mirror of
https://github.com/freebsd/freebsd-src.git
synced 2024-11-30 08:43:23 +00:00
6f9cba8f8b
Local changes: - In contrib/libpcap/pcap/bpf.h, do not include pcap/dlt.h. Our system net/dlt.h is pulled in from net/bpf.h. - sys/net/dlt.h: Incorporate changes from libpcap 1.10.3. - lib/libpcap/Makefile: Update for libpcap 1.10.3. Changelog: https://git.tcpdump.org/libpcap/blob/95691ebe7564afa3faa5c6ba0dbd17e351be455a:/CHANGES Reviewed by: emaste Obtained from: https://www.tcpdump.org/release/libpcap-1.10.3.tar.gz Sponsored by: The FreeBSD Foundation
1202 lines
37 KiB
Plaintext
1202 lines
37 KiB
Plaintext
.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
|
|
.\" The Regents of the University of California. All rights reserved.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that: (1) source code distributions
|
|
.\" retain the above copyright notice and this paragraph in its entirety, (2)
|
|
.\" distributions including binary code include the above copyright notice and
|
|
.\" this paragraph in its entirety in the documentation or other materials
|
|
.\" provided with the distribution, and (3) all advertising materials mentioning
|
|
.\" features or use of this software display the following acknowledgement:
|
|
.\" ``This product includes software developed by the University of California,
|
|
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
|
|
.\" the University nor the names of its contributors may be used to endorse
|
|
.\" or promote products derived from this software without specific prior
|
|
.\" written permission.
|
|
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
|
|
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
|
|
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
|
.\"
|
|
.TH PCAP-FILTER @MAN_MISC_INFO@ "19 November 2022"
|
|
.SH NAME
|
|
pcap-filter \- packet filter syntax
|
|
.br
|
|
.ad
|
|
.SH DESCRIPTION
|
|
.LP
|
|
.BR pcap_compile (3PCAP)
|
|
is used to compile a string into a filter program.
|
|
The resulting filter program can then be applied to
|
|
some stream of packets to determine which packets will be supplied to
|
|
.BR pcap_loop (3PCAP),
|
|
.BR pcap_dispatch (3PCAP),
|
|
.BR pcap_next (3PCAP),
|
|
or
|
|
.BR pcap_next_ex (3PCAP).
|
|
.LP
|
|
The \fIfilter expression\fP consists of one or more
|
|
.IR primitives .
|
|
Primitives usually consist of an
|
|
.I id
|
|
(name or number) preceded by one or more qualifiers.
|
|
There are three
|
|
different kinds of qualifier:
|
|
.IP \fItype\fP
|
|
.I type
|
|
qualifiers say what kind of thing the id name or number refers to.
|
|
Possible types are
|
|
.BR host ,
|
|
.BR net ,
|
|
.B port
|
|
and
|
|
.BR portrange .
|
|
E.g., `\fBhost\fP foo', `\fBnet\fP 128.3', `\fBport\fP 20', `\fBportrange\fP 6000-6008'.
|
|
If there is no type
|
|
qualifier,
|
|
.B host
|
|
is assumed.
|
|
.IP \fIdir\fP
|
|
.I dir
|
|
qualifiers specify a particular transfer direction to and/or from
|
|
.IR id .
|
|
Possible directions are
|
|
.BR src ,
|
|
.BR dst ,
|
|
.BR "src or dst" ,
|
|
.BR "src and dst" ,
|
|
.BR ra ,
|
|
.BR ta ,
|
|
.BR addr1 ,
|
|
.BR addr2 ,
|
|
.BR addr3 ,
|
|
and
|
|
.BR addr4 .
|
|
E.g., `\fBsrc\fP foo', `\fBdst net\fP 128.3', `\fBsrc or dst port\fP ftp-data'.
|
|
If
|
|
there is no dir qualifier, `\fBsrc or dst\fP' is assumed.
|
|
The
|
|
.BR ra ,
|
|
.BR ta ,
|
|
.BR addr1 ,
|
|
.BR addr2 ,
|
|
.BR addr3 ,
|
|
and
|
|
.B addr4
|
|
qualifiers are only valid for IEEE 802.11 Wireless LAN link layers.
|
|
.IP \fIproto\fP
|
|
.I proto
|
|
qualifiers restrict the match to a particular protocol.
|
|
Possible
|
|
protocols are:
|
|
.BR ether ,
|
|
.BR fddi ,
|
|
.BR tr ,
|
|
.BR wlan ,
|
|
.BR ip ,
|
|
.BR ip6 ,
|
|
.BR arp ,
|
|
.BR rarp ,
|
|
.BR decnet ,
|
|
.BR sctp ,
|
|
.B tcp
|
|
and
|
|
.BR udp .
|
|
E.g., `\fBether src\fP foo', `\fBarp net\fP 128.3', `\fBtcp port\fP 21',
|
|
`\fBudp portrange\fP 7000-7009', `\fBwlan addr2\fP 0:2:3:4:5:6'.
|
|
If there is no
|
|
.I proto
|
|
qualifier, all protocols consistent with the type are assumed.
|
|
E.g., `\fBsrc\fP foo' means `\fB(ip or arp or rarp) src\fP foo',
|
|
`\fBnet\fP bar' means `\fB(ip or arp or rarp) net\fP bar' and
|
|
`\fBport\fP 53' means `\fB(tcp or udp or sctp) port\fP 53'
|
|
(note that these examples use invalid syntax to illustrate the principle).
|
|
.LP
|
|
[\fBfddi\fP is actually an alias for \fBether\fP; the parser treats them
|
|
identically as meaning ``the data link level used on the specified
|
|
network interface''. FDDI headers contain Ethernet-like source
|
|
and destination addresses, and often contain Ethernet-like packet
|
|
types, so you can filter on these FDDI fields just as with the
|
|
analogous Ethernet fields.
|
|
FDDI headers also contain other fields,
|
|
but you cannot name them explicitly in a filter expression.
|
|
.LP
|
|
Similarly, \fBtr\fP and \fBwlan\fP are aliases for \fBether\fP; the previous
|
|
paragraph's statements about FDDI headers also apply to Token Ring
|
|
and 802.11 wireless LAN headers. For 802.11 headers, the destination
|
|
address is the DA field and the source address is the SA field; the
|
|
BSSID, RA, and TA fields aren't tested.]
|
|
.LP
|
|
In addition to the above, there are some special `primitive' keywords
|
|
that don't follow the pattern:
|
|
.BR gateway ,
|
|
.BR broadcast ,
|
|
.BR less ,
|
|
.B greater
|
|
and arithmetic expressions.
|
|
All of these are described below.
|
|
.LP
|
|
More complex filter expressions are built up by using the words
|
|
.BR and ,
|
|
.B or
|
|
and
|
|
.B not
|
|
(or equivalently: `\fB&&\fP', `\fB||\fP' and `\fB!\fP' respectively)
|
|
to combine primitives.
|
|
E.g., `\fBhost\fP foo \fBand not port\fP ftp \fBand not port\fP ftp-data'.
|
|
To save typing, identical qualifier lists can be omitted.
|
|
E.g.,
|
|
`\fBtcp dst port\fP ftp \fBor\fP ftp-data \fBor\fP domain' is exactly the same as
|
|
`\fBtcp dst port\fP ftp \fBor tcp dst port\fP ftp-data \fBor tcp dst port\fP domain'.
