suzanne.soy/man-pages
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
gh-pages
man-pages/man7/pcap-filter.7.html
Suzanne Soy 4c89183f2b Added man pages from my system
2021-03-31 01:06:50 +01:00

1229 lines
37 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of PCAP-FILTER</TITLE>
</HEAD><BODY>
<H1>PCAP-FILTER</H1>
Section: Environments, Tables, and Troff Macros (7)<BR>Updated: 5 November 2017<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
pcap-filter - packet filter syntax
<BR>
<A NAME="lbAC">&nbsp;</A>
<H2>DESCRIPTION</H2>
<P>
<B>pcap_compile()</B>
is used to compile a string into a filter program.
The resulting filter program can then be applied to
some stream of packets to determine which packets will be supplied to
<B>pcap_loop(3PCAP)</B>,
<B>pcap_dispatch(3PCAP)</B>,
<B>pcap_next(3PCAP)</B>,
or
<B>pcap_next_ex(3PCAP)</B>.
<P>
The <I>filter expression</I> consists of one or more
<I>primitives</I>.
Primitives usually consist of an
<I>id</I>
(name or number) preceded by one or more qualifiers.
There are three
different kinds of qualifier:
<DL COMPACT>
<DT id="1"><I>type</I><DD>
<I>type</I>
qualifiers say what kind of thing the id name or number refers to.
Possible types are
<B>host</B>,
<B>net ,</B>
<B>port</B>
and
<B>portrange</B>.
E.g., `host foo', `net 128.3', `port 20', `portrange 6000-6008'.
If there is no type
qualifier,
<B>host</B>
is assumed.
<DT id="2"><I>dir</I><DD>
<I>dir</I>
qualifiers specify a particular transfer direction to and/or from
<I>id</I>.
Possible directions are
<B>src</B>,
<B>dst</B>,
<B>src or dst</B>,
<B>src and dst</B>,
<B>ra</B>,
<B>ta</B>,
<B>addr1</B>,
<B>addr2</B>,
<B>addr3</B>,
and
<B>addr4</B>.
E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'.
If
there is no dir qualifier,
<B>src or dst</B>
is assumed.
The
<B>ra</B>,
<B>ta</B>,
<B>addr1</B>,
<B>addr2</B>,
<B>addr3</B>,
and
<B>addr4</B>
qualifiers are only valid for IEEE 802.11 Wireless LAN link layers.
<DT id="3"><I>proto</I><DD>
<I>proto</I>
qualifiers restrict the match to a particular protocol.
Possible
protos are:
<B>ether</B>,
<B>fddi</B>,
<B>tr</B>,
<B>wlan</B>,
<B>ip</B>,
<B>ip6</B>,
<B>arp</B>,
<B>rarp</B>,
<B>decnet</B>,
<B>tcp</B>
and
<B>udp</B>.
E.g., `ether src foo', `arp net 128.3', `tcp port 21', `udp portrange
7000-7009', `wlan addr2 0:2:3:4:5:6'.
If there is
no proto qualifier, all protocols consistent with the type are
assumed.
E.g., `src foo' means `(ip or arp or rarp) src foo'
(except the latter is not legal syntax), `net bar' means `(ip or
arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
</DL>
<P>
[`fddi' is actually an alias for `ether'; the parser treats them
identically as meaning ``the data link level used on the specified
network interface.'' FDDI headers contain Ethernet-like source
and destination addresses, and often contain Ethernet-like packet
types, so you can filter on these FDDI fields just as with the
analogous Ethernet fields.
FDDI headers also contain other fields,
but you cannot name them explicitly in a filter expression.
<P>
Similarly, `tr' and `wlan' are aliases for `ether'; the previous
paragraph's statements about FDDI headers also apply to Token Ring
and 802.11 wireless LAN headers. For 802.11 headers, the destination
address is the DA field and the source address is the SA field; the
BSSID, RA, and TA fields aren't tested.]
<P>
In addition to the above, there are some special `primitive' keywords
that don't follow the pattern:
<B>gateway</B>,
<B>broadcast</B>,
<B>less</B>,
<B>greater</B>
and arithmetic expressions.
All of these are described below.
<P>
More complex filter expressions are built up by using the words
<B>and</B>,
<B>or</B>
and
<B>not</B>
to combine primitives.
E.g., `host foo and not port ftp and not port ftp-data'.
To save typing, identical qualifier lists can be omitted.
E.g.,
`tcp dst port ftp or ftp-data or domain' is exactly the same as
`tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.
<P>
Allowable primitives are:
<DL COMPACT>
<DT id="4"><B>dst host </B><I>host</I><DD>
True if the IPv4/v6 destination field of the packet is <I>host</I>,
which may be either an address or a name.
<DT id="5"><B>src host </B><I>host</I><DD>
True if the IPv4/v6 source field of the packet is <I>host</I>.
<DT id="6"><B>host </B><I>host</I><DD>
True if either the IPv4/v6 source or destination of the packet is <I>host</I>.
<DT id="7"><DD>
Any of the above host expressions can be prepended with the keywords,
<B>ip</B>, <B>arp</B>, <B>rarp</B>, or <B>ip6</B> as in:
<PRE>
<B>ip host </B><I>host</I>
</PRE>
which is equivalent to:
<PRE>
<B>ether proto </B><I>\ip</I><B> and host </B><I>host</I>
</PRE>
If <I>host</I> is a name with multiple IP addresses, each address will
be checked for a match.
<DT id="8"><B>ether dst </B><I>ehost</I><DD>
True if the Ethernet destination address is <I>ehost</I>.
