tcpdump filter that excludes private ip traffic

Posted by Kyle Brandt on Server Fault
Published on 2010-03-17T19:26:49Z Indexed on 2010/03/17 19:31 UTC


For a generic filter to exclude all traffic in my dump that is between private IP addresses, I came up with the following:

sudo tcpdump -n '
(not
    (
        (src net 172.16.0.0/20 or src net 10.0.0.0/8 or src net 192.168.0.0/16)
    and
        (dst net 172.16.0.0/20 or dst net 10.0.0.0/8 or dst net 192.168.0.0/16)
    )
) and 
(not
    (
        (dst net 172.16.0.0/20 or dst net 10.0.0.0/8 or dst net 192.168.0.0/16)
    and
        (src net 172.16.0.0/20 or src net 10.0.0.0/8 or src net 192.168.0.0/16)    
    )
)' -w test2.dump

Seems pretty excessive, but it also seems to work. Is this filter a lot longer than it needs to be, and is there a better way to express this logic, or is there anything wrong with the filter?

© Server Fault or respective owner
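The following is an added worked example and is not part of the original post or of tcpdump itself. It models the posted expression in Python so the logic can be checked offline: the two `not (...)` clauses in the post are the same test with `src` and `dst` swapped, and since `A and B` equals `B and A` the whole thing reduces to a single `not ((src private) and (dst private))` clause. It also keeps the post's `172.16.0.0/20` next to the full RFC 1918 block `172.16.0.0/12`, because a flow such as 172.17.0.1 -> 10.0.0.1 is private-to-private but survives a /20 filter. Every function and name below (`POST_NETS`, `RFC1918_NETS`, `simplified_filter`, `bpf_expression`, `build_pcap`), the sample flows, and the output file name `filter-test.pcap` are my own constructions; `build_pcap` emits a minimal Ethernet/IPv4 capture so the generated expression can be confirmed with `tcpdump -nr` against known packets.

```python
"""Offline check of the posted tcpdump filter logic, plus a synthetic pcap to run it on."""
import ipaddress
import struct

# The three ranges the post uses. The post writes 172.16.0.0/20; the full
# RFC 1918 block is 172.16.0.0/12, so both lists are kept here to compare them.
POST_NETS = [ipaddress.ip_network(n) for n in
             ("172.16.0.0/20", "10.0.0.0/8", "192.168.0.0/16")]
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("172.16.0.0/12", "10.0.0.0/8", "192.168.0.0/16")]


def in_nets(addr, nets):
    """Model of 'src net X or src net Y ...': true if addr falls in any range."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def original_filter(src, dst, nets=POST_NETS):
    """Mirror of the posted expression: two not(...) clauses and-ed together."""
    clause1 = not (in_nets(src, nets) and in_nets(dst, nets))
    clause2 = not (in_nets(dst, nets) and in_nets(src, nets))
    return clause1 and clause2


def simplified_filter(src, dst, nets=POST_NETS):
    """One clause: keep the packet unless BOTH endpoints are private.
    'A and B' == 'B and A', so the second clause in the post adds nothing."""
    return not (in_nets(src, nets) and in_nets(dst, nets))


def bpf_expression(nets):
    """Equivalent pcap-filter string for tcpdump, built from the same ranges."""
    src = " or ".join(f"src net {n}" for n in nets)
    dst = " or ".join(f"dst net {n}" for n in nets)
    return f"not (({src}) and ({dst}))"


# Constructed sample flows (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_FLOWS = [
    ("10.1.2.3", "192.168.1.1"),      # private -> private: should be excluded
    ("10.1.2.3", "8.8.8.8"),          # private -> public: keep
    ("203.0.113.5", "172.16.3.4"),    # public -> private: keep
    ("172.17.0.1", "10.0.0.1"),       # private -> private, but 172.17.x is outside /20
    ("198.51.100.1", "203.0.113.9"),  # public -> public: keep
]


def evaluate(nets=POST_NETS):
    """Map each sample flow to True (kept) or False (excluded) under the one-clause filter."""
    return {flow: simplified_filter(*flow, nets) for flow in SAMPLE_FLOWS}


def equivalent_on_samples(nets=POST_NETS):
    """True if the posted two-clause form and the one-clause form agree on every sample."""
    return all(original_filter(s, d, nets) == simplified_filter(s, d, nets)
               for s, d in SAMPLE_FLOWS)


def build_pcap(flows):
    """Minimal little-endian pcap (Ethernet + bare IPv4 header, proto ICMP) for 'tcpdump -r'."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet).
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, (src, dst) in enumerate(flows):
        # IPv4 header only: ver/ihl, tos, total len, id, flags/frag, ttl, proto, cksum, src, dst.
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, i, 0, 64, 1, 0,
                             ipaddress.ip_address(src).packed,
                             ipaddress.ip_address(dst).packed)
        frame = bytes.fromhex("001122334455" "66778899aabb" "0800") + ip_hdr
        # Record header: ts_sec (arbitrary), ts_usec, incl_len, orig_len.
        out += struct.pack("<IIII", 1_268_854_009 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


if __name__ == "__main__":
    with open("filter-test.pcap", "wb") as f:  # assumed output name
        f.write(build_pcap(SAMPLE_FLOWS))
    for flow, kept in evaluate(RFC1918_NETS).items():
        print(f"{flow[0]:>14} -> {flow[1]:<14} {'keep' if kept else 'exclude'}")
    print("\nverify with:\n  tcpdump -nr filter-test.pcap '"
          + bpf_expression(RFC1918_NETS) + "'")
```

Running the script writes the five-packet capture and prints the one-clause expression; `tcpdump -nr filter-test.pcap '<expression>'` should then list only the flows the table marks as `keep`. `tcpdump -d '<expression>'` is also useful here: it dumps the compiled BPF program, so the two-clause and one-clause forms can be compared by instruction count without capturing anything.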
