I'm trying to create a tcpdump(1) filter that will provide simplified output. I'll be running this with:
Here's where I need help:
# tcpdump -i re0 -t -F myfilter.txt
Code:
(src net not 192.168.1.0/24 and not ip6) or (src host mybsd and
not port imap and not port imaps and not ether src 192.168.2.97)
- Omit traffic from jail. IP ending in 2.97 is my DNS jail, while re0 is on subnet 192.168.1.0/24. Therefore above filter results in "illegal link layer address" complaint. How can I omit traffic from & to 192.168.2.97?
- Incoming IMAP traffic still gets displayed. I obviously only have that rule applying to outgoing in above filter. Is there a way to apply this rule both ways without repetition?
- Can I create a whitelist for websites I know/trust and include it in the filter so that I have less to sort trough?
- What is the best way to colorize the output? I'd like to have hostname of my PC displayed as color for example, so I can quickly spot whether traffic is inbound or outbound. I have found solutions ranging from perl to awk. This linked solution seems interesting for example. What do you guys use?
- Some records show as IP instead of hostname and when I do a whois lookup the result comes back as domain name that is completely unrelated to any particular app I have open at that point. How can I dig deeper on that issue?