<I>Ehost</I>
may be either a name from /etc/ethers or a numerical MAC address of the
form &quot;xx:xx:xx:xx:xx:xx&quot;, &quot;xx.xx.xx.xx.xx.xx&quot;, &quot;xx-xx-xx-xx-xx-xx&quot;,
&quot;xxxx.xxxx.xxxx&quot;, &quot;xxxxxxxxxxxx&quot;, or various mixes of ':', '.', and '-',
where each &quot;x&quot; is a hex digit (0-9, a-f, or A-F).
<DT id="9"><B>ether src </B><I>ehost</I><DD>
True if the Ethernet source address is <I>ehost</I>.
<DT id="10"><B>ether host </B><I>ehost</I><DD>
True if either the Ethernet source or destination address is <I>ehost</I>.
<DT id="11"><B>gateway</B> <I>host</I><DD>
True if the packet used <I>host</I> as a gateway.
I.e., the Ethernet
source or destination address was <I>host</I> but neither the IP source
nor the IP destination was <I>host</I>.
<I>Host</I> must be a name and
must be found both by the machine's host-name-to-IP-address resolution
mechanisms (host name file, DNS, NIS, etc.) and by the machine's
host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.).
(An equivalent expression is
<PRE>
<B>ether host </B><I>ehost </I><B>and not host </B><I>host</I>
</PRE>
which can be used with either names or numbers for <I>host / ehost</I>.)
This syntax does not work in IPv6-enabled configuration at this moment.
<DT id="12"><B>dst net </B><I>net</I><DD>
True if the IPv4/v6 destination address of the packet has a network
number of <I>net</I>.
<I>Net</I> may be either a name from the networks database
(/etc/networks, etc.) or a network number.
An IPv4 network number can be written as a dotted quad (e.g., 192.168.1.0),
dotted triple (e.g., 192.168.1), dotted pair (e.g, 172.16), or single
number (e.g., 10); the netmask is 255.255.255.255 for a dotted quad
(which means that it's really a host match), 255.255.255.0 for a dotted
triple, 255.255.0.0 for a dotted pair, or 255.0.0.0 for a single number.
An IPv6 network number must be written out fully; the netmask is
ff:ff:ff:ff:ff:ff:ff:ff, so IPv6 &quot;network&quot; matches are really always
host matches, and a network match requires a netmask length.
<DT id="13"><B>src net </B><I>net</I><DD>
True if the IPv4/v6 source address of the packet has a network
number of <I>net</I>.
<DT id="14"><B>net </B><I>net</I><DD>
True if either the IPv4/v6 source or destination address of the packet has a network
number of <I>net</I>.
<DT id="15"><B>net </B><I>net</I> <B>mask </B><I>netmask</I><DD>
True if the IPv4 address matches <I>net</I> with the specific <I>netmask</I>.
May be qualified with <B>src</B> or <B>dst</B>.
Note that this syntax is not valid for IPv6 <I>net</I>.
<DT id="16"><B>net </B><I>net</I>/<I>len</I><DD>
True if the IPv4/v6 address matches <I>net</I> with a netmask <I>len</I>
bits wide.
May be qualified with <B>src</B> or <B>dst</B>.
<DT id="17"><B>dst port </B><I>port</I><DD>
True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a
destination port value of <I>port</I>.
The <I>port</I> can be a number or a name used in /etc/services (see
<I><A HREF="/cgi-bin/man/man2html?4P+tcp">tcp</A></I>(4P)
and
<I><A HREF="/cgi-bin/man/man2html?4P+udp">udp</A></I>(4P)).
If a name is used, both the port
number and protocol are checked.
If a number or ambiguous name is used,
only the port number is checked (e.g., <B>dst port 513</B> will print both
tcp/login traffic and udp/who traffic, and <B>port domain</B> will print
both tcp/domain and udp/domain traffic).
<DT id="18"><B>src port </B><I>port</I><DD>
True if the packet has a source port value of <I>port</I>.
<DT id="19"><B>port </B><I>port</I><DD>
True if either the source or destination port of the packet is <I>port</I>.
<DT id="20"><B>dst portrange </B><I>port1</I><B>-</B><I>port2</I><DD>
True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a
destination port value between <I>port1</I> and <I>port2</I>.
<I>port1</I>
and
<I>port2</I>
are interpreted in the same fashion as the
<I>port</I>
parameter for
<B>port</B>.
<DT id="21"><B>src portrange </B><I>port1</I><B>-</B><I>port2</I><DD>
True if the packet has a source port value between <I>port1</I> and
<I>port2</I>.
<DT id="22"><B>portrange </B><I>port1</I><B>-</B><I>port2</I><DD>
True if either the source or destination port of the packet is between
<I>port1</I> and <I>port2</I>.
<DT id="23"><DD>
Any of the above port or port range expressions can be prepended with
the keywords, <B>tcp</B> or <B>udp</B>, as in:
<PRE>
<B>tcp src port </B><I>port</I>
</PRE>
which matches only tcp packets whose source port is <I>port</I>.
<DT id="24"><B>less </B><I>length</I><DD>
True if the packet has a length less than or equal to <I>length</I>.
This is equivalent to:
<PRE>
<B>len &lt;= </B><I>length</I>.
</PRE>
<DT id="25"><B>greater </B><I>length</I><DD>
True if the packet has a length greater than or equal to <I>length</I>.
This is equivalent to:
<PRE>
<B>len &gt;= </B><I>length</I>.
</PRE>
<DT id="26"><B>ip proto </B><I>protocol</I><DD>
True if the packet is an IPv4 packet (see
<I><A HREF="/cgi-bin/man/man2html?4P+ip">ip</A></I>(4P))
of protocol type <I>protocol</I>.
