[clue] [tech] arpwatch patch to exclude DHCP range of IP addresses
David L. Anselmi
anselmi at anselmi.us
Mon Mar 4 13:07:40 MST 2013
Jim Ockers wrote:
> (arp or rarp) and not host 192.168.1.100 and not host 192.168.1.101 and not host 192.168.1.102 and
> not host 192.168.1.103 and so on and so forth ad nauseum.
You could say (for source address):
(arp or rarp) and not (ip[15] > 99 and ip[15] < 251)
Or you could also perhaps write an include filter rather than an exclude one, depending which range
is easier to represent. I don't think it's as big as you think.
And if nothing else, get arpwatch to print its output and filter it with grep or such.
Dave
More information about the clue
mailing list