[TriLUG] Ignoring 1e100.net with ntop or other pcap based tools
Matt Hicks
mghicks at gmail.com
Sun Dec 16 01:07:06 EST 2012
Hi All,
Google's 1e100.net can take over my ntop output at times. I'm able to
ignore ALL Google traffic (seemingly) using the filter
*not (src net (74.125/16 or 173.194/16) or dst net (74.125/16 or
173.194/16))*
*
*
Three questions:
*
*
1. Is anyone else ignoring 1e100.net and have different blocks or a better
method? I'm not sure my blocks are correct.
*
*
2. Is there any way to specify the domain in pcap filter syntax? I'd
rather specifically ignore only the 1e100.net domain. Anything that
resolved to Google.com (or others) would be of interest.
3. I'd rather just filter this in ntop's host display and still collect
all the data for aggregation purposes. Any thoughts on how to accomplish
that? Basically, I'm pondering a userscript and was hoping someone's
already cooked up one.
TIA!
More information about the TriLUG
mailing list