|
|
.LP
|
|
Allowable primitives are:
|
|
.IP "\fBdst host \fIhostnameaddr\fR"
|
|
True if the IPv4/v6 destination field of the packet is \fIhostnameaddr\fP,
|
|
which may be either an address or a name.
|
|
.IP "\fBsrc host \fIhostnameaddr\fR"
|
|
True if the IPv4/v6 source field of the packet is \fIhostnameaddr\fP.
|
|
.IP "\fBhost \fIhostnameaddr\fP"
|
|
True if either the IPv4/v6 source or destination of the packet is \fIhostnameaddr\fP.
|
|
.IP
|
|
Any of the above host expressions can be prepended with the keywords,
|
|
\fBip\fP, \fBarp\fP, \fBrarp\fP, or \fBip6\fP as in:
|
|
.in +.5i
|
|
.nf
|
|
\fBip host \fIhostnameaddr\fR
|
|
.fi
|
|
.in -.5i
|
|
which is equivalent to:
|
|
.in +.5i
|
|
.nf
|
|
\fBether proto \\\fRip \fBand host \fIhostnameaddr\fR
|
|
.fi
|
|
.in -.5i
|
|
If \fIhostnameaddr\fR is a name with multiple IPv4/v6 addresses, each address will
|
|
be checked for a match.
|
|
.IP "\fBether dst \fIethernameaddr\fP"
|
|
True if the Ethernet destination address is \fIethernameaddr\fP.
|
|
\fIethernameaddr\fP
|
|
may be either a name from /etc/ethers or a numerical MAC address of the
|
|
form "xx:xx:xx:xx:xx:xx", "xx.xx.xx.xx.xx.xx", "xx-xx-xx-xx-xx-xx",
|
|
"xxxx.xxxx.xxxx", "xxxxxxxxxxxx", or various mixes of ':', '.', and '-',
|
|
where each "x" is a hex digit (0-9, a-f, or A-F).
|
|
.IP "\fBether src \fIethernameaddr\fP"
|
|
True if the Ethernet source address is \fIethernameaddr\fP.
|
|
.IP "\fBether host \fIethernameaddr\fP"
|
|
True if either the Ethernet source or destination address is \fIethernameaddr\fP.
|
|
.IP "\fBgateway\fP \fIhost\fP"
|
|
True if the packet used \fIhost\fP as a gateway.
|
|
I.e., the Ethernet
|
|
source or destination address was \fIhost\fP but neither the IP source
|
|
nor the IP destination was \fIhost\fP.
|
|
\fIHost\fP must be a name and
|
|
must be found both by the machine's host-name-to-IP-address resolution
|
|
mechanisms (host name file, DNS, NIS, etc.) and by the machine's
|
|
host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.).
|
|
(An equivalent expression is
|
|
.in +.5i
|
|
.nf
|
|
\fBether host \fIethernameaddr \fBand not host \fIhostnameaddr\fR
|
|
.fi
|
|
.in -.5i
|
|
which can be used with either names or numbers for \fIhostnameaddr / ethernameaddr\fP.)
|
|
This syntax does not work in IPv6-enabled configuration at this moment.
|
|
.IP "\fBdst net \fInetnameaddr\fR"
|
|
True if the IPv4/v6 destination address of the packet has a network
|
|
number of \fInetnameaddr\fP.
|
|
\fINet\fP may be either a name from the networks database
|
|
(/etc/networks, etc.) or a network number.
|
|
An IPv4 network number can be written as a dotted quad (e.g., 192.168.1.0),
|
|
dotted triple (e.g., 192.168.1), dotted pair (e.g, 172.16), or single
|
|
number (e.g., 10); the netmask is 255.255.255.255 for a dotted quad
|
|
(which means that it's really a host match), 255.255.255.0 for a dotted
|
|
triple, 255.255.0.0 for a dotted pair, or 255.0.0.0 for a single number.
|
|
An IPv6 network number must be written out fully; the netmask is
|
|
ff:ff:ff:ff:ff:ff:ff:ff, so IPv6 "network" matches are really always
|
|
host matches, and a network match requires a netmask length.
|
|
.IP "\fBsrc net \fInetnameaddr\fR"
|
|
True if the IPv4/v6 source address of the packet has a network
|
|
number of \fInetnameaddr\fP.
|
|
.IP "\fBnet \fInetnameaddr\fR"
|
|
True if either the IPv4/v6 source or destination address of the packet has a network
|
|
number of \fInetnameaddr\fP.
|
|
.IP "\fBnet \fInetaddr\fR \fBmask \fInetmask\fR"
|
|
True if the IPv4 address matches \fInetaddr\fR with the specific \fInetmask\fR.
|
|
May be qualified with \fBsrc\fR or \fBdst\fR.
|
|
Note that this syntax is not valid for IPv6 \fInetaddr\fR.
|
|
.IP "\fBnet \fInetaddr\fR/\fIlen\fR"
|
|
True if the IPv4/v6 address matches \fInetaddr\fR with a netmask \fIlen\fR
|
|
bits wide.
|
|
May be qualified with \fBsrc\fR or \fBdst\fR.
|
|
.IP "\fBdst port \fIportnamenum\fR"
|
|
True if the packet is IPv4/v6 TCP, UDP or SCTP and has a
|
|
destination port value of \fIportnamenum\fP.
|
|
The \fIportnamenum\fP can be a number or a name used in /etc/services (see
|
|
.BR tcp (4P)
|
|
and
|
|
.BR udp (4P)).
|
|
If a name is used, both the port
|
|
number and protocol are checked.
|
|
If a number or ambiguous name is used,
|
|
only the port number is checked (e.g., `\fBdst port\fR 513' will print both
|
|
tcp/login traffic and udp/who traffic, and `\fBport\fR domain' will print
|
|
both tcp/domain and udp/domain traffic).
|
|
.IP "\fBsrc port \fIportnamenum\fR"
|
|
True if the packet has a source port value of \fIportnamenum\fP.
|
|
.IP "\fBport \fIportnamenum\fR"
|
|
True if either the source or destination port of the packet is \fIportnamenum\fP.
|
|
.IP "\fBdst portrange \fIportnamenum1-portnamenum2\fR"
|
|
True if the packet is IPv4/v6 TCP, UDP or SCTP and has a
|
|
destination port value between \fIportnamenum1\fP and \fIportnamenum2\fP (both inclusive).
|
|
.I portnamenum1
|
|
and
|
|
.I portnamenum2
|
|
are interpreted in the same fashion as the
|
|
.I portnamenum
|
|
parameter for
|
|
.BR port .
|
|
.IP "\fBsrc portrange \fIportnamenum1-portnamenum2\fR"
|
|
True if the packet has a source port value between \fIportnamenum1\fP and
|
|
\fIportnamenum2\fP (both inclusive).
|
|
.IP "\fBportrange \fIportnamenum1-portnamenum2\fR"
|
|
True if either the source or destination port of the packet is between
|
|
\fIportnamenum1\fP and \fIportnamenum2\fP (both inclusive).
