep.
I looked up getent but I don't understand what it has to do with ngrep in this case... I'm just trying to exclude port 22 from the results.
The code above for ngrep works but it is also listing ports 80 and 8080, which I need to exclude.
Do I just add a load of "and" statements on the end?

The ngrep command does not seem to exclude the other IP addresses.
ngrep -e 'host xx.xx.xxx.170 and not udp port 22 and not port 80 and not port 8080'

Code:
T xx.xxx.xxx.198:16040 -> 213.155.157.118:80 [A]
##
T xx.xxx.xxx.198:16040 -> 213.155.157.118:80 [A]
####################################
T xx.xxx.xxx.198:16040 -> 213.155.157.118:80 [A]
########################
T xx.xxx.xxx.198:16040 -> 213.155.157.118:80 [A]
#####
T xx.xxx.xxx.198:16040 -> 213.155.157.118:80 [A]
####################################################exit
6125 received, 0 dropped

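The filter syntax unSpawn gives in post #2 and the output pasted in post #8, worked through as an added example (this is not code from the thread or from the ngrep project). ngrep is invoked as `ngrep [options] [match expression] [bpf filter]`: the regular expression is the first positional argument and the BPF filter is the last, so a single quoted string on its own is parsed as the regex and no BPF filter is applied; with -e, ngrep also prints payload-less packets regardless of the regex, which is why such a run shows every bare ACK. The script below builds the argv in the right order, parses ngrep's default `T src:port -> dst:port [flags]` header lines, and reports any packet that the intended `host H and not port N ...` filter should have dropped. The interface name eth0, the RFC 5737 addresses and the sample output are assumptions constructed for the example; the header regex assumes IPv4 and no -t timestamp prefix.

```python
"""ngrep command-line construction and output audit.

Added example (not from the LinuxQuestions thread). ngrep is invoked as
    ngrep [options] [match expression] [bpf filter]
so the regular expression is the first positional argument and the BPF
filter is the last. A single quoted string is therefore parsed as the
regex, and no BPF filter is applied at all.
"""
import re
import shlex
from collections import Counter

# Assumed capture interface for the stand-alone run.
IFACE = "eth0"


def ngrep_argv(host, exclude_ports, iface=IFACE, regex=""):
    """Build ngrep's argv with the BPF filter as the final argument.

    An empty regex matches every packet, so only the BPF filter decides what
    is printed. 'not port N' drops both TCP and UDP traffic on that port;
    use 'not tcp port N' to drop only one protocol.
    """
    terms = [f"host {host}"] + [f"not port {p}" for p in sorted(set(exclude_ports))]
    return ["ngrep", "-d", iface, "-W", "byline", regex, " and ".join(terms)]


def ngrep_cmdline(host, exclude_ports, iface=IFACE):
    """Shell-quoted form of ngrep_argv(), ready to paste into a terminal."""
    return shlex.join(ngrep_argv(host, exclude_ports, iface))


# ngrep's default TCP/UDP header: "T 1.2.3.4:1234 -> 5.6.7.8:80 [AP]"
# (IPv4 only; assumes no -t timestamp prefix).
HEADER = re.compile(
    r"^(?P<proto>[TU]) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: \[(?P<flags>[^\]]*)\])?"
)


def parse_headers(output):
    """Extract one dict per packet header; '#' progress lines and the
    trailing 'exit' / 'N received' summary are skipped."""
    flows = []
    for line in output.splitlines():
        m = HEADER.match(line)
        if m:
            f = m.groupdict()
            f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
            flows.append(f)
    return flows


def audit(flows, host, exclude_ports):
    """Return packets that 'host H and not port ...' should have dropped.

    A non-empty result means the filter never reached libpcap, which is
    what happens when it is passed in the regex position."""
    return [
        f for f in flows
        if host not in (f["src"], f["dst"])
        or f["sport"] in exclude_ports
        or f["dport"] in exclude_ports
    ]


def summarize(flows):
    """Packets per (src, dst, dport), e.g. to confirm 443 traffic arrives."""
    return Counter((f["src"], f["dst"], f["dport"]) for f in flows)


# Constructed sample in ngrep's output format (RFC 5737 addresses, not the
# thread's masked capture). 192.0.2.170 plays the role of the host of interest.
SAMPLE = """\
T 198.51.100.198:16040 -> 203.0.113.118:80 [A]
##
T 192.0.2.170:51234 -> 198.51.100.5:22 [AP]
####
T 192.0.2.170:40000 -> 198.51.100.5:443 [S]
T 198.51.100.5:443 -> 192.0.2.170:40000 [AS]
U 192.0.2.170:1194 -> 198.51.100.5:1194
####exit
6125 received, 0 dropped
"""

if __name__ == "__main__":
    host, ports = "192.0.2.170", {22, 80, 8080}
    print(ngrep_cmdline(host, ports))
    flows = parse_headers(SAMPLE)
    for f in audit(flows, host, ports):
        print("should have been filtered:", f["src"], "->", f["dst"], f["dport"])
    for (src, dst, dport), n in summarize(flows).items():
        print(f"{n} packet(s) {src} -> {dst}:{dport}")
```

Run against the sample, `audit()` flags the bare ACK to port 80 from the unrelated host and the SSH packet, the two kinds of line that appear in post #8's capture; an empty result on a real run means the BPF filter is actually in effect. Quote the filter as one argument, as unSpawn notes, or the shell will split `host ... and not ...` into several arguments and ngrep will reject them.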
 
  

