creating filters

  • Question

  • Here are a few filter rules that I have put together. The last one has given me some problems. I'm attempting to filter out much of the noise, leaving only questionable or external connections to local computer(s).

    How can I filter out a connection between two computers? The last example doesn't quite work. We do NOT want to see traffic between ourselves and the server, .1 and .200. Any ideas?

    // Multiple lines, indent the next line

    IPv4.Address == 192.168.0.100 and
     IPv4.Address == 192.168.0.99


    Use ! in front of the service to eliminate the service
    !SMB AND !ARP AND !LLMNR AND !LLC AND
     !TCP.FLAGS.SYN AND !KerberosV5 AND
       IPv4.SourceAddress != 0.0.0.0 AND IPv4.DestinationAddress != 255.255.255.255

    Filters---

    // Show traffic To or From a specific IPv4 address:  
    IPv4.Address == 192.168.0.100

    //filter address range
    and IPv4.SourceAddress != 74.125.196.0/255 and ipv4.DestinationAddress != 74.125.196.0/255

    // Show traffic between two IPv4 addresses.  Both addresses
    // must be in the packet for it to display with this filter.
    IPv4.Address == 192.168.0.100 AND IPv4.Address == 192.168.0.200

    // Show traffic From a source IPv4 address:
    IPv4.SourceAddress == 192.168.0.100

    // Show traffic To a destination IPv4 address:
    IPv4.DestinationAddress == 192.168.0.100

    // Exclude specific IP Addresses
    IPv4.Address != 192.168.0.100

    //filter out process names
    and Conversation.ProcessName != "chrome.exe"

    //between two machines
    IPv4.Address == 192.168.1.1 && IPv4.Address == 10.0.0.1

    Thursday, December 11, 2014 6:17 PM

Answers

  • !(IPv4.Address == 192.168.1.1 && IPv4.Address == 10.0.0.1)

    Should get rid of all traffic between the two machines, assuming there is no NON IPv4 traffic.

    Paul

    • Marked as answer by Paul E Long Tuesday, February 3, 2015 6:39 PM
    Tuesday, December 16, 2014 7:03 PM
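An added example, not code from this thread or from Network Monitor itself, that models the field semantics the question and answer rely on: `IPv4.Address` matches a frame when the address is the source or the destination, `IPv4.Address == A && IPv4.Address == B` is true only when both hosts are in the frame, and negating that whole expression, as the answer suggests, drops just the A/B conversation. It also shows why the plainer `IPv4.Address != A AND IPv4.Address != B` is too broad for the asker's goal: it hides every frame touching either host, including the external connections they want to keep. The frames and addresses are constructed samples.

```python
# Added example (not Network Monitor code): a small evaluator that models how
# NetMon's IPv4.Address / IPv4.SourceAddress / IPv4.DestinationAddress predicates
# behave for the filters discussed in the thread. All frames are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """Just the two IPv4 endpoints of a captured frame (constructed sample)."""
    src: str  # IPv4.SourceAddress
    dst: str  # IPv4.DestinationAddress

    def address_matches(self, addr: str) -> bool:
        """IPv4.Address == addr: true when addr is the source OR the destination."""
        return addr in (self.src, self.dst)


def between(frame: Frame, a: str, b: str) -> bool:
    """IPv4.Address == a AND IPv4.Address == b: both hosts must be in the frame."""
    return frame.address_matches(a) and frame.address_matches(b)


def exclude_conversation(frame: Frame, a: str, b: str) -> bool:
    """!(IPv4.Address == a && IPv4.Address == b): the answer's filter.
    Keeps everything except frames exchanged between a and b."""
    return not between(frame, a, b)


def exclude_either_host(frame: Frame, a: str, b: str) -> bool:
    """IPv4.Address != a AND IPv4.Address != b: drops any frame that touches
    either host, so external connections to a or b disappear too."""
    return not frame.address_matches(a) and not frame.address_matches(b)


# Constructed sample traffic: workstation .1, server .200, an external host,
# and an unrelated local pair. 203.0.113.0/24 is documentation address space.
SAMPLE_FRAMES = [
    Frame("192.168.0.1", "192.168.0.200"),   # workstation -> server (noise to drop)
    Frame("192.168.0.200", "192.168.0.1"),   # server -> workstation (noise to drop)
    Frame("192.168.0.1", "203.0.113.7"),     # workstation -> external host (keep)
    Frame("203.0.113.7", "192.168.0.200"),   # external host -> server (keep)
    Frame("192.168.0.50", "192.168.0.60"),   # unrelated local pair (keep)
]


def apply_filter(frames, predicate):
    """Return the frames a display filter would show (predicate true)."""
    return [f for f in frames if predicate(f)]


def compare_filters(a: str = "192.168.0.1", b: str = "192.168.0.200"):
    """Run both candidate filters over the sample capture and return what each shows."""
    answer = apply_filter(SAMPLE_FRAMES, lambda f: exclude_conversation(f, a, b))
    too_broad = apply_filter(SAMPLE_FRAMES, lambda f: exclude_either_host(f, a, b))
    return answer, too_broad


if __name__ == "__main__":
    shown, shown_broad = compare_filters()
    print("!(IPv4.Address == A && IPv4.Address == B) shows:")
    for f in shown:
        print(f"  {f.src} -> {f.dst}")
    print("IPv4.Address != A AND IPv4.Address != B shows:")
    for f in shown_broad:
        print(f"  {f.src} -> {f.dst}")
```

Against the sample capture the negated conversation filter keeps the two external frames and the unrelated local pair, while the `!=` pair keeps only the unrelated local pair, which is the behaviour to watch for when stacking exclusions the way the question does.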