|
|
.IP
|
|
Any of the above port or port range expressions can be prepended with
|
|
the keywords, \fBtcp\fP, \fBudp\fP or \fBsctp\fP, as in:
|
|
.in +.5i
|
|
.nf
|
|
\fBtcp src port \fIportnamenum\fR
|
|
.fi
|
|
.in -.5i
|
|
which matches only TCP packets whose source port is \fIportnamenum\fP.
|
|
.IP "\fBless \fIlength\fR"
|
|
True if the packet has a length less than or equal to \fIlength\fP.
|
|
This is equivalent to:
|
|
.in +.5i
|
|
.nf
|
|
\fBlen <= \fIlength\fP
|
|
.fi
|
|
.in -.5i
|
|
.IP "\fBgreater \fIlength\fR"
|
|
True if the packet has a length greater than or equal to \fIlength\fP.
|
|
This is equivalent to:
|
|
.in +.5i
|
|
.nf
|
|
\fBlen >= \fIlength\fP
|
|
.fi
|
|
.in -.5i
|
|
.IP "\fBip proto \fIprotocol\fR"
|
|
True if the packet is an IPv4 packet (see
|
|
.BR ip (4P))
|
|
of protocol type \fIprotocol\fP.
|
|
\fIProtocol\fP can be a number or one of the names recognized by
|
|
.BR getprotobyname (3)
|
|
(as in e.g. `\fBgetent\fR(1) protocols'), typically from an entry in
|
|
.IR \%/etc/protocols ,
|
|
for example:
|
|
.BR ah ,
|
|
.BR esp ,
|
|
.B eigrp
|
|
(only in Linux, FreeBSD, NetBSD, DragonFly BSD, and macOS),
|
|
.BR icmp ,
|
|
.BR igmp ,
|
|
.B igrp
|
|
(only in OpenBSD),
|
|
.BR pim ,
|
|
.BR sctp ,
|
|
.BR tcp ,
|
|
.B udp
|
|
or
|
|
.BR vrrp .
|
|
Note that most of these example identifiers
|
|
are also keywords and must be escaped via backslash (\\).
|
|
Note that this primitive does not chase the protocol header chain.
|
|
.IP "\fBicmp\fR"
|
|
Abbreviation for:
|
|
.in +.5i
|
|
.nf
|
|
\fBip proto\fR 1
|
|
.fi
|
|
.in -.5i
|
|
.IP "\fBip6 proto \fIprotocol\fR"
|
|
True if the packet is an IPv6 packet of protocol type \fIprotocol\fP.
|
|
(See `\fBip proto\fP' above for the meaning of \fIprotocol\fR.)
|
|
Note that the IPv6 variant of ICMP uses a different protocol number, named
|
|
.B \%ipv6-icmp
|
|
in AIX, FreeBSD, illumos, Linux, macOS, NetBSD, OpenBSD, Solaris and Windows.
|
|
Note that this primitive does not chase the protocol header chain.
|
|
.IP "\fBicmp6\fR"
|
|
Abbreviation for:
|
|
.in +.5i
|
|
.nf
|
|
\fBip6 proto\fR 58
|
|
.fi
|
|
.in -.5i
|
|
.IP "\fBproto \fIprotocol\fR"
|
|
True if the packet is an IPv4 or IPv6 packet of protocol type
|
|
\fIprotocol\fP. (See `\fBip proto\fP' above for the meaning of
|
|
\fIprotocol\fP.) Note that this primitive does not chase the protocol
|
|
header chain.
|
|
.IP "\fBah\fR, \fBesp\fR, \fBpim\fR, \fBsctp\fR, \fBtcp\fR, \fBudp\fR"
|
|
Abbreviations for:
|
|
.in +.5i
|
|
.nf
|
|
\fBproto \\\fIprotocol\fR
|
|
.fi
|
|
.in -.5i
|
|
where \fIprotocol\fR is one of the above protocols.
|
|
.IP "\fBip6 protochain \fIprotocol\fR"
|
|
True if the packet is IPv6 packet,
|
|
and contains protocol header with type \fIprotocol\fR
|
|
in its protocol header chain.
|
|
(See `\fBip proto\fP' above for the meaning of \fIprotocol\fP.)
|
|
For example,
|
|
.in +.5i
|
|
.nf
|
|
\fBip6 protochain\fR 6
|
|
.fi
|
|
.in -.5i
|
|
matches any IPv6 packet with TCP protocol header in the protocol header chain.
|
|
The packet may contain, for example,
|
|
authentication header, routing header, or hop-by-hop option header,
|
|
between IPv6 header and TCP header.
|
|
The BPF code emitted by this primitive is complex and
|
|
cannot be optimized by the BPF optimizer code, and is not supported by
|
|
filter engines in the kernel, so this can be somewhat slow, and may
|
|
cause more packets to be dropped.
|
|
.IP "\fBip protochain \fIprotocol\fR"
|
|
Equivalent to \fBip6 protochain \fIprotocol\fR, but this is for IPv4.
|
|
(See `\fBip proto\fP' above for the meaning of \fIprotocol\fP.)
|
|
.IP "\fBprotochain \fIprotocol\fR"
|
|
True if the packet is an IPv4 or IPv6 packet of protocol type
|
|
\fIprotocol\fP. (See `\fBip proto\fP' above for the meaning of
|
|
\fIprotocol\fP.) Note that this primitive chases the protocol
|
|
header chain.
|
|
.IP "\fBether broadcast\fR"
|
|
True if the packet is an Ethernet broadcast packet.
|
|
The \fBether\fP
|
|
keyword is optional.
|
|
.IP "\fBip broadcast\fR"
|
|
True if the packet is an IPv4 broadcast packet.
|
|
It checks for both the all-zeroes and all-ones broadcast conventions,
|
|
and looks up the subnet mask on the interface on which the capture is
|
|
being done.
|
|
.IP
|
|
If the subnet mask of the interface on which the capture is being done
|
|
is not available, either because the interface on which capture is being
|
|
done has no netmask or because the capture is being done on the Linux
|
|
"any" interface, which can capture on more than one interface, this
|
|
check will not work correctly.
|
|
.IP "\fBether multicast\fR"
|
|
True if the packet is an Ethernet multicast packet.
|
|
The \fBether\fP
|
|
keyword is optional.
|
|
This is shorthand for `\fBether[\fP0\fB] & \fP1\fB != \fP0'.
|
|
.IP "\fBip multicast\fR"
|
|
True if the packet is an IPv4 multicast packet.
|
|
.IP "\fBip6 multicast\fR"
|
|
True if the packet is an IPv6 multicast packet.
|
|
.IP "\fBether proto \fIprotocol\fR"
|
|
True if the packet is of ether type \fIprotocol\fR.
|
|
\fIProtocol\fP can be a number or one of the names
|
|
\fBaarp\fP, \fBarp\fP, \fBatalk\fP, \fBdecnet\fP, \fBip\fP, \fBip6\fP,
|
|
\fBipx\fP, \fBiso\fP, \fBlat\fP, \fBloopback\fP, \fBmopdl\fP, \fBmoprc\fP, \fBnetbeui\fP,
|
|
\fBrarp\fP, \fBsca\fP or \fBstp\fP.
|
|
Note these identifiers (except \fBloopback\fP) are also keywords
|
|
and must be escaped via backslash (\\).
