[Winpcap-users] Filter in winpcap

Guy Harris guy at alum.mit.edu
Fri Jul 1 17:01:53 GMT 2005


Alessandro wrote:

> I want to apply a filter to capture....and this filter is:
> 
> - capture only packet that go to internet...outside..

"Outside" meaning "to a host that's not on your LAN segment", or "to a 
host that's on the Internet, beyond your Internet gateway"?

*Either* of those would *REQUIRE* that you know the address and network 
mask of your network; there's no magic flag in a packet saying it's 
going to the Internet.  You could get that from the GUI (the exact path 
through the GUI depends on the version of Windows you're running), or 
you could get it from the command line with ipconfig/all - or, if this 
is your own program, you could get that by calling "pcap_lookupnet()" on 
the adapter on which you're capturing.

"To a host that's not on your LAN segment" could be done with

	(not src net {address} mask {netmask} and dst net {address} mask {netmask})
	or (not dst net {address} mask {netmask} and src net {address} mask {netmask})

where {address} is the network address of your LAN and {netmask} is the 
netmask of your LAN.

"To a host that's on the Internet" is harder, as that would mean 
excluding the address of all the networks at your site.

If this is at home, on a small network, that might be the same as "to a 
host that's not on your LAN segment" or might be "to a host that's not 
on your small set of LAN segments" - take expressions of the sort given 
above and "or" them together (you probably want to parenthesize them 
before "or"ing them together, just to make it clearer where the "or"s 
and "and"s are happening - I can never remember which has higher 
precedence; yes, I know I can read the tcpdump/WinDump man page, but 
it's best if you don't *have* to look that up to interpret the expression).

On a large institutional (corporate/government/academic/etc.) network, 
that might be difficult.  If the internal network is using RFC 1918 
private addresses, you could just use "not net" to exclude all the 
addresses in the RFC 1918 range you're using, such as

	(not src net 10.0.0.0/8 and dst net 10.0.0.0/8)
	or (not dst net 10.0.0.0/8 and src net 10.0.0.0/8)

	(not src net 172.16.0.0/12 and dst net 172.16.0.0/12)
	or (not dst net 172.16.0.0/12 and src net 172.16.0.0/12)

	(not src net 192.168.0.0/16 and dst net 192.168.0.0/16)
	or (not dst net 192.168.0.0/16 and src net 192.168.0.0/16)

(or, if you're using more than one such range, "or" multiple such 
expressions together).

If your institution has been assigned a given range or ranges of IP 
addresses, and it's using addresses in that range on your internal 
network, use those ranges in expressions such as the ones above.

> - discard packet from two PC of my LAN

Add in "and not host {IP address of the PC}" for each of the PCs (or, if 
you even want to exclude non-IPv4 packets from those PCs, use the MAC 
addresses of the PCs' adapters instead).

> My problem is, I want this filter generic...in other words, I don't know the 
> address of the PC where it runs, nor whether its IP is in a net of Class A, B 
> or C. How could I make this?

You can't - as noted, there's no magic "this goes off the local segment" 
or "this goes to the Internet" flag in packets to test, you can only 
rule out packets on the local segment by ruling out packets to hosts 
with addresses on that segment, and rule out packets on your internal 
network by ruling out packets to hosts
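Building the reply's filter programmatically, as an added example that is not code from the post or from WinPcap: given the network address and mask that pcap_lookupnet() returns (assumed here to have been converted to dotted-quad strings already), it emits the fully parenthesised BPF expression, appends the "not host" clauses for the PCs to ignore, and evaluates the same predicate in Python on constructed address pairs so the expression can be checked before it goes to pcap_compile() or WinDump. It goes one step beyond the reply by treating a set of internal ranges as a single "inside", so packets between two internal ranges (say 10/8 and 172.16/12) are not selected; the function names and the sample traffic are this example's own.

```python
"""Generate and check the 'leaves the local network' capture filter.

Recipe from the reply: learn the LAN address and mask (pcap_lookupnet()
in your own program), build a BPF expression from them, and "and" in
"not host" clauses for the PCs to ignore.  This module does the string
building and evaluates the same predicate in Python on constructed
address pairs.  (Example code, not WinPcap's or the poster's.)
"""
import ipaddress
from typing import Iterable, Sequence

# The three RFC 1918 ranges named in the reply.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def lookup_to_cidr(address: str, netmask: str) -> str:
    """Turn a (network address, netmask) pair into CIDR text.

    Assumption: the caller has already converted the two bpf_u_int32
    values from pcap_lookupnet() into dotted-quad strings.
    """
    return str(ipaddress.ip_network((address, netmask), strict=True))


def _side_inside(side: str, nets: Sequence[str]) -> str:
    """'(src net A or src net B ...)' for side in {'src', 'dst'}."""
    return "(" + " or ".join(f"{side} net {n}" for n in nets) + ")"


def leaves_network_filter(nets: Iterable[str],
                          excluded_hosts: Iterable[str] = ()) -> str:
    """BPF expression selecting packets with exactly one endpoint inside
    the union of `nets`, minus any packet to or from `excluded_hosts`.

    Every sub-expression is parenthesised explicitly, so nobody has to
    remember whether 'and' binds tighter than 'or'.  Treating the ranges
    as one inside (rather than "or"ing one crossing clause per range)
    means traffic between two internal ranges is NOT selected.
    """
    nets = [str(ipaddress.ip_network(n, strict=True)) for n in nets]
    if not nets:
        raise ValueError("at least one internal network is required")
    src_in, dst_in = _side_inside("src", nets), _side_inside("dst", nets)
    expr = f"(not {src_in} and {dst_in}) or (not {dst_in} and {src_in})"
    excl = " and ".join(f"not host {ipaddress.ip_address(h)}"
                        for h in excluded_hosts)
    return f"({expr}) and {excl}" if excl else expr


def packet_selected(nets: Iterable[str], excluded_hosts: Iterable[str],
                    src: str, dst: str) -> bool:
    """Python evaluation of the same predicate for one src/dst pair."""
    networks = [ipaddress.ip_network(n, strict=True) for n in nets]
    excluded = {ipaddress.ip_address(h) for h in excluded_hosts}
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in excluded or d in excluded:
        return False
    src_inside = any(s in n for n in networks)
    dst_inside = any(d in n for n in networks)
    return src_inside != dst_inside


# Constructed sample traffic (not captured data): (src, dst) pairs.
SAMPLE_PACKETS = [
    ("192.168.1.5", "198.51.100.7"),   # LAN host -> outside: selected
    ("198.51.100.7", "192.168.1.5"),   # reply from outside: selected
    ("192.168.1.5", "192.168.1.9"),    # LAN to LAN: not selected
    ("192.168.1.10", "198.51.100.7"),  # excluded PC: not selected
    ("10.1.2.3", "172.16.5.5"),        # neither end on this LAN: not selected
]


def demo(nets: Sequence[str] = ("192.168.1.0/24",),
         excluded_hosts: Sequence[str] = ("192.168.1.10",)) -> list:
    """Return [(src, dst, selected), ...] for the sample traffic."""
    return [(s, d, packet_selected(nets, excluded_hosts, s, d))
            for s, d in SAMPLE_PACKETS]


if __name__ == "__main__":
    lan = lookup_to_cidr("192.168.1.0", "255.255.255.0")
    print(leaves_network_filter([lan], ["192.168.1.10"]))
    for s, d, sel in demo():
        print(f"{s:>15} -> {d:<15} {'capture' if sel else 'drop'}")
```

The expression printed by the `__main__` block is valid tcpdump/WinDump syntax and can be pasted straight onto a WinDump command line or passed to pcap_compile(); for a site with several internal ranges, call leaves_network_filter(RFC1918, ...) and the union logic does the rest.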

