<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<title>WinPcap: Filtering expression syntax</title>
<link href="tabs.css" rel="stylesheet" type="text/css"/>
<link href="style.css" rel="stylesheet" type="text/css"/>
</head>
<body>
<!-- Generated by Doxygen 1.6.1 -->
<div class="contents">
<h1>Filtering expression syntax<br/>
<small>
[<a class="el" href="group__wpcap.html">WinPcap user's manual</a>]</small>
</h1>
<html>
<body>
<DL COMPACT>
<DT>Note: this document has been drawn from the tcpdump man page. The original version can
be found at <a href="http://www.tcpdump.org">www.tcpdump.org</a>.
<dd> </dd>
<DT>wpcap filters are based on a declarative predicate syntax. A filter is
an ASCII string containing a filtering <I>expression</I>. pcap_compile()
takes the expression and translates it into a program for the kernel-level
packet filter.
</DL>
<p>The expression selects which packets will be dumped.
If no expression is given, all packets on the net will be accepted by the kernel-level filtering engine.
Otherwise, only packets for which <I>expression</I> is `true' will be accepted.</p>
<P>
The <I>expression</I> consists of one or more <I>primitives.</I>
Primitives usually consist of an <I>id</I> (name or number) preceded by one or more qualifiers.
There are three different kinds of qualifier:
<DL COMPACT>
<DT><I>type</I><DD>
qualifiers say what kind of thing the id name or number refers to.
Possible types are <B>host</B>, <B>net</B> and <B>port</B>.
E.g., `host foo', `net 128.3', `port 20'.
If there is no type qualifier, <B>host</B> is assumed.
<DT><I>dir</I><DD>
qualifiers specify a particular transfer direction to and/or from <I>id</I>.
Possible directions are <B>src</B>, <B>dst</B>, <B>src or dst</B> and <B>src and dst</B>.
E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'.
If there is no dir qualifier, <B>src or dst</B> is assumed.
For `null' link layers (i.e. point to point protocols such as slip) the <B>inbound</B> and <B>outbound</B> qualifiers can be used to specify a desired direction.
<DT><I>proto</I><DD>
qualifiers restrict the match to a particular protocol.
Possible protos are: <B>ether</B>, <B>fddi</B>, <B>tr</B>, <B>ip</B>, <B>ip6</B>, <B>arp</B>, <B>rarp</B>, <B>decnet</B>, <B>tcp</B> and <B>udp</B>.
E.g., `ether src foo', `arp net 128.3', `tcp port 21'.
If there is no proto qualifier, all protocols consistent with the type are assumed.
E.g., `src foo' means `(ip or arp or rarp) src foo' (except the latter is not legal syntax), `net bar' means `(ip or arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
</DL>
<P>
[`fddi' is actually an alias for `ether'; the parser treats them identically as meaning ``the data link level used on the specified network interface.'' FDDI headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields.
FDDI headers also contain other fields, but you cannot name them explicitly in a filter expression.
<P>
Similarly, `tr' is an alias for `ether'; the previous paragraph's statements about FDDI headers also apply to Token Ring headers.]
<P>
In addition to the above, there are some special `primitive' keywords that don't follow the pattern: <B>gateway</B>, <B>broadcast</B>, <B>less</B>, <B>greater</B> and arithmetic expressions.
All of these are described below.
<P>
More complex filter expressions are built up by using the words <B>and</B>, <B>or</B> and <B>not</B> to combine primitives.
E.g., `host foo and not port ftp and not port ftp-data'.
To save typing, identical qualifier lists can be omitted.
E.g., `tcp dst port ftp or ftp-data or domain' is exactly the same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.
<P>
Allowable primitives are:
<DL COMPACT>
<DT><B>dst host </B><I>host</I><DD>
True if the IPv4/v6 destination field of the packet is <I>host</I>, which may be either an address or a name.
<DT><B>src host </B><I>host</I><DD>
True if the IPv4/v6 source field of the packet is <I>host</I>.
<DT><B>host </B><I>host</I><DD>
True if either the IPv4/v6 source or destination of the packet is <I>host</I>.
Any of the above host expressions can be prepended with the keywords <B>ip</B>, <B>arp</B>, <B>rarp</B>, or <B>ip6</B> as in:
<dl COMPACT>
<dd>
<PRE><B>ip host </B><I>host</I></PRE>
</dd>
</dl>
which is equivalent to:
<dl COMPACT>
<dd>
<PRE><B>ether proto </B><I>\ip</I><B> and host </B><I>host</I></PRE>
</dd>
</dl>
If <I>host</I> is a name with multiple IP addresses, each address will be checked for a match.
<DT><B>ether dst </B><I>ehost</I><DD>
True if the ethernet destination address is <I>ehost</I>.
<I>Ehost</I> may be either a name from /etc/ethers or a number (see <I>ethers</I>(3N) for numeric format).
<DT><B>ether src </B><I>ehost</I><DD>
True if the ethernet source address is <I>ehost</I>.
<DT><B>ether host </B><I>ehost</I><DD>
True if either the ethernet source or destination address is <I>ehost</I>.
<DT><B>gateway</B> <I>host</I><DD>
True if the packet used <I>host</I> as a gateway.
I.e., the ethernet source or destination address was <I>host</I> but neither the IP source nor the IP destination was <I>host</I>.
<I>Host</I> must be a name and must be found both by the machine's host-name-to-IP-address resolution mechanisms (host name file, DNS, NIS, etc.) and by the machine's host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.).
(An equivalent expression is
<dl COMPACT>
<dd>
<PRE><B>ether host </B><I>ehost </I><B>and not host </B><I>host</I></PRE>
</dd>
</dl>
which can be used with either names or numbers for <I>host / ehost</I>.)
This syntax does not work in an IPv6-enabled configuration at this moment.
<DT><B>dst net </B><I>net</I><DD>
True if the IPv4/v6 destination address of the packet has a network number of <I>net</I>.
<I>Net</I> may be either a name from /etc/networks or a network number (see <I>networks(4)</I> for details).
<DT><B>src net </B><I>net</I><DD>
True if the IPv4/v6 source address of the packet has a network number of <I>net</I>.
<DT><B>net </B><I>net</I><DD>
True if either the IPv4/v6 source or destination address of the packet has a network number of <I>net</I>.
<DT><B>net </B><I>net</I> <B>mask </B><I>netmask</I><DD>
True if the IP address matches <I>net</I> with the specified <I>netmask</I>.
May be qualified with <B>src</B> or <B>dst</B>.
Note that this syntax is not valid for IPv6 <I>net</I>.
<DT><B>net </B><I>net</I>/<I>len</I><DD>
True if the IPv4/v6 address matches <I>net</I> with a netmask <I>len</I> bits wide.
May be qualified with <B>src</B> or <B>dst</B>.
<DT><B>dst port </B><I>port</I><DD>
True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value of <I>port</I>.
The <I>port</I> can be a number or a name used in /etc/services (see <I>tcp</I>(4P) and <I>udp</I>(4P)).
If a name is used, both the port number and protocol are checked.
If a number or ambiguous name is used, only the port number is checked (e.g., <B>dst port 513</B> will print both tcp/login traffic and udp/who traffic, and <B>port domain</B> will print both tcp/domain and udp/domain traffic).
<DT><B>src port </B><I>port</I><DD>
True if the packet has a source port value of <I>port</I>.
<DT><B>port </B><I>port</I><DD>
True if either the source or destination port of the packet is <I>port</I>.
Any of the above port expressions can be prepended with the keywords <B>tcp</B> or <B>udp</B>, as in:
<dl COMPACT>
<dd>
<PRE><B>tcp src port </B><I>port</I></PRE>
</dd>
</dl>
which matches only tcp packets whose source port is <I>port</I>.
<DT><B>less </B><I>length</I><DD>
True if the packet has a length less than or equal to <I>length</I>.
This is equivalent to:
<dl COMPACT>
<dd>
<PRE><B>len &lt;= </B><I>length</I>.</PRE>
</dd>
</dl>
<DT><B>greater </B><I>length</I><DD>
True if the packet has a length greater than or equal to <I>length</I>.
This is equivalent to:
<dl COMPACT>
<dd>
<PRE><B>len &gt;= </B><I>length</I>.</PRE>
</dd>
</dl>
<DT><B>ip proto </B><I>protocol</I><DD>
True if the packet is an IP packet (see <I>ip</I>(4P)) of protocol type <I>protocol</I>.
<I>Protocol</I> can be a number or one of the names <I>icmp</I>, <I>icmp6</I>, <I>igmp</I>, <I>igrp</I>, <I>pim</I>, <I>ah</I>, <I>esp</I>, <I>vrrp</I>, <I>udp</I>, or <I>tcp</I>.
Note that the identifiers <I>tcp</I>, <I>udp</I>, and <I>icmp</I> are also keywords and must be escaped via backslash (\), which is \\ in the C-shell.
Note that this primitive does not chase the protocol header chain.
<DT><B>ip6 proto </B><I>protocol</I><DD>
True if the packet is an IPv6 packet of protocol type <I>protocol</I>.
Note that this primitive does not chase the protocol header chain.
<DT><B>ip6 protochain </B><I>protocol</I><DD>
True if the packet is an IPv6 packet and contains a protocol header with type <I>protocol</I> in its protocol header chain.
For example,
<dl COMPACT>
<dd>
<PRE><B>ip6 protochain 6</B></PRE>
</dd>
</dl>
matches any IPv6 packet with a TCP protocol header in the protocol header chain.
The packet may contain, for example, an authentication header, routing header, or hop-by-hop option header between the IPv6 header and the TCP header.
The BPF code emitted by this primitive is complex and cannot be optimized by the BPF optimizer code in <I>tcpdump</I>, so this can be somewhat slow.
<DT><B>ip protochain </B><I>protocol</I><DD>
Equivalent to <B>ip6 protochain </B><I>protocol</I>, but this is for IPv4.
<DT><B>ether broadcast</B><DD>
True if the packet is an ethernet broadcast packet.
The <I>ether</I> keyword is optional.
<DT><B>ip broadcast</B><DD>
True if the packet is an IP broadcast packet.
It checks for both the all-zeroes and all-ones broadcast conventions, and looks up the local subnet mask.
<DT><B>ether multicast</B><DD>
True if the packet is an ethernet multicast packet.
The <I>ether</I> keyword is optional.
This is shorthand for `<B>ether[0] &amp; 1 != 0</B>'.
<DT><B>ip multicast</B><DD>
True if the packet is an IP multicast packet.
<DT><B>ip6 multicast</B><DD>
True if the packet is an IPv6 multicast packet.
<DT><B>ether proto </B><I>protocol</I><DD>
True if the packet is of ether type <I>protocol</I>.
<I>Protocol</I> can be a number or one of the names <I>ip</I>, <I>ip6</I>, <I>arp</I>, <I>rarp</I>, <I>atalk</I>, <I>aarp</I>, <I>decnet</I>, <I>sca</I>, <I>lat</I>, <I>mopdl</I>, <I>moprc</I>, <I>iso</I>, <I>stp</I>, <I>ipx</I>, or <I>netbeui</I>.
Note these identifiers are also keywords and must be escaped via backslash (\).
<DT><DD>
[In the case of FDDI (e.g., `<B>fddi protocol arp</B>') and Token Ring (e.g., `<B>tr protocol arp</B>'), for most of those protocols, the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI or Token Ring header.
<DT><DD>
When filtering for most protocol identifiers on FDDI or Token Ring, <I>tcpdump</I> checks only the protocol ID field of an LLC header in so-called SNAP format with an Organizational Unit Identifier (OUI) of 0x000000, for encapsulated Ethernet; it doesn't check whether the packet is in SNAP format with an OUI of 0x000000.
<DT><DD>
The exceptions are <I>iso</I>, for which it checks the DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) fields of the LLC header, <I>stp</I> and <I>netbeui</I>, where it checks the DSAP of the LLC header, and <I>atalk</I>, where it checks for a SNAP-format packet with an OUI of 0x080007 and the Appletalk etype.
<DT><DD>
In the case of Ethernet, <I>tcpdump</I> checks the Ethernet type field for most of those protocols; the exceptions are <I>iso</I>, <I>sap</I>, and <I>netbeui</I>, for which it checks for an 802.3 frame and then checks the LLC header as it does for FDDI and Token Ring, <I>atalk</I>, where it checks both for the Appletalk etype in an Ethernet frame and for a SNAP-format packet as it does for FDDI and Token Ring, <I>aarp</I>, where it checks for the Appletalk ARP etype in either an Ethernet frame or an 802.2 SNAP frame with an OUI of 0x000000, and <I>ipx</I>, where it checks for the IPX etype in an Ethernet frame, the IPX DSAP in the LLC header, the 802.3 with no LLC header encapsulation of IPX, and the IPX etype in a SNAP frame.]
<DT><B>decnet src </B><I>host</I><DD>
True if the DECNET source address is <I>host</I>, which may be an address of the form ``10.123'', or a DECNET host name.
[DECNET host name support is only available on Ultrix systems that are configured to run DECNET.]
<DT><B>decnet dst </B><I>host</I><DD>
True if the DECNET destination address is <I>host</I>.
<DT><B>decnet host </B><I>host</I><DD>
True if either the DECNET source or destination address is <I>host</I>.
<DT><B>ip</B>, <B>ip6</B>, <B>arp</B>, <B>rarp</B>, <B>atalk</B>, <B>aarp</B>, <B>decnet</B>, <B>iso</B>, <B>stp</B>, <B>ipx</B>, <B>netbeui</B><DD>
Abbreviations for:
<dl COMPACT>
<dd>
<PRE><B>ether proto </B><I>p</I></PRE>
</dd>
</dl>
where <I>p</I> is one of the above protocols.
<DT><B>lat</B>, <B>moprc</B>, <B>mopdl</B><DD>
Abbreviations for:
<dl COMPACT>
<dd>
<PRE><B>ether proto </B><I>p</I></PRE>
</dd>
</dl>
where <I>p</I> is one of the above protocols.
Note that <I>tcpdump</I> does not currently know how to parse these protocols.
<DT><B>vlan </B><I>[vlan_id]</I><DD>
True if the packet is an IEEE 802.1Q VLAN packet.
If <I>[vlan_id]</I> is specified, only true if the packet has the specified <I>vlan_id</I>.
Note that the first <B>vlan</B> keyword encountered in <I>expression</I> changes the decoding offsets for the remainder of <I>expression</I> on the assumption that the packet is a VLAN packet.
<DT><B>tcp</B>, <B>udp</B>, <B>icmp</B><DD>
Abbreviations for:
<dl COMPACT>
<dd>
<PRE><B>ip proto </B><I>p</I><B> or ip6 proto </B><I>p</I></PRE>
</dd>
</dl>
where <I>p</I> is one of the above protocols.
<DT><B>iso proto </B><I>protocol</I><DD>
True if the packet is an OSI packet of protocol type <I>protocol</I>.
<I>Protocol</I> can be a number or one of the names <I>clnp</I>, <I>esis</I>, or <I>isis</I>.
<DT><B>clnp</B>, <B>esis</B>, <B>isis</B><DD>
Abbreviations for:
<dl COMPACT>
<dd>
<PRE><B>iso proto </B><I>p</I></PRE>
</dd>
</dl>
where <I>p</I> is one of the above protocols.
Note that <I>tcpdump</I> does an incomplete job of parsing these protocols.
<DT><I>expr relop expr</I><DD>
True if the relation holds, where <I>relop</I> is one of &gt;, &lt;, &gt;=, &lt;=, =, !=, and <I>expr</I> is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &amp;, |], a length operator, and special packet data accessors.
To access data inside the packet, use the following syntax:
<PRE>
<I>proto</I><B> [ </B><I>expr</I><B> : </B><I>size</I><B> ]</B>
</PRE>
<I>Proto</I> is one of <B>ether, fddi, tr, ip, arp, rarp, tcp, udp, icmp</B> or <B>ip6</B>, and indicates the protocol layer for the index operation.
Note that <I>tcp, udp</I> and other upper-layer protocol types only apply to IPv4, not IPv6 (this will be fixed in the future).
The byte offset, relative to the indicated protocol layer, is given by <I>expr</I>.
<I>Size</I> is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one.
The length operator, indicated by the keyword <B>len</B>, gives the length of the packet.
<P>
For example, `<B>ether[0] &amp; 1 != 0</B>' catches all multicast traffic.
The expression `<B>ip[0] &amp; 0xf != 5</B>' catches all IP packets with options.
The expression `<B>ip[6:2] &amp; 0x1fff = 0</B>' catches only unfragmented datagrams and frag zero of fragmented datagrams.
This check is implicitly applied to the <B>tcp</B> and <B>udp</B> index operations.
For instance, <B>tcp[0]</B> always means the first byte of the TCP <I>header</I>, and never means the first byte of an intervening fragment.
<P>
Some offsets and field values may be expressed as names rather than as numeric values.
The following protocol header field offsets are available: <B>icmptype</B> (ICMP type field), <B>icmpcode</B> (ICMP code field), and <B>tcpflags</B> (TCP flags field).
<P>
The following ICMP type field values are available: <B>icmp-echoreply</B>, <B>icmp-unreach</B>, <B>icmp-sourcequench</B>, <B>icmp-redirect</B>, <B>icmp-echo</B>, <B>icmp-routeradvert</B>, <B>icmp-routersolicit</B>, <B>icmp-timxceed</B>, <B>icmp-paramprob</B>, <B>icmp-tstamp</B>, <B>icmp-tstampreply</B>, <B>icmp-ireq</B>, <B>icmp-ireqreply</B>, <B>icmp-maskreq</B>, <B>icmp-maskreply</B>.
<P>
The following TCP flags field values are available: <B>tcp-fin</B>, <B>tcp-syn</B>, <B>tcp-rst</B>, <B>tcp-push</B>, <B>tcp-ack</B>, <B>tcp-urg</B>.
</DL>
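<p>The packet data accessor semantics above, worked as an added Python example (not code from the WinPcap or tcpdump documentation): <B>access(frame, proto, offset, size)</B> reads a one-, two- or four-byte big-endian field relative to the <B>ether</B>, <B>ip</B>, <B>tcp</B>, <B>udp</B> or <B>icmp</B> layer of a raw Ethernet II / IPv4 frame, and returns <B>None</B> wherever the compiled BPF program would simply not match (layer absent, non-zero fragment offset for the transport accessors, field past the end of the packet). The frames are constructed inline for the demonstration; the function names and the TCP flags byte offset of 13 (libpcap's <B>tcpflags</B>) are this example's own assumptions, not names from the page.</p>

```python
"""proto[offset:size] packet data accessors over a raw Ethernet frame.

Added example, not code from the WinPcap/tcpdump documentation.  It follows
the accessor semantics described above for untagged Ethernet II frames
carrying IPv4: offsets are relative to the named layer, fields are 1, 2 or
4 bytes big-endian, and the tcp/udp/icmp accessors only apply to
unfragmented datagrams or fragment zero.
"""
import struct

ETHERTYPE_IP = 0x0800
IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17}
TCPFLAGS = 13   # flags byte of the TCP header (libpcap's `tcpflags` offset)


def layer_offset(frame, proto):
    """Start of `proto` inside `frame`, or None if the frame does not carry
    that layer (the corresponding filter primitive would be false)."""
    if proto == "ether":
        return 0
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:
        return None
    ip_off = 14
    if proto == "ip":
        return ip_off
    if proto in IP_PROTO:
        ihl = (frame[ip_off] & 0x0F) * 4
        frag = struct.unpack("!H", frame[ip_off + 6:ip_off + 8])[0] & 0x1FFF
        # ip[6:2] & 0x1fff = 0 is applied implicitly: tcp[0] never means the
        # first byte of an intervening fragment.
        if frame[ip_off + 9] != IP_PROTO[proto] or frag != 0:
            return None
        return ip_off + ihl
    raise ValueError("unsupported proto %r" % proto)


def access(frame, proto, offset, size=1):
    """proto[offset:size] as an unsigned integer, or None when the layer is
    absent or the field runs past the end of the packet (BPF rejects
    out-of-range loads, so the packet simply does not match)."""
    if size not in (1, 2, 4):
        raise ValueError("size must be one, two or four bytes")
    base = layer_offset(frame, proto)
    if base is None:
        return None
    field = frame[base + offset:base + offset + size]
    if len(field) != size:
        return None
    return int.from_bytes(field, "big")


# The documented expressions, written against access():
def is_multicast(frame):              # ether[0] & 1 != 0
    v = access(frame, "ether", 0)
    return v is not None and (v & 1) != 0


def has_ip_options(frame):            # ip[0] & 0xf != 5
    v = access(frame, "ip", 0)
    return v is not None and (v & 0xF) != 5


def is_unfragmented_or_first(frame):  # ip[6:2] & 0x1fff = 0
    v = access(frame, "ip", 6, 2)
    return v is not None and (v & 0x1FFF) == 0


def tcp_flags(frame):                 # tcp[tcpflags]; None if no TCP header
    return access(frame, "tcp", TCPFLAGS)


def build_frame(dst_mac, src_mac, ip_options=b"", frag_offset=0,
                proto=6, payload=b""):
    """Constructed test frame: Ethernet II + IPv4 (+ options) + payload."""
    assert len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                         0x1234, frag_offset & 0x1FFF, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IP) + ip_hdr + ip_options + payload


# Constructed sample frames (not captured traffic).
UNICAST = bytes.fromhex("001122334455")
MULTICAST = bytes.fromhex("01005e000001")
SRC = bytes.fromhex("66778899aabb")
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)

SYN_FRAME = build_frame(UNICAST, SRC, payload=TCP_SYN)
OPTIONS_FRAME = build_frame(UNICAST, SRC, ip_options=b"\x01" * 4, payload=TCP_SYN)
FRAGMENT_FRAME = build_frame(UNICAST, SRC, frag_offset=185, payload=b"\x00" * 8)
MCAST_UDP_FRAME = build_frame(MULTICAST, SRC, proto=17, payload=b"\x00" * 8)

if __name__ == "__main__":
    for name, f in (("syn", SYN_FRAME), ("options", OPTIONS_FRAME),
                    ("fragment", FRAGMENT_FRAME), ("mcast udp", MCAST_UDP_FRAME)):
        print(name, is_multicast(f), has_ip_options(f),
              is_unfragmented_or_first(f), tcp_flags(f))
```

<p>The point to take from the frames: <B>tcp_flags(OPTIONS_FRAME)</B> still finds the SYN bit because the <B>tcp</B> layer offset follows the IP header length rather than assuming 20 bytes, and <B>tcp_flags(FRAGMENT_FRAME)</B> is <B>None</B> because the implicit fragment-zero check refuses to treat payload bytes of a later fragment as a TCP header.</p>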
<P>
Primitives may be combined using:
<DL COMPACT>
<DT><DD>
A parenthesized group of primitives and operators (parentheses are special to the Shell and must be escaped).
<DT><DD>
Negation (`<B>!</B>' or `<B>not</B>').
<DT><DD>
Concatenation (`<B>&amp;&amp;</B>' or `<B>and</B>').
<DT><DD>
Alternation (`<B>||</B>' or `<B>or</B>').
</DL>
<P>
Negation has highest precedence.
Alternation and concatenation have equal precedence and associate left to right.
Note that explicit <B>and</B> tokens, not juxtaposition, are now required for concatenation.
<P>
If an identifier is given without a keyword, the most recent keyword is assumed.
For example,
<blockquote>
<PRE><B>not host vs and ace</B></PRE>
</blockquote>
is short for
<blockquote>
<PRE><B>not host vs and host ace</B></PRE>
</blockquote>
which should not be confused with
<blockquote>
<PRE><B>not ( host vs or ace )</B></PRE>
</blockquote>
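<p>To make the qualifier shorthand concrete (both the "identical qualifier lists can be omitted" rule earlier on this page and the "most recent keyword is assumed" rule just above), here is an added Python example, not part of the WinPcap or tcpdump documentation, that rewrites an expression so every bare identifier carries the most recent qualifier list and, where no type qualifier was given, the assumed <B>host</B> type. It handles only the type, dir and proto qualifiers and the <B>and</B>/<B>or</B>/<B>not</B>/parenthesis operators described above; keyword primitives such as <B>gateway</B>, <B>ether proto</B> or <B>vlan</B> and arithmetic accessors are outside what it tokenises. The function name <B>expand_qualifiers</B> is this example's own.</p>

```python
"""Expand the implicit-qualifier shorthand of pcap filter expressions.

Added example, not part of the WinPcap/tcpdump documentation.  Covered:
type qualifiers (host/net/port), dir qualifiers (src, dst, src or dst,
src and dst, inbound, outbound), proto qualifiers (ether, ip, tcp, ...)
and the and/or/not operators with parentheses.  Keyword primitives such as
`gateway`, `ether proto` or `vlan` and `expr relop expr` arithmetic are
not tokenised by this helper.
"""
import re

TYPE_QUALS = {"host", "net", "port"}
DIR_QUALS = {"src", "dst", "inbound", "outbound"}
PROTO_QUALS = {"ether", "fddi", "tr", "ip", "ip6", "arp", "rarp",
               "decnet", "tcp", "udp"}
OPERATORS = {"and", "or", "not", "&&", "||", "!", "(", ")"}


def tokenize(expression):
    """Split on whitespace, keeping parentheses as separate tokens."""
    return re.findall(r"\(|\)|[^\s()]+", expression)


def expand_qualifiers(expression):
    """Return `expression` with every bare id given the most recent
    qualifier list, e.g. 'tcp dst port ftp or ftp-data' becomes
    'tcp dst port ftp or tcp dst port ftp-data'.  An id whose qualifier
    list has no type qualifier gets the assumed type `host`."""
    tokens = tokenize(expression)
    out = []
    current_quals = []   # qualifier list attached to the last id seen
    pending = []         # qualifiers collected in front of the next id
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        # 'src or dst' / 'src and dst' are single dir qualifiers, so the
        # 'or'/'and' inside them must not be read as a boolean operator.
        if (tok in {"src", "dst"} and i + 2 < len(tokens)
                and tokens[i + 1] in {"or", "and"}
                and tokens[i + 2] in {"src", "dst"}):
            pending.append(" ".join(tokens[i:i + 3]))
            i += 3
            continue
        if tok in TYPE_QUALS or tok in DIR_QUALS or tok in PROTO_QUALS:
            pending.append(tok)
        elif tok in OPERATORS:
            # Qualifiers with no id in front of an operator (a bare 'tcp' or
            # 'ip') are protocol abbreviations and are emitted unchanged.
            out.extend(pending)
            pending = []
            out.append(tok)
        else:
            # An id (name or number): a fresh qualifier list replaces the
            # remembered one, otherwise the most recent keywords apply.
            if pending:
                current_quals = pending
                pending = []
            quals = list(current_quals)
            if not any(q in TYPE_QUALS for q in quals):
                quals.append("host")   # no type qualifier: host is assumed
            out.append(" ".join(quals + [tok]))
        i += 1
    out.extend(pending)
    return " ".join(out)


if __name__ == "__main__":
    for expr in ("tcp dst port ftp or ftp-data or domain",
                 "not host vs and ace",
                 "src or dst port ftp-data and not net 128.3"):
        print(expr, "->", expand_qualifiers(expr))
```

<p>Running it on <B>not host vs and ace</B> yields <B>not host vs and host ace</B>: the qualifier is copied to the second identifier, but the <B>not</B> is not, which is exactly why that expression differs from <B>not ( host vs or ace )</B>. A reviewer of a filter used in a capture or IDS rule can run the expansion to see the fully qualified form before trusting what it excludes.</p>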
<P>
Expression arguments can be passed to <I>tcpdump</I> as either a single argument or as multiple arguments, whichever is more convenient.
Generally, if the expression contains Shell metacharacters, it is easier to pass it as a single, quoted argument.
Multiple arguments are concatenated with spaces before being parsed.
</body>
</html>
</div>
<hr>
<p align="right"><img border="0" src="winpcap_small.gif" align="absbottom" width="91" height="27">
documentation. Copyright (c) 2002-2005 Politecnico di Torino. Copyright (c) 2005-2009
CACE Technologies. All rights reserved.</p>