PCAP-FILTER(7)         Miscellaneous Information Manual         PCAP-FILTER(7)



NAME
       pcap-filter - packet filter syntax

DESCRIPTION
       pcap_compile() is used to compile a string into a filter program.  The
       resulting filter program can then be applied to some stream of packets
       to determine which packets will be supplied to pcap_loop(),
       pcap_dispatch(), pcap_next(), or pcap_next_ex().

       The filter expression consists of one or more primitives.  Primitives
       usually consist of an id (name or number) preceded by one or more
       qualifiers.  There are three different kinds of qualifier:

       type   type qualifiers say what kind of thing the id name or number
              refers to.  Possible types are host, net, port and portrange.
              E.g., `host foo', `net 128.3', `port 20', `portrange 6000-6008'.
              If there is no type qualifier, host is assumed.

       dir    dir qualifiers specify a particular transfer direction to and/or
              from id.  Possible directions are src, dst, src or dst, src and
              dst, ra, ta, addr1, addr2, addr3, and addr4.  E.g., `src foo',
              `dst net 128.3', `src or dst port ftp-data'.  If there is no dir
              qualifier, src or dst is assumed.  The ra, ta, addr1, addr2,
              addr3, and addr4 qualifiers are only valid for IEEE 802.11
              Wireless LAN link layers.  For some link layers, such as SLIP and
              the ``cooked'' Linux capture mode used for the ``any'' device
              and for some other device types, the inbound and outbound
              qualifiers can be used to specify a desired direction.

       proto  proto qualifiers restrict the match to a particular protocol.
              Possible protos are: ether, fddi, tr, wlan, ip, ip6, arp, rarp,
              decnet, tcp and udp.  E.g., `ether src foo', `arp net 128.3',
              `tcp port 21', `udp portrange 7000-7009', `wlan addr2
              0:2:3:4:5:6'.  If there is no proto qualifier, all protocols
              consistent with the type are assumed.  E.g., `src foo' means
              `(ip or arp or rarp) src foo' (except the latter is not legal
              syntax), `net bar' means `(ip or arp or rarp) net bar' and `port
              53' means `(tcp or udp) port 53'.

       [`fddi' is actually an alias for `ether'; the parser treats them
       identically as meaning ``the data link level used on the specified
       network interface.''  FDDI headers contain Ethernet-like source and
       destination addresses, and often contain Ethernet-like packet types, so
       you can filter on these FDDI fields just as with the analogous Ethernet
       fields.  FDDI headers also contain other fields, but you cannot name
       them explicitly in a filter expression.

       Similarly, `tr' and `wlan' are aliases for `ether'; the previous
       paragraph's statements about FDDI headers also apply to Token Ring and
       802.11 wireless LAN headers.  For 802.11 headers, the destination
       address is the DA field and the source address is the SA field; the
       BSSID, RA, and TA fields aren't tested.]

       In addition to the above, there are some special `primitive' keywords
       that don't follow the pattern: gateway, broadcast, less, greater and
       arithmetic expressions.  All of these are described below.

       More complex filter expressions are built up by using the words and, or
       and not to combine primitives.  E.g., `host foo and not port ftp and
       not port ftp-data'.  To save typing, identical qualifier lists can be
       omitted.  E.g., `tcp dst port ftp or ftp-data or domain' is exactly the
       same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port
       domain'.

       Allowable primitives are:

       dst host host
              True if the IPv4/v6 destination field of the packet is host,
              which may be either an address or a name.

       src host host
              True if the IPv4/v6 source field of the packet is host.

       host host
              True if either the IPv4/v6 source or destination of the packet
              is host.

              Any of the above host expressions can be prepended with the
              keywords, ip, arp, rarp, or ip6 as in:
                   ip host host
              which is equivalent to:
                   ether proto \ip and host host
              If host is a name with multiple IP addresses, each address will
              be checked for a match.

       ether dst ehost
              True if the Ethernet destination address is ehost.  Ehost may be
              either a name from /etc/ethers or a numerical MAC address of the
              form "xx:xx:xx:xx:xx:xx", "xx.xx.xx.xx.xx.xx",
              "xx-xx-xx-xx-xx-xx", "xxxx.xxxx.xxxx", "xxxxxxxxxxxx", or
              various mixes of ':', '.', and '-', where each "x" is a hex
              digit (0-9, a-f, or A-F).

       ether src ehost
              True if the Ethernet source address is ehost.

       ether host ehost
              True if either the Ethernet source or destination address is
              ehost.

       gateway host
              True if the packet used host as a gateway.  I.e., the Ethernet
              source or destination address was host but neither the IP source
              nor the IP destination was host.  Host must be a name and must
              be found both by the machine's host-name-to-IP-address
              resolution mechanisms (host name file, DNS, NIS, etc.) and by
              the machine's host-name-to-Ethernet-address resolution mechanism
              (/etc/ethers, etc.).  (An equivalent expression is
                   ether host ehost and not host host
              which can be used with either names or numbers for host /
              ehost.)  This syntax does not work in an IPv6-enabled
              configuration at this moment.

       dst net net
              True if the IPv4/v6 destination address of the packet has a
              network number of net.  Net may be either a name from the
              networks database (/etc/networks, etc.) or a network number.  An
              IPv4 network number can be written as a dotted quad (e.g.,
              192.168.1.0), dotted triple (e.g., 192.168.1), dotted pair
              (e.g., 172.16), or single number (e.g., 10); the netmask is
              255.255.255.255 for a dotted quad (which means that it's really
              a host match), 255.255.255.0 for a dotted triple, 255.255.0.0
              for a dotted pair, or 255.0.0.0 for a single number.  An IPv6
              network number must be written out fully; the netmask is
              ff:ff:ff:ff:ff:ff:ff:ff, so IPv6 "network" matches are really
              always host matches, and a network match requires a netmask
              length.

       src net net
              True if the IPv4/v6 source address of the packet has a network
              number of net.

       net net
              True if either the IPv4/v6 source or destination address of the
              packet has a network number of net.

       net net mask netmask
              True if the IPv4 address matches net with the specific netmask.
              May be qualified with src or dst.  Note that this syntax is not
              valid for IPv6 net.

       net net/len
              True if the IPv4/v6 address matches net with a netmask len bits
              wide.  May be qualified with src or dst.

       dst port port
              True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has
              a destination port value of port.  The port can be a number or a
              name used in /etc/services (see tcp(4P) and udp(4P)).  If a name
              is used, both the port number and protocol are checked.  If a
              number or ambiguous name is used, only the port number is
              checked (e.g., dst port 513 will print both tcp/login traffic
              and udp/who traffic, and port domain will print both tcp/domain
              and udp/domain traffic).

       src port port
              True if the packet has a source port value of port.

       port port
              True if either the source or destination port of the packet is
              port.

       dst portrange port1-port2
              True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has
              a destination port value between port1 and port2.  port1 and
              port2 are interpreted in the same fashion as the port parameter
              for port.

       src portrange port1-port2
              True if the packet has a source port value between port1 and
              port2.

       portrange port1-port2
              True if either the source or destination port of the packet is
              between port1 and port2.

              Any of the above port or port range expressions can be prepended
              with the keywords, tcp or udp, as in:
                   tcp src port port
              which matches only tcp packets whose source port is port.

       less length
              True if the packet has a length less than or equal to length.
              This is equivalent to:
                   len <= length.

       greater length
              True if the packet has a length greater than or equal to length.
              This is equivalent to:
                   len >= length.

       ip proto protocol
              True if the packet is an IPv4 packet (see ip(4P)) of protocol
              type protocol.  Protocol can be a number or one of the names
              icmp, icmp6, igmp, igrp, pim, ah, esp, vrrp, udp, or tcp.  Note
              that the identifiers tcp, udp, and icmp are also keywords and
              must be escaped via backslash (\).  Note that this primitive
              does not chase the protocol header chain.

       ip6 proto protocol
              True if the packet is an IPv6 packet of protocol type protocol.
              Note that this primitive does not chase the protocol header
              chain.

       proto protocol
              True if the packet is an IPv4 or IPv6 packet of protocol type
              protocol.  Note that this primitive does not chase the protocol
              header chain.

       tcp, udp, icmp
              Abbreviations for:
                   proto p
              where p is one of the above protocols.

       ip6 protochain protocol
              True if the packet is an IPv6 packet, and contains a protocol
              header with type protocol in its protocol header chain.  For
              example,
                   ip6 protochain 6
              matches any IPv6 packet with a TCP protocol header in the
              protocol header chain.  The packet may contain, for example, an
              authentication header, routing header, or hop-by-hop option
              header, between the IPv6 header and the TCP header.  The BPF
              code emitted by this primitive is complex and cannot be
              optimized by the BPF optimizer code, and is not supported by
              filter engines in the kernel, so this can be somewhat slow, and
              may cause more packets to be dropped.

       ip protochain protocol
              Equivalent to ip6 protochain protocol, but this is for IPv4.

       protochain protocol
              True if the packet is an IPv4 or IPv6 packet of protocol type
              protocol.  Note that this primitive chases the protocol header
              chain.
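
       The difference between `ip6 proto' and `ip6 protochain' is easiest to
       see with a header walker.  The Python below is an added example, not
       libpcap code: it builds its own sample packets (hop-by-hop, routing and
       authentication headers with zero-filled contents in front of a stub
       TCP header) and the names ip6_proto, ip6_protochain and the builder
       functions are chosen here.

```python
import struct

# IPv6 Next Header values (IANA protocol numbers).
IPPROTO_HOPOPTS, IPPROTO_TCP, IPPROTO_UDP = 0, 6, 17
IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_AH, IPPROTO_DSTOPTS = 43, 44, 51, 60
# Extension headers the walker knows how to step over.
EXTENSION_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT,
                     IPPROTO_AH, IPPROTO_DSTOPTS}
IPV6_HEADER_LEN = 40


def ip6_proto(pkt):
    """`ip6 proto N` semantics: only the fixed header's Next Header is tested."""
    return pkt[6]


def ip6_protochain(pkt, proto):
    """`ip6 protochain N` semantics: follow Next Header through any
    extension headers and report whether `proto` appears in the chain."""
    next_header, offset = pkt[6], IPV6_HEADER_LEN
    while True:
        if next_header == proto:
            return True
        if next_header not in EXTENSION_HEADERS or offset + 2 > len(pkt):
            return False                 # reached the upper layer, or truncated
        if next_header == IPPROTO_FRAGMENT:
            ext_len = 8                  # Fragment header is a fixed 8 octets
        elif next_header == IPPROTO_AH:
            ext_len = (pkt[offset + 1] + 2) * 4   # AH length: 32-bit words minus 2
        else:
            ext_len = (pkt[offset + 1] + 1) * 8   # 8-octet units, excluding first 8
        next_header, offset = pkt[offset], offset + ext_len


# --- constructed sample packets (not captured traffic) ----------------------

def ipv6_packet(first_next_header, payload):
    """Fixed IPv6 header: version 6, hop limit 64, documentation addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), first_next_header, 64)
    return fixed + src + dst + payload


def hop_by_hop(next_header):
    # Hdr Ext Len 0 -> 8 octets total; the option area is a single PadN.
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def routing(next_header):
    # Hdr Ext Len 0, routing type 0, segments left 0, four reserved octets.
    return bytes([next_header, 0, 0, 0, 0, 0, 0, 0])


def authentication(next_header):
    # Payload Len 4 -> (4 + 2) * 4 = 24 octets: 12 fixed + 12 of ICV.
    return bytes([next_header, 4, 0, 0]) + bytes(8) + bytes(12)


TCP_STUB = bytes(20)                                   # placeholder TCP header
PLAIN_TCP = ipv6_packet(IPPROTO_TCP, TCP_STUB)
CHAINED_TCP = ipv6_packet(IPPROTO_HOPOPTS,
                          hop_by_hop(IPPROTO_ROUTING) + routing(IPPROTO_AH)
                          + authentication(IPPROTO_TCP) + TCP_STUB)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN_TCP), ("hbh+routing+ah", CHAINED_TCP)):
        print(f"{name:15} ip6 proto 6 -> {ip6_proto(pkt) == IPPROTO_TCP}, "
              f"ip6 protochain 6 -> {ip6_protochain(pkt, IPPROTO_TCP)}")
```

       On the chained packet `ip6 proto 6' is false (the fixed header says
       hop-by-hop) while `ip6 protochain 6' is true; both are true on the
       plain packet.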
238
239       ether broadcast
240              True if the packet is an Ethernet broadcast packet.   The  ether
241              keyword is optional.
242
243       ip broadcast
244              True  if  the packet is an IPv4 broadcast packet.  It checks for
245              both the all-zeroes  and  all-ones  broadcast  conventions,  and
246              looks  up  the subnet mask on the interface on which the capture
247              is being done.
248
249              If the subnet mask of the interface  on  which  the  capture  is
250              being  done  is  not  available, either because the interface on
251              which capture is being done has no netmask or because  the  cap‐
252              ture  is being done on the Linux "any" interface, which can cap‐
253              ture on more than one interface, this check will not  work  cor‐
254              rectly.
255
256       ether multicast
257              True  if  the packet is an Ethernet multicast packet.  The ether
258              keyword is optional.  This is shorthand for `ether[0] & 1 != 0'.
259
260       ip multicast
261              True if the packet is an IPv4 multicast packet.
262
263       ip6 multicast
264              True if the packet is an IPv6 multicast packet.
265
266       ether proto protocol
267              True if the packet is of ether type protocol.  Protocol can be a
268              number or one of the names ip, ip6, arp, rarp, atalk, aarp, dec‐
269              net, sca, lat, mopdl, moprc, iso, stp, ipx,  or  netbeui.   Note
270              these  identifiers  are  also  keywords  and must be escaped via
271              backslash (\).
272
273              [In the case of FDDI (e.g., `fddi proto arp'), Token Ring (e.g.,
274              `tr  proto  arp'),  and  IEEE  802.11 wireless LANS (e.g., `wlan
275              proto arp'), for most of those protocols, the protocol identifi‐
276              cation  comes  from the 802.2 Logical Link Control (LLC) header,
277              which is usually layered on top of  the  FDDI,  Token  Ring,  or
278              802.11 header.
279
280              When  filtering  for  most  protocol  identifiers on FDDI, Token
281              Ring, or 802.11, the filter checks only the protocol ID field of
282              an  LLC  header  in so-called SNAP format with an Organizational
283              Unit Identifier (OUI) of 0x000000, for encapsulated Ethernet; it
284              doesn't  check  whether the packet is in SNAP format with an OUI
285              of 0x000000.  The exceptions are:
286
287              iso    the filter checks the DSAP  (Destination  Service  Access
288                     Point)  and  SSAP (Source Service Access Point) fields of
289                     the LLC header;
290
291              stp and netbeui
292                     the filter checks the DSAP of the LLC header;
293
294              atalk  the filter checks for a SNAP-format packet with an OUI of
295                     0x080007 and the AppleTalk etype.
296
297              In  the  case  of  Ethernet, the filter checks the Ethernet type
298              field for most of those protocols.  The exceptions are:
299
300              iso, stp, and netbeui
301                     the filter checks for an 802.3 frame and then checks  the
302                     LLC header as it does for FDDI, Token Ring, and 802.11;
303
304              atalk  the filter checks both for the AppleTalk etype in an Eth‐
305                     ernet frame and for a SNAP-format packet as it  does  for
306                     FDDI, Token Ring, and 802.11;
307
308              aarp   the  filter  checks for the AppleTalk ARP etype in either
309                     an Ethernet frame or an 802.2 SNAP frame with an  OUI  of
310                     0x000000;
311
312              ipx    the filter checks for the IPX etype in an Ethernet frame,
313                     the IPX DSAP in the LLC  header,  the  802.3-with-no-LLC-
314                     header  encapsulation of IPX, and the IPX etype in a SNAP
315                     frame.
316
317       ip, ip6, arp, rarp, atalk, aarp, decnet, iso, stp, ipx, netbeui
318              Abbreviations for:
319                   ether proto p
320              where p is one of the above protocols.
321
322       lat, moprc, mopdl
323              Abbreviations for:
324                   ether proto p
325              where p is one of the above protocols.  Note that not all appli‐
326              cations using pcap(3PCAP) currently know how to parse these pro‐
327              tocols.
328
329       decnet src host
330              True if the DECNET source address  is  host,  which  may  be  an
331              address  of the form ``10.123'', or a DECNET host name.  [DECNET
332              host name support is only available on ULTRIX systems  that  are
333              configured to run DECNET.]
334
335       decnet dst host
336              True if the DECNET destination address is host.
337
338       decnet host host
339              True if either the DECNET source or destination address is host.
340
341       llc    True if the packet has an 802.2 LLC header.  This includes:
342
343              Ethernet  packets  with  a length field rather than a type field
344              that aren't raw NetWare-over-802.3 packets;
345
346              IEEE 802.11 data packets;
347
348              Token Ring packets (no check is done for LLC frames);
349
350              FDDI packets (no check is done for LLC frames);
351
352              LLC-encapsulated ATM packets, for SunATM on Solaris.
353
354       llc type
355              True if the packet has an 802.2 LLC header and has the specified
356              type.  type can be one of:
357
358              i      Information (I) PDUs
359
360              s      Supervisory (S) PDUs
361
362              u      Unnumbered (U) PDUs
363
364              rr     Receiver Ready (RR) S PDUs
365
366              rnr    Receiver Not Ready (RNR) S PDUs
367
368              rej    Reject (REJ) S PDUs
369
370              ui     Unnumbered Information (UI) U PDUs
371
372              ua     Unnumbered Acknowledgment (UA) U PDUs
373
374              disc   Disconnect (DISC) U PDUs
375
376              sabme  Set Asynchronous Balanced Mode Extended (SABME) U PDUs
377
378              test   Test (TEST) U PDUs
379
380              xid    Exchange Identification (XID) U PDUs
381
382              frmr   Frame Reject (FRMR) U PDUs
383
384       ifname interface
385              True  if  the  packet  was  logged  as coming from the specified
386              interface (applies only to packets logged by OpenBSD's or  Free‐
387              BSD's pf(4)).
388
389       on interface
390              Synonymous with the ifname modifier.
391
392       rnr num
393              True  if the packet was logged as matching the specified PF rule
394              number (applies only to packets logged by OpenBSD's or FreeBSD's
395              pf(4)).
396
397       rulenum num
398              Synonymous with the rnr modifier.
399
400       reason code
401              True if the packet was logged with the specified PF reason code.
402              The known codes are: match, bad-offset, fragment, short, normal‐
403              ize,  and memory (applies only to packets logged by OpenBSD's or
404              FreeBSD's pf(4)).
405
406       rset name
407              True if the packet was logged as matching the specified PF rule‐
408              set  name of an anchored ruleset (applies only to packets logged
409              by OpenBSD's or FreeBSD's pf(4)).
410
411       ruleset name
412              Synonymous with the rset modifier.
413
414       srnr num
415              True if the packet was logged as matching the specified PF  rule
416              number of an anchored ruleset (applies only to packets logged by
417              OpenBSD's or FreeBSD's pf(4)).
418
419       subrulenum num
420              Synonymous with the srnr modifier.
421
422       action act
423              True if PF took the specified action when the packet was logged.
424              Known  actions  are:  pass and block and, with later versions of
425              pf(4), nat, rdr, binat and scrub (applies only to packets logged
426              by OpenBSD's or FreeBSD's pf(4)).
427
428       wlan ra ehost
429              True  if  the  IEEE 802.11 RA is ehost.  The RA field is used in
430              all frames except for management frames.
431
432       wlan ta ehost
433              True if the IEEE 802.11 TA is ehost.  The TA field  is  used  in
434              all  frames except for management frames and CTS (Clear To Send)
435              and ACK (Acknowledgment) control frames.
436
437       wlan addr1 ehost
438              True if the first IEEE 802.11 address is ehost.
439
440       wlan addr2 ehost
441              True if the second IEEE 802.11 address, if  present,  is  ehost.
442              The  second  address  field is used in all frames except for CTS
443              (Clear To Send) and ACK (Acknowledgment) control frames.
444
445       wlan addr3 ehost
446              True if the third IEEE 802.11 address,  if  present,  is  ehost.
447              The  third  address field is used in management and data frames,
448              but not in control frames.
449
450       wlan addr4 ehost
451              True if the fourth IEEE 802.11 address, if  present,  is  ehost.
452              The  fourth address field is only used for WDS (Wireless Distri‐
453              bution System) frames.
454
455       type wlan_type
456              True if  the  IEEE  802.11  frame  type  matches  the  specified
457              wlan_type.  Valid wlan_types are: mgt, ctl and data.
458
459       type wlan_type subtype wlan_subtype
460              True  if  the  IEEE  802.11  frame  type  matches  the specified
461              wlan_type and frame subtype matches the specified wlan_subtype.
462
463              If the specified wlan_type is mgt, then valid wlan_subtypes are:
464              assoc-req,  assoc-resp,  reassoc-req,  reassoc-resp,  probe-req,
465              probe-resp, beacon, atim, disassoc, auth and deauth.
466
467              If the specified wlan_type is ctl, then valid wlan_subtypes are:
468              ps-poll, rts, cts, ack, cf-end and cf-end-ack.
469
470              If  the  specified  wlan_type  is data, then valid wlan_subtypes
471              are: data, data-cf-ack,  data-cf-poll,  data-cf-ack-poll,  null,
472              cf-ack,  cf-poll,  cf-ack-poll,  qos-data, qos-data-cf-ack, qos-
473              data-cf-poll, qos-data-cf-ack-poll, qos, qos-cf-poll and qos-cf-
474              ack-poll.
475
476       subtype wlan_subtype
477              True  if  the  IEEE  802.11  frame subtype matches the specified
478              wlan_subtype and frame has  the  type  to  which  the  specified
479              wlan_subtype belongs.
480
481       dir dir
482              True  if  the  IEEE 802.11 frame direction matches the specified
483              dir.  Valid directions are: nods, tods,  fromds,  dstods,  or  a
484              numeric value.
485
486       vlan [vlan_id]
487              True  if the packet is an IEEE 802.1Q VLAN packet.  If [vlan_id]
488              is specified, only true if the packet has the specified vlan_id.
489              Note  that  the  first  vlan  keyword  encountered in expression
490              changes the decoding offsets for the remainder of expression  on
491              the  assumption  that  the  packet  is  a VLAN packet.  The vlan
492              [vlan_id] expression may be used more than once,  to  filter  on
493              VLAN  hierarchies.   Each  use of that expression increments the
494              filter offsets by 4.
495
496              For example:
497                   vlan 100 && vlan 200
498              filters on VLAN 200 encapsulated within VLAN 100, and
499                   vlan && vlan 300 && ip
500              filters IPv4 protocols encapsulated  in  VLAN  300  encapsulated
501              within any higher order VLAN.
502
503       mpls [label_num]
504              True  if the packet is an MPLS packet.  If [label_num] is speci‐
505              fied, only true is the packet has the specified label_num.  Note
506              that  the  first  mpls keyword encountered in expression changes
507              the decoding offsets for the  remainder  of  expression  on  the
508              assumption  that  the  packet  is a MPLS-encapsulated IP packet.
509              The mpls [label_num] expression may be used more than  once,  to
510              filter  on MPLS hierarchies.  Each use of that expression incre‐
511              ments the filter offsets by 4.
512
513              For example:
514                   mpls 100000 && mpls 1024
515              filters packets with an outer label of 100000 and an inner label
516              of 1024, and
517                   mpls && mpls 1024 && host 192.9.200.1
518              filters  packets  to  or from 192.9.200.1 with an inner label of
519              1024 and any outer label.
520
521       pppoed True if the packet is a PPP-over-Ethernet Discovery packet (Eth‐
522              ernet type 0x8863).
523
524       pppoes [session_id]
525              True if the packet is a PPP-over-Ethernet Session packet (Ether‐
526              net type 0x8864).  If [session_id] is specified,  only  true  if
527              the  packet  has  the specified session_id.  Note that the first
528              pppoes keyword encountered in expression  changes  the  decoding
529              offsets  for  the remainder of expression on the assumption that
530              the packet is a PPPoE session packet.
531
532              For example:
533                   pppoes 0x27 && ip
534              filters IPv4 protocols encapsulated in PPPoE session id 0x27.
535
536       geneve [vni]
537              True if the packet is a Geneve packet (UDP port 6081). If  [vni]
538              is  specified,  only  true  if the packet has the specified vni.
539              Note that when the geneve keyword is encountered in  expression,
540              it  changes the decoding offsets for the remainder of expression
541              on the assumption that the packet is a Geneve packet.
542
543              For example:
544                   geneve 0xb && ip
545              filters IPv4 protocols encapsulated in Geneve with VNI 0xb. This
546              will match both IP directly encapsulated in Geneve as well as IP
547              contained inside an Ethernet frame.
548
549       iso proto protocol
550              True if the packet is an OSI packet of protocol  type  protocol.
551              Protocol  can  be  a  number  or one of the names clnp, esis, or
552              isis.
553
554       clnp, esis, isis
555              Abbreviations for:
556                   iso proto p
557              where p is one of the above protocols.
558
559       l1, l2, iih, lsp, snp, csnp, psnp
560              Abbreviations for IS-IS PDU types.
561
562       vpi n  True if the packet is an ATM packet, for SunATM on Solaris, with
563              a virtual path identifier of n.
564
565       vci n  True if the packet is an ATM packet, for SunATM on Solaris, with
566              a virtual channel identifier of n.
567
568       lane   True if the packet is an ATM packet, for SunATM on Solaris,  and
569              is an ATM LANE packet.  Note that the first lane keyword encoun‐
570              tered in expression changes the tests done in the  remainder  of
571              expression  on  the  assumption that the packet is either a LANE
572              emulated Ethernet packet or a LANE LE Control packet.   If  lane
573              isn't  specified,  the  tests are done under the assumption that
574              the packet is an LLC-encapsulated packet.
575
576       oamf4s True if the packet is an ATM packet, for SunATM on Solaris,  and
577              is a segment OAM F4 flow cell (VPI=0 & VCI=3).
578
579       oamf4e True  if the packet is an ATM packet, for SunATM on Solaris, and
580              is an end-to-end OAM F4 flow cell (VPI=0 & VCI=4).
581
582       oamf4  True if the packet is an ATM packet, for SunATM on Solaris,  and
583              is  a  segment  or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 |
584              VCI=4)).
585
586       oam    True if the packet is an ATM packet, for SunATM on Solaris,  and
587              is  a  segment  or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 |
588              VCI=4)).
589
590       metac  True if the packet is an ATM packet, for SunATM on Solaris,  and
591              is on a meta signaling circuit (VPI=0 & VCI=1).
592
593       bcc    True  if the packet is an ATM packet, for SunATM on Solaris, and
594              is on a broadcast signaling circuit (VPI=0 & VCI=2).
595
596       sc     True if the packet is an ATM packet, for SunATM on Solaris,  and
597              is on a signaling circuit (VPI=0 & VCI=5).
598
599       ilmic  True  if the packet is an ATM packet, for SunATM on Solaris, and
600              is on an ILMI circuit (VPI=0 & VCI=16).
601
602       connectmsg
603              True if the packet is an ATM packet, for SunATM on Solaris,  and
604              is  on  a signaling circuit and is a Q.2931 Setup, Call Proceed‐
605              ing, Connect, Connect Ack, Release, or Release Done message.
606
607       metaconnect
608              True if the packet is an ATM packet, for SunATM on Solaris,  and
609              is  on a meta signaling circuit and is a Q.2931 Setup, Call Pro‐
610              ceeding, Connect, Release, or Release Done message.
611
612       expr relop expr
613              True if the relation holds, where relop is one of >, <, >=,  <=,
614              =,  !=, and expr is an arithmetic expression composed of integer
615              constants (expressed in standard C syntax),  the  normal  binary
616              operators  [+,  -, *, /, %, &, |, ^, <<, >>], a length operator,
617              and special packet data accessors.  Note  that  all  comparisons
618              are  unsigned,  so  that, for example, 0x80000000 and 0xffffffff
619              are > 0.
620
621              The % and ^ operators are currently only supported for filtering
622              in  the kernel on Linux with 3.7 and later kernels; on all other
623              systems, if those operators are used, filtering will be done  in
624              user mode, which will increase the overhead of capturing packets
625              and may cause more packets to be dropped.

              To access data inside the packet, use the following syntax:
                   proto [ expr : size ]
              Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp,
              rarp, tcp, udp, icmp, ip6 or radio, and indicates the protocol
              layer for the index operation.  (ether, fddi, wlan, tr, ppp,
              slip and link all refer to the link layer.  radio refers to the
              "radio header" added to some 802.11 captures.)  Note that tcp,
              udp and other upper-layer protocol types only apply to IPv4, not
              IPv6 (this will be fixed in the future).  The byte offset,
              relative to the indicated protocol layer, is given by expr.
              Size is optional and indicates the number of bytes in the field
              of interest; it can be either one, two, or four, and defaults to
              one.  The length operator, indicated by the keyword len, gives
              the length of the packet.

              For example, `ether[0] & 1 != 0' catches all multicast traffic
              (the broadcast address ff:ff:ff:ff:ff:ff also has that bit
              set).  The expression `ip[0] & 0xf != 5' catches all IPv4
              packets with options.  The expression `ip[6:2] & 0x1fff = 0'
              catches only unfragmented IPv4 datagrams and frag zero of
              fragmented IPv4 datagrams.  This check is implicitly applied to
              the tcp and udp index operations.  For instance, tcp[0] always
              means the first byte of the TCP header, and never means the
              first byte of an intervening fragment.

              Some offsets and field values may be expressed as names rather
              than as numeric values.  The following protocol header field
              offsets are available: icmptype (ICMP type field), icmp6type
              (ICMPv6 type field), icmpcode (ICMP code field), icmp6code
              (ICMPv6 code field), and tcpflags (TCP flags field).

              The following ICMP type field values are available:
              icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect,
              icmp-echo, icmp-routeradvert, icmp-routersolicit, icmp-timxceed,
              icmp-paramprob, icmp-tstamp, icmp-tstampreply, icmp-ireq,
              icmp-ireqreply, icmp-maskreq, icmp-maskreply.

              The following ICMPv6 type field values are available:
              icmp6-echo, icmp6-echoreply, icmp6-multicastlistenerquery,
              icmp6-multicastlistenerreportv1, icmp6-multicastlistenerdone,
              icmp6-routersolicit, icmp6-routeradvert, icmp6-neighborsolicit,
              icmp6-neighboradvert, icmp6-redirect, icmp6-routerrenum,
              icmp6-nodeinformationquery, icmp6-nodeinformationresponse,
              icmp6-ineighbordiscoverysolicit, icmp6-ineighbordiscoveryadvert,
              icmp6-multicastlistenerreportv2,
              icmp6-homeagentdiscoveryrequest, icmp6-homeagentdiscoveryreply,
              icmp6-mobileprefixsolicit, icmp6-mobileprefixadvert,
              icmp6-certpathsolicit, icmp6-certpathadvert,
              icmp6-multicastrouteradvert, icmp6-multicastroutersolicit,
              icmp6-multicastrouterterm.

              The following TCP flags field values are available: tcp-fin,
              tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg, tcp-ece, tcp-cwr.

       Primitives may be combined using:

              A parenthesized group of primitives and operators.

              Negation (`!' or `not').

              Concatenation (`&&' or `and').

              Alternation (`||' or `or').

       Negation has highest precedence.  Alternation and concatenation have
       equal precedence and associate left to right, so `a or b and c' is
       parsed as `(a or b) and c'; use parentheses where a different grouping
       is intended.  Note that explicit `and' tokens, not juxtaposition, are
       now required for concatenation.

       If an identifier is given without a keyword, the most recent keyword is
       assumed.  For example,
            not host vs and ace
       is short for
            not host vs and host ace
       which should not be confused with
            not ( host vs or ace )
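
       The two rules above (equal precedence of `and' and `or', read left to
       right, and inheritance of the most recent keyword) are easy to get
       wrong when a filter is typed from memory, and a misgrouped filter
       silently matches the wrong traffic.  The following parser is an added
       illustration, not libpcap's grammar: it applies exactly those two
       rules and prints the fully parenthesized reading.  Primitives are
       reduced to opaque strings looked up in a caller-supplied table;
       relational expressions such as `ip[2:2] > 576' and shell escaping are
       not handled, and keyword inheritance is simplified to "prefix a lone
       word with the qualifier words of the previous primitive".  The
       `c_precedence' switch parses the same text with the C convention
       (`and' binding tighter than `or') so the two readings can be compared.

```python
import re

# A token is a parenthesis, an operator, or a run of anything else.
_TOKEN = re.compile(r"\(|\)|!|&&|\|\||[^\s()!&|]+")
_ALIAS = {"&&": "and", "||": "or", "!": "not"}


def tokenize(expr):
    """Split a filter string; `&&', `||' and `!' become and, or, not."""
    return [_ALIAS.get(t, t) for t in _TOKEN.findall(expr)]


class _PcapParser:  # man-page rules: `not' tightest; `and'/`or' equal, left to right
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
        self.keyword = []        # qualifier words of the most recent primitive

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def primitive(self):
        words = []
        while self.peek() not in (None, "and", "or", "not", "(", ")"):
            words.append(self.take())
        if not words:
            raise ValueError("primitive expected at token %d" % self.i)
        if len(words) == 1 and self.keyword:
            words = self.keyword + words   # `... and ace' reads as `host ace' (simplified)
        else:
            self.keyword = words[:-1]
        return ("prim", " ".join(words))

    def unary(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.unary())
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.peek() != ")":
                raise ValueError("missing `)'")
            self.take()
            return node
        return self.primitive()

    def expr(self):
        node = self.unary()
        while self.peek() in ("and", "or"):   # one precedence level, left-assoc
            node = (self.take(), node, self.unary())
        return node


class _CParser(_PcapParser):  # C convention, for contrast: `and' binds tighter than `or'
    def expr(self):
        node = self.conj()
        while self.peek() == "or":
            node = (self.take(), node, self.conj())
        return node

    def conj(self):
        node = self.unary()
        while self.peek() == "and":
            node = (self.take(), node, self.unary())
        return node


def parse(expr, c_precedence=False):
    """AST nodes: ('prim', text), ('not', x), ('and' | 'or', lhs, rhs)."""
    p = (_CParser if c_precedence else _PcapParser)(tokenize(expr))
    node = p.expr()
    if p.peek() is not None:
        raise ValueError("unexpected token %r" % p.peek())
    return node


def render(node):
    """Fully parenthesized form, making the grouping explicit."""
    if node[0] == "prim":
        return node[1]
    if node[0] == "not":
        return "not " + render(node[1])
    return "(%s %s %s)" % (render(node[1]), node[0], render(node[2]))


def evaluate(node, env):
    """env maps each expanded primitive (e.g. 'host ace') to True/False."""
    if node[0] == "prim":
        return env[node[1]]
    if node[0] == "not":
        return not evaluate(node[1], env)
    lhs, rhs = evaluate(node[1], env), evaluate(node[2], env)
    return (lhs and rhs) if node[0] == "and" else (lhs or rhs)


if __name__ == "__main__":
    f = "host helios or host hot and port 80"
    env = {"host helios": True, "host hot": False, "port 80": False}  # constructed: helios, port 22
    for c in (False, True):
        print("%-4s %-45s -> %s" % ("C" if c else "pcap", render(parse(f, c)), evaluate(parse(f, c), env)))
    print(render(parse("not host vs and ace")), "|", render(parse("not ( host vs or ace )")))
```

       Under the man-page rules `host helios or host hot and port 80' becomes
       `((host helios or host hot) and port 80)', so a packet from helios on
       any other port is dropped; under the C reading it would be kept.  When
       in doubt, parenthesize, or compare the compiled programs with
       tcpdump's -d option.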

EXAMPLES
       To select all packets arriving at or departing from sundown:
              host sundown

       To select traffic between helios and either hot or ace:
              host helios and \( hot or ace \)

       To select all IP packets between ace and any host except helios:
              ip host ace and not helios

       To select all traffic between local hosts and hosts at Berkeley:
              net ucb-ether

       To select all ftp traffic through internet gateway snup:
              gateway snup and (port ftp or ftp-data)

       To select traffic neither sourced from nor destined for local hosts (if
       you gateway to one other net, such traffic should never make it onto
       your local net):
              ip and not net localnet

       To select the start and end packets (the SYN and FIN packets) of each
       TCP conversation that involves a non-local host:
              tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet

       To select all IPv4 HTTP packets to and from port 80, i.e. print only
       packets that contain data, not, for example, SYN and FIN packets and
       ACK-only packets.  The expression is the IPv4 total length minus the
       IPv4 header length minus the TCP header length, i.e. the TCP payload
       length.  (IPv6 is left as an exercise for the reader.)
              tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)

       To select IP packets longer than 576 bytes sent through gateway snup:
              gateway snup and ip[2:2] > 576

       To select IP broadcast or multicast packets that were not sent via
       Ethernet broadcast or multicast:
              ether[0] & 1 = 0 and ip[16] >= 224

       To select all ICMP packets that are not echo requests/replies (i.e.,
       not ping packets):
              icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
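
       The accessor examples in DESCRIPTION (`ether[0] & 1', `ip[0] & 0xf',
       `ip[6:2] & 0x1fff') and the arithmetic examples above (SYN/FIN
       packets, data-carrying port 80 segments, IP multicast sent to an
       Ethernet unicast address) all reduce to reading fixed-width unsigned
       fields relative to a header.  The Python below models those accessor
       semantics over constructed Ethernet/IPv4/TCP frames so the arithmetic
       can be checked byte by byte.  It is an added illustration, not libpcap
       code: `ether', `ip' and `tcp' are this example's own functions, it
       assumes Ethernet framing, and it reproduces only the rules the man
       page states (tcp[] applies to IPv4 only, and only to unfragmented
       datagrams or fragment zero).  The frames, including the HTTP request,
       are constructed in the block; checksums are left zero because the
       filter never checks them.

```python
import socket
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCPFLAGS = 13                   # `tcpflags': offset of the flags byte in the TCP header
TCP_FIN, TCP_SYN = 0x01, 0x02   # `tcp-fin', `tcp-syn'


def _field(pkt, pos, size):
    """Unsigned big-endian field, or None if it lies past the end of the frame."""
    chunk = pkt[pos:pos + size]
    return int.from_bytes(chunk, "big") if len(chunk) == size else None


def ether(pkt, off, size=1):
    """ether[off:size]: offset relative to the link-layer header."""
    return _field(pkt, off, size)


def ip(pkt, off, size=1):
    """ip[off:size]: offset relative to the IPv4 header; None if not IPv4."""
    if ether(pkt, 12, 2) != ETHERTYPE_IPV4:
        return None
    return _field(pkt, ETH_HDR_LEN + off, size)


def tcp(pkt, off, size=1):
    """tcp[off:size] relative to the TCP header: IPv4 only, and the implicit
    `ip[6:2] & 0x1fff = 0' check stops it from indexing into a later fragment."""
    vhl, proto, frag = ip(pkt, 0), ip(pkt, 9), ip(pkt, 6, 2)
    if None in (vhl, proto, frag) or proto != IPPROTO_TCP or frag & 0x1fff:
        return None
    return _field(pkt, ETH_HDR_LEN + (vhl & 0xf) * 4 + off, size)


def _holds(*fields, rel):
    # A relation on a field that is missing is false, like a BPF load past the end.
    return None not in fields and bool(rel(*fields))


def eth_multicast(pkt):                 # `ether[0] & 1 != 0' (broadcast too)
    return _holds(ether(pkt, 0), rel=lambda e: e & 1 != 0)

def ip_has_options(pkt):                # `ip[0] & 0xf != 5' (IHL other than 5 words)
    return _holds(ip(pkt, 0), rel=lambda v: v & 0xf != 5)

def ip_first_or_unfragmented(pkt):      # `ip[6:2] & 0x1fff = 0'
    return _holds(ip(pkt, 6, 2), rel=lambda f: f & 0x1fff == 0)

def tcp_syn_or_fin(pkt):                # `tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'
    return _holds(tcp(pkt, TCPFLAGS), rel=lambda f: f & (TCP_SYN | TCP_FIN) != 0)

def tcp_has_payload(pkt):               # `(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2) != 0'
    # IPv4 total length minus IPv4 header length minus TCP header length.
    return _holds(ip(pkt, 2, 2), ip(pkt, 0), tcp(pkt, 12),
                  rel=lambda tot, vhl, doff: (tot - ((vhl & 0xf) << 2)) - ((doff & 0xf0) >> 2) != 0)

def http_data(pkt):                     # `tcp port 80 and (... != 0)' from EXAMPLES
    return 80 in (tcp(pkt, 0, 2), tcp(pkt, 2, 2)) and tcp_has_payload(pkt)

def ip_group_over_eth_unicast(pkt):     # `ether[0] & 1 = 0 and ip[16] >= 224'
    return _holds(ether(pkt, 0), ip(pkt, 16), rel=lambda e, d: e & 1 == 0 and d >= 224)


UNICAST_MAC, MCAST_MAC = bytes.fromhex("001122334455"), bytes.fromhex("01005e000001")
SRC_MAC = bytes.fromhex("66778899aabb")
TS_OPT = bytes.fromhex("0101080a") + bytes(8)   # NOP, NOP, timestamp option: 12 bytes


def build_tcp_frame(dst_mac=UNICAST_MAC, dst_ip="10.0.0.2", ip_options=b"", frag_offset=0,
                    dport=80, flags=0x10, tcp_options=b"", payload=b""):
    """Constructed Ethernet/IPv4/TCP frame from 10.0.0.1:40000; checksums left zero."""
    ihl, doff = 20 + len(ip_options), 20 + len(tcp_options)
    assert ihl % 4 == 0 and doff % 4 == 0
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + doff + len(payload),
                         0x1234, frag_offset & 0x1fff, 64, IPPROTO_TCP, 0,
                         socket.inet_aton("10.0.0.1"), socket.inet_aton(dst_ip)) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, (doff // 4) << 4, flags, 65535, 0, 0)
    return dst_mac + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + tcp_hdr + tcp_options + payload


FRAMES = {
    "syn": build_tcp_frame(flags=TCP_SYN),
    "ack_only": build_tcp_frame(tcp_options=TS_OPT),
    "http_get": build_tcp_frame(flags=0x18, tcp_options=TS_OPT, payload=b"GET / HTTP/1.0\r\n\r\n"),
    "ip_options": build_tcp_frame(ip_options=bytes.fromhex("94040000")),   # router alert option
    # Fragment offset 185: the bytes at the TCP position still read like a SYN, but tcp[] never looks.
    "later_fragment": build_tcp_frame(flags=TCP_SYN, frag_offset=185),
    "eth_multicast": build_tcp_frame(dst_mac=MCAST_MAC, dst_ip="224.0.0.1"),
    "ip_mcast_eth_unicast": build_tcp_frame(dst_ip="224.0.0.9"),
    "arp": UNICAST_MAC + SRC_MAC + struct.pack("!H", 0x0806) + bytes(28),   # not IPv4 at all
}

if __name__ == "__main__":
    for name, pkt in FRAMES.items():
        print("%-21s syn|fin=%-5s data=%-5s http=%-5s ipopts=%-5s grp/ucast=%s" % (
            name, tcp_syn_or_fin(pkt), tcp_has_payload(pkt), http_data(pkt),
            ip_has_options(pkt), ip_group_over_eth_unicast(pkt)))
```

       Two results are worth noting.  The ACK-only segment carrying a 12-byte
       timestamp option is correctly rejected by the payload test only
       because the TCP data offset is subtracted; comparing `ip[2:2]' against
       40 would have mistaken the option bytes for data.  And the later
       fragment is rejected even though the bytes at the TCP position look
       like a SYN, which is what the implicit fragment-zero check buys you.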

SEE ALSO
       pcap(3PCAP)

BUGS
       To report a security issue please send an e-mail to
       security@tcpdump.org.

       To report bugs and other problems, contribute patches, request a
       feature, provide generic feedback etc. please see the file CONTRIBUTING
       in the libpcap source tree root.

       Filter expressions on fields other than those in Token Ring headers
       will not correctly handle source-routed Token Ring packets.

       Filter expressions on fields other than those in 802.11 headers will
       not correctly handle 802.11 data packets with both To DS and From DS
       set.

       ip6 proto should chase the header chain, but at this moment it does
       not.  ip6 protochain is supplied for this behavior.

       Arithmetic expressions against transport-layer headers, like tcp[0],
       do not work against IPv6 packets; they only look at IPv4 packets.



                                5 November 2017                 PCAP-FILTER(7)