|
|
.IP
|
|
[In the case of FDDI (e.g., `\fBfddi proto \\arp\fR'), Token Ring
|
|
(e.g., `\fBtr proto \\arp\fR'), and IEEE 802.11 wireless LANs (e.g.,
|
|
`\fBwlan proto \\arp\fR'), for most of those protocols, the
|
|
protocol identification comes from the 802.2 Logical Link Control (LLC)
|
|
header, which is usually layered on top of the FDDI, Token Ring, or
|
|
802.11 header.
|
|
.IP
|
|
When filtering for most protocol identifiers on FDDI, Token Ring, or
|
|
802.11, the filter checks only the protocol ID field of an LLC header
|
|
in so-called SNAP format with an Organizational Unit Identifier (OUI) of
|
|
0x000000, for encapsulated Ethernet; it doesn't check whether the packet
|
|
is in SNAP format with an OUI of 0x000000.
|
|
The exceptions are:
|
|
.RS
|
|
.TP
|
|
\fBiso\fP
|
|
the filter checks the DSAP (Destination Service Access Point) and
|
|
SSAP (Source Service Access Point) fields of the LLC header;
|
|
.TP
|
|
\fBstp\fP and \fBnetbeui\fP
|
|
the filter checks the DSAP of the LLC header;
|
|
.TP
|
|
\fBatalk\fP
|
|
the filter checks for a SNAP-format packet with an OUI of 0x080007
|
|
and the AppleTalk etype.
|
|
.RE
|
|
.IP
|
|
In the case of Ethernet, the filter checks the Ethernet type field
|
|
for most of those protocols. The exceptions are:
|
|
.RS
|
|
.TP
|
|
\fBiso\fP, \fBstp\fP, and \fBnetbeui\fP
|
|
the filter checks for an 802.3 frame and then checks the LLC header as
|
|
it does for FDDI, Token Ring, and 802.11;
|
|
.TP
|
|
\fBatalk\fP
|
|
the filter checks both for the AppleTalk etype in an Ethernet frame and
|
|
for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11;
|
|
.TP
|
|
\fBaarp\fP
|
|
the filter checks for the AppleTalk ARP etype in either an Ethernet
|
|
frame or an 802.2 SNAP frame with an OUI of 0x000000;
|
|
.TP
|
|
\fBipx\fP
|
|
the filter checks for the IPX etype in an Ethernet frame, the IPX
|
|
DSAP in the LLC header, the 802.3-with-no-LLC-header encapsulation of
|
|
IPX, and the IPX etype in a SNAP frame.
|
|
.RE
|
|
.IP "\fBip\fR, \fBip6\fR, \fBarp\fR, \fBrarp\fR, \fBatalk\fR, \fBaarp\fR, \fBdecnet\fR, \fBiso\fR, \fBstp\fR, \fBipx\fR, \fBnetbeui\fP"
|
|
Abbreviations for:
|
|
.in +.5i
|
|
.nf
|
|
\fBether proto \\\fIprotocol\fR
|
|
.fi
|
|
.in -.5i
|
|
where \fIprotocol\fR is one of the above protocols.
|
|
.IP "\fBlat\fR, \fBmoprc\fR, \fBmopdl\fR"
|
|
Abbreviations for:
|
|
.in +.5i
|
|
.nf
|
|
\fBether proto \\\fIprotocol\fR
|
|
.fi
|
|
.in -.5i
|
|
where \fIprotocol\fR is one of the above protocols.
|
|
Note that not all applications using
|
|
.BR pcap (3PCAP)
|
|
currently know how to parse these protocols.
|
|
.IP "\fBdecnet src \fIdecnetaddr\fR"
|
|
True if the DECnet source address is
|
|
.IR decnetaddr ,
|
|
which may be an address of the form ``10.123'', or a DECnet host
|
|
name.
|
|
[DECnet host name support is only available on ULTRIX systems
|
|
that are configured to run DECnet.]
|
|
.IP "\fBdecnet dst \fIdecnetaddr\fR"
|
|
True if the DECnet destination address is
|
|
.IR decnetaddr .
|
|
.IP "\fBdecnet host \fIdecnetaddr\fR"
|
|
True if either the DECnet source or destination address is
|
|
.IR decnetaddr .
|
|
.IP \fBllc\fP
|
|
True if the packet has an 802.2 LLC header. This includes:
|
|
.IP
|
|
Ethernet packets with a length field rather than a type field that
|
|
aren't raw NetWare-over-802.3 packets;
|
|
.IP
|
|
IEEE 802.11 data packets;
|
|
.IP
|
|
Token Ring packets (no check is done for LLC frames);
|
|
.IP
|
|
FDDI packets (no check is done for LLC frames);
|
|
.IP
|
|
LLC-encapsulated ATM packets, for SunATM on Solaris.
|
|
.IP "\fBllc\fP \fItype\fR"
|
|
True if the packet has an 802.2 LLC header and has the specified
|
|
.IR type .
|
|
.I type
|
|
can be one of:
|
|
.RS
|
|
.TP
|
|
\fBi\fR
|
|
Information (I) PDUs
|
|
.TP
|
|
\fBs\fR
|
|
Supervisory (S) PDUs
|
|
.TP
|
|
\fBu\fR
|
|
Unnumbered (U) PDUs
|
|
.TP
|
|
\fBrr\fR
|
|
Receiver Ready (RR) S PDUs
|
|
.TP
|
|
\fBrnr\fR
|
|
Receiver Not Ready (RNR) S PDUs
|
|
.TP
|
|
\fBrej\fR
|
|
Reject (REJ) S PDUs
|
|
.TP
|
|
\fBui\fR
|
|
Unnumbered Information (UI) U PDUs
|
|
.TP
|
|
\fBua\fR
|
|
Unnumbered Acknowledgment (UA) U PDUs
|
|
.TP
|
|
\fBdisc\fR
|
|
Disconnect (DISC) U PDUs
|
|
.TP
|
|
\fBsabme\fR
|
|
Set Asynchronous Balanced Mode Extended (SABME) U PDUs
|
|
.TP
|
|
\fBtest\fR
|
|
Test (TEST) U PDUs
|
|
.TP
|
|
\fBxid\fR
|
|
Exchange Identification (XID) U PDUs
|
|
.TP
|
|
\fBfrmr\fR
|
|
Frame Reject (FRMR) U PDUs
|
|
.RE
|
|
.IP \fBinbound\fP
|
|
Packet was received by the host performing the capture rather than being
|
|
sent by that host. This is only supported for certain link-layer types,
|
|
such as SLIP and the ``cooked'' Linux capture mode
|
|
used for the ``any'' device and for some other device types.
|
|
.IP \fBoutbound\fP
|
|
Packet was sent by the host performing the capture rather than being
|
|
received by that host. This is only supported for certain link-layer types,
|
|
such as SLIP and the ``cooked'' Linux capture mode
|
|
used for the ``any'' device and for some other device types.
|
|
.IP "\fBifname \fIinterface\fR"
|
|
True if the packet was logged as coming from the specified interface (applies
|
|
only to packets logged by OpenBSD's or FreeBSD's
|
|
.BR pf (4)).
|
|
.IP "\fBon \fIinterface\fR"
|
|
Synonymous with the
|
|
.B ifname
|
|
modifier.
|
|
.IP "\fBrnr \fInum\fR"
|
|
True if the packet was logged as matching the specified PF rule number
|
|
(applies only to packets logged by OpenBSD's or FreeBSD's
|
|
.BR pf (4)).
