 Ignore some IPs in live capturing 

Joined: Thu May 20, 2010 11:29 pm
Posts: 28
Post Ignore some IPs in live capturing
Hello,

I'd like to know if there is a way to ignore some IPs when I have Live Capturing enabled.
My switch is generating too much traffic, and I'd like to reduce it by ignoring some IPs that do not matter to me...
Is there some blacklist for that?

Thanks...


Tue Jun 29, 2010 9:51 am

Joined: Wed Sep 16, 2009 10:45 pm
Posts: 128
Post Re: Ignore some IPs in live capturing
There is an option to filter IPs, or more exactly to filter all the traffic but one host. It is a combobox in the "Session data" box, to the left of the combo where you select the network interface for sniffing data.

Another solution, perhaps more suitable for your need, may be using iptables.


Tue Jun 29, 2010 10:15 am

Joined: Thu May 20, 2010 11:29 pm
Posts: 28
Post Re: Ignore some IPs in live capturing
That option is only for visualization. I'd like it to not even analyse the flow from some IPs, or receive it.
I tried iptables, but it does not work, since xplico must be sniffing the interface directly; it receives all packets regardless of how the iptables filters are configured...

Maybe there's somewhere inside xplico where I can edit and put a filter sent to libpcap, or something else....


Tue Jun 29, 2010 11:41 am
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: Ignore some IPs in live capturing
Hi Alex,
the rltm and rltm_pol capture modules can filter the input traffic (tcpdump style). This feature is not public, but if someone runs:
./xplico -m rltm
then he can view the help ;) .
Talking with Carlos, we found a quick solution to your problem.
The steps are these (as root):
Code:
cd /opt/xplico/bin
mv xplico xplico_bin
cp ~/xplico_filt.sh .
ln -s xplico_filt.sh xplico

The xplico_filt.sh file is attached to this post. If you edit xplico_filt.sh, you can change the filter.
Attachment:
xplico_filt.sh.gz

Ciao.
Gianluca




Fri Jul 02, 2010 4:19 pm
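The attachment is not available on the page, so here is an added example of what such a wrapper looks like; it is not Gianluca's xplico_filt.sh and not part of Xplico. It assumes the real binary has been renamed to /opt/xplico/bin/xplico_bin as in the steps above, and the option name used to hand the BPF filter to the rltm module (FILTER_OPT) is an assumption to be checked against the help that "./xplico -m rltm" prints.

```shell
#!/bin/sh
# Added example wrapper (not the attached xplico_filt.sh). It stands in for
# /opt/xplico/bin/xplico after the real binary was renamed to xplico_bin and
# appends a tcpdump-style capture filter that drops the listed hosts, so
# xplico never sees (or analyses) their packets.

# Hosts to ignore: constructed sample values, edit to taste.
IGNORE_HOSTS="192.0.2.10 192.0.2.11"

# Real binary after "mv xplico xplico_bin".
XPLICO_BIN="/opt/xplico/bin/xplico_bin"

# ASSUMPTION: the option the rltm module uses to accept a BPF filter.
# Check the help printed by "./xplico -m rltm" and adjust if it differs.
FILTER_OPT="-f"

# Accept only dotted-quad IPv4 literals, so a typo cannot turn into a BPF
# expression with a different meaning. Returns 0 when valid.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build "not host A and not host B ..." from a space-separated host list.
# Invalid entries are skipped with a warning on stderr; an empty list gives
# an empty filter, which the launcher below treats as "no filter".
build_ignore_filter() {
    filter=""
    for h in $1; do
        if ! is_ipv4 "$h"; then
            echo "xplico_filt: skipping invalid host '$h'" >&2
            continue
        fi
        if [ -z "$filter" ]; then
            filter="not host $h"
        else
            filter="$filter and not host $h"
        fi
    done
    echo "$filter"
}

# Hand over to the real binary, appending the filter after the caller's own
# arguments (dema's command line). Guarded so the file can be sourced too.
if [ -x "$XPLICO_BIN" ]; then
    FILTER=$(build_ignore_filter "$IGNORE_HOSTS")
    [ -n "$FILTER" ] && exec "$XPLICO_BIN" "$@" "$FILTER_OPT" "$FILTER"
    exec "$XPLICO_BIN" "$@"
fi
```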

Joined: Thu May 20, 2010 11:29 pm
Posts: 28
Post Re: Ignore some IPs in live capturing
Thank you, Gianluca, I'll test.

I tried, but did not find where I can pass these parameters directly to xplico.
I put my installation in /etc/rc.d with the scripts that I found in /opt/xplico/scripts. I copied xplico to /etc/init.d and ran
Code:
update-rc.d xplico defaults


Inside the script, there's a call to dema, but not to the xplico binary.

What do I do?

----------- Update --------------------
I think I did it. Correct me if I am wrong.

1) Substituted xplico with the script you passed me (putting in my own filters).
2) Copied /opt/xplico.rltm.console to /etc/init.d
3) Ran update-rc.d to install it on boot.
4) Executed the command: sudo service xplico.offline start

All seems to work, but I cannot access the web gui...


Last edited by lexlth on Fri Jul 02, 2010 5:46 pm, edited 1 time in total.



Fri Jul 02, 2010 5:18 pm
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: Ignore some IPs in live capturing
Hi,
In fact the feature is present, but it can be used only from the CLI and not with XI.
In the Xplico System it is dema that runs xplico (and all manipulators).

If you follow the instructions (which are a hack) you can solve your problem.

Ciao.
Gianluca


Fri Jul 02, 2010 5:30 pm