<I>Protocol</I> can be a number or one of the names
<B>icmp</B>, <B>icmp6</B>, <B>igmp</B>, <B>igrp</B>, <B>pim</B>, <B>ah</B>,
<B>esp</B>, <B>vrrp</B>, <B>udp</B>, or <B>tcp</B>.
Note that the identifiers <B>tcp</B>, <B>udp</B>, and <B>icmp</B> are also
keywords and must be escaped via backslash (\).
Note that this primitive does not chase the protocol header chain.
<DT id="27"><B>ip6 proto </B><I>protocol</I><DD>
True if the packet is an IPv6 packet of protocol type <I>protocol</I>.
Note that this primitive does not chase the protocol header chain.
<DT id="28"><B>proto </B><I>protocol</I><DD>
True if the packet is an IPv4 or IPv6 packet of protocol type
<I>protocol</I>. Note that this primitive does not chase the protocol
header chain.
<DT id="29"><B>tcp</B>, <B>udp</B>, <B>icmp</B><DD>
Abbreviations for:
<PRE>
<B>proto </B><I>p</I><B>
</B></PRE>
where <I>p</I> is one of the above protocols.
<DT id="30"><B>ip6 protochain </B><I>protocol</I><DD>
True if the packet is IPv6 packet,
and contains protocol header with type <I>protocol</I>
in its protocol header chain.
For example,
<PRE>
<B>ip6 protochain 6</B>
</PRE>
matches any IPv6 packet with TCP protocol header in the protocol header chain.
The packet may contain, for example,
authentication header, routing header, or hop-by-hop option header,
between IPv6 header and TCP header.
The BPF code emitted by this primitive is complex and
cannot be optimized by the BPF optimizer code, and is not supported by
filter engines in the kernel, so this can be somewhat slow, and may
cause more packets to be dropped.
<DT id="31"><B>ip protochain </B><I>protocol</I><DD>
Equivalent to <B>ip6 protochain </B><I>protocol</I>, but this is for IPv4.
<DT id="32"><B>protochain </B><I>protocol</I><DD>
True if the packet is an IPv4 or IPv6 packet of protocol type
<I>protocol</I>. Note that this primitive chases the protocol
header chain.
<DT id="33"><B>ether broadcast</B><DD>
True if the packet is an Ethernet broadcast packet.
The <I>ether</I>
keyword is optional.
<DT id="34"><B>ip broadcast</B><DD>
True if the packet is an IPv4 broadcast packet.
It checks for both the all-zeroes and all-ones broadcast conventions,
and looks up the subnet mask on the interface on which the capture is
being done.
<DT id="35"><DD>
If the subnet mask of the interface on which the capture is being done
is not available, either because the interface on which capture is being
done has no netmask or because the capture is being done on the Linux
&quot;any&quot; interface, which can capture on more than one interface, this
check will not work correctly.
<DT id="36"><B>ether multicast</B><DD>
True if the packet is an Ethernet multicast packet.
The <B>ether</B>
keyword is optional.
This is shorthand for `<B>ether[0] &amp; 1 != 0</B>'.
<DT id="37"><B>ip multicast</B><DD>
True if the packet is an IPv4 multicast packet.
<DT id="38"><B>ip6 multicast</B><DD>
True if the packet is an IPv6 multicast packet.
<DT id="39"><B>ether proto </B><I>protocol</I><DD>
True if the packet is of ether type <I>protocol</I>.
<I>Protocol</I> can be a number or one of the names
<B>ip</B>, <B>ip6</B>, <B>arp</B>, <B>rarp</B>, <B>atalk</B>, <B>aarp</B>,
<B>decnet</B>, <B>sca</B>, <B>lat</B>, <B>mopdl</B>, <B>moprc</B>,
<B>iso</B>, <B>stp</B>, <B>ipx</B>, or <B>netbeui</B>.
Note these identifiers are also keywords
and must be escaped via backslash (\).
<DT id="40"><DD>
[In the case of FDDI (e.g., `<B>fddi proto arp</B>'), Token Ring
(e.g., `<B>tr proto arp</B>'), and IEEE 802.11 wireless LANS (e.g.,
`<B>wlan proto arp</B>'), for most of those protocols, the
protocol identification comes from the 802.2 Logical Link Control (LLC)
header, which is usually layered on top of the FDDI, Token Ring, or
802.11 header.
<DT id="41"><DD>
When filtering for most protocol identifiers on FDDI, Token Ring, or
802.11, the filter checks only the protocol ID field of an LLC header
in so-called SNAP format with an Organizational Unit Identifier (OUI) of
0x000000, for encapsulated Ethernet; it doesn't check whether the packet
is in SNAP format with an OUI of 0x000000.
The exceptions are:
<DL COMPACT><DT id="42"><DD>
<DL COMPACT>
<DT id="43"><B>iso</B><DD>
the filter checks the DSAP (Destination Service Access Point) and
SSAP (Source Service Access Point) fields of the LLC header;
<DT id="44"><B>stp</B> and <B>netbeui</B><DD>
the filter checks the DSAP of the LLC header;
<DT id="45"><B>atalk</B><DD>
the filter checks for a SNAP-format packet with an OUI of 0x080007
and the AppleTalk etype.
</DL>
</DL>
<DT id="46"><DD>
In the case of Ethernet, the filter checks the Ethernet type field
for most of those protocols. The exceptions are:
<DL COMPACT><DT id="47"><DD>
<DL COMPACT>
<DT id="48"><B>iso</B>, <B>stp</B>, and <B>netbeui</B><DD>
the filter checks for an 802.3 frame and then checks the LLC header as
it does for FDDI, Token Ring, and 802.11;
<DT id="49"><B>atalk</B><DD>
the filter checks both for the AppleTalk etype in an Ethernet frame and
for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11;
<DT id="50"><B>aarp</B><DD>
the filter checks for the AppleTalk ARP etype in either an Ethernet
frame or an 802.2 SNAP frame with an OUI of 0x000000;
<DT id="51"><B>ipx</B><DD>
the filter checks for the IPX etype in an Ethernet frame, the IPX
DSAP in the LLC header, the 802.3-with-no-LLC-header encapsulation of
IPX, and the IPX etype in a SNAP frame.