|
|
.IP "\fBrulenum \fInum\fR"
|
|
Synonymous with the
|
|
.B rnr
|
|
modifier.
|
|
.IP "\fBreason \fIcode\fR"
|
|
True if the packet was logged with the specified PF reason code. The known
|
|
codes are:
|
|
.BR \%match ,
|
|
.BR \%bad-offset ,
|
|
.BR \%fragment ,
|
|
.BR \%short ,
|
|
.BR \%normalize ,
|
|
and
|
|
.B memory
|
|
(applies only to packets logged by OpenBSD's or FreeBSD's
|
|
.BR pf (4)).
|
|
.IP "\fBrset \fIname\fR"
|
|
True if the packet was logged as matching the specified PF ruleset
|
|
name of an anchored ruleset (applies only to packets logged by OpenBSD's
|
|
or FreeBSD's
|
|
.BR pf (4)).
|
|
.IP "\fBruleset \fIname\fR"
|
|
Synonymous with the
|
|
.B rset
|
|
modifier.
|
|
.IP "\fBsrnr \fInum\fR"
|
|
True if the packet was logged as matching the specified PF rule number
|
|
of an anchored ruleset (applies only to packets logged by OpenBSD's or
|
|
FreeBSD's
|
|
.BR pf (4)).
|
|
.IP "\fBsubrulenum \fInum\fR"
|
|
Synonymous with the
|
|
.B srnr
|
|
modifier.
|
|
.IP "\fBaction \fIact\fR"
|
|
True if PF took the specified action when the packet was logged. Known actions
|
|
are:
|
|
.B pass
|
|
and
|
|
.B block
|
|
and, with later versions of
|
|
.BR pf (4),
|
|
.BR nat ,
|
|
.BR rdr ,
|
|
.B binat
|
|
and
|
|
.B scrub
|
|
(applies only to packets logged by OpenBSD's or FreeBSD's
|
|
.BR pf (4)).
|
|
.IP "\fBwlan ra \fIehost\fR"
|
|
True if the IEEE 802.11 RA is
|
|
.IR ehost .
|
|
The RA field is used in all frames except for management frames.
|
|
.IP "\fBwlan ta \fIehost\fR"
|
|
True if the IEEE 802.11 TA is
|
|
.IR ehost .
|
|
The TA field is used in all frames except for management frames and
|
|
CTS (Clear To Send) and ACK (Acknowledgment) control frames.
|
|
.IP "\fBwlan addr1 \fIehost\fR"
|
|
True if the first IEEE 802.11 address is
|
|
.IR ehost .
|
|
.IP "\fBwlan addr2 \fIehost\fR"
|
|
True if the second IEEE 802.11 address, if present, is
|
|
.IR ehost .
|
|
The second address field is used in all frames except for CTS (Clear To
|
|
Send) and ACK (Acknowledgment) control frames.
|
|
.IP "\fBwlan addr3 \fIehost\fR"
|
|
True if the third IEEE 802.11 address, if present, is
|
|
.IR ehost .
|
|
The third address field is used in management and data frames, but not
|
|
in control frames.
|
|
.IP "\fBwlan addr4 \fIehost\fR"
|
|
True if the fourth IEEE 802.11 address, if present, is
|
|
.IR ehost .
|
|
The fourth address field is only used for
|
|
WDS (Wireless Distribution System) frames.
|
|
.IP "\fBtype \fIwlan_type\fR"
|
|
True if the IEEE 802.11 frame type matches the specified \fIwlan_type\fR.
|
|
Valid \fIwlan_type\fRs are:
|
|
\fBmgt\fP,
|
|
\fBctl\fP
|
|
and \fBdata\fP.
|
|
.IP "\fBtype \fIwlan_type \fBsubtype \fIwlan_subtype\fR"
|
|
True if the IEEE 802.11 frame type matches the specified \fIwlan_type\fR
|
|
and frame subtype matches the specified \fIwlan_subtype\fR.
|
|
.IP
|
|
If the specified \fIwlan_type\fR is \fBmgt\fP,
|
|
then valid \fIwlan_subtype\fRs are:
|
|
\fBassoc-req\fP,
|
|
\fBassoc-resp\fP,
|
|
\fBreassoc-req\fP,
|
|
\fBreassoc-resp\fP,
|
|
\fBprobe-req\fP,
|
|
\fBprobe-resp\fP,
|
|
\fBbeacon\fP,
|
|
\fBatim\fP,
|
|
\fBdisassoc\fP,
|
|
\fBauth\fP and
|
|
\fBdeauth\fP.
|
|
.IP
|
|
If the specified \fIwlan_type\fR is \fBctl\fP,
|
|
then valid \fIwlan_subtype\fRs are:
|
|
\fBps-poll\fP,
|
|
\fBrts\fP,
|
|
\fBcts\fP,
|
|
\fBack\fP,
|
|
\fBcf-end\fP and
|
|
\fBcf-end-ack\fP.
|
|
.IP
|
|
If the specified \fIwlan_type\fR is \fBdata\fP,
|
|
then valid \fIwlan_subtype\fRs are:
|
|
.BR \%data ,
|
|
.BR \%data-cf-ack ,
|
|
.BR \%data-cf-poll ,
|
|
.BR \%data-cf-ack-poll ,
|
|
.BR \%null ,
|
|
.BR \%cf-ack ,
|
|
.BR \%cf-poll ,
|
|
.BR \%cf-ack-poll ,
|
|
.BR \%qos-data ,
|
|
.BR \%qos-data-cf-ack ,
|
|
.BR \%qos-data-cf-poll ,
|
|
.BR \%qos-data-cf-ack-poll ,
|
|
.BR \%qos ,
|
|
.B \%qos-cf-poll
|
|
and
|
|
.BR \%qos-cf-ack-poll .
|
|
.IP "\fBsubtype \fIwlan_subtype\fR"
|
|
True if the IEEE 802.11 frame subtype matches the specified \fIwlan_subtype\fR
|
|
and frame has the type to which the specified \fIwlan_subtype\fR belongs.
|
|
.IP "\fBdir \fIdirection\fR"
|
|
True if the IEEE 802.11 frame direction matches the specified
|
|
.IR direction .
|
|
Valid directions are:
|
|
.BR nods ,
|
|
.BR tods ,
|
|
.BR fromds ,
|
|
.BR dstods ,
|
|
or a numeric value.
|
|
.IP "\fBvlan \fI[vlan_id]\fR"
|
|
True if the packet is an IEEE 802.1Q VLAN packet.
|
|
If the optional \fIvlan_id\fR is specified, only true if the packet has the specified
|
|
\fIvlan_id\fR.
|
|
Note that the first \fBvlan\fR keyword encountered in an expression
|
|
changes the decoding offsets for the remainder of the expression on
|
|
the assumption that the packet is a VLAN packet. The `\fBvlan
|
|
\fI[vlan_id]\fR` keyword may be used more than once, to filter on VLAN
|
|
hierarchies. Each use of that keyword increments the filter offsets
|
|
by 4.
