[TriLUG] 1e100.net

[Yodawatt gigaFusion]

Season's Greetings! 
FYI, this article www.pcmech.com/article/the-mysterious-1e100-net/ 
goes into some detail about what kind of things Google is doing with 1e100.net and why it shows up so often, plus some things you can do to avoid it if it really concerns you. 
-- Regards --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
To raise new questions, new possibilities, to regard old 
problems from a new angle, requires creative imagination 
and marks real advance in science. -- Albert Einstein 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 


From: mghicks at gmail.com
To: trilug at trilug.org
Date: Sun, 16 Dec 2012 01:07:06 -0500
Subject: [TriLUG] Ignoring 1e100.net with ntop or other pcap based tools

Hi All,
 
Google's 1e100.net can take over my ntop output at times.  I'm able to
ignore ALL Google traffic (seemingly) using the filter
 
*not (src net (74.125/16 or 173.194/16) or dst net (74.125/16 or
173.194/16))*
*
*
Three questions:
*
*
1. Is anyone else ignoring 1e100.net and have different blocks or a better
method?  I'm not sure my blocks are correct.
*
*
2.  Is there any way to specify the domain in pcap filter syntax?   I'd
rather specifically ignore only the 1e100.net domain.  Anything that
resolved to Google.com (or others) would be of interest.
 
3.  I'd rather just filter this in ntop's host display and still collect
all the data for aggregation purposes.  Any thoughts on how to accomplish
that?  Basically, I'm pondering a userscript and was hoping someone's
already cooked up one.
 
 
TIA!