</DL>
</DL>
<DT id="52"><B>ip</B>, <B>ip6</B>, <B>arp</B>, <B>rarp</B>, <B>atalk</B>, <B>aarp</B>, <B>decnet</B>, <B>iso</B>, <B>stp</B>, <B>ipx</B>, <B>netbeui</B><DD>
Abbreviations for:
<PRE>
<B>ether proto </B><I>p</I>
</PRE>
where <I>p</I> is one of the above protocols.
<DT id="53"><B>lat</B>, <B>moprc</B>, <B>mopdl</B><DD>
Abbreviations for:
<PRE>
<B>ether proto </B><I>p</I>
</PRE>
where <I>p</I> is one of the above protocols.
Note that not all applications using
<B>pcap</B>(3PCAP)
currently know how to parse these protocols.
<DT id="54"><B>decnet src </B><I>host</I><DD>
True if the DECNET source address is
<I>host</I>,
which may be an address of the form ``10.123'', or a DECNET host
name.
[DECNET host name support is only available on ULTRIX systems
that are configured to run DECNET.]
<DT id="55"><B>decnet dst </B><I>host</I><DD>
True if the DECNET destination address is
<I>host</I>.
<DT id="56"><B>decnet host </B><I>host</I><DD>
True if either the DECNET source or destination address is
<I>host</I>.
<DT id="57"><B>llc</B><DD>
True if the packet has an 802.2 LLC header. This includes:
<DT id="58"><DD>
Ethernet packets with a length field rather than a type field that
aren't raw NetWare-over-802.3 packets;
<DT id="59"><DD>
IEEE 802.11 data packets;
<DT id="60"><DD>
Token Ring packets (no check is done for LLC frames);
<DT id="61"><DD>
FDDI packets (no check is done for LLC frames);
<DT id="62"><DD>
LLC-encapsulated ATM packets, for SunATM on Solaris.
<DT id="63"><B>llc</B> Fitype<DD>
True if the packet has an 802.2 LLC header and has the specified
<I>type</I>.
<I>type</I>
can be one of:
<DL COMPACT><DT id="64"><DD>
<DL COMPACT>
<DT id="65"><B>i</B><DD>
Information (I) PDUs
<DT id="66"><B>s</B><DD>
Supervisory (S) PDUs
<DT id="67"><B>u</B><DD>
Unnumbered (U) PDUs
<DT id="68"><B>rr</B><DD>
Receiver Ready (RR) S PDUs
<DT id="69"><B>rnr</B><DD>
Receiver Not Ready (RNR) S PDUs
<DT id="70"><B>rej</B><DD>
Reject (REJ) S PDUs
<DT id="71"><B>ui</B><DD>
Unnumbered Information (UI) U PDUs
<DT id="72"><B>ua</B><DD>
Unnumbered Acknowledgment (UA) U PDUs
<DT id="73"><B>disc</B><DD>
Disconnect (DISC) U PDUs
<DT id="74"><B>sabme</B><DD>
Set Asynchronous Balanced Mode Extended (SABME) U PDUs
<DT id="75"><B>test</B><DD>
Test (TEST) U PDUs
<DT id="76"><B>xid</B><DD>
Exchange Identification (XID) U PDUs
<DT id="77"><B>frmr</B><DD>
Frame Reject (FRMR) U PDUs
</DL>
</DL>
<DT id="78"><B>inbound</B><DD>
Packet was received by the host performing the capture rather than being
sent by that host. This is only supported for certain link-layer types,
such as SLIP and the ``cooked'' Linux capture mode
used for the ``any'' device and for some other device types.
<DT id="79"><B>outbound</B><DD>
Packet was sent by the host performing the capture rather than being
received by that host. This is only supported for certain link-layer types,
such as SLIP and the ``cooked'' Linux capture mode
used for the ``any'' device and for some other device types.
<DT id="80"><B>ifname </B><I>interface</I><DD>
True if the packet was logged as coming from the specified interface (applies
only to packets logged by OpenBSD's or FreeBSD's
<B><A HREF="/cgi-bin/man/man2html?4+pf">pf</A></B>(4)).
<DT id="81"><B>on </B><I>interface</I><DD>
Synonymous with the
<B>ifname</B>
modifier.
<DT id="82"><B>rnr </B><I>num</I><DD>
True if the packet was logged as matching the specified PF rule number
(applies only to packets logged by OpenBSD's or FreeBSD's
<B><A HREF="/cgi-bin/man/man2html?4+pf">pf</A></B>(4)).
<DT id="83"><B>rulenum </B><I>num</I><DD>
Synonymous with the
<B>rnr</B>
modifier.
<DT id="84"><B>reason </B><I>code</I><DD>
True if the packet was logged with the specified PF reason code. The known
codes are:
<B>match</B>,
<B>bad-offset</B>,
<B>fragment</B>,
<B>short</B>,
<B>normalize</B>,
and
<B>memory</B>
(applies only to packets logged by OpenBSD's or FreeBSD's
<B><A HREF="/cgi-bin/man/man2html?4+pf">pf</A></B>(4)).
<DT id="85"><B>rset </B><I>name</I><DD>
True if the packet was logged as matching the specified PF ruleset
name of an anchored ruleset (applies only to packets logged by OpenBSD's
or FreeBSD's
<B><A HREF="/cgi-bin/man/man2html?4+pf">pf</A></B>(4)).
