From owner-freebsd-net@FreeBSD.ORG Thu Mar 5 18:21:07 2015
From: Beeblebrox
To: freebsd-net@freebsd.org
Date: Thu, 5 Mar 2015 20:20:50 +0200
Subject: tcpdump filter not ignoring jail subnet
Message-ID: <20150305202050.24042973@rsbsd.rsb>
List-Id: Networking and TCP/IP with FreeBSD

I'm using "tcpdump -i re0 -tq -F bin/tcpdump.txt" on my workstation for real-time traffic analysis. The current filter file has:

(src not net 192.168.1.0/24 and not ip6 and not net 192.168.2.97/32) or (src host mybsd and not port imap and not port imaps and not port 6667)

I'd like to create the filter such that traffic sources deemed reasonably sane do not get listed in the output. Where I'm stuck:

* "net 192.168.2.97/32" is a DNS jail and I don't need to monitor that host. Yet, the "not net" (or "not src net") keyword does not work and traffic to/from that net gets displayed anyway (I've also tried the host keyword).
* I would like to include a URL whitelist in the filter (for example, do not show any *.FreeBSD.org traffic). Is this even possible with tcpdump?

Regards.
-- 
FreeBSD_amd64_11-Current_RadeonKMS
Please CC my email when responding, mail from list is not delivered.
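An added example, not from the post above and not FreeBSD or tcpdump project code: a POSIX sh script that builds a tcpdump filter expression from an allowlist of addresses and then compiles it with "tcpdump -d" against an empty pcap file, so syntax is checked without root and without touching a live interface. The allowlist entries (192.168.1.0/24, 192.168.2.97, 203.0.113.10/11) are constructed for the example. The script also shows the two points a practitioner would want to keep in mind when writing a filter like the one in the post: BPF matches addresses, not names, so a "host www.example.org" term is resolved once at compile time and a wildcard such as *.FreeBSD.org cannot be expressed (resolve the names first, then emit address terms); and an exclusion only holds if it covers the whole expression, because any later "or (...)" branch re-admits packets the earlier branch dropped.

```shell
#!/bin/sh
# Build and sanity-check a tcpdump/BPF filter that hides traffic to or from
# a list of "known-good" addresses. Example code, not from the original post.
set -eu

# Constructed allowlist (made-up values): one host or CIDR per line,
# '#' starts a comment. Names are NOT accepted on purpose: pcap resolves a
# "host name" term once, when the filter is compiled, so resolve names
# beforehand (dig/drill) and list the resulting addresses here.
ALLOWLIST='# LAN
192.168.1.0/24
# DNS jail (single host; no /32 needed, "host" is enough)
192.168.2.97
# addresses resolved beforehand for a trusted domain (made-up values)
203.0.113.10
203.0.113.11
'

# build_filter: read the allowlist from stdin, print one filter expression.
# Each entry becomes "host X" or "net X/len"; all entries are OR-ed together
# and the whole group is negated once:
#   not ip6 and not (host A or net B or ...)
# Negating the whole group avoids the trap of "... or (src host foo ...)":
# the second branch of an OR re-admits packets the first branch excluded.
build_filter() {
    terms=
    while IFS= read -r line; do
        line=${line%%#*}                                  # strip comments
        line=$(printf '%s' "$line" | tr -d '[:blank:]')   # strip whitespace
        [ -n "$line" ] || continue
        case $line in
            */*) term="net $line" ;;
            *)   term="host $line" ;;
        esac
        terms="${terms:+$terms or }$term"
    done
    printf 'not ip6 and not (%s)\n' "$terms"
}

# check_filter EXPR: compile EXPR against an empty pcap so tcpdump reports
# syntax errors without needing root or a live interface.
# Returns 0 if it compiles, 1 if tcpdump rejects it, 2 if tcpdump is absent.
check_filter() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    pcap=$(mktemp)
    # 24-byte pcap global header: magic a1b2c3d4 (little-endian), version 2.4,
    # thiszone 0, sigfigs 0, snaplen 65535, link type 1 (Ethernet).
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$pcap"
    if tcpdump -r "$pcap" -d "$1" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$pcap"
    return $rc
}

# Usage: write the expression to a file suitable for "tcpdump -F", then check it.
expr=$(printf '%s' "$ALLOWLIST" | build_filter)
printf '%s\n' "$expr" > tcpdump-filter.txt
check_filter "$expr" && rc=0 || rc=$?
case $rc in
    0) echo "filter compiles: $expr" ;;
    2) echo "tcpdump not found; wrote $expr to tcpdump-filter.txt unchecked" ;;
    *) echo "filter rejected by tcpdump: $expr" >&2; exit 1 ;;
esac
```

Running "tcpdump -i re0 -tq -F tcpdump-filter.txt" then shows everything except IPv6 and the allowlisted addresses. If a single source should be shown while still hiding the allowlist, add it as an AND on the outside ("src host mybsd and not ip6 and not (...)") rather than as a second OR branch, otherwise the exclusion no longer applies to that branch.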