pcap filter selecting packets strictly incoming and outgoing a network

Question

Let's say I am a router of a hub based local network 10.0.0.0/24 providing an access to internet.

+------+
| pc A +-----+
+------+     |
          +--+--+   +-------------+
          | hub +---+ router (me) +---- internet
          +--+--+   +-------------+
+------+     |
| pc B +-----+
+------+

I am implementing a small packet counter using libpcap to know the PPS of users in this network that goes from/to internet. For example, I want to collect packets:

• from A (or any internal, such as B) to stackoverflow.com (or any external)
• from stackoverflow.com to A (i.e. answers)

But I want to filter packets:

• from A to B (this is a hub based network so I see them)
• from A (or any internal) to me or the other way

The best filter I could do is net 10.0.0.0/24 and \( not src net 10.0.0.0/24 or not dst net 10.0.0.0/24 \) but isn't there a better syntax?

Answer 1

Perhaps simpler way to phrase your criteria would be "capture only ip packets between A and the router".

This can be expressed like this:

ip and ether host AA:AA:AA:AA:AA:AA and ether host BB:BB:BB:BB:BB:BB where AA:AA:AA:AA:AA:AA is the MAC address of A. and BB:BB:BB:BB:BB:BB is the router's MAC address.

Or ip and not ether host CC:CC:CC:CC:CC:CC and ether host BB:BB:BB:BB:BB:BB where CC:CC:CC:CC:CC:CC is your MAC. This would capture IP packets between the router and anyone on your network, except yourself.

Another option is ip and host 1.2.3.4 and ether host BB:BB:BB:BB:BB:BB where 1.2.3.4 is A's IP address.

There are many more possibilities.