|
|
.IP
|
|
For example:
|
|
.in +.5i
|
|
.nf
|
|
\fBvlan\fP 100 \fB&& vlan\fR 200
|
|
.fi
|
|
.in -.5i
|
|
filters on VLAN 200 encapsulated within VLAN 100, and
|
|
.in +.5i
|
|
.nf
|
|
\fBvlan && vlan \fP300 \fB&& ip\fR
|
|
.fi
|
|
.in -.5i
|
|
filters IPv4 protocol encapsulated in VLAN 300 encapsulated within any
|
|
higher order VLAN.
|
|
.IP "\fBmpls \fI[label_num]\fR"
|
|
True if the packet is an MPLS packet.
|
|
If the optional \fIlabel_num\fR is specified, only true if the packet has the specified
|
|
\fIlabel_num\fR.
|
|
Note that the first \fBmpls\fR keyword encountered in an expression
|
|
changes the decoding offsets for the remainder of the expression on
|
|
the assumption that the packet is a MPLS-encapsulated IP packet. The
|
|
`\fBmpls \fI[label_num]\fR` keyword may be used more than once, to
|
|
filter on MPLS hierarchies. Each use of that keyword increments the
|
|
filter offsets by 4.
|
|
.IP
|
|
For example:
|
|
.in +.5i
|
|
.nf
|
|
\fBmpls\fP 100000 \fB&& mpls\fR 1024
|
|
.fi
|
|
.in -.5i
|
|
filters packets with an outer label of 100000 and an inner label of
|
|
1024, and
|
|
.in +.5i
|
|
.nf
|
|
\fBmpls && mpls\fP 1024 \fB&& host\fR 192.9.200.1
|
|
.fi
|
|
.in -.5i
|
|
filters packets to or from 192.9.200.1 with an inner label of 1024 and
|
|
any outer label.
|
|
.IP \fBpppoed\fP
|
|
True if the packet is a PPP-over-Ethernet Discovery packet (Ethernet
|
|
type 0x8863).
|
|
.IP "\fBpppoes \fI[session_id]\fR"
|
|
True if the packet is a PPP-over-Ethernet Session packet (Ethernet
|
|
type 0x8864).
|
|
If the optional \fIsession_id\fR is specified, only true if the packet has the specified
|
|
\fIsession_id\fR.
|
|
Note that the first \fBpppoes\fR keyword encountered in an expression
|
|
changes the decoding offsets for the remainder of the expression on
|
|
the assumption that the packet is a PPPoE session packet.
|
|
.IP
|
|
For example:
|
|
.in +.5i
|
|
.nf
|
|
\fBpppoes\fP 0x27 \fB&& ip\fR
|
|
.fi
|
|
.in -.5i
|
|
filters IPv4 protocol encapsulated in PPPoE session id 0x27.
|
|
.IP "\fBgeneve \fI[vni]\fR"
|
|
True if the packet is a Geneve packet (UDP port 6081). If the optional \fIvni\fR
|
|
is specified, only true if the packet has the specified \fIvni\fR.
|
|
Note that when the \fBgeneve\fR keyword is encountered in
|
|
an expression, it changes the decoding offsets for the remainder of
|
|
the expression on the assumption that the packet is a Geneve packet.
|
|
.IP
|
|
For example:
|
|
.in +.5i
|
|
.nf
|
|
\fBgeneve\fP 0xb \fB&& ip\fR
|
|
.fi
|
|
.in -.5i
|
|
filters IPv4 protocol encapsulated in Geneve with VNI 0xb. This will
|
|
match both IPv4 directly encapsulated in Geneve as well as IPv4 contained
|
|
inside an Ethernet frame.
|
|
.IP "\fBiso proto \fIprotocol\fR"
|
|
True if the packet is an OSI packet of protocol type \fIprotocol\fP.
|
|
\fIProtocol\fP can be a number or one of the names
|
|
\fBclnp\fP, \fBesis\fP, or \fBisis\fP.
|
|
.IP "\fBclnp\fR, \fBesis\fR, \fBisis\fR"
|
|
Abbreviations for:
|
|
.in +.5i
|
|
.nf
|
|
\fBiso proto \\\fIprotocol\fR
|
|
.fi
|
|
.in -.5i
|
|
where \fIprotocol\fR is one of the above protocols.
|
|
.IP "\fBl1\fR, \fBl2\fR, \fBiih\fR, \fBlsp\fR, \fBsnp\fR, \fBcsnp\fR, \fBpsnp\fR"
|
|
Abbreviations for IS-IS PDU types.
|
|
.IP "\fBvpi\fP \fIn\fR"
|
|
True if the packet is an ATM packet, for SunATM on Solaris, with a
|
|
virtual path identifier of
|
|
.IR n .
|
|
.IP "\fBvci\fP \fIn\fR"
|
|
True if the packet is an ATM packet, for SunATM on Solaris, with a
|
|
virtual channel identifier of
|
|
.IR n .
|
|
.IP \fBlane\fP
|
|
True if the packet is an ATM packet, for SunATM on Solaris, and is
|
|
an ATM LANE packet.
|
|
Note that the first \fBlane\fR keyword encountered in an expression
|
|
changes the tests done in the remainder of the expression
|
|
on the assumption that the packet is either a LANE emulated Ethernet
|
|
packet or a LANE LE Control packet. If \fBlane\fR isn't specified, the
|
|
tests are done under the assumption that the packet is an
|
|
LLC-encapsulated packet.
|
|
.IP \fBoamf4s\fP
|
|
True if the packet is an ATM packet, for SunATM on Solaris, and is
|
|
a segment OAM F4 flow cell (VPI=0 & VCI=3).
|
|
.IP \fBoamf4e\fP
|
|
True if the packet is an ATM packet, for SunATM on Solaris, and is
|
|
an end-to-end OAM F4 flow cell (VPI=0 & VCI=4).
|
|
.IP \fBoamf4\fP
|
|
True if the packet is an ATM packet, for SunATM on Solaris, and is
|
|
a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 | VCI=4)).
|
|
.IP \fBoam\fP
|
|
True if the packet is an ATM packet, for SunATM on Solaris, and is
|
|
a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 | VCI=4)).
|
|
.IP \fBmetac\fP
|
|
True if the packet is an ATM packet, for SunATM on Solaris, and is
|
|
on a meta signaling circuit (VPI=0 & VCI=1).
|
|
.IP \fBbcc\fP
|
|
True if the packet is an ATM packet, for SunATM on Solaris, and is
|
|
on a broadcast signaling circuit (VPI=0 & VCI=2).
|
|
.IP \fBsc\fP
|
|
True if the packet is an ATM packet, for SunATM on Solaris, and is
|
|
on a signaling circuit (VPI=0 & VCI=5).
|
|
.IP \fBilmic\fP
|
|
True if the packet is an ATM packet, for SunATM on Solaris, and is
|
|
on an ILMI circuit (VPI=0 & VCI=16).
|
|
.IP \fBconnectmsg\fP
|
|
True if the packet is an ATM packet, for SunATM on Solaris, and is
|
|
on a signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect,
|
|
Connect Ack, Release, or Release Done message.
|
|
.IP \fBmetaconnect\fP
|
|
True if the packet is an ATM packet, for SunATM on Solaris, and is
|
|
on a meta signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect,
|
|
Release, or Release Done message.
|
|
.IP "\fIexpr1 relop expr2\fR"
|
|
True if the relation holds. \fIRelop\fR is one of
|
|
.RB { > ,
|
|
.BR < ,
|
|
.BR >= ,
|
|
.BR <= ,
|
|
.BR = ,
|
|
.BR == ,
|
|
.BR != }
|
|
(where
|
|
.B =
|
|
means the same as
|
|
.BR == ).
