Log filter for RANGE of IP's or Ports

L4 Transporter

Does anyone know the syntax used to create filters for port or IP ranges?

For example, I want to filter on IP's 10.0.0.1-10.0.0.5 (same for port ranges).

Thanks in advance

2 REPLIES 2

L4 Transporter

for port ranges, you can combine the geq (greater than or equal to) and leq (less than or equal to) with an AND operator, e.g.:

(port.dst geq 53) and (port.dst leq 442)

will show DNS and HTTP but not HTTPS or SSH requests

for IP, I believe your only option is to use CIDR notation, but you can get as specific as you need to with the subnet mask.

for example,

( addr.src in 10.0.0.0/29 )

will show IPs in the range of 10.0.0.0 - 10.0.0.7 (though .0 is the network and .7 is the broadcast in this case, so those 2 shouldn't show up in results)

 

--
CCNA Security, PCNSE7

L4 Transporter

*edit* Woops, @bradk14 beat me to it!

If you're referring to one of the tabs/pages that has access to the filter builder then I'd do something like this:

( addr.src in 192.168.1.0/24 ) and ((port.dst geq 60) and (port.dst leq 450))

This is just an example that does both functions but you could easily break that up. This basically searches for everything between 192.168.1.0-192.168.1.255 that goes to a destination port between and including 60 through 450.

With the ports you just use geq and leq ("greater than or equal to" and "less than or equal to" respectively).

With the IP I don't think you can use those same operators... it looks to just be an "in" or "not in" and it won't accept a range (192.168.1.0-192.168.1.255) so you do it as a subnet instead (192.168.1.0/24).
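
Added example, written for this thread and not PAN-OS code from either reply: a small Python evaluator that models the filter grammar the two replies describe (addr.src/addr.dst tested with "in" / "not in" against a CIDR block, port.src/port.dst compared with geq/leq, combined with and/or and parentheses) and runs it over constructed log records. The field names, the in/not in/geq/leq operators and the three filter strings come from the replies; the eq/neq port operators, the record layout (a dict keyed by field name with an "id"), and the range_to_filter helper are assumptions of this example. It also goes one step past the replies: because addresses only accept CIDR membership, the helper converts an exact inclusive range such as 10.0.0.1-10.0.0.5 into the minimal set of CIDR clauses, so a single /29 does not silently pull 10.0.0.6 into the results.

```python
from __future__ import annotations
import ipaddress
import operator
import re
from typing import Any, Callable

# Assumed record shape for this example: one dict per log line, keyed by the
# filter field names, plus an "id" so matches can be reported.
Record = dict[str, Any]
Pred = Callable[[Record], bool]

# Tokens: parentheses, words (field names, operators, and/or/not), numbers
# and dotted/CIDR values such as 53 or 10.0.0.0/29.
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z_.]+|[0-9][0-9./]*")
PORT_OPS = {"eq": operator.eq, "neq": operator.ne,
            "geq": operator.ge, "leq": operator.le}


def comparison(field: str, op: str, value: str) -> Pred:
    """Build a predicate for one `field op value` clause."""
    if field.startswith("addr."):
        # Addresses only support membership, so geq/leq on an address is
        # rejected here, which is the limitation the replies describe.
        if op not in ("in", "not in"):
            raise ValueError(f"{op!r} is not valid for {field}; use in / not in")
        net = ipaddress.ip_network(value, strict=False)

        def pred(rec: Record) -> bool:
            hit = ipaddress.ip_address(rec[field]) in net
            return hit if op == "in" else not hit
        return pred
    if field.startswith("port."):
        if op not in PORT_OPS:
            raise ValueError(f"{op!r} is not valid for {field}")
        n, cmp = int(value), PORT_OPS[op]
        return lambda rec: cmp(int(rec[field]), n)
    raise ValueError(f"unknown field {field!r}")


class FilterParser:
    """Recursive descent: expr := term ('or' term)*; term := atom ('and' atom)*;
    atom := '(' expr ')' | field op value."""

    def __init__(self, expr: str) -> None:
        self.toks = TOKEN_RE.findall(expr)
        self.pos = 0

    def peek(self) -> str | None:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self) -> Pred:
        pred = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred

    def expr(self) -> Pred:
        left = self.term()
        while self.peek() == "or":
            self.take()
            left = (lambda a, b: lambda r: a(r) or b(r))(left, self.term())
        return left

    def term(self) -> Pred:
        left = self.atom()
        while self.peek() == "and":
            self.take()
            left = (lambda a, b: lambda r: a(r) and b(r))(left, self.atom())
        return left

    def atom(self) -> Pred:
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        field, op = self.take(), self.take()
        if op == "not":  # two-token operator "not in"
            if self.take() != "in":
                raise ValueError("expected 'in' after 'not'")
            op = "not in"
        return comparison(field, op, self.take())


def filter_logs(expr: str, records: list[Record]) -> list[int]:
    """Return the ids of the records that match the filter expression."""
    pred = FilterParser(expr).parse()
    return [rec["id"] for rec in records if pred(rec)]


def range_to_filter(field: str, first: str, last: str) -> str:
    """Express an inclusive address range as the exact set of CIDR clauses,
    because the filter only accepts 'in <network>' and a lone /29 overshoots."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return " or ".join(f"( {field} in {b} )" for b in blocks)


# Constructed sample records for the example; not taken from the thread.
SAMPLE_LOGS: list[Record] = [
    {"id": 1, "addr.src": "10.0.0.1", "port.dst": 53},
    {"id": 2, "addr.src": "10.0.0.5", "port.dst": 80},
    {"id": 3, "addr.src": "10.0.0.6", "port.dst": 443},
    {"id": 4, "addr.src": "10.0.0.9", "port.dst": 22},
    {"id": 5, "addr.src": "192.168.1.20", "port.dst": 445},
    {"id": 6, "addr.src": "192.168.1.200", "port.dst": 451},
]

if __name__ == "__main__":
    # The /29 from the first reply also matches 10.0.0.6, outside the asked range.
    print(filter_logs("( addr.src in 10.0.0.0/29 )", SAMPLE_LOGS))
    print(range_to_filter("addr.src", "10.0.0.1", "10.0.0.5"))
```

Run as a script it prints the ids matched by the /29 filter, then the three-clause filter that covers exactly 10.0.0.1 through 10.0.0.5. The parser deliberately raises on geq/leq applied to an address field so that a filter which the replies say cannot work fails loudly instead of matching nothing.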