<DT id="86"><B>ruleset </B><I>name</I><DD>
Synonymous with the
<B>rset</B>
modifier.
<DT id="87"><B>srnr </B><I>num</I><DD>
True if the packet was logged as matching the specified PF rule number
of an anchored ruleset (applies only to packets logged by OpenBSD's or
FreeBSD's
<B><A HREF="/cgi-bin/man/man2html?4+pf">pf</A></B>(4)).
<DT id="88"><B>subrulenum </B><I>num</I><DD>
Synonymous with the
<B>srnr</B>
modifier.
<DT id="89"><B>action </B><I>act</I><DD>
True if PF took the specified action when the packet was logged. Known actions
are:
<B>pass</B>
and
<B>block</B>
and, with later versions of
<B><A HREF="/cgi-bin/man/man2html?4+pf">pf</A></B>(4),
<B>nat</B>,
<B>rdr</B>,
<B>binat</B>
and
<B>scrub</B>
(applies only to packets logged by OpenBSD's or FreeBSD's
<B><A HREF="/cgi-bin/man/man2html?4+pf">pf</A></B>(4)).
<DT id="90"><B>wlan ra </B><I>ehost</I><DD>
True if the IEEE 802.11 RA is
<I>ehost</I>.
The RA field is used in all frames except for management frames.
<DT id="91"><B>wlan ta </B><I>ehost</I><DD>
True if the IEEE 802.11 TA is
<I>ehost</I>.
The TA field is used in all frames except for management frames and
CTS (Clear To Send) and ACK (Acknowledgment) control frames.
<DT id="92"><B>wlan addr1 </B><I>ehost</I><DD>
True if the first IEEE 802.11 address is
<I>ehost</I>.
<DT id="93"><B>wlan addr2 </B><I>ehost</I><DD>
True if the second IEEE 802.11 address, if present, is
<I>ehost</I>.
The second address field is used in all frames except for CTS (Clear To
Send) and ACK (Acknowledgment) control frames.
<DT id="94"><B>wlan addr3 </B><I>ehost</I><DD>
True if the third IEEE 802.11 address, if present, is
<I>ehost</I>.
The third address field is used in management and data frames, but not
in control frames.
<DT id="95"><B>wlan addr4 </B><I>ehost</I><DD>
True if the fourth IEEE 802.11 address, if present, is
<I>ehost</I>.
The fourth address field is only used for
WDS (Wireless Distribution System) frames.
<DT id="96"><B>type </B><I>wlan_type</I><DD>
True if the IEEE 802.11 frame type matches the specified <I>wlan_type</I>.
Valid <I>wlan_type</I>s are:
<B>mgt</B>,
<B>ctl</B>
and <B>data</B>.
<DT id="97"><B>type </B><I>wlan_type </I><B>subtype </B><I>wlan_subtype</I><DD>
True if the IEEE 802.11 frame type matches the specified <I>wlan_type</I>
and frame subtype matches the specified <I>wlan_subtype</I>.
<DT id="98"><DD>
If the specified <I>wlan_type</I> is <B>mgt</B>,
then valid <I>wlan_subtype</I>s are:
<B>assoc-req</B>,
<B>assoc-resp</B>,
<B>reassoc-req</B>,
<B>reassoc-resp</B>,
<B>probe-req</B>,
<B>probe-resp</B>,
<B>beacon</B>,
<B>atim</B>,
<B>disassoc</B>,
<B>auth</B> and
<B>deauth</B>.
<DT id="99"><DD>
If the specified <I>wlan_type</I> is <B>ctl</B>,
then valid <I>wlan_subtype</I>s are:
<B>ps-poll</B>,
<B>rts</B>,
<B>cts</B>,
<B>ack</B>,
<B>cf-end</B> and
<B>cf-end-ack</B>.
<DT id="100"><DD>
If the specified <I>wlan_type</I> is <B>data</B>,
then valid <I>wlan_subtype</I>s are:
<B>data</B>,
<B>data-cf-ack</B>,
<B>data-cf-poll</B>,
<B>data-cf-ack-poll</B>,
<B>null</B>,
<B>cf-ack</B>,
<B>cf-poll</B>,
<B>cf-ack-poll</B>,
<B>qos-data</B>,
<B>qos-data-cf-ack</B>,
<B>qos-data-cf-poll</B>,
<B>qos-data-cf-ack-poll</B>,
<B>qos</B>,
<B>qos-cf-poll</B> and
<B>qos-cf-ack-poll</B>.
<DT id="101"><B>subtype </B><I>wlan_subtype</I><DD>
True if the IEEE 802.11 frame subtype matches the specified <I>wlan_subtype</I>
and frame has the type to which the specified <I>wlan_subtype</I> belongs.
<DT id="102"><B>dir </B><I>dir</I><DD>
True if the IEEE 802.11 frame direction matches the specified
<I>dir</I>.
Valid directions are:
<B>nods</B>,
<B>tods</B>,
<B>fromds</B>,
<B>dstods</B>,
or a numeric value.
<DT id="103"><B>vlan </B><I>[vlan_id]</I><DD>
True if the packet is an IEEE 802.1Q VLAN packet.
If <I>[vlan_id]</I> is specified, only true if the packet has the specified
<I>vlan_id</I>.
Note that the first <B>vlan</B> keyword encountered in <I>expression</I>
changes the decoding offsets for the remainder of <I>expression</I> on
the assumption that the packet is a VLAN packet. The <B>vlan
</B><I>[vlan_id]</I> expression may be used more than once, to filter on VLAN
hierarchies. Each use of that expression increments the filter offsets
by 4.
