Traffic to Ignore
This section specifies traffic that the device must explicitly
ignore. Even if a host-port pair in this list meets the criterion
in the Desired Traffic section, the device does not capture it. To
ignore all traffic for a host, enter * or All as the port.
When you specify host and port combinations to ignore, you add the restriction that a matched packet must not belong to any of those host and port combinations. For example, suppose you wanted to capture all traffic to and from hosts that are communicating on ports 1, 2, and 3 except for the following host and port combinations:

    Host        Port
    1.2.3.4     4
    5.6.7.8     5
The description of that traffic is the same as running the following single command:
tcpdump -n -i eth0 "((port 1) or (port 2) or (port 3)) and not \
((host 1.2.3.4 and port 4) or (host 5.6.7.8 and port 5))"
In the dcx-conf.xml, the example translates into the following XML:
<Ignores>
    <Ignore>
        <Address>1.2.3.4</Address>
        <Port>4</Port>
    </Ignore>
    <Ignore>
        <Address>5.6.7.8</Address>
        <Port>5</Port>
    </Ignore>
</Ignores>
<ListenTos>
    <ListenTo>
        <Port>1</Port>
    </ListenTo>
    <ListenTo>
        <Port>2</Port>
    </ListenTo>
    <ListenTo>
        <Port>3</Port>
    </ListenTo>
</ListenTos>
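The following is an added example, not part of this documentation or the device's own code: it reads a configuration fragment in the Ignores/ListenTos layout shown above, rebuilds the equivalent tcpdump filter expression, and applies the same rule to individual packets. It assumes the elements are nested under a single root element (the wrapping <Config> tag and the third Ignore entry with a * port are constructed for the sample, not taken from a real dcx-conf.xml) and that a * or All port maps to a plain BPF "host" term.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the dcx-conf.xml layout shown above; the <Config>
# wrapper and the 9.9.9.9 wildcard entry are assumptions for this example.
SAMPLE_CONF = """<Config>
  <Ignores>
    <Ignore><Address>1.2.3.4</Address><Port>4</Port></Ignore>
    <Ignore><Address>5.6.7.8</Address><Port>5</Port></Ignore>
    <Ignore><Address>9.9.9.9</Address><Port>*</Port></Ignore>
  </Ignores>
  <ListenTos>
    <ListenTo><Port>1</Port></ListenTo>
    <ListenTo><Port>2</Port></ListenTo>
    <ListenTo><Port>3</Port></ListenTo>
  </ListenTos>
</Config>"""

WILDCARD_PORTS = {"*", "all"}  # "*" or "All" as the port ignores every port for the host

def parse_conf(xml_text):
    """Return (listen_ports, ignores); ignores is a list of (address, port-or-None)."""
    root = ET.fromstring(xml_text)
    listen_ports = [int(p.text) for p in root.findall("./ListenTos/ListenTo/Port")]
    ignores = []
    for ign in root.findall("./Ignores/Ignore"):
        addr = ign.findtext("Address").strip()
        port = ign.findtext("Port").strip()
        ignores.append((addr, None if port.lower() in WILDCARD_PORTS else int(port)))
    return listen_ports, ignores

def bpf_filter(listen_ports, ignores):
    """Build the single tcpdump/BPF expression that the configuration describes."""
    desired = " or ".join(f"(port {p})" for p in listen_ports)
    terms = [f"(host {a})" if p is None else f"(host {a} and port {p})" for a, p in ignores]
    if not terms:
        return f"({desired})"
    return f"({desired}) and not ({' or '.join(terms)})"

def is_captured(pkt, listen_ports, ignores):
    """Apply the same rule to one packet given as (src_ip, src_port, dst_ip, dst_port)."""
    src, sport, dst, dport = pkt
    hosts, ports = {src, dst}, {sport, dport}
    if not ports & set(listen_ports):  # no desired port on either side
        return False
    for addr, port in ignores:
        # Mirrors BPF: "host A and port P" is true when A is either endpoint and
        # P is either port; the two are not required to be the same endpoint.
        if addr in hosts and (port is None or port in ports):
            return False
    return True
```

Because the ignore pair is evaluated the way BPF evaluates "host A and port P", a packet from 1.2.3.4 on port 1 to another host on port 4 is also dropped from the capture, which is worth keeping in mind when choosing ignore ports that could collide with desired ports.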