|
|
Each of \fIexpr1\fR and \fIexpr2\fR is an arithmetic expression composed of
|
|
integer constants (expressed in standard C syntax), the normal binary operators
|
|
.RB { + ,
|
|
.BR - ,
|
|
.BR * ,
|
|
.BR / ,
|
|
.BR % ,
|
|
.BR & ,
|
|
.BR | ,
|
|
.BR ^ ,
|
|
.BR << ,
|
|
.BR >> },
|
|
a length operator, and special packet data
|
|
accessors. Note that all comparisons are unsigned, so that, for example,
|
|
0x80000000 and 0xffffffff are > 0.
|
|
.IP
|
|
The
|
|
.B %
|
|
and
|
|
.B ^
|
|
operators are currently only supported for filtering in the kernel on
|
|
particular operating systems (for example: FreeBSD, Linux with 3.7 and later
|
|
kernels, NetBSD); on all other systems (for example: AIX, illumos, Solaris,
|
|
OpenBSD), if
|
|
those operators are used, filtering will be done in user mode, which
|
|
will increase the overhead of capturing packets and may cause more
|
|
packets to be dropped.
|
|
.IP
|
|
The length operator, indicated by the keyword \fBlen\fP, gives the
|
|
length of the packet.
|
|
.IP
|
|
To access data inside the packet, use the following syntax:
|
|
.in +.5i
|
|
.nf
|
|
\fIproto\fB [ \fIexpr\fB : \fIsize\fB ]\fR
|
|
.fi
|
|
.in -.5i
|
|
.I Proto
|
|
is one of
|
|
.BR arp ,
|
|
.BR atalk ,
|
|
.BR carp ,
|
|
.BR decnet ,
|
|
.BR ether ,
|
|
.BR fddi ,
|
|
.BR icmp ,
|
|
.BR icmp6 ,
|
|
.BR igmp ,
|
|
.BR igrp ,
|
|
.BR ip ,
|
|
.BR ip6 ,
|
|
.BR lat ,
|
|
.BR link ,
|
|
.BR mopdl ,
|
|
.BR moprc ,
|
|
.BR pim ,
|
|
.BR ppp ,
|
|
.BR radio ,
|
|
.BR rarp ,
|
|
.BR sca ,
|
|
.BR sctp ,
|
|
.BR slip ,
|
|
.BR tcp ,
|
|
.BR tr ,
|
|
.BR udp ,
|
|
.B vrrp
|
|
or
|
|
.BR wlan ,
|
|
and
|
|
indicates the protocol layer for the index operation.
|
|
.RB ( ether ,
|
|
.BR fddi ,
|
|
.BR link ,
|
|
.BR ppp ,
|
|
.BR slip ,
|
|
.B tr
|
|
and
|
|
.BR wlan
|
|
all refer to the
|
|
link layer. \fBradio\fR refers to the "radio header" added to some
|
|
802.11 captures.)
|
|
Note that \fBtcp\fR, \fBudp\fR and other upper-layer protocol types only
|
|
apply to IPv4, not IPv6 (this will be fixed in the future).
|
|
The byte offset, relative to the indicated protocol layer, is
|
|
given by \fIexpr\fR.
|
|
\fISize\fR is optional and indicates the number of bytes in the
|
|
field of interest; it can be either one, two, or four, and defaults to one.
|
|
|
|
For example, `\fBether[\fP0\fB] &\fP 1 \fB!=\fP 0' catches all multicast traffic.
|
|
The expression `\fBip[\fP0\fB] &\fP 0xf \fB!=\fP 5'
|
|
catches all IPv4 packets with options.
|
|
The expression
|
|
`\fBip[\fP6:2\fB] &\fP 0x1fff \fB=\fP 0'
|
|
catches only unfragmented IPv4 datagrams and frag zero of fragmented
|
|
IPv4 datagrams.
|
|
This check is implicitly applied to the \fBtcp\fP and \fBudp\fP
|
|
index operations.
|
|
For instance, \fBtcp[\fP0\fB]\fP always means the first
|
|
byte of the TCP \fIheader\fP, and never means the first byte of an
|
|
intervening fragment.
|
|
.IP
|
|
Some offsets and field values may be expressed as names rather than
|
|
as numeric values.
|
|
The following protocol header field offsets are
|
|
available: \fBicmptype\fP (ICMP type field), \fBicmp6type\fP (ICMPv6 type field),
|
|
\fBicmpcode\fP (ICMP code field), \fBicmp6code\fP (ICMPv6 code field) and
|
|
\fBtcpflags\fP (TCP flags field).
|
|
.IP
|
|
The following ICMP type field values are available:
|
|
.BR \%icmp-echoreply ,
|
|
.BR \%icmp-unreach ,
|
|
.BR \%icmp-sourcequench ,
|
|
.BR \%icmp-redirect ,
|
|
.BR \%icmp-echo ,
|
|
.BR \%icmp-routeradvert ,
|
|
.BR \%icmp-routersolicit ,
|
|
.BR \%icmp-timxceed ,
|
|
.BR \%icmp-paramprob ,
|
|
.BR \%icmp-tstamp ,
|
|
.BR \%icmp-tstampreply ,
|
|
.BR \%icmp-ireq ,
|
|
.BR \%icmp-ireqreply ,
|
|
.BR \%icmp-maskreq ,
|
|
.BR \%icmp-maskreply .
|
|
.IP
|
|
The following ICMPv6 type field values are available:
|
|
.BR \%icmp6-destinationunreach ,
|
|
.BR \%icmp6-packettoobig ,
|
|
.BR \%icmp6-timeexceeded ,
|
|
.BR \%icmp6-parameterproblem ,
|
|
.BR \%icmp6-echo ,
|
|
.BR \%icmp6-echoreply ,
|
|
.BR \%icmp6-multicastlistenerquery ,
|
|
.BR \%icmp6-multicastlistenerreportv1 ,
|
|
.BR \%icmp6-multicastlistenerdone ,
|
|
.BR \%icmp6-routersolicit ,
|
|
.BR \%icmp6-routeradvert ,
|
|
.BR \%icmp6-neighborsolicit ,
|
|
.BR \%icmp6-neighboradvert ,
|
|
.BR \%icmp6-redirect ,
|
|
.BR \%icmp6-routerrenum ,
|
|
.BR \%icmp6-nodeinformationquery ,
|
|
.BR \%icmp6-nodeinformationresponse ,
|
|
.BR \%icmp6-ineighbordiscoverysolicit ,
|
|
.BR \%icmp6-ineighbordiscoveryadvert ,
|
|
.BR \%icmp6-multicastlistenerreportv2 ,
|
|
.BR \%icmp6-homeagentdiscoveryrequest ,
|
|
.BR \%icmp6-homeagentdiscoveryreply ,
|
|
.BR \%icmp6-mobileprefixsolicit ,
|
|
.BR \%icmp6-mobileprefixadvert ,
|
|
.BR \%icmp6-certpathsolicit ,
|
|
.BR \%icmp6-certpathadvert ,
|
|
.BR \%icmp6-multicastrouteradvert ,
|
|
.BR \%icmp6-multicastroutersolicit ,
|
|
.BR \%icmp6-multicastrouterterm .