<DT id="104"><DD>
For example:
<PRE>
<B>vlan 100 &amp;&amp; vlan 200</B>
</PRE>
filters on VLAN 200 encapsulated within VLAN 100, and
<PRE>
<B>vlan &amp;&amp; vlan 300 &amp;&amp; ip</B>
</PRE>
filters IPv4 protocols encapsulated in VLAN 300 encapsulated within any
higher order VLAN.
<DT id="105"><B>mpls </B><I>[label_num]</I><DD>
True if the packet is an MPLS packet.
If <I>[label_num]</I> is specified, only true is the packet has the specified
<I>label_num</I>.
Note that the first <B>mpls</B> keyword encountered in <I>expression</I>
changes the decoding offsets for the remainder of <I>expression</I> on
the assumption that the packet is a MPLS-encapsulated IP packet. The
<B>mpls </B><I>[label_num]</I> expression may be used more than once, to
filter on MPLS hierarchies. Each use of that expression increments the
filter offsets by 4.
<DT id="106"><DD>
For example:
<PRE>
<B>mpls 100000 &amp;&amp; mpls 1024</B>
</PRE>
filters packets with an outer label of 100000 and an inner label of
1024, and
<PRE>
<B>mpls &amp;&amp; mpls 1024 &amp;&amp; host 192.9.200.1</B>
</PRE>
filters packets to or from 192.9.200.1 with an inner label of 1024 and
any outer label.
<DT id="107"><B>pppoed</B><DD>
True if the packet is a PPP-over-Ethernet Discovery packet (Ethernet
type 0x8863).
<DT id="108"><B>pppoes </B><I>[session_id]</I><DD>
True if the packet is a PPP-over-Ethernet Session packet (Ethernet
type 0x8864).
If <I>[session_id]</I> is specified, only true if the packet has the specified
<I>session_id</I>.
Note that the first <B>pppoes</B> keyword encountered in <I>expression</I>
changes the decoding offsets for the remainder of <I>expression</I> on
the assumption that the packet is a PPPoE session packet.
<DT id="109"><DD>
For example:
<PRE>
<B>pppoes 0x27 &amp;&amp; ip</B>
</PRE>
filters IPv4 protocols encapsulated in PPPoE session id 0x27.
<DT id="110"><B>geneve </B><I>[vni]</I><DD>
True if the packet is a Geneve packet (UDP port 6081). If <I>[vni]</I>
is specified, only true if the packet has the specified <I>vni</I>.
Note that when the <B>geneve</B> keyword is encountered in
<I>expression</I>, it changes the decoding offsets for the remainder of
<I>expression</I> on the assumption that the packet is a Geneve packet.
<DT id="111"><DD>
For example:
<PRE>
<B>geneve 0xb &amp;&amp; ip</B>
</PRE>
filters IPv4 protocols encapsulated in Geneve with VNI 0xb. This will
match both IP directly encapsulated in Geneve as well as IP contained
inside an Ethernet frame.
<DT id="112"><B>iso proto </B><I>protocol</I><DD>
True if the packet is an OSI packet of protocol type <I>protocol</I>.
<I>Protocol</I> can be a number or one of the names
<B>clnp</B>, <B>esis</B>, or <B>isis</B>.
<DT id="113"><B>clnp</B>, <B>esis</B>, <B>isis</B><DD>
Abbreviations for:
<PRE>
<B>iso proto </B><I>p</I>
</PRE>
where <I>p</I> is one of the above protocols.
<DT id="114"><B>l1</B>, <B>l2</B>, <B>iih</B>, <B>lsp</B>, <B>snp</B>, <B>csnp</B>, <B>psnp</B><DD>
Abbreviations for IS-IS PDU types.
<DT id="115"><B>vpi</B> <I>n</I><DD>
True if the packet is an ATM packet, for SunATM on Solaris, with a
virtual path identifier of
<I>n</I>.
<DT id="116"><B>vci</B> <I>n</I><DD>
True if the packet is an ATM packet, for SunATM on Solaris, with a
virtual channel identifier of
<I>n</I>.
<DT id="117"><B>lane</B><DD>
True if the packet is an ATM packet, for SunATM on Solaris, and is
an ATM LANE packet.
Note that the first <B>lane</B> keyword encountered in <I>expression</I>
changes the tests done in the remainder of <I>expression</I>
on the assumption that the packet is either a LANE emulated Ethernet
packet or a LANE LE Control packet. If <B>lane</B> isn't specified, the
tests are done under the assumption that the packet is an
LLC-encapsulated packet.
<DT id="118"><B>oamf4s</B><DD>
True if the packet is an ATM packet, for SunATM on Solaris, and is
a segment OAM F4 flow cell (VPI=0 &amp; VCI=3).
<DT id="119"><B>oamf4e</B><DD>
True if the packet is an ATM packet, for SunATM on Solaris, and is
an end-to-end OAM F4 flow cell (VPI=0 &amp; VCI=4).
<DT id="120"><B>oamf4</B><DD>
True if the packet is an ATM packet, for SunATM on Solaris, and is
a segment or end-to-end OAM F4 flow cell (VPI=0 &amp; (VCI=3 | VCI=4)).
<DT id="121"><B>oam</B><DD>
True if the packet is an ATM packet, for SunATM on Solaris, and is
a segment or end-to-end OAM F4 flow cell (VPI=0 &amp; (VCI=3 | VCI=4)).
<DT id="122"><B>metac</B><DD>
True if the packet is an ATM packet, for SunATM on Solaris, and is
on a meta signaling circuit (VPI=0 &amp; VCI=1).
<DT id="123"><B>bcc</B><DD>
True if the packet is an ATM packet, for SunATM on Solaris, and is
on a broadcast signaling circuit (VPI=0 &amp; VCI=2).
