[Oisf-users] Avoid inspecting intra lan traffic with BPF filter expression

Chris Boley ilgtech75 at gmail.com
Thu Jun 30 17:36:11 UTC 2016


Awesome, thank you. I'll try it out.

On Thu, Jun 30, 2016 at 1:22 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> See this article on monitoring VLAN tagged traffic:
>
> > http://taosecurity.blogspot.com/2008/12/bpf-for-ip-or-vlan-traffic.html
>
> This is how you want to structure your bpf filters, assuming you have
> three internal networks:
>
> not ((src net1 or net2 or net3) and (dst net1 or net2 or net3))
>
> What you are doing is still going to pass traffic from the dst net to the
> src net.
>
> -Coop
>
> On 6/30/2016 8:31 AM, Chris Boley wrote:
> > Please bear in mind all traffic is VLAN tagged. I saw mentions on the
> pevma
> > blog page of specialized expressions for BPF filtering where VLANs were
> > concerned. I'm looking for some guidance.
> >
> >
> > I created a 'best guess' filter syntax and I'm sure it's very wrong.
> >
> > I'm asking for someone to help me get going in the right direction on
> this:
> >
> > Thanks in advance!!
> > My guess at the filter follows:
> >
> > not((src net 10.200.104.0/25 and dst net 10.200.104.192/28) or ( src net
> > 10.200.104.192/28 and dst net 10.200.104.0/25))
> >     or
> >    (not ((vlan and src net 10.200.104.0/25 and dst net 10.200.104.192/28
> )
> > or (vlan and src net 10.200.104.192/28 and dst net 10.200.104.0/25)))
> >
> > Ideas?
> >
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
>
>
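Added example (editor's note, not part of the original thread or of Suricata's own code): the two filter shapes discussed above, written out for the two networks Chris quoted, with a small Python model of why the first shape is wrong on VLAN-tagged frames. The model assumes classic libpcap behaviour: a `net` primitive written before the `vlan` keyword is compiled against the untagged header offsets, so on an 802.1Q frame (ethertype 0x8100) it never matches, and `vlan` shifts the offsets only for the primitives that follow it. Under that assumption, Chris's guess, which puts `not` inside each half, evaluates `not <intra-LAN>` as true for every tagged frame and so passes tagged intra-LAN traffic; Coop's form, with the `not` outside and the `vlan` half written second, drops it in both cases. The function names and the `Frame` type are this example's own; the network list is taken from the thread.

```python
import ipaddress
from dataclasses import dataclass

# Internal networks as quoted in the thread.
INTERNAL_NETS = ["10.200.104.0/25", "10.200.104.192/28"]


def intra_lan_clause(nets):
    """BPF clause matching traffic whose src AND dst are both internal."""
    src = " or ".join(f"src net {n}" for n in nets)
    dst = " or ".join(f"dst net {n}" for n in nets)
    return f"(({src}) and ({dst}))"


def exclude_intra_lan_filter(nets):
    """Coop's shape, made VLAN-aware: negate the whole thing, untagged half first.

    The untagged clause must precede `vlan`, because `vlan` shifts the
    header offsets for every primitive that comes after it.
    """
    intra = intra_lan_clause(nets)
    return f"not ({intra} or (vlan and {intra}))"


def naive_filter(nets):
    """The shape of the original guess: `not` inside each half (wrong on tagged frames)."""
    intra = intra_lan_clause(nets)
    return f"(not {intra}) or (vlan and not {intra})"


# --- A constructed model of libpcap's offset handling, to show the difference ---

@dataclass
class Frame:
    tagged: bool   # 802.1Q tag present
    src: str
    dst: str


def _both_internal(frame, nets):
    networks = [ipaddress.ip_network(n) for n in nets]
    s, d = ipaddress.ip_address(frame.src), ipaddress.ip_address(frame.dst)
    return any(s in n for n in networks) and any(d in n for n in networks)


def untagged_clause_matches(frame, nets):
    # Primitives before `vlan` look at offset 12 for ethertype 0x0800;
    # a tagged frame has 0x8100 there, so the clause can never match it.
    return (not frame.tagged) and _both_internal(frame, nets)


def tagged_clause_matches(frame, nets):
    # `vlan and ...`: only tagged frames, with the IP header 4 bytes further in.
    return frame.tagged and _both_internal(frame, nets)


def naive_passes(frame, nets):
    """Evaluate `(not INTRA) or (vlan and not INTRA)` under the model."""
    return (not untagged_clause_matches(frame, nets)) or \
           (frame.tagged and not tagged_clause_matches(frame, nets))


def correct_passes(frame, nets):
    """Evaluate `not (INTRA or (vlan and INTRA))` under the model."""
    return not (untagged_clause_matches(frame, nets) or
                tagged_clause_matches(frame, nets))


def main():
    # Constructed sample frames: intra-LAN tagged/untagged, plus one to the Internet.
    frames = [
        Frame(tagged=True,  src="10.200.104.10",  dst="10.200.104.200"),
        Frame(tagged=False, src="10.200.104.10",  dst="10.200.104.200"),
        Frame(tagged=True,  src="10.200.104.10",  dst="93.184.216.34"),
    ]
    print("naive:  ", naive_filter(INTERNAL_NETS))
    print("correct:", exclude_intra_lan_filter(INTERNAL_NETS))
    for f in frames:
        print(f, "naive passes:", naive_passes(f, INTERNAL_NETS),
              "correct passes:", correct_passes(f, INTERNAL_NETS))


if __name__ == "__main__":
    main()
```

Before deploying, compile the generated string with `tcpdump -d` against a capture from the same interface and read the emitted BPF: whether `vlan` shifts offsets for the rest of the expression, or only for its own half, varies with the libpcap version, and the dump is the only authoritative check.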