I must admit that I build IP address filters more than any other address filter. When I go onsite and do the 'laying on of hands,' I undoubtedly find some rogue traffic that I want to look more closely at. For example, consider the piece of a matrix screen shown in Figure 13 - see anything that looks strange?
Figure 13: What the heck is this doing on the wire?
Here’s that really strange communication that I talked about in Chapter 1. Hey! 127.0.0.1 is the loopback address - you shouldn't ever see traffic to or from 127.0.0.1! Yipes! Seeing this on the matrix immediately prompted me to build a filter on all traffic to or from 127.0.0.1, as shown in Figure 14. All decent analyzers have a simple way to select the address type - on the Sniffer and EtherPeek, you just click on the label "IP."
Figure 14: Include traffic to and from to loopback address to nail this loser.
This was really soooo much fun to catch. Consider building a '127' filter to be prepared in case you ever see this type of traffic.