Tuesday, 6 September 2011

FWMonitor: How to filter by network range

Pretty simple idea, however wildcards don't work in the generic 'src/dst' statements unfortunately.

Let's say I want to capture all traffic sourced from destined to the over port 80, I'd use the following syntax:

fw monitor -e "firstblock={<,>};secondblock={<,>}; accept (src in firstblock, dst in secondblock, sport=80);"

The first IP Block is the starting IP for the network, and the second is the last IP in the block. You can define as many 'groups' as you'd like. Just make sure that the rest of the 'accept' statement ends up between two parent parenthesis.

1 comment: