
I have my PCap filter set to "dst net 10.36.95.0 mask 255.255.255.0". This works in that it filters out most traffic with a destination outside of the 10.36.95.0/24 subnet, the exception being that it still captures traffic going to 0.0.0.0.

Any idea why this happens or what I can do to filter out 0.0.0.0 as well?

Some additional info:

$ sudo tcpdump -d dst net 10.36.95.0 mask 255.255.255.0 -i eth0
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 5
(002) ld       [30]
(003) and      #0xffffff00
(004) jeq      #0xa245f00       jt 10   jf 11
(005) jeq      #0x806           jt 7    jf 6
(006) jeq      #0x8035          jt 7    jf 11
(007) ld       [38]
(008) and      #0xffffff00
(009) jeq      #0xa245f00       jt 10   jf 11
(010) ret      #65535
(011) ret      #0
exxodus7
  • What does `tcpdump -d dst net 10.36.95.0 mask 255.255.255.0` print? (If you were capturing on a particular interface, add `-i` with that interface name to the command. You may have to run it as root.) –  Apr 10 '15 at 18:41
  • @GuyHarris Output included in question! – exxodus7 Apr 10 '15 at 19:00
  • So it's capturing *IPv4* packets going to 0.0.0.0? They're not ARP packets? –  Apr 11 '15 at 03:09
  • Ooh, they might just be ARP packets! Filtered out ARP packets and haven't seen them since... Even if they were, why weren't they filtered out with my destination filter? Does the dst filter only work with IP packets, and can ARP packets ignore it? – exxodus7 Apr 14 '15 at 13:39
  • The "dst" (destination) address in an ARP request doesn't indicate the IP address to which the packet is being sent - it's probably being sent as a MAC-layer broadcast to all hosts on the network segment - it indicates the IP address whose MAC address the sending host wants, i.e. it's the IP address to which it would *like* to send a packet. ARP packets aren't sent to IP addresses, so what made them look as if they were going to 0.0.0.0? –  Apr 14 '15 at 18:16
  • Ah ok that helps. I was looking at the source and destination in the PcapPacket header in Java. So packet.getHeader(new Ip4()).source(). – exxodus7 Apr 15 '15 at 14:51

1 Answer

I was looking at the source and destination in the PcapPacket header in Java.

I.e., you're using jNetPcap?

Don't use any IPv4-related packet parsing code with packets that aren't IPv4 packets, as they will give you garbage. ARP packets aren't IPv4 packets; use the Arp class, not the Ip4 class, for packets with an Ethernet type of 0x0806.
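As an added illustration (not code from the question, the answer or jNetPcap), the Python below re-implements the compiled BPF program printed in the question and contrasts an EtherType-blind IPv4 parse, which reads offset 30 of every frame, with one that dispatches on EtherType as the answer recommends. The ARP request and IPv4 frame it feeds in are constructed samples with made-up MAC addresses.

```python
import struct
from ipaddress import IPv4Address

ETH_IPV4, ETH_ARP, ETH_RARP = 0x0800, 0x0806, 0x8035
NET, MASK = 0x0A245F00, 0xFFFFFF00        # 10.36.95.0 / 255.255.255.0

def dst_net_filter(frame: bytes) -> bool:
    """Python rendering of the BPF program tcpdump -d printed for
    'dst net 10.36.95.0 mask 255.255.255.0' on an Ethernet link."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]          # ldh [12]
    if ethertype == ETH_IPV4:
        dst = struct.unpack_from("!I", frame, 30)[0]            # ld [30]: IPv4 dst (14 + 16)
        return dst & MASK == NET
    if ethertype in (ETH_ARP, ETH_RARP):
        tpa = struct.unpack_from("!I", frame, 38)[0]            # ld [38]: ARP target proto addr (14 + 24)
        return tpa & MASK == NET
    return False

def naive_ipv4_dst(frame: bytes) -> str:
    """What code that treats every frame as IPv4 reports: offset 30 regardless of EtherType."""
    return str(IPv4Address(frame[30:34]))

def dst_address(frame: bytes) -> tuple:
    """EtherType-aware: IPv4 destination for IPv4, target protocol address for ARP."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETH_IPV4:
        return "ipv4", str(IPv4Address(frame[30:34]))
    if ethertype == ETH_ARP:
        return "arp", str(IPv4Address(frame[38:42]))
    return "other", None

def arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Constructed sample: Ethernet broadcast carrying an ARP 'who-has target_ip' request."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, 1, sender_mac,
                      IPv4Address(sender_ip).packed, b"\x00" * 6, IPv4Address(target_ip).packed)
    return eth + arp

def ipv4_packet(src_ip: str, dst_ip: str) -> bytes:
    """Constructed sample: Ethernet frame with a minimal 20-byte IPv4 header (checksum left zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip

if __name__ == "__main__":
    who_has = arp_request(b"\x02\x00\x00\x00\x00\x01", "10.36.95.10", "10.36.95.1")
    print(dst_net_filter(who_has), naive_ipv4_dst(who_has), dst_address(who_has))
```

Prefixing the expression with `ip and` (`ip and dst net 10.36.95.0 mask 255.255.255.0`) keeps only the IPv4 branch of that program, so ARP requests for addresses in the subnet no longer pass the filter.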