<DT id="124"><B>sc</B><DD>
True if the packet is an ATM packet, for SunATM on Solaris, and is
on a signaling circuit (VPI=0 &amp; VCI=5).
<DT id="125"><B>ilmic</B><DD>
True if the packet is an ATM packet, for SunATM on Solaris, and is
on an ILMI circuit (VPI=0 &amp; VCI=16).
<DT id="126"><B>connectmsg</B><DD>
True if the packet is an ATM packet, for SunATM on Solaris, and is
on a signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect,
Connect Ack, Release, or Release Done message.
<DT id="127"><B>metaconnect</B><DD>
True if the packet is an ATM packet, for SunATM on Solaris, and is
on a meta signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect,
Release, or Release Done message.
<DT id="128"><I>expr relop expr</I><DD>
True if the relation holds, where <I>relop</I> is one of &gt;, &lt;, &gt;=, &lt;=, =,
!=, and <I>expr</I> is an arithmetic expression composed of integer
constants (expressed in standard C syntax), the normal binary operators
[+, -, *, /, %, &amp;, |, ^, &lt;&lt;, &gt;&gt;], a length operator, and special packet data
accessors. Note that all comparisons are unsigned, so that, for example,
0x80000000 and 0xffffffff are &gt; 0.
<DT id="129"><DD>
The % and ^ operators are currently only supported for filtering in the
kernel on Linux with 3.7 and later kernels; on all other systems, if
those operators are used, filtering will be done in user mode, which
will increase the overhead of capturing packets and may cause more
packets to be dropped.
<DT id="130"><DD>
To access data inside the packet, use the following syntax:
<PRE>
<I>proto</I><B> [ </B><I>expr</I><B> : </B><I>size</I><B> ]</B>
</PRE>
<I>Proto</I> is one of <B>ether, fddi, tr, wlan, ppp, slip, link,
ip, arp, rarp, tcp, udp, icmp, ip6</B> or <B>radio</B>, and
indicates the protocol layer for the index operation.
(<B>ether, fddi, wlan, tr, ppp, slip</B> and <B>link</B> all refer to the
link layer. <B>radio</B> refers to the &quot;radio header&quot; added to some
802.11 captures.)
Note that <I>tcp, udp</I> and other upper-layer protocol types only
apply to IPv4, not IPv6 (this will be fixed in the future).
The byte offset, relative to the indicated protocol layer, is
given by <I>expr</I>.
<I>Size</I> is optional and indicates the number of bytes in the
field of interest; it can be either one, two, or four, and defaults to one.
The length operator, indicated by the keyword <B>len</B>, gives the
length of the packet.
<P>
For example, `<B>ether[0] &amp; 1 != 0</B>' catches all multicast traffic.
The expression `<B>ip[0] &amp; 0xf != 5</B>'
catches all IPv4 packets with options.
The expression
`<B>ip[6:2] &amp; 0x1fff = 0</B>'
catches only unfragmented IPv4 datagrams and frag zero of fragmented
IPv4 datagrams.
This check is implicitly applied to the <B>tcp</B> and <B>udp</B>
index operations.
For instance, <B>tcp[0]</B> always means the first
byte of the TCP <I>header</I>, and never means the first byte of an
intervening fragment.
<P>
Some offsets and field values may be expressed as names rather than
as numeric values.
The following protocol header field offsets are
available: <B>icmptype</B> (ICMP type field), <B>icmp6type (ICMP v6 type field)
icmpcode</B> (ICMP code field), <B>icmp6code</B> (ICMP v6 code field), and
<B>tcpflags</B> (TCP flags field).
<P>
The following ICMP type field values are available: <B>icmp-echoreply</B>,
<B>icmp-unreach</B>, <B>icmp-sourcequench</B>, <B>icmp-redirect</B>,
<B>icmp-echo</B>, <B>icmp-routeradvert</B>, <B>icmp-routersolicit</B>,
<B>icmp-timxceed</B>, <B>icmp-paramprob</B>, <B>icmp-tstamp</B>,
<B>icmp-tstampreply</B>, <B>icmp-ireq</B>, <B>icmp-ireqreply</B>,
<B>icmp-maskreq</B>, <B>icmp-maskreply</B>.
<P>
The following ICMPv6 type fields are available: <B>icmp6-echo</B>,
<B>icmp6-echoreply</B>, <B>icmp6-multicastlistenerquery</B>,
<B>icmp6-multicastlistenerreportv1</B>, <B>icmp6-multicastlistenerdone</B>,
<B>icmp6-routersolicit</B>, <B>icmp6-routeradvert</B>,
<B>icmp6-neighborsolicit</B>, <B>icmp6-neighboradvert</B>, <B>icmp6-redirect</B>,
<B>icmp6-routerrenum</B>, <B>icmp6-nodeinformationquery</B>,
<B>icmp6-nodeinformationresponse</B>, <B>icmp6-ineighbordiscoverysolicit</B>,
<B>icmp6-ineighbordiscoveryadvert</B>, <B>icmp6-multicastlistenerreportv2</B>,
<B>icmp6-homeagentdiscoveryrequest</B>, <B>icmp6-homeagentdiscoveryreply</B>,
<B>icmp6-mobileprefixsolicit</B>, <B>icmp6-mobileprefixadvert</B>,
<B>icmp6-certpathsolicit</B>, <B>icmp6-certpathadvert</B>,
<B>icmp6-multicastrouteradvert</B>, <B>icmp6-multicastroutersolicit</B>,
<B>icmp6-multicastrouterterm</B>.
