PCAP-FILTER(7)          Miscellaneous Information Manual          PCAP-FILTER(7)

NAME
    pcap-filter - packet filter syntax

DESCRIPTION
    pcap_compile() is used to compile a string into a filter program. The
    resulting filter program can then be applied to some stream of packets
    to determine which packets will be supplied to pcap_loop(),
    pcap_dispatch(), pcap_next(), or pcap_next_ex().

    The filter expression consists of one or more primitives. Primitives
    usually consist of an id (name or number) preceded by one or more
    qualifiers. There are three different kinds of qualifier:

    type    qualifiers say what kind of thing the id name or number refers
            to. Possible types are host, net, port and portrange. E.g.,
            `host foo', `net 128.3', `port 20', `portrange 6000-6008'. If
            there is no type qualifier, host is assumed.

    dir     qualifiers specify a particular transfer direction to and/or
            from id. Possible directions are src, dst, src or dst, src and
            dst, addr1, addr2, addr3, and addr4. E.g., `src foo', `dst net
            128.3', `src or dst port ftp-data'. If there is no dir
            qualifier, src or dst is assumed. The addr1, addr2, addr3, and
            addr4 qualifiers are only valid for IEEE 802.11 Wireless LAN
            link layers. For some link layers, such as SLIP and the
            ``cooked'' Linux capture mode used for the ``any'' device and
            for some other device types, the inbound and outbound
            qualifiers can be used to specify a desired direction.

    proto   qualifiers restrict the match to a particular protocol.
            Possible protos are: ether, fddi, tr, wlan, ip, ip6, arp, rarp,
            decnet, tcp and udp. E.g., `ether src foo', `arp net 128.3',
            `tcp port 21', `udp portrange 7000-7009', `wlan addr2
            0:2:3:4:5:6'. If there is no proto qualifier, all protocols
            consistent with the type are assumed. E.g., `src foo' means
            `(ip or arp or rarp) src foo' (except the latter is not legal
            syntax), `net bar' means `(ip or arp or rarp) net bar' and
            `port 53' means `(tcp or udp) port 53'.

    [`fddi' is actually an alias for `ether'; the parser treats them
    identically as meaning ``the data link level used on the specified
    network interface.'' FDDI headers contain Ethernet-like source and
    destination addresses, and often contain Ethernet-like packet types, so
    you can filter on these FDDI fields just as with the analogous Ethernet
    fields. FDDI headers also contain other fields, but you cannot name
    them explicitly in a filter expression.

    Similarly, `tr' and `wlan' are aliases for `ether'; the previous
    paragraph's statements about FDDI headers also apply to Token Ring and
    802.11 wireless LAN headers. For 802.11 headers, the destination
    address is the DA field and the source address is the SA field; the
    BSSID, RA, and TA fields aren't tested.]

    In addition to the above, there are some special `primitive' keywords
    that don't follow the pattern: gateway, broadcast, less, greater and
    arithmetic expressions. All of these are described below.

    More complex filter expressions are built up by using the words and, or
    and not to combine primitives. E.g., `host foo and not port ftp and
    not port ftp-data'. To save typing, identical qualifier lists can be
    omitted. E.g., `tcp dst port ftp or ftp-data or domain' is exactly the
    same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port
    domain'.
    Allowable primitives are:

    dst host host
            True if the IPv4/v6 destination field of the packet is host,
            which may be either an address or a name.

    src host host
            True if the IPv4/v6 source field of the packet is host.

    host host
            True if either the IPv4/v6 source or destination of the packet
            is host.

            Any of the above host expressions can be prepended with the
            keywords, ip, arp, rarp, or ip6 as in:
                 ip host host
            which is equivalent to:
                 ether proto \ip and host host
            If host is a name with multiple IP addresses, each address will
            be checked for a match.

    ether dst ehost
            True if the Ethernet destination address is ehost. Ehost may be
            either a name from /etc/ethers or a number (see ethers(3N) for
            numeric format).

    ether src ehost
            True if the Ethernet source address is ehost.

    ether host ehost
            True if either the Ethernet source or destination address is
            ehost.

    gateway host
            True if the packet used host as a gateway. I.e., the Ethernet
            source or destination address was host but neither the IP source
            nor the IP destination was host. Host must be a name and must
            be found both by the machine's host-name-to-IP-address
            resolution mechanisms (host name file, DNS, NIS, etc.) and by
            the machine's host-name-to-Ethernet-address resolution
            mechanism (/etc/ethers, etc.). (An equivalent expression is
                 ether host ehost and not host host
            which can be used with either names or numbers for host /
            ehost.) This syntax does not work in an IPv6-enabled
            configuration at this moment.

    dst net net
            True if the IPv4/v6 destination address of the packet has a
            network number of net. Net may be either a name from the
            networks database (/etc/networks, etc.) or a network number. An
            IPv4 network number can be written as a dotted quad (e.g.,
            192.168.1.0), dotted triple (e.g., 192.168.1), dotted pair
            (e.g., 172.16), or single number (e.g., 10); the netmask is
            255.255.255.255 for a dotted quad (which means that it's really
            a host match), 255.255.255.0 for a dotted triple, 255.255.0.0
            for a dotted pair, or 255.0.0.0 for a single number. An IPv6
            network number must be written out fully; the netmask is
            ff:ff:ff:ff:ff:ff:ff:ff, so IPv6 "network" matches are really
            always host matches, and a network match requires a netmask
            length.

    src net net
            True if the IPv4/v6 source address of the packet has a network
            number of net.

    net net
            True if either the IPv4/v6 source or destination address of the
            packet has a network number of net.

    net net mask netmask
            True if the IPv4 address matches net with the specific netmask.
            May be qualified with src or dst. Note that this syntax is not
            valid for IPv6 net.

    net net/len
            True if the IPv4/v6 address matches net with a netmask len bits
            wide. May be qualified with src or dst.
146
147 dst port port
148 True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has
149 a destination port value of port. The port can be a number or a
150 name used in /etc/services (see tcp(4P) and udp(4P)). If a name
151 is used, both the port number and protocol are checked. If a
152 number or ambiguous name is used, only the port number is
153 checked (e.g., dst port 513 will print both tcp/login traffic
154 and udp/who traffic, and port domain will print both tcp/domain
155 and udp/domain traffic).
156
157 src port port
158 True if the packet has a source port value of port.
159
160 port port
161 True if either the source or destination port of the packet is
162 port.
163
164 dst portrange port1-port2
165 True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has
166 a destination port value between port1 and port2. port1 and
167 port2 are interpreted in the same fashion as the port parameter
168 for port.
169
170 src portrange port1-port2
171 True if the packet has a source port value between port1 and
172 port2.
173
174 portrange port1-port2
175 True if either the source or destination port of the packet is
176 between port1 and port2.
177
178 Any of the above port or port range expressions can be prepended
179 with the keywords, tcp or udp, as in:
180 tcp src port port
181 which matches only tcp packets whose source port is port.
182
183 less length
184 True if the packet has a length less than or equal to length.
185 This is equivalent to:
186 len <= length.
187
188 greater length
189 True if the packet has a length greater than or equal to length.
190 This is equivalent to:
191 len >= length.
192
193 ip proto protocol
194 True if the packet is an IPv4 packet (see ip(4P)) of protocol
195 type protocol. Protocol can be a number or one of the names
196 icmp, icmp6, igmp, igrp, pim, ah, esp, vrrp, udp, or tcp. Note
197 that the identifiers tcp, udp, and icmp are also keywords and
198 must be escaped via backslash (\), which is \\ in the C-shell.
199 Note that this primitive does not chase the protocol header
200 chain.
201
202 ip6 proto protocol
203 True if the packet is an IPv6 packet of protocol type protocol.
204 Note that this primitive does not chase the protocol header
205 chain.
206
207 ip6 protochain protocol
208 True if the packet is IPv6 packet, and contains protocol header
209 with type protocol in its protocol header chain. For example,
210 ip6 protochain 6
211 matches any IPv6 packet with TCP protocol header in the protocol
212 header chain. The packet may contain, for example, authentica‐
213 tion header, routing header, or hop-by-hop option header,
214 between IPv6 header and TCP header. The BPF code emitted by
215 this primitive is complex and cannot be optimized by the BPF
216 optimizer code, so this can be somewhat slow.
217
218 ip protochain protocol
219 Equivalent to ip6 protochain protocol, but this is for IPv4.
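    The difference between `ip6 proto' and `ip6 protochain' matters for
    detection: a rule written as `ip6 proto \tcp' silently misses TCP
    carried behind a hop-by-hop or routing header. The following is an
    added example written for this page, not libpcap's BPF code: a Python
    walker over a constructed IPv6 packet showing what each primitive
    examines. The header layout follows the IPv6 extension-header format
    (next-header byte, then a length in 8-octet units, the fragment header
    fixed at 8 bytes and AH counted in 32-bit words plus two); the function
    and constant names are mine.

```python
import struct

# Added example, not libpcap code: `ip6 proto' versus `ip6 protochain' on a
# constructed IPv6 packet with extension headers in front of TCP.

IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT = 0, 43, 44
IPPROTO_AH, IPPROTO_DSTOPTS, IPPROTO_TCP, IPPROTO_UDP = 51, 60, 6, 17
EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_AH, IPPROTO_DSTOPTS}

def ip6_proto(pkt, proto):
    """`ip6 proto proto': looks only at the Next Header field of the fixed
    40-byte IPv6 header (byte 6) and does not chase extension headers."""
    return len(pkt) >= 40 and pkt[6] == proto

def ip6_protochain(pkt, proto):
    """`ip6 protochain proto': follows the Next Header chain through any
    extension headers, so proto matches wherever it occurs in the chain."""
    if len(pkt) < 40:
        return False
    nxt, off = pkt[6], 40
    while True:
        if nxt == proto:
            return True
        if nxt not in EXT_HEADERS or off + 2 > len(pkt):
            return False                                 # chain ended without a match
        if nxt == IPPROTO_FRAGMENT:
            hdr_len = 8                                  # fragment header is fixed size
        elif nxt == IPPROTO_AH:
            hdr_len = (pkt[off + 1] + 2) * 4             # AH length: 32-bit words minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8             # 8-octet units, excluding the first 8
        nxt, off = pkt[off], off + hdr_len

def ext_header(next_header, units):
    """Constructed extension header: next-header byte, length in 8-octet
    units (not counting the first 8), zero padding to that size."""
    return bytes([next_header, units]) + b"\0" * (8 * (units + 1) - 2)

def build_ipv6(first_next, ext_headers, payload):
    """Constructed IPv6 packet: fixed header (zeroed addresses) followed by
    the given serialised extension headers and the upper-layer payload."""
    body = b"".join(ext_headers) + payload
    fixed = struct.pack("!IHBB", 0x60000000, len(body), first_next, 64) + b"\0" * 32
    return fixed + body

# Constructed sample: IPv6 -> hop-by-hop (16 bytes) -> routing (8 bytes) -> TCP
SAMPLE_PACKET = build_ipv6(IPPROTO_HOPOPTS,
                           [ext_header(IPPROTO_ROUTING, 1), ext_header(IPPROTO_TCP, 0)],
                           b"\0" * 20)
PLAIN_TCP_PACKET = build_ipv6(IPPROTO_TCP, [], b"\0" * 20)

if __name__ == "__main__":
    print("ip6 proto 6      ->", ip6_proto(SAMPLE_PACKET, IPPROTO_TCP))
    print("ip6 protochain 6 ->", ip6_protochain(SAMPLE_PACKET, IPPROTO_TCP))
```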

    ether broadcast
            True if the packet is an Ethernet broadcast packet. The ether
            keyword is optional.

    ip broadcast
            True if the packet is an IPv4 broadcast packet. It checks for
            both the all-zeroes and all-ones broadcast conventions, and
            looks up the subnet mask on the interface on which the capture
            is being done.

            If the subnet mask of the interface on which the capture is
            being done is not available, either because the interface on
            which capture is being done has no netmask or because the
            capture is being done on the Linux "any" interface, which can
            capture on more than one interface, this check will not work
            correctly.

    ether multicast
            True if the packet is an Ethernet multicast packet. The ether
            keyword is optional. This is shorthand for `ether[0] & 1 != 0'.

    ip multicast
            True if the packet is an IPv4 multicast packet.

    ip6 multicast
            True if the packet is an IPv6 multicast packet.

    ether proto protocol
            True if the packet is of ether type protocol. Protocol can be a
            number or one of the names ip, ip6, arp, rarp, atalk, aarp,
            decnet, sca, lat, mopdl, moprc, iso, stp, ipx, or netbeui. Note
            these identifiers are also keywords and must be escaped via
            backslash (\).

            [In the case of FDDI (e.g., `fddi protocol arp'), Token Ring
            (e.g., `tr protocol arp'), and IEEE 802.11 wireless LANs (e.g.,
            `wlan protocol arp'), for most of those protocols, the protocol
            identification comes from the 802.2 Logical Link Control (LLC)
            header, which is usually layered on top of the FDDI, Token Ring,
            or 802.11 header.

            When filtering for most protocol identifiers on FDDI, Token
            Ring, or 802.11, the filter checks only the protocol ID field of
            an LLC header in so-called SNAP format with an Organizational
            Unit Identifier (OUI) of 0x000000, for encapsulated Ethernet; it
            doesn't check whether the packet is in SNAP format with an OUI
            of 0x000000. The exceptions are:

            iso     the filter checks the DSAP (Destination Service Access
                    Point) and SSAP (Source Service Access Point) fields of
                    the LLC header;

            stp and netbeui
                    the filter checks the DSAP of the LLC header;

            atalk   the filter checks for a SNAP-format packet with an OUI
                    of 0x080007 and the AppleTalk etype.

            In the case of Ethernet, the filter checks the Ethernet type
            field for most of those protocols. The exceptions are:

            iso, stp, and netbeui
                    the filter checks for an 802.3 frame and then checks the
                    LLC header as it does for FDDI, Token Ring, and 802.11;

            atalk   the filter checks both for the AppleTalk etype in an
                    Ethernet frame and for a SNAP-format packet as it does
                    for FDDI, Token Ring, and 802.11;

            aarp    the filter checks for the AppleTalk ARP etype in either
                    an Ethernet frame or an 802.2 SNAP frame with an OUI of
                    0x000000;

            ipx     the filter checks for the IPX etype in an Ethernet
                    frame, the IPX DSAP in the LLC header, the
                    802.3-with-no-LLC-header encapsulation of IPX, and the
                    IPX etype in a SNAP frame.

    decnet src host
            True if the DECNET source address is host, which may be an
            address of the form ``10.123'', or a DECNET host name. [DECNET
            host name support is only available on ULTRIX systems that are
            configured to run DECNET.]

    decnet dst host
            True if the DECNET destination address is host.

    decnet host host
            True if either the DECNET source or destination address is host.

    ifname interface
            True if the packet was logged as coming from the specified
            interface (applies only to packets logged by OpenBSD's or
            FreeBSD's pf(4)).

    on interface
            Synonymous with the ifname modifier.

    rnr num
            True if the packet was logged as matching the specified PF rule
            number (applies only to packets logged by OpenBSD's or FreeBSD's
            pf(4)).

    rulenum num
            Synonymous with the rnr modifier.

    reason code
            True if the packet was logged with the specified PF reason code.
            The known codes are: match, bad-offset, fragment, short,
            normalize, and memory (applies only to packets logged by
            OpenBSD's or FreeBSD's pf(4)).

    rset name
            True if the packet was logged as matching the specified PF
            ruleset name of an anchored ruleset (applies only to packets
            logged by OpenBSD's or FreeBSD's pf(4)).

    ruleset name
            Synonymous with the rset modifier.

    srnr num
            True if the packet was logged as matching the specified PF rule
            number of an anchored ruleset (applies only to packets logged by
            OpenBSD's or FreeBSD's pf(4)).

    subrulenum num
            Synonymous with the srnr modifier.

    action act
            True if PF took the specified action when the packet was logged.
            Known actions are: pass and block and, with later versions of
            pf(4), nat, rdr, binat and scrub (applies only to packets logged
            by OpenBSD's or FreeBSD's pf(4)).

    wlan addr1 ehost
            True if the first IEEE 802.11 address is ehost.

    wlan addr2 ehost
            True if the second IEEE 802.11 address, if present, is ehost.
            The second address field is used in all frames except for CTS
            (Clear To Send) and ACK (Acknowledgment) control frames.

    wlan addr3 ehost
            True if the third IEEE 802.11 address, if present, is ehost.
            The third address field is used in management and data frames,
            but not in control frames.

    wlan addr4 ehost
            True if the fourth IEEE 802.11 address, if present, is ehost.
            The fourth address field is only used for WDS (Wireless
            Distribution System) frames.

    ip, ip6, arp, rarp, atalk, aarp, decnet, iso, stp, ipx, netbeui
            Abbreviations for:
                 ether proto p
            where p is one of the above protocols.

    lat, moprc, mopdl
            Abbreviations for:
                 ether proto p
            where p is one of the above protocols. Note that not all
            applications using pcap(3) currently know how to parse these
            protocols.

    type wlan_type
            True if the IEEE 802.11 frame type matches the specified
            wlan_type. Valid wlan_types are: mgt, ctl and data.

    type wlan_type subtype wlan_subtype
            True if the IEEE 802.11 frame type matches the specified
            wlan_type and frame subtype matches the specified wlan_subtype.

            If the specified wlan_type is mgt, then valid wlan_subtypes are:
            assoc-req, assoc-resp, reassoc-req, reassoc-resp, probe-req,
            probe-resp, beacon, atim, disassoc, auth and deauth.

            If the specified wlan_type is ctl, then valid wlan_subtypes are:
            ps-poll, rts, cts, ack, cf-end and cf-end-ack.

            If the specified wlan_type is data, then valid wlan_subtypes
            are: data, data-cf-ack, data-cf-poll, data-cf-ack-poll, null,
            cf-ack, cf-poll, cf-ack-poll, qos-data, qos-data-cf-ack,
            qos-data-cf-poll, qos-data-cf-ack-poll, qos, qos-cf-poll and
            qos-cf-ack-poll.

    subtype wlan_subtype
            True if the IEEE 802.11 frame subtype matches the specified
            wlan_subtype and frame has the type to which the specified
            wlan_subtype belongs.

    dir dir
            True if the IEEE 802.11 frame direction matches the specified
            dir. Valid directions are: nods, tods, fromds, dstods, or a
            numeric value.

    vlan [vlan_id]
            True if the packet is an IEEE 802.1Q VLAN packet. If [vlan_id]
            is specified, only true if the packet has the specified vlan_id.
            Note that the first vlan keyword encountered in expression
            changes the decoding offsets for the remainder of expression on
            the assumption that the packet is a VLAN packet. The vlan
            [vlan_id] expression may be used more than once, to filter on
            VLAN hierarchies. Each use of that expression increments the
            filter offsets by 4.

            For example:
                 vlan 100 && vlan 200
            filters on VLAN 200 encapsulated within VLAN 100, and
                 vlan && vlan 300 && ip
            filters IPv4 protocols encapsulated in VLAN 300 encapsulated
            within any higher order VLAN.
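    The offset-shifting behaviour of the vlan keyword is the usual source
    of surprise: `vlan 100 && ip' does not match a frame that carries a
    second tag inside VLAN 100, because after the shift the `ip' test lands
    on the inner 0x8100 tag rather than on 0x0800. The following is an
    added example written for this page, not libpcap's BPF generator: a
    Python model of a chain of vlan tests over a constructed frame with
    stacked 802.1Q tags, where each `vlan' advances the decoding offset by
    4 exactly as the text describes. Function names and the sample MAC
    addresses are mine.

```python
import struct

# Added example, not libpcap code: evaluates `vlan [id] && vlan [id] && ...'
# over constructed 802.1Q frames the way the compiled filter does, shifting
# the decoding offset by 4 for every `vlan' keyword.

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IP = 0x0800

def build_frame(vlan_ids, inner_ethertype, payload=b""):
    """Constructed Ethernet frame with zero or more stacked 802.1Q tags
    (outermost first).  Each tag is 4 bytes: TPID 0x8100 followed by a TCI
    whose low 12 bits carry the VLAN ID.  MAC addresses are made up."""
    frame = bytearray(bytes.fromhex("001122334455" "66778899aabb"))
    for vid in vlan_ids:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)
    frame += struct.pack("!H", inner_ethertype) + payload
    return bytes(frame)

def vlan_chain_matches(frame, vlan_tests, final_ethertype=None):
    """vlan_tests has one entry per `vlan' keyword in the expression: an
    integer VLAN ID, or None for a bare `vlan'.  The ethertype field of an
    untagged frame is at link-layer offset 12; each `vlan' requires 0x8100
    there (and, if an ID was given, that ID in the following TCI), then
    moves the offset by 4.  final_ethertype, if given, models a trailing
    primitive such as `ip' evaluated at the shifted offset."""
    offset = 12
    for expected in vlan_tests:
        if len(frame) < offset + 4:
            return False
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid != ETHERTYPE_VLAN:
            return False                          # no (further) VLAN tag here
        if expected is not None and (tci & 0x0FFF) != expected:
            return False
        offset += 4                               # every `vlan' shifts the offsets by 4
    if final_ethertype is None:
        return True
    if len(frame) < offset + 2:
        return False
    return struct.unpack_from("!H", frame, offset)[0] == final_ethertype

if __name__ == "__main__":
    double = build_frame([100, 200], ETHERTYPE_IP)
    print("vlan 100 && vlan 200        ->", vlan_chain_matches(double, [100, 200]))
    print("vlan && vlan 200 && ip      ->", vlan_chain_matches(double, [None, 200], ETHERTYPE_IP))
    print("vlan 100 && ip (double tag) ->", vlan_chain_matches(double, [100], ETHERTYPE_IP))
```

    The mpls keyword described next shifts offsets in the same way; the
    model above covers only the 802.1Q case.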

    mpls [label_num]
            True if the packet is an MPLS packet. If [label_num] is
            specified, only true if the packet has the specified label_num.
            Note that the first mpls keyword encountered in expression
            changes the decoding offsets for the remainder of expression on
            the assumption that the packet is an MPLS-encapsulated IP
            packet. The mpls [label_num] expression may be used more than
            once, to filter on MPLS hierarchies. Each use of that
            expression increments the filter offsets by 4.

            For example:
                 mpls 100000 && mpls 1024
            filters packets with an outer label of 100000 and an inner label
            of 1024, and
                 mpls && mpls 1024 && host 192.9.200.1
            filters packets to or from 192.9.200.1 with an inner label of
            1024 and any outer label.

    pppoed  True if the packet is a PPP-over-Ethernet Discovery packet
            (Ethernet type 0x8863).

    pppoes  True if the packet is a PPP-over-Ethernet Session packet
            (Ethernet type 0x8864). Note that the first pppoes keyword
            encountered in expression changes the decoding offsets for the
            remainder of expression on the assumption that the packet is a
            PPPoE session packet.

            For example:
                 pppoes && ip
            filters IPv4 protocols encapsulated in PPPoE.

    tcp, udp, icmp
            Abbreviations for:
                 ip proto p or ip6 proto p
            where p is one of the above protocols.

    iso proto protocol
            True if the packet is an OSI packet of protocol type protocol.
            Protocol can be a number or one of the names clnp, esis, or
            isis.

    clnp, esis, isis
            Abbreviations for:
                 iso proto p
            where p is one of the above protocols.

    l1, l2, iih, lsp, snp, csnp, psnp
            Abbreviations for IS-IS PDU types.

    vpi n   True if the packet is an ATM packet, for SunATM on Solaris, with
            a virtual path identifier of n.

    vci n   True if the packet is an ATM packet, for SunATM on Solaris, with
            a virtual channel identifier of n.

    lane    True if the packet is an ATM packet, for SunATM on Solaris, and
            is an ATM LANE packet. Note that the first lane keyword
            encountered in expression changes the tests done in the
            remainder of expression on the assumption that the packet is
            either a LANE emulated Ethernet packet or a LANE LE Control
            packet. If lane isn't specified, the tests are done under the
            assumption that the packet is an LLC-encapsulated packet.

    llc     True if the packet is an ATM packet, for SunATM on Solaris, and
            is an LLC-encapsulated packet.

    oamf4s  True if the packet is an ATM packet, for SunATM on Solaris, and
            is a segment OAM F4 flow cell (VPI=0 & VCI=3).

    oamf4e  True if the packet is an ATM packet, for SunATM on Solaris, and
            is an end-to-end OAM F4 flow cell (VPI=0 & VCI=4).

    oamf4   True if the packet is an ATM packet, for SunATM on Solaris, and
            is a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 |
            VCI=4)).

    oam     True if the packet is an ATM packet, for SunATM on Solaris, and
            is a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 |
            VCI=4)).

    metac   True if the packet is an ATM packet, for SunATM on Solaris, and
            is on a meta signaling circuit (VPI=0 & VCI=1).

    bcc     True if the packet is an ATM packet, for SunATM on Solaris, and
            is on a broadcast signaling circuit (VPI=0 & VCI=2).

    sc      True if the packet is an ATM packet, for SunATM on Solaris, and
            is on a signaling circuit (VPI=0 & VCI=5).

    ilmic   True if the packet is an ATM packet, for SunATM on Solaris, and
            is on an ILMI circuit (VPI=0 & VCI=16).

    connectmsg
            True if the packet is an ATM packet, for SunATM on Solaris, and
            is on a signaling circuit and is a Q.2931 Setup, Call
            Proceeding, Connect, Connect Ack, Release, or Release Done
            message.

    metaconnect
            True if the packet is an ATM packet, for SunATM on Solaris, and
            is on a meta signaling circuit and is a Q.2931 Setup, Call
            Proceeding, Connect, Release, or Release Done message.

    expr relop expr
            True if the relation holds, where relop is one of >, <, >=, <=,
            =, !=, and expr is an arithmetic expression composed of integer
            constants (expressed in standard C syntax), the normal binary
            operators [+, -, *, /, &, |, <<, >>], a length operator, and
            special packet data accessors. Note that all comparisons are
            unsigned, so that, for example, 0x80000000 and 0xffffffff are >
            0. To access data inside the packet, use the following syntax:
                 proto [ expr : size ]
            Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp,
            rarp, tcp, udp, icmp, ip6 or radio, and indicates the protocol
            layer for the index operation. (ether, fddi, wlan, tr, ppp,
            slip and link all refer to the link layer. radio refers to the
            "radio header" added to some 802.11 captures.) Note that tcp,
            udp and other upper-layer protocol types only apply to IPv4, not
            IPv6 (this will be fixed in the future). The byte offset,
            relative to the indicated protocol layer, is given by expr.
            Size is optional and indicates the number of bytes in the field
            of interest; it can be either one, two, or four, and defaults to
            one. The length operator, indicated by the keyword len, gives
            the length of the packet.

            For example, `ether[0] & 1 != 0' catches all multicast traffic.
            The expression `ip[0] & 0xf != 5' catches all IPv4 packets with
            options. The expression `ip[6:2] & 0x1fff = 0' catches only
            unfragmented IPv4 datagrams and frag zero of fragmented IPv4
            datagrams. This check is implicitly applied to the tcp and udp
            index operations. For instance, tcp[0] always means the first
            byte of the TCP header, and never means the first byte of an
            intervening fragment.

            Some offsets and field values may be expressed as names rather
            than as numeric values. The following protocol header field
            offsets are available: icmptype (ICMP type field), icmpcode
            (ICMP code field), and tcpflags (TCP flags field).

            The following ICMP type field values are available:
            icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect,
            icmp-echo, icmp-routeradvert, icmp-routersolicit, icmp-timxceed,
            icmp-paramprob, icmp-tstamp, icmp-tstampreply, icmp-ireq,
            icmp-ireqreply, icmp-maskreq, icmp-maskreply.

            The following TCP flags field values are available: tcp-fin,
            tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.

    Primitives may be combined using:

            A parenthesized group of primitives and operators (parentheses
            are special to the Shell and must be escaped).

            Negation (`!' or `not').

            Concatenation (`&&' or `and').

            Alternation (`||' or `or').

    Negation has highest precedence. Alternation and concatenation have
    equal precedence and associate left to right. Note that explicit `and'
    tokens, not juxtaposition, are now required for concatenation.

    If an identifier is given without a keyword, the most recent keyword is
    assumed. For example,
         not host vs and ace
    is short for
         not host vs and host ace
    which should not be confused with
         not ( host vs or ace )
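    The rule that an identifier without a keyword inherits the most recent
    qualifier list (introduced earlier with `tcp dst port ftp or ftp-data
    or domain' and illustrated again just above) is worth seeing spelled
    out, because a reviewer reading `not host vs and ace' has to supply the
    implied `host' mentally. The following is an added example written for
    this page, not libpcap's grammar: a small Python rewriter that makes
    every inherited qualifier list explicit. It knows the qualifier words
    listed in this page plus `gateway', treats a qualifier list followed
    directly by an operator as a bare primitive such as `ip', and leaves an
    id that never had a qualifier bare so the documented defaults apply.
    The function names are mine.

```python
# Added example, not libpcap code: makes the implied qualifier lists of a
# filter expression explicit, e.g. `not host vs and ace' -> `not host vs and
# host ace', `tcp dst port ftp or ftp-data' -> `tcp dst port ftp or tcp dst
# port ftp-data'.

OPERATORS = {"and", "or", "not", "&&", "||", "!", "(", ")"}
QUALIFIERS = {
    "host", "net", "port", "portrange",                          # type
    "src", "dst", "src-or-dst", "src-and-dst",                    # dir (two-word forms folded)
    "ether", "fddi", "tr", "wlan", "ip", "ip6", "arp", "rarp",    # proto
    "decnet", "tcp", "udp",
    "gateway",                                                    # special keyword taking an id
}
COMPOUND_DIRS = {"src or dst": "src-or-dst", "src and dst": "src-and-dst"}

def tokenize(expr):
    """Split a filter expression into tokens.  Parentheses become tokens of
    their own and the two-word direction qualifiers are folded into one
    token so the `or'/`and' inside them is not taken for an operator."""
    for phrase, folded in COMPOUND_DIRS.items():
        expr = expr.replace(phrase, folded)
    return expr.replace("(", " ( ").replace(")", " ) ").split()

def expand_implicit_qualifiers(expr):
    """Rewrite expr so every id carries the qualifier list it inherits."""
    out, pending, last = [], [], []
    for tok in tokenize(expr):
        if tok in OPERATORS:
            # qualifiers followed straight by an operator form a bare
            # primitive such as `ip' or `tcp'; emit them as written
            out.extend(pending)
            pending = []
            out.append(tok)
        elif tok in QUALIFIERS:
            pending.append(tok)
        else:
            # an id: qualifiers written in front of it become the new
            # "most recent keyword"; otherwise it inherits the previous list
            if pending:
                last, pending = pending, []
            out.extend(last + [tok])
    out.extend(pending)                      # trailing bare primitive, e.g. `pppoes && ip'
    text = " ".join(out)
    for phrase, folded in COMPOUND_DIRS.items():
        text = text.replace(folded, phrase)  # restore `src or dst' / `src and dst'
    return text

if __name__ == "__main__":
    for e in ("not host vs and ace",
              "tcp dst port ftp or ftp-data or domain",
              "gateway snup and (port ftp or ftp-data)"):
        print("%-45s -> %s" % (e, expand_implicit_qualifiers(e)))
```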

EXAMPLES
    To select all packets arriving at or departing from sundown:
         host sundown

    To select traffic between helios and either hot or ace:
         host helios and \( hot or ace \)

    To select all IP packets between ace and any host except helios:
         ip host ace and not helios

    To select all traffic between local hosts and hosts at Berkeley:
         net ucb-ether

    To select all ftp traffic through internet gateway snup:
         gateway snup and (port ftp or ftp-data)

    To select traffic neither sourced from nor destined for local hosts (if
    you gateway to one other net, this stuff should never make it onto your
    local net):
         ip and not net localnet

    To select the start and end packets (the SYN and FIN packets) of each
    TCP conversation that involves a non-local host:
         tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet

    To select all IPv4 HTTP packets to and from port 80, i.e. print only
    packets that contain data, not, for example, SYN and FIN packets and
    ACK-only packets. (IPv6 is left as an exercise for the reader.)
         tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)

    To select IP packets longer than 576 bytes sent through gateway snup:
         gateway snup and ip[2:2] > 576

    To select IP broadcast or multicast packets that were not sent via
    Ethernet broadcast or multicast:
         ether[0] & 1 = 0 and ip[16] >= 224

    To select all ICMP packets that are not echo requests/replies (i.e.,
    not ping packets):
         icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
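    The `proto [ expr : size ]' accessor described in the DESCRIPTION
    section, together with the arithmetic examples there and the tcp[],
    ip[] and icmp[] expressions in the examples above, is where filters are
    most often miswritten, since the tcp and icmp offsets are relative to a
    variable-length IPv4 header and silently fail to match on non-first
    fragments. The following is an added example written for this page,
    not libpcap's BPF code: a Python model of the accessor over constructed
    Ethernet/IPv4 frames, with the page's own expressions (the multicast
    test, the options test, the HTTP payload-length test, the SYN/FIN test
    and the ICMP ping test) written out as functions against it. The
    helper and function names, and the sample addresses, are mine.

```python
import struct

# Added example, not libpcap code.  Models `proto[off:size]' for the ether,
# ip, tcp and icmp layers over constructed Ethernet/IPv4 frames, including
# the two behaviours the text describes: tcp[]/icmp[] offsets follow the
# IPv4 header length, and they match only unfragmented datagrams or
# fragment zero (the implicit `ip[6:2] & 0x1fff = 0').

ETHERTYPE_IP = 0x0800
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
TCP_FIN, TCP_SYN = 0x01, 0x02                # tcp-fin, tcp-syn
ICMP_ECHOREPLY, ICMP_ECHO = 0, 8             # icmp-echoreply, icmp-echo
# constructed unicast MACs followed by the IPv4 ethertype
ETH_HDR = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IP)

def field(pkt, proto, off, size=1):
    """`proto[off:size]': big-endian unsigned field at byte offset off from
    the start of the named layer.  Returns None when the layer is absent or
    the field runs past the packet end, i.e. when the filter cannot match."""
    if proto == "ether":
        base = 0
    else:
        if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != ETHERTYPE_IP:
            return None                                   # not an IPv4 packet
        if proto == "ip":
            base = 14
        else:
            ihl = (pkt[14] & 0x0F) << 2                   # IPv4 header length in bytes
            frag = struct.unpack_from("!H", pkt, 20)[0] & 0x1FFF
            wanted = {"tcp": IPPROTO_TCP, "icmp": IPPROTO_ICMP}[proto]
            if pkt[23] != wanted or frag != 0:           # wrong protocol or a later fragment
                return None
            base = 14 + ihl
    if base + off + size > len(pkt):
        return None
    return int.from_bytes(pkt[base + off:base + off + size], "big")

def ether_multicast(pkt):          # `ether[0] & 1 != 0'
    v = field(pkt, "ether", 0)
    return v is not None and v & 1 != 0

def ipv4_has_options(pkt):         # `ip[0] & 0xf != 5'
    v = field(pkt, "ip", 0)
    return v is not None and v & 0xF != 5

def tcp_has_payload(pkt):          # `((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0'
    total, ihl, doff = field(pkt, "ip", 2, 2), field(pkt, "ip", 0), field(pkt, "tcp", 12)
    if None in (total, ihl, doff):
        return False
    return (total - ((ihl & 0xF) << 2)) - ((doff & 0xF0) >> 2) != 0

def tcp_syn_or_fin(pkt):           # `tcp[tcpflags] & (tcp-syn|tcp-fin) != 0', tcpflags = 13
    flags = field(pkt, "tcp", 13)
    return flags is not None and flags & (TCP_SYN | TCP_FIN) != 0

def icmp_not_ping(pkt):            # `icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
    t = field(pkt, "icmp", 0)
    return t is not None and t != ICMP_ECHO and t != ICMP_ECHOREPLY

def build_ipv4_tcp(payload, flags, frag_off=0, ip_options=b""):
    """Constructed Ethernet/IPv4/TCP frame to port 80 (checksums left zero).
    frag_off is the raw flags+fragment-offset field; ip_options must be a
    multiple of 4 bytes and is appended to the 20-byte header."""
    ihl = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 1, frag_off,
                     64, IPPROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    return ETH_HDR + ip + tcp

def build_ipv4_icmp(icmp_type):
    """Constructed Ethernet/IPv4/ICMP frame with the given ICMP type."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, IPPROTO_ICMP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ETH_HDR + ip + icmp

if __name__ == "__main__":
    get = build_ipv4_tcp(b"GET / HTTP/1.0\r\n", 0x18)       # PSH|ACK with data
    syn = build_ipv4_tcp(b"", TCP_SYN)
    print("HTTP data segment has payload:", tcp_has_payload(get), "SYN has payload:", tcp_has_payload(syn))
    print("SYN matches tcp-syn|tcp-fin:", tcp_syn_or_fin(syn))
    print("ICMP unreachable is not ping:", icmp_not_ping(build_ipv4_icmp(3)))
```

    Two points the model makes visible: tcp_has_payload reads the IPv4
    total length and header length through ip[] and the data offset through
    tcp[], so it stays correct when IP options are present; and every
    tcp[]/icmp[] access returns None on a non-first fragment, which is why
    `tcp[0]' can never mean the first byte of an intervening fragment.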

SEE ALSO
    pcap(3PCAP)

AUTHORS
    The original authors are:

    Van Jacobson, Craig Leres and Steven McCanne, all of the Lawrence
    Berkeley National Laboratory, University of California, Berkeley, CA.

    It is currently being maintained by tcpdump.org.

    The current version of libpcap is available via http:

         http://www.tcpdump.org/

    The original distribution is available via anonymous ftp:

         ftp://ftp.ee.lbl.gov/tcpdump.tar.Z

BUGS
    Please send problems, bugs, questions, desirable enhancements, etc. to:

         tcpdump-workers@lists.tcpdump.org

    Filter expressions on fields other than those in Token Ring headers
    will not correctly handle source-routed Token Ring packets.

    Filter expressions on fields other than those in 802.11 headers will
    not correctly handle 802.11 data packets with both To DS and From DS
    set.

    ip6 proto should chase the header chain, but at this moment it does
    not. ip6 protochain is supplied for this behavior.

    Arithmetic expression against transport layer headers, like tcp[0],
    does not work against IPv6 packets. It only looks at IPv4 packets.

                                6 January 2008                  PCAP-FILTER(7)