I'm curious if ngrep can do inverted matching based on ports? I've tried something along the lines of:

ngrep -d -v port 22
interface:
filter: ( port 22 ) and (ip or ip6)

and although it says the filter is 'port 22', it doesn't pick up the other ports. I tried googling for a couple of days, and haven't found a solution. Can someone familiar with ngrep let me know if this is doable?
Wow. ngrep's command-line syntax is a greasy hack.

The ngrep man page says:

ngrep {various flags} <match expression> <bpf filter>

without indicating how ngrep manages to tell what's part of the "match expression" and what's part of the "bpf filter".

The way it determines that is by:

- taking the first shell token after the flag arguments, if present, as the "match expression" and, if there are tokens after it, gluing them together with spaces between them and making that the "bpf filter";
- if it finds a "bpf filter", trying to compile it and:
- if that succeeds, using the found "match expression" and "bpf filter";
- if that fails, assuming there was no "match expression", and taking all the tokens after the flag arguments and gluing them together to make the "bpf filter".

This means that if you do

ngrep port 22

, it first tries to use "port" as the "match expression" and "22" as the "bpf filter", which fails because "22" isn't a valid bpf filter, and then assumes there isn't a "match expression" and that "port 22" is the "bpf filter", which works.

However, if you do

ngrep not port 22

, it first tries to use "not" as the "match expression" and "port 22" as the "bpf filter", which succeeds, so you end up with "not" as the filter it tries grepping for and "port 22" as the bpf filter it hands to libpcap.

Sadly, ngrep has no way of saying "there's no match expression, there's only a bpf filter", so you have to do something such as

ngrep "" not port 22

, with an empty match expression, to have it recognize "not port 22" as the bpf filter.

So, if you want to see all traffic except traffic on port 22, try

ngrep -d "" not port 22

-v affects the match expression, not the bpf filter; that means the command you gave in the question would match only packets to or from port 22, not packets not to or from port 22. You want the empty match expression to match all packets, rather than no packets, so leave the -v flag out.
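To make the splitting rule in the answer above concrete, here is an added Python model of it (not ngrep's own code). It assumes a toy stand-in, bpf_compiles(), that accepts only a small subset of the filter grammar in place of libpcap's real pcap_compile(); the split logic itself follows the steps listed in the answer.

```python
# Added example, not ngrep's own code: bpf_compiles() is a toy stand-in for
# libpcap's pcap_compile() that accepts only a small subset of the grammar.
PROTOS = {"tcp", "udp", "icmp", "ip", "ip6", "arp"}
QUALIFIERS = {"port", "host", "net"}  # qualifiers that require a value

def bpf_compiles(text: str) -> bool:
    """expr := term ((and|or) term)*; term := not term | (expr) | proto | qual VALUE"""
    toks = text.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0
    def take():  # consume one token, None when exhausted
        nonlocal pos
        pos += 1
        return toks[pos - 1] if pos <= len(toks) else None
    def peek():
        return toks[pos] if pos < len(toks) else None
    def expr():
        if not term():
            return False
        while peek() in ("and", "or"):
            take()
            if not term():
                return False
        return True
    def term():
        t = take()
        if t == "not":
            return term()
        if t == "(":
            return expr() and take() == ")"
        if t in PROTOS:
            return True
        if t in QUALIFIERS:  # "port 22": a value must follow
            return peek() not in (None, "and", "or", "(", ")") and take() is not None
        return False  # bare "22", "", or an unknown word is not a filter
    return bool(toks) and expr() and pos == len(toks)

def split_ngrep_args(args: list[str]):
    """(match expression, bpf filter) as the answer describes ngrep choosing them."""
    if not args:
        return None, None
    if len(args) == 1:  # a lone token is the match expression
        return args[0], None
    rest = " ".join(args[1:])
    if bpf_compiles(rest):  # first token is the match, rest is the filter
        return args[0], rest
    return None, " ".join(args)  # no match expression; everything is the filter
```

Running split_ngrep_args on ["not", "port", "22"] yields ("not", "port 22"), the wrong split the answer warns about, while ["", "not", "port", "22"] yields ("", "not port 22").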