|
|
.IP
|
|
The following TCP flags field values are available: \fBtcp-fin\fP,
|
|
\fBtcp-syn\fP, \fBtcp-rst\fP, \fBtcp-push\fP,
|
|
\fBtcp-ack\fP, \fBtcp-urg\fP, \fBtcp-ece\fP,
|
|
\fBtcp-cwr\fP.
|
|
.LP
|
|
Primitives may be combined using:
|
|
.IP
|
|
A parenthesized group of primitives and operators.
|
|
.IP
|
|
Negation (`\fB!\fP' or `\fBnot\fP').
|
|
.IP
|
|
Concatenation (`\fB&&\fP' or `\fBand\fP').
|
|
.IP
|
|
Alternation (`\fB||\fP' or `\fBor\fP').
|
|
.LP
|
|
Negation has the highest precedence.
|
|
Alternation and concatenation have equal precedence and associate
|
|
left to right.
|
|
Note that explicit \fBand\fR tokens, not juxtaposition,
|
|
are now required for concatenation.
|
|
.LP
|
|
If an identifier is given without a keyword, the most recent keyword
|
|
is assumed.
|
|
For example,
|
|
.in +.5i
|
|
.nf
|
|
\fBnot host\fP vs \fBand\fR ace
|
|
.fi
|
|
.in -.5i
|
|
is short for
|
|
.in +.5i
|
|
.nf
|
|
\fBnot host\fP vs \fBand host\fR ace
|
|
.fi
|
|
.in -.5i
|
|
which should not be confused with
|
|
.in +.5i
|
|
.nf
|
|
\fBnot (host \fPvs\fB or \fPace\fB)\fR
|
|
.fi
|
|
.in -.5i
|
|
.SH EXAMPLES
|
|
.LP
|
|
To select all packets arriving at or departing from `sundown':
|
|
.RS
|
|
.nf
|
|
\fBhost\fP sundown
|
|
.fi
|
|
.RE
|
|
.LP
|
|
To select traffic between `helios' and either `hot' or `ace':
|
|
.RS
|
|
.nf
|
|
\fBhost\fP helios \fBand (\fPhot \fBor\fP ace\fB)\fP
|
|
.fi
|
|
.RE
|
|
.LP
|
|
To select all IPv4 packets between `ace' and any host except `helios':
|
|
.RS
|
|
.nf
|
|
\fBip host\fP ace \fBand not\fP helios
|
|
.fi
|
|
.RE
|
|
.LP
|
|
To select all traffic between local hosts and hosts at Berkeley:
|
|
.RS
|
|
.nf
|
|
\fBnet\fP ucb-ether
|
|
.fi
|
|
.RE
|
|
.LP
|
|
To select all FTP traffic through Internet gateway `snup':
|
|
.RS
|
|
.nf
|
|
\fBgateway\fP snup \fBand (port\fP ftp \fBor\fP ftp-data\fB)\fP
|
|
.fi
|
|
.RE
|
|
.LP
|
|
To select IPv4 traffic neither sourced from nor destined for local hosts
|
|
(if you gateway to one other net, this stuff should never make it
|
|
onto your local net).
|
|
.RS
|
|
.nf
|
|
\fBip and not net \fPlocalnet
|
|
.fi
|
|
.RE
|
|
.LP
|
|
To select the start and end packets (the SYN and FIN packets) of each
|
|
TCP conversation that involves a non-local host.
|
|
.RS
|
|
.nf
|
|
\fBtcp[tcpflags] & (tcp-syn|tcp-fin) !=\fP 0 \fBand not src and dst net\fP localnet
|
|
.fi
|
|
.RE
|
|
.LP
|
|
To select the TCP packets with flags RST and ACK both set.
|
|
(i.e. select only the RST and ACK flags in the flags field, and if the result
|
|
is "RST and ACK both set", match)
|
|
.RS
|
|
.nf
|
|
.B
|
|
tcp[tcpflags] & (tcp-rst|tcp-ack) == (tcp-rst|tcp-ack)
|
|
.fi
|
|
.RE
|
|
.LP
|
|
To select all IPv4 HTTP packets to and from port 80, i.e. print only
|
|
packets that contain data, not, for example, SYN and FIN packets and
|
|
ACK-only packets. (IPv6 is left as an exercise for the reader.)
|
|
.RS
|
|
.nf
|
|
\fBtcp port\fP 80 \fBand (((ip[\fP2:2\fB] - ((ip[\fP0\fB]&\fP0xf\fB)<<\fP2\fB)) - ((tcp[\fP12\fB]&\fP0xf0\fB)>>\fP2\fB)) != \fP0\fB)
|
|
.fi
|
|
.RE
|
|
.LP
|
|
To select IPv4 packets longer than 576 bytes sent through gateway `snup':
|
|
.RS
|
|
.nf
|
|
\fBgateway\fP snup \fBand ip[\fP2:2\fB] >\fP 576
|
|
.fi
|
|
.RE
|
|
.LP
|
|
To select IPv4 broadcast or multicast packets that were
|
|
.I not
|
|
sent via Ethernet broadcast or multicast:
|
|
.RS
|
|
.nf
|
|
\fBether[\fP0\fB] &\fP 1 \fB=\fP 0 \fBand ip[\fP16\fB] >=\fP 224
|
|
.fi
|
|
.RE
|
|
.LP
|
|
To select all ICMP packets that are not echo requests/replies (i.e., not
|
|
ping packets):
|
|
.RS
|
|
.nf
|
|
.B
|
|
icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
|
|
.B
|
|
icmp6[icmp6type] != icmp6-echo and icmp6[icmp6type] != icmp6-echoreply
|
|
.fi
|
|
.RE
|
|
.SH BACKWARD COMPATIBILITY
|
|
The ICMPv6 type code names, as well as the
|
|
.B tcp-ece
|
|
and
|
|
.B tcp-cwr
|
|
TCP flag names became available in libpcap 1.9.0.
|
|
.PP
|
|
The
|
|
.B geneve
|
|
keyword became available in libpcap 1.8.0.
|
|
.SH SEE ALSO
|
|
.BR pcap (3PCAP)
|
|
.SH BUGS
|
|
To report a security issue please send an e-mail to \%security@tcpdump.org.
|
|
.LP
|
|
To report bugs and other problems, contribute patches, request a
|
|
feature, provide generic feedback etc please see the file
|
|
.I CONTRIBUTING.md
|
|
in the libpcap source tree root.
|
|
.LP
|
|
Filter expressions on fields other than those in Token Ring headers will
|
|
not correctly handle source-routed Token Ring packets.
|
|
.LP
|
|
Filter expressions on fields other than those in 802.11 headers will not
|
|
correctly handle 802.11 data packets with both To DS and From DS set.
|
|
.LP
|
|
`\fBip6 proto\fP'
|
|
should chase header chain, but at this moment it does not.
|
|
`\fBip6 protochain\fP'
|
|
is supplied for this behavior. For example, to match IPv6 fragments:
|
|
`\fBip6 protochain\fP 44'
|
|
.LP
|
|
Arithmetic expression against transport layer headers, like \fBtcp[0]\fP,
|
|
does not work against IPv6 packets.
|
|
It only looks at IPv4 packets.
|