Simpler IP Range Matching with Tshark Display Filters
In today's SANS ISC journal, the story IP Address Range Search with libpcap wonders how to accomplish the following:

...how to find SYN packets directed to natted addresses where an attempt was made to connect or scan a service natted to an internal resource. I used this filter for addresses located in the range 192.168.25.6 to 192.168.25.35.

The proposed answer is this:

tcpdump -nr file '((ip[16:2] = 0xc0a8 and ip[18] = 0x19 and ip[19] > 0x06)\
 and (ip[16:2] = 0xc0a8 and ip[18] = 0x19 and ip[19] < 0x23) and tcp[13] = 0x02)'

I am sure it's clear to everyone what that means!

Given my low success rate in getting comments posted to the SANS ISC blog, I figured I would reply here. Last fall I wrote Using Wireshark and Tshark display filters for troubleshooting. Wireshark display filters make writing such complex Berkeley Packet Filter syntax a thing of the past. Using Wireshark display filters, a mere mortal could write the following:

tshark -nr file 'tcp.flag
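Added example, not code from this post or from the ISC story: a Python model of what the quoted byte-offset tcpdump expression tests, run over constructed IPv4/TCP headers. The function names and sample packets are assumptions made for illustration; the output shows which final octets the strict comparisons accept and which TCP flag bytes `tcp[13] = 0x02` accepts.

```python
import struct

SYN, SYN_ACK, SYN_ECE_CWR = 0x02, 0x12, 0xC2

def build_packet(dst, flags, ihl=5):
    """Constructed sample: bare IPv4 + TCP headers, no payload, no checksums."""
    ip = bytearray(ihl * 4)
    ip[0] = (4 << 4) | ihl            # version 4, header length in 32-bit words
    ip[9] = 6                         # protocol = TCP
    ip[12:16] = bytes([10, 0, 0, 1])  # constructed source address
    ip[16:20] = bytes(int(o) for o in dst.split("."))
    tcp = bytearray(20)
    tcp[12] = 5 << 4                  # data offset
    tcp[13] = flags                   # flag byte, the one tcp[13] reads
    return bytes(ip + tcp)

def quoted_filter(pkt):
    """Model of the quoted expression (fragment handling is not modelled)."""
    ihl = (pkt[0] & 0x0F) * 4         # BPF's tcp[] indexing follows the real IHL
    ip, tcp = pkt[:ihl], pkt[ihl:]
    if ip[9] != 6:
        return False
    # ip[16:2] is the first two bytes of the destination address
    in_net = struct.unpack("!H", ip[16:18])[0] == 0xC0A8 and ip[18] == 0x19
    # ip[19] > 0x06 and ip[19] < 0x23 are strict: 0x06 and 0x23 themselves fail
    in_range = 0x06 < ip[19] < 0x23
    # tcp[13] = 0x02 is an equality test on the whole flag byte
    return in_net and in_range and tcp[13] == 0x02

def matched_octets(flags=SYN):
    """Final octets in 192.168.25.0/24 that the modelled filter accepts."""
    return [n for n in range(256)
            if quoted_filter(build_packet(f"192.168.25.{n}", flags))]

if __name__ == "__main__":
    hits = matched_octets()
    print(f"SYN matches 192.168.25.{hits[0]} through 192.168.25.{hits[-1]}")
    for name, flags in (("SYN+ACK", SYN_ACK), ("SYN+ECE+CWR", SYN_ECE_CWR)):
        print(f"{name}: {len(matched_octets(flags))} addresses match")
```
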