<P>
The following TCP flags field values are available: <B>tcp-fin</B>,
<B>tcp-syn</B>, <B>tcp-rst</B>, <B>tcp-push</B>,
<B>tcp-ack</B>, <B>tcp-urg</B>, <B>tcp-ece</B>,
<B>tcp-cwr</B>.
</DL>
<P>
Primitives may be combined using:
<DL COMPACT>
<DT id="131"><DD>
A parenthesized group of primitives and operators.
<DT id="132"><DD>
Negation (`<B>!</B>' or `<B>not</B>').
<DT id="133"><DD>
Concatenation (`<B>&amp;&amp;</B>' or `<B>and</B>').
<DT id="134"><DD>
Alternation (`<B>||</B>' or `<B>or</B>').
</DL>
<P>
Negation has highest precedence.
Alternation and concatenation have equal precedence and associate
left to right.
Note that explicit <B>and</B> tokens, not juxtaposition,
are now required for concatenation.
<P>
If an identifier is given without a keyword, the most recent keyword
is assumed.
For example,
<PRE>
<B>not host vs and ace</B>
</PRE>
is short for
<PRE>
<B>not host vs and host ace</B>
</PRE>
which should not be confused with
<PRE>
<B>not ( host vs or ace )</B>
</PRE>
<A NAME="lbAD">&nbsp;</A>
<H2>EXAMPLES</H2>
<P>
To select all packets arriving at or departing from <I>sundown</I>:
<DL COMPACT><DT id="135"><DD>
<PRE>
<B>host sundown</B>
</PRE>
</DL>
<P>
To select traffic between <I>helios</I> and either <I>hot</I> or <I>ace</I>:
<DL COMPACT><DT id="136"><DD>
<PRE>
<B>host helios and \( hot or ace \)</B>
</PRE>
</DL>
<P>
To select all IP packets between <I>ace</I> and any host except <I>helios</I>:
<DL COMPACT><DT id="137"><DD>
<PRE>
<B>ip host ace and not helios</B>
</PRE>
</DL>
<P>
To select all traffic between local hosts and hosts at Berkeley:
<DL COMPACT><DT id="138"><DD>
<PRE>
<B>net ucb-ether</B>
</PRE>
</DL>
<P>
To select all ftp traffic through internet gateway <I>snup</I>:
<DL COMPACT><DT id="139"><DD>
<PRE>
<B>gateway snup and (port ftp or ftp-data)</B>
</PRE>
</DL>
<P>
To select traffic neither sourced from nor destined for local hosts
(if you gateway to one other net, this stuff should never make it
onto your local net).
<DL COMPACT><DT id="140"><DD>
<PRE>
<B>ip and not net </B><I>localnet</I>
</PRE>
</DL>
<P>
To select the start and end packets (the SYN and FIN packets) of each
TCP conversation that involves a non-local host.
<DL COMPACT><DT id="141"><DD>
<PRE>
<B>tcp[tcpflags] &amp; (tcp-syn|tcp-fin) != 0 and not src and dst net </B><I>localnet</I>
</PRE>
</DL>
<P>
To select all IPv4 HTTP packets to and from port 80, i.e. print only
packets that contain data, not, for example, SYN and FIN packets and
ACK-only packets. (IPv6 is left as an exercise for the reader.)
<DL COMPACT><DT id="142"><DD>
<PRE>
<B>tcp port 80 and (((ip[2:2] - ((ip[0]&amp;0xf)&lt;&lt;2)) - ((tcp[12]&amp;0xf0)&gt;&gt;2)) != 0)</B>
</PRE>
</DL>
<P>
To select IP packets longer than 576 bytes sent through gateway <I>snup</I>:
<DL COMPACT><DT id="143"><DD>
<PRE>
<B>gateway snup and ip[2:2] &gt; 576</B>
</PRE>
</DL>
<P>
To select IP broadcast or multicast packets that were
<I>not</I>
sent via Ethernet broadcast or multicast:
<DL COMPACT><DT id="144"><DD>
<PRE>
<B>ether[0] &amp; 1 = 0 and ip[16] &gt;= 224</B>
</PRE>
</DL>
<P>
To select all ICMP packets that are not echo requests/replies (i.e., not
ping packets):
<DL COMPACT><DT id="145"><DD>
<PRE>
<B>icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply</B>
</PRE>
</DL>
<A NAME="lbAE">&nbsp;</A>
<H2>SEE ALSO</H2>
pcap(3PCAP)
<A NAME="lbAF">&nbsp;</A>
<H2>BUGS</H2>
To report a security issue please send an e-mail to <A HREF="mailto:security@tcpdump.org">security@tcpdump.org</A>.
<P>
To report bugs and other problems, contribute patches, request a
feature, provide generic feedback etc please see the file
<I>CONTRIBUTING</I>
in the libpcap source tree root.
<P>
Filter expressions on fields other than those in Token Ring headers will
not correctly handle source-routed Token Ring packets.
<P>
Filter expressions on fields other than those in 802.11 headers will not
correctly handle 802.11 data packets with both To DS and From DS set.
<P>
<B>ip6 proto</B>
should chase header chain, but at this moment it does not.
<B>ip6 protochain</B>
is supplied for this behavior.
<P>
Arithmetic expression against transport layer headers, like <B>tcp[0]</B>,
does not work against IPv6 packets.
It only looks at IPv4 packets.
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="146"><A HREF="#lbAB">NAME</A><DD>
<DT id="147"><A HREF="#lbAC">DESCRIPTION</A><DD>
<DT id="148"><A HREF="#lbAD">EXAMPLES</A><DD>
<DT id="149"><A HREF="#lbAE">SEE ALSO</A><DD>
<DT id="150"><A HREF="#lbAF">BUGS</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:09 GMT, March 31, 2021
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink