Sounds right - you can drop the src xxx or dst xxx and just use xxx
-B "host bozo.clown.school.edu and not net xxx.yyy.zzz.0/24"
Read up on the filter syntax in the tcpdump stuff - everything that uses libpcap has the same 'BPF' syntax.
Still reading the tcpdump material - some of it is a bit obtuse, but I've picked up a few things.
However, in the shorter term, I tried
-B "host bozo.clown.school.edu and not net xxx.yyy.zzz.0/24"
and got the following error message:
**FATAL_ERROR** Wrong filter '(host xxx.yyy.zzz.123 and not (host xxx.yyy.zzz.0/24)' (Mask syntax for networks only) on interface eth0
Hmmm... I don't think this is an interface issue (since I get the same message even if I try -i eth0).
So, I tried ... and not (host xxx.yyy.zzz.0) (i.e., dropping the /24), and I don't get a fatal error, but it's also not filtering what I want (it seems to record any traffic from within xxx.yyy.zzz).
Again, basically, trying to record all traffic to/from xxx.yyy.zzz.123, but excluding any traffic from any other machine in the xxx.yyy.zzz domain. In other words, all I'm interested in is traffic to/from external hosts, and not from any internally generated traffic.
Suggestions?
_______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop
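An added example, not from the thread, that evaluates the BPF semantics of the two filter shapes over constructed packets. In BPF, `host H` is true when either endpoint is H and `net N` is true when either endpoint is inside N, so `host H and not net N` can never match when H itself lies inside N (as xxx.yyy.zzz.123 does in xxx.yyy.zzz.0/24); the alternative `host H and not (src net N and dst net N)` keeps only conversations with an outside party. The addresses below are constructed documentation ranges standing in for the thread's placeholders.

```python
import ipaddress

# Constructed stand-ins for the thread's xxx.yyy.zzz.123 and xxx.yyy.zzz.0/24.
MONITORED_HOST = ipaddress.ip_address("192.0.2.123")
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed (src, dst) pairs: internal<->monitored, external<->monitored, unrelated.
PACKETS = [
    ("192.0.2.7", "192.0.2.123"),     # internal host -> monitored host
    ("192.0.2.123", "192.0.2.9"),     # monitored host -> internal host
    ("198.51.100.5", "192.0.2.123"),  # external host -> monitored host
    ("192.0.2.123", "203.0.113.77"),  # monitored host -> external host
    ("198.51.100.5", "192.0.2.8"),    # external traffic not involving the monitored host
]


def matches_host_and_not_net(src, dst):
    """Semantics of 'host H and not net N': one endpoint is H and
    neither endpoint is inside N. Unsatisfiable when H is inside N."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    host_hit = MONITORED_HOST in (s, d)
    net_hit = s in LOCAL_NET or d in LOCAL_NET
    return host_hit and not net_hit


def matches_host_and_not_internal(src, dst):
    """Semantics of 'host H and not (src net N and dst net N)': one endpoint
    is H and the conversation is not purely internal to N."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    host_hit = MONITORED_HOST in (s, d)
    purely_internal = s in LOCAL_NET and d in LOCAL_NET
    return host_hit and not purely_internal


def captured(filter_fn, packets=PACKETS):
    """Return the (src, dst) pairs a capture with this filter would keep."""
    return [(s, d) for s, d in packets if filter_fn(s, d)]


if __name__ == "__main__":
    print("host H and not net N ->", captured(matches_host_and_not_net))
    print("host H and not (src net N and dst net N) ->",
          captured(matches_host_and_not_internal))
```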
