 lib/libpcap/Makefile      |   4
 lib/libpcap/pcap-filter.5 | 925
 lib/libpcap/pcap-filter.7 | 757
 3 files changed, 927 insertions, 759 deletions
diff --git a/lib/libpcap/Makefile b/lib/libpcap/Makefile index a04eea89172..e569cedfa32 100644 --- a/lib/libpcap/Makefile +++ b/lib/libpcap/Makefile @@ -1,8 +1,8 @@ -# $OpenBSD: Makefile,v 1.28 2019/09/03 04:25:10 deraadt Exp $ +# $OpenBSD: Makefile,v 1.29 2019/09/25 16:59:00 jmc Exp $ # $NetBSD: Makefile,v 1.3 1996/05/10 21:54:24 cgd Exp $ LIB= pcap -MAN= pcap_open_live.3 pcap-filter.7 +MAN= pcap_open_live.3 pcap-filter.5 DEFS= -DHAVE_SYS_IOCCOM_H -DHAVE_SYS_SOCKIO_H -DHAVE_ETHER_HOSTTON \ -DHAVE_STRERROR -DHAVE_SOCKADDR_SA_LEN -DLBL_ALIGN -DHAVE_IFADDRS_H \ diff --git a/lib/libpcap/pcap-filter.5 b/lib/libpcap/pcap-filter.5 new file mode 100644 index 00000000000..25d33d30e3e --- /dev/null +++ b/lib/libpcap/pcap-filter.5 
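Review bot: the MAN list is the only place this diff renames pcap-filter.7 to pcap-filter.5, and the diffstat shows just three files touched, so any `.Xr pcap-filter 7` cross-references in other pages are left pointing at a section that no longer has the page. The new page's own SEE ALSO names pcap_open_live(3) and tcpdump(8); those two are the first to check, since a reader following a stale section-7 reference from them will get "no manual entry". Suggest a follow-up that greps for `pcap-filter 7` / `pcap-filter(7)` across the tree and bumps them to section 5. The RCS id and MAN edit themselves look right.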
@@ -0,0 +1,925 @@ +.\" $OpenBSD: pcap-filter.5,v 1.1 2019/09/25 16:59:00 jmc Exp $ +.\" +.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.Dd $Mdocdate: September 25 2019 $ +.Dt PCAP-FILTER 5 +.Os +.Sh NAME +.Nm pcap-filter +.Nd packet filter syntax +.Sh DESCRIPTION +.Xr pcap_compile 3 +compiles pcap filters for software such as +.Xr tcpdump 8 . +The resulting filter program can then be applied to +some stream of packets to determine which packets will be supplied to +.Fn pcap_loop , +.Fn pcap_dispatch , +.Fn pcap_next , +or +.Fn pcap_next_ex . +.Pp +The filter expression consists of one or more +.Em primitives . +Primitives usually consist of an ID (name or number) +preceded by one or more qualifiers. 
+There are three different kinds of qualifier: +.Bl -tag -width "proto" +.It type +Type qualifiers say what kind of thing the ID name or number refers to. +Possible types are +.Cm host , +.Cm net , +and +.Cm port . +For example, +.Dq host foo , +.Dq net 128.3 , +and +.Dq port 20 . +If there is no type qualifier, +.Cm host +is assumed. +.It dir +Dir qualifiers specify a particular transfer direction to and/or from an ID. +Possible directions are +.Cm src , +.Cm dst , +.Cm src or dst , +.Cm src and dst , +.Cm ra , +.Cm ta , +.Cm addr1 , +.Cm addr2 , +.Cm addr3 , +and +.Cm addr4 . +For example, +.Cm src foo , +.Cm dst net 128.3 , +.Cm src or dst port ftp-data . +If there is no dir qualifier, +.Cm src or dst +is assumed. +The +.Cm ra , +.Cm ta , +.Cm addr1 , +.Cm addr2 , +.Cm addr3 , +and +.Cm addr4 +qualifiers are only valid for IEEE 802.11 Wireless LAN link layers. +For some link layers, such as SLIP and the "cooked" Linux capture mode +used for the "any" device and for some other device types, the +.Cm inbound +and +.Cm outbound +qualifiers can be used to specify a desired direction. +.It proto +Proto qualifiers restrict the match to a particular protocol. +Possible +protos are: +.Cm ether , +.Cm fddi , +.Cm tr , +.Cm wlan , +.Cm ip , +.Cm ip6 , +.Cm arp , +.Cm rarp , +.Cm decnet , +.Cm tcp , +and +.Cm udp . +For example, +.Dq ether src foo , +.Dq arp net 128.3 , +.Dq tcp port 21 , +and +.Dq wlan addr2 0:2:3:4:5:6 . +If there is no proto qualifier, +all protocols consistent with the type are assumed. +For example, +.Dq src foo +means +.Dq (ip or arp or rarp) src foo +(except the latter is not legal syntax); +.Dq net bar +means +.Dq (ip or arp or rarp) net bar ; +and +.Dq port 53 +means +.Dq (tcp or udp) port 53 . +.Pp +.Cm fddi +is actually an alias for +.Cm ether ; +the parser treats them identically as meaning +"the data link level used on the specified network interface". 
+FDDI headers contain Ethernet-like source and destination addresses, +and often contain Ethernet-like packet types, +so it's possible to filter these FDDI fields just as with the analogous Ethernet fields. +FDDI headers also contain other fields, +but they cannot be named explicitly in a filter expression. +.Pp +Similarly, +.Cm tr +and +.Cm wlan +are aliases for +.Cm ether ; +the previous paragraph's statements about FDDI headers also apply to Token Ring +and 802.11 wireless LAN headers. +For 802.11 headers, the destination address is the DA field +and the source address is the SA field; +the BSSID, RA, and TA fields aren't tested. +.El +.Pp +In addition to the above, +there are some special primitives that don't follow the pattern: +.Cm gateway , +.Cm broadcast , +.Cm less , +.Cm greater , +and arithmetic expressions. +All of these are described below. +.Pp +More complex filter expressions are built up by using the words +.Cm and , +.Cm or , +and +.Cm not +to combine primitives. +For example, +.Dq host foo and not port ftp and not port ftp-data . +To save typing, identical qualifier lists can be omitted, +so that +.Dq tcp dst port ftp or ftp-data or domain +is exactly the same as +.Dq tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain . +.Pp +Allowable primitives are: +.Bl -tag -width "ether proto proto" +.It Cm dst host Ar host +True if the IPv4/v6 destination field of the packet is +.Ar host , +which may be either an address or a name. +.It Cm src host Ar host +True if the IPv4/v6 source field of the packet is +.Ar host . +.It Cm host Ar host +True if either the IPv4/v6 source or destination of the packet is +.Ar host . 
+.Pp +Any of the above host expressions can be prepended with the keywords, +.Cm ip , arp , rarp , +or +.Cm ip6 , +as in: +.Pp +.D1 Cm ip host Ar host +.Pp +which is equivalent to: +.Bd -ragged -offset indent +.Cm ether proto +.Ar ip +.Cm and host +.Ar host +.Ed +.Pp +If +.Ar host +is a name with multiple IP addresses, +each address will be checked for a match. +.It .Cm ether dst Ar ehost +True if the Ethernet destination address is +.Ar ehost , +which may be either a name from +.Pa /etc/ethers +or a number (see +.Xr ether_aton 3 +for numeric format). +.It Cm ether src Ar ehost +True if the Ethernet source address is +.Ar ehost . +.It Cm ether host Ar ehost +True if either the Ethernet source or destination address is +.Ar ehost . +.It Cm gateway host +True if the packet used +.Ar host +as a gateway. +That is, +the Ethernet source or destination address was +.Ar host +but neither the IP source nor the IP destination was +.Ar host . +.Ar host +must be a name and must be found both by the machine's host-name-to-IP-address resolution +mechanisms (host name file, DNS, NIS, etc.) and by the machine's +host-name-to-Ethernet-address resolution mechanism +(such as +.Pa /etc/ethers ) . +An equivalent expression is: +.Bd -ragged -offset indent +.Cm ether host +.Ar ehost +.Cm and not host +.Ar host +.Ed +.Pp +which can be used with either names or numbers for host/ehost. +This syntax does not work in an IPv6-enabled configuration at this moment. +.It Cm dst net Ar net +True if the IPv4/v6 destination address of the packet has a network +number of +.Ar net , +which may be either a name from the networks database +(such as +.Pa /etc/networks ) +or a network number. +An IPv4 network number can be written as a dotted quad (e.g. 192.168.1.0), +dotted triple (e.g. 192.168.1), dotted pair (e.g 172.16), +or single number (e.g. 
10); +the netmask is 255.255.255.255 for a dotted quad +(which means that it's really a host match), +255.255.255.0 for a dotted triple, 255.255.0.0 for a dotted pair, +or 255.0.0.0 for a single number. +An IPv6 network number must be written out fully; +the netmask is ff:ff:ff:ff:ff:ff:ff:ff, +so IPv6 "network" matches are really always host matches, +and a network match requires a netmask length. +.It Cm src net Ar net +True if the IPv4/v6 source address of the packet has a network number of +.Ar net . +.It Cm net Ar net +True if either the IPv4/v6 source or destination address of the packet +has a network number of +.Ar net . +.It Cm net Ar net Cm mask Ar netmask +True if the IPv4 address matches +.Ar net +with the specific +.Ar netmask . +May be qualified with +.Cm src +or +.Cm dst . +Note that this syntax is not valid for IPv6 networks. +.It Cm net Ar net Ns / Ns Ar len +True if the IPv4/v6 address matches +.Ar net +with a netmask +.Ar len +bits wide. +May be qualified with +.Cm src +or +.Cm dst . +.It Cm dst port Ar port +True if the packet is IP/TCP, IP/UDP, IP6/TCP or IP6/UDP +and has a destination port value of +.Ar port . +The +.Ar port +can be a number or a name used in +.Pa /etc/services +(see +.Xr tcp 4 +and +.Xr udp 4 ) . +If a name is used, both the port number and protocol are checked. +If a number or ambiguous name is used, +only the port number is checked (e.g.\& +.Dq dst port 513 +will print both +TCP/login traffic and UDP/who traffic, and +.Dq port domain +will print both TCP/domain and UDP/domain traffic). +.It Cm src port Ar port +True if the packet has a source port value of +.Ar port . +.It Cm port Ar port +True if either the source or destination port of the packet is +.Ar port . +.It Cm less Ar length +True if the packet has a length less than or equal to +.Ar length . +This is equivalent to +.Cm len <= Ar length . +.It Cm greater Ar length +True if the packet has a length greater than or equal to +.Ar length . 
+This is equivalent to +.Cm len >= Ar length . +.It Cm ip proto Ar protocol +True if the packet is an IPv4 packet (see +.Xr ip 4 ) +of protocol type +.Ar protocol . +.Ar protocol +can be a number, or one of the names +.Cm icmp , +.Cm icmp6 , +.Cm igmp , +.Cm igrp , +.Cm pim , +.Cm ah , +.Cm esp , +.Cm vrrp , +.Cm udp , +or +.Cm tcp . +Note that the identifiers +.Cm tcp , +.Cm udp , +and +.Cm icmp +are also keywords and must be escaped using a backslash character +.Pq \e . +Note that this primitive does not chase the protocol header chain. +.It Cm ip6 proto Ar protocol +True if the packet is an IPv6 packet of protocol type +.Ar protocol . +Note that this primitive does not chase the protocol header chain. +.It Cm ether broadcast +True if the packet is an Ethernet broadcast packet. +The +.Cm ether +keyword is optional. +.It Cm ip broadcast +True if the packet is an IPv4 broadcast packet. +It checks for both the all-zeroes and all-ones broadcast conventions, +and looks up the subnet mask on the interface on which the capture is +being done. +.Pp +If the subnet mask of the interface on which the capture is being done +is not available, +this check will not work correctly. +.It Cm ether multicast +True if the packet is an Ethernet multicast packet. +The +.Cm ether +keyword is optional. +This is shorthand for +.Dq ether[0] & 1 != 0 . +.It Cm ip multicast +True if the packet is an IPv4 multicast packet. +.It Cm ip6 multicast +True if the packet is an IPv6 multicast packet. +.It Cm ether proto Ar protocol +True if the packet is of ether type +.Ar protocol . +.Ar protocol +can be a number, or one of the names +.Cm ip , +.Cm ip6 , +.Cm arp , +.Cm rarp , +.Cm atalk , +.Cm decnet , +.Cm sca , +.Cm lat , +or +.Cm stp . +Note these identifiers are also keywords +and must be escaped using a backslash character +.Pq \e . 
+.Pp +In the case of FDDI (such as "fddi protocol arp") +and IEEE 802.11 wireless LANS (such as "wlan protocol arp"), +for most of those protocols +the protocol identification comes from +the 802.2 Logical Link Control (LLC) header, +which is usually layered on top of the FDDI or 802.11 header. +.Pp +When filtering for most protocol identifiers on FDDI or 802.11, +the filter checks only the protocol ID field of an LLC header +in so-called SNAP format with an Organizational Unit Identifier (OUI) of +0x000000, for encapsulated Ethernet; it doesn't check whether the packet +is in SNAP format with an OUI of 0x000000. +The exceptions are: +.Bl -tag -width "atalk" +.It iso +The filter checks the DSAP (Destination Service Access Point) and +SSAP (Source Service Access Point) fields of the LLC header. +.It stp +The filter checks the DSAP of the LLC header. +.It atalk +The filter checks for a SNAP-format packet with an OUI of 0x080007 +and the AppleTalk etype. +.El +.Pp +In the case of Ethernet, the filter checks the Ethernet type field +for most of those protocols. +The exceptions are: +.Bl -tag -width "iso and stp" +.It iso and stp +The filter checks for an 802.3 frame and then checks the LLC header as +it does for FDDI and 802.11. +.It atalk +The filter checks both for the AppleTalk etype in an Ethernet frame and +for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11. +.El +.It Cm decnet src Ar host +True if the DECNET source address is +.Ar host , +which may be an address of the form "10.123", or a DECNET hostname. +DECNET hostname support is only available on ULTRIX systems +that are configured to run DECNET. +.It Cm decnet dst Ar host +True if the DECNET destination address is +.Ar host . +.It Cm decnet host Ar host +True if either the DECNET source or destination address is +.Ar host . +.It Cm ifname Ar interface +True if the packet was logged as coming from the specified interface +(applies only to packets logged by +.Xr pf 4 ) . 
+.It Cm on Ar interface +Synonymous with the +.Cm ifname +modifier. +.It Cm rnr Ar num +True if the packet was logged as matching the specified PF rule number +(applies only to packets logged by +.Xr pf 4 ) . +.It Cm rulenum Ar num +Synonymous with the +.Cm rnr +modifier. +.It Cm reason Ar code +True if the packet was logged with the specified PF reason code. +The known codes are: +.Cm match , +.Cm bad-offset , +.Cm fragment , +.Cm short , +.Cm normalize , +and +.Cm memory +(applies only to packets logged by +.Xr pf 4 ) . +.It Cm rset Ar name +True if the packet was logged as matching the specified PF ruleset +name of an anchored ruleset (applies only to packets logged by +.Xr pf 4 ) . +.It Cm ruleset Ar name +Synonymous with the +.Cm rset +modifier. +.It Cm srnr Ar num +True if the packet was logged as matching the specified PF rule number +of an anchored ruleset (applies only to packets logged by +.Xr pf 4 ) . +.It Cm subrulenum Ar num +Synonymous with the +.Cm srnr +modifier. +.It Cm action Ar act +True if PF took the specified action when the packet was logged. +Known actions are: +.Cm pass +and +.Cm block +and, with later versions of +.Xr pf 4 , +.Cm nat , +.Cm rdr , +.Cm binat +and +.Cm scrub +(applies only to packets logged by +.Xr pf 4 ) . +.It Cm ip , ip6 , arp , rarp , atalk , decnet , iso , stp +Abbreviations for +.Cm ether proto Ar p , +where +.Ar p +is one of the above protocols. +.It Cm lat , moprc , mopdl +Abbreviations for +.Cm ether proto Ar p , +where +.Ar p +is one of the above protocols. +Note that not all applications using +.Xr pcap_open_live 3 +currently know how to parse these protocols. +.It Cm type Ar wlan_type +True if the IEEE 802.11 frame type matches the specified +.Ar wlan_type . +Valid types are: +.Cm mgt , +.Cm ctl , +and +.Cm data . +.It Cm type Ar wlan_type Cm subtype Ar wlan_subtype +True if the IEEE 802.11 frame type matches the specified +.Ar wlan_type +and frame subtype matches the specified +.Ar wlan_subtype . 
+.Pp +If the specified +.Ar wlan_type +is +.Cm mgtv , +then valid values for +.Ar wlan_subtype +are +.Cm assoc-req , +.Cm assoc-resp , +.Cm reassoc-req , +.Cm reassoc-resp , +.Cm probe-req , +.Cm probe-resp , +.Cm beacon , +.Cm atim , +.Cm disassoc , +.Cm auth , +and +.Cm deauth . +.Pp +If the specified +.Ar wlan_type +is +.Cm ctl , +then valid values for +.Ar wlan_subtype +are +.Cm ps-poll , +.Cm rts , +.Cm cts , +.Cm ack , +.Cm cf-end , +and +.Cm cf-end-ack . +.Pp +If the specified +.Ar wlan_type +is +.Cm data , +then valid values for +.Ar wlan_subtype +are +.Cm data , +.Cm data-cf-ack , +.Cm data-cf-poll , +.Cm data-cf-ack-poll , +.Cm null , +.Cm cf-ack , +.Cm cf-poll , +.Cm cf-ack-poll , +.Cm qos-data , +.Cm qos-data-cf-ack , +.Cm qos-data-cf-poll , +.Cm qos-data-cf-ack-poll , +.Cm qos , +.Cm qos-cf-poll , +and +.Cm qos-cf-ack-poll . +.It Cm subtype Ar wlan_subtype +True if the IEEE 802.11 frame subtype matches the specified +.Ar wlan_subtype +and frame has the type to which the specified +.Ar wlan_subtype +belongs. +.It Cm dir Ar dir +True if the IEEE 802.11 frame direction matches the specified +.Cm dir . +Valid directions are: +.Cm nods , +.Cm tods , +.Cm fromds , +.Cm dstods , +or a numeric value. +.It Cm vlan Op Ar vlan_id +True if the packet is an IEEE 802.1Q VLAN packet. +If +.Ar vlan_id +is specified, only true if the packet has the specified ID. +Note that the first +.Cm vlan +keyword encountered in +.Ar expression +changes the decoding offsets for the remainder of +.Ar expression +on the assumption that the packet is a VLAN packet. +This expression may be used more than once, to filter on VLAN hierarchies. +Each use of that expression increments the filter offsets by 4. 
+.Pp +For example, +to filter on VLAN 200 encapsulated within VLAN 100: +.Pp +.Dl vlan 100 && vlan 200 +.Pp +To filter IPv4 protocols encapsulated in VLAN 300 encapsulated within any +higher order VLAN: +.Pp +.Dl vlan && vlan 300 && ip +.It mpls Op Ar label +True if the packet is an MPLS (Multi-Protocol Label Switching) packet. +If +.Ar label +is specified, only true if the packet has the specified label. +Note that the first +.Cm mpls +keyword encountered in +.Ar expression +changes the decoding offsets for the remainder of +.Ar expression +on the assumption that the packet is an MPLS packet. +This expression may be used more than once, to filter on MPLS labels. +Each use of that expression increments the filter offsets by 4. +.Pp +For example, +to filter on MPLS label 42 first and requires the next label to be 12: +.Pp +.Dl mpls 42 && mpls 12 +.Pp +To filter on network 192.0.2.0/24 transported inside packets with label 42: +.Pp +.Dl mpls 42 && net 192.0.2.0/24 +.It Cm tcp , udp , icmp +Abbreviations for +.Cm ip proto Ar p +or +.Cm ip6 proto Ar p , +where +.Ar p +is one of the above protocols. +.It Ar expr relop expr +True if the relation holds, where +.Ar relop +is one of +.Sq > , +.Sq < , +.Sq >= , +.Sq <= , +.Sq = , +.Sq != , +and +.Ar expr +is an arithmetic expression composed of integer constants +(expressed in standard C syntax), the normal binary operators +.Pf ( Sq + , +.Sq - , +.Sq * , +.Sq / , +.Sq & , +.Sq | , +.Sq << , +.Sq >> ) , +a length operator, and special packet data accessors. +Note that all comparisons are unsigned, so that, for example, +0x80000000 and 0xffffffff are > 0. 
+To access data inside the packet, use the following syntax: +.Pp +.D1 Ar proto Ns Op Ar expr : Ns Ar size +.Pp +.Ar proto +is one of +.Cm ether , +.Cm fddi , +.Cm tr , +.Cm wlan , +.Cm ppp , +.Cm slip , +.Cm link , +.Cm ip , +.Cm arp , +.Cm rarp , +.Cm tcp , +.Cm udp , +.Cm icmp , +.Cm ip6 , +or +.Cm radio , +and indicates the protocol layer for the index operation +.Pf ( Cm ether , +.Cm fddi , +.Cm wlan , +.Cm tr , +.Cm ppp , +.Cm slip , +and +.Cm link +all refer to the link layer; +.Cm radio +refers to the "radio header" added to some 802.11 captures). +Note that +.Cm tcp , +.Cm udp , +and other upper-layer protocol types only apply to IPv4, not IPv6 +(this will be fixed in the future). +The byte offset, relative to the indicated protocol layer, is given by +.Ar expr . +.Ar size +is optional and indicates the number of bytes in the field of interest; +it can be either one, two, or four, and defaults to one. +The length operator, indicated by the keyword +.Ar len , +gives the length of the packet. +.Pp +For example, +.Dq ether[0] & 1 != 0 +catches all multicast traffic. +The expression +.Dq ip[0] & 0xf != 5 +catches all IPv4 packets with options. +The expression +.Dq ip[6:2] & 0x1fff = 0 +catches only unfragmented IPv4 datagrams and frag zero of fragmented +IPv4 datagrams. +This check is implicitly applied to the +.Cm tcp +and +.Cm udp +index operations. +For instance, +.Dq tcp[0] +always means the first byte of the TCP +.Ar header , +and never means the first byte of an intervening fragment. +.Pp +Some offsets and field values may be expressed as names rather than +as numeric values. +The following protocol header field offsets are available: +.Cm icmptype +(ICMP type field), +.Cm icmpcode +(ICMP code field), and +.Cm tcpflags +(TCP flags field). 
+.Pp +The following ICMP type field values are available: +.Cm icmp-echoreply , +.Cm icmp-unreach , +.Cm icmp-sourcequench , +.Cm icmp-redirect , +.Cm icmp-echo , +.Cm icmp-routeradvert , +.Cm icmp-routersolicit , +.Cm icmp-timxceed , +.Cm icmp-paramprob , +.Cm icmp-tstamp , +.Cm icmp-tstampreply , +.Cm icmp-ireq , +.Cm icmp-ireqreply , +.Cm icmp-maskreq , +.Cm and +.Cm icmp-maskreply . +.Pp +The following TCP flags field values are available: +.Cm tcp-fin , +.Cm tcp-syn , +.Cm tcp-rst , +.Cm tcp-push , +.Cm tcp-ack , +.Cm tcp-urg . +.El +.Pp +Primitives may be combined using +a parenthesized group of primitives and operators. +Parentheses are special to the shell and must be escaped. +.Bd -ragged -offset indent +Negation +.Po +.Dq Cm \&! +or +.Dq Cm not +.Pc +.Pp +Concatenation +.Po +.Dq Cm && +or +.Dq Cm and +.Pc +.Pp +Alternation +.Po +.Dq Cm || +or +.Dq Cm or +.Pc +.Ed +.Pp +Negation has highest precedence. +Alternation and concatenation have equal precedence and associate +left to right. +Note that explicit +.Cm and +tokens, not juxtaposition, +are now required for concatenation. +.Pp +If an identifier is given without a keyword, the most recent keyword +is assumed. +For example, +.Dq not host vs and ace +is short for +.Dq not host vs and host ace , +which shouldn't be confused with +.Dq not (\& host vs or ace )\& . 
+.Sh EXAMPLES +To select all packets arriving at or departing from +.Dq sundown : +.Pp +.Dl host sundown +.Pp +To select traffic between +.Dq helios +and either +.Dq hot +or +.Dq ace : +.Pp +.Dl host helios and \e( hot or ace \e) +.Pp +To select all IP packets between +.Dq ace +and any host except +.Dq helios : +.Pp +.Dl ip host ace and not helios +.Pp +To select all traffic between local hosts and hosts at Berkeley: +.Pp +.Dl net ucb-ether +.Pp +To select all FTP traffic through internet gateway +.Dq snup : +.Pp +.Dl gateway snup and (port ftp or ftp-data) +.Pp +To select traffic neither sourced from nor destined for local network +192.168.7.0/24 +(if you gateway to one other net, this stuff should never make it +onto your local net): +.Pp +.Dl ip and not net 192.168.7.0/24 +.Pp +To select the start and end packets (the SYN and FIN packets) of each +TCP connection that involves a host not in local network 192.168.7.0/24: +.Bd -literal -offset indent +tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst \e + net 192.168.7.0/24 +.Ed +.Pp +To select all IPv4 HTTP packets to and from port 80, i.e. print only +packets that contain data and not, for example, SYN and FIN packets and +ACK-only packets +(IPv6 is left as an exercise for the reader): +.Bd -literal -offset indent +tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) \e + - ((tcp[12]&0xf0)>>2)) != 0) +.Ed +.Pp +To select IP packets longer than 576 bytes sent through gateway +.Dq snup : +.Pp +.Dl gateway snup and ip[2:2] > 576 +.Pp +To select IP broadcast or multicast packets +that were not sent via Ethernet broadcast or multicast: +.Pp +.Dl ether[0] & 1 = 0 and ip[16] >= 224 +.Pp +To select all ICMP packets that are not echo requests/replies (i.e. 
not ping packets): +.Pp +.Dl icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply +.Sh SEE ALSO +.Xr pcap_open_live 3 , +.Xr tcpdump 8 +.Sh AUTHORS +.An -nosplit +The original authors are +.An Van Jacobson , +.An Craig Leres , +and +.An Steven McCanne , +all of the +Lawrence Berkeley National Laboratory, University of California, Berkeley, CA. +.\" Fixes should be submitted to http://sourceforge.net/tracker/?group_id=53067 diff --git a/lib/libpcap/pcap-filter.7 b/lib/libpcap/pcap-filter.7 deleted file mode 100644 index 8c7887c77c7..00000000000 --- a/lib/libpcap/pcap-filter.7 +++ /dev/null 
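Review bot: several mdoc macro slips in the new page will either render literally or tag plain words as keywords, and they are easy to fix before commit. `.It .Cm ether dst Ar ehost` has a stray leading dot before Cm (the next entry, `.It Cm ether src Ar ehost`, shows the intended form). In the wlan subtype paragraph the type is given as `.Cm mgtv ,` while the valid types listed just above are mgt, ctl and data, so that should be mgt. The MPLS entry is written as .It mpls Op Ar label without the Cm that the neighbouring .It Cm vlan Op Ar vlan_id entry has, so "mpls" will not be marked up as a keyword. The ICMP type list ends with .Cm and followed by .Cm icmp-maskreply, which sets the conjunction in keyword font; it should be a bare "and" line like the other lists on the page. Two smaller points: the EXAMPLES section says parentheses are special to the shell and must be escaped, then escapes them in host helios and \e( hot or ace \e) but not in gateway snup and (port ftp or ftp-data), so the examples should be made consistent; and the copyright block carries "All rights reserved." twice on consecutive lines (inherited from the old page, but worth dropping while the file is being rewritten).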
@@ -1,757 +0,0 @@ -.\" $OpenBSD: pcap-filter.7,v 1.1 2019/09/03 04:25:10 deraadt Exp $ -.\" -.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997 -.\" The Regents of the University of California. All rights reserved. -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that: (1) source code distributions -.\" retain the above copyright notice and this paragraph in its entirety, (2) -.\" distributions including binary code include the above copyright notice and -.\" this paragraph in its entirety in the documentation or other materials -.\" provided with the distribution, and (3) all advertising materials mentioning -.\" features or use of this software display the following acknowledgement: -.\" ``This product includes software developed by the University of California, -.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of -.\" the University nor the names of its contributors may be used to endorse -.\" or promote products derived from this software without specific prior -.\" written permission. -.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED -.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. -.\" -.TH PCAP-FILTER 3 2008-01-06 -.SH NAME -pcap-filter \- packet filter syntax -.br -.ad -.SH DESCRIPTION -.LP -.B pcap_compile() -is used to compile a string into a filter program. -The resulting filter program can then be applied to -some stream of packets to determine which packets will be supplied to -.BR pcap_loop() , -.BR pcap_dispatch() , -.BR pcap_next() , -or -.BR pcap_next_ex() . -.LP -The \fIfilter expression\fP consists of one or more -.IR primitives . -Primitives usually consist of an -.I id -(name or number) preceded by one or more qualifiers. 
-There are three -different kinds of qualifier: -.IP \fItype\fP -qualifiers say what kind of thing the id name or number refers to. -Possible types are -.BR host , -.B net , -.B and port . -E.g., `host foo', `net 128.3', `port 20'. -If there is no type -qualifier, -.B host -is assumed. -.IP \fIdir\fP -qualifiers specify a particular transfer direction to and/or from -.IR id . -Possible directions are -.BR src , -.BR dst , -.BR "src or dst" , -.BR "src and dst" , -.BR ra , -.BR ta , -.BR addr1 , -.BR addr2 , -.BR addr3 , -and -.BR addr4 . -E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. -If -there is no dir qualifier, -.B "src or dst" -is assumed. -The -.BR ra , -.BR ta , -.BR addr1 , -.BR addr2 , -.BR addr3 , -and -.B addr4 -qualifiers are only valid for IEEE 802.11 Wireless LAN link layers. -For some link layers, such as SLIP and the ``cooked'' Linux capture mode -used for the ``any'' device and for some other device types, the -.B inbound -and -.B outbound -qualifiers can be used to specify a desired direction. -.IP \fIproto\fP -qualifiers restrict the match to a particular protocol. -Possible -protos are: -.BR ether , -.BR fddi , -.BR tr , -.BR wlan , -.BR ip , -.BR ip6 , -.BR arp , -.BR rarp , -.BR decnet , -.B tcp -and -.BR udp . -E.g., `ether src foo', `arp net 128.3', `tcp port 21' -`wlan addr2 0:2:3:4:5:6'. -If there is -no proto qualifier, all protocols consistent with the type are -assumed. -E.g., `src foo' means `(ip or arp or rarp) src foo' -(except the latter is not legal syntax), `net bar' means `(ip or -arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'. -.LP -[`fddi' is actually an alias for `ether'; the parser treats them -identically as meaning ``the data link level used on the specified -network interface.'' FDDI headers contain Ethernet-like source -and destination addresses, and often contain Ethernet-like packet -types, so you can filter on these FDDI fields just as with the -analogous Ethernet fields. 
-FDDI headers also contain other fields, -but you cannot name them explicitly in a filter expression. -.LP -Similarly, `tr' and `wlan' are aliases for `ether'; the previous -paragraph's statements about FDDI headers also apply to Token Ring -and 802.11 wireless LAN headers. For 802.11 headers, the destination -address is the DA field and the source address is the SA field; the -BSSID, RA, and TA fields aren't tested.] -.LP -In addition to the above, there are some special `primitive' keywords -that don't follow the pattern: -.BR gateway , -.BR broadcast , -.BR less , -.B greater -and arithmetic expressions. -All of these are described below. -.LP -More complex filter expressions are built up by using the words -.BR and , -.B or -and -.B not -to combine primitives. -E.g., `host foo and not port ftp and not port ftp-data'. -To save typing, identical qualifier lists can be omitted. -E.g., -`tcp dst port ftp or ftp-data or domain' is exactly the same as -`tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'. -.LP -Allowable primitives are: -.IP "\fBdst host \fIhost\fR" -True if the IPv4/v6 destination field of the packet is \fIhost\fP, -which may be either an address or a name. -.IP "\fBsrc host \fIhost\fR" -True if the IPv4/v6 source field of the packet is \fIhost\fP. -.IP "\fBhost \fIhost\fP" -True if either the IPv4/v6 source or destination of the packet is \fIhost\fP. -.IP -Any of the above host expressions can be prepended with the keywords, -\fBip\fP, \fBarp\fP, \fBrarp\fP, or \fBip6\fP as in: -.in +.5i -.nf -\fBip host \fIhost\fR -.fi -.in -.5i -which is equivalent to: -.in +.5i -.nf -\fBether proto \fI\\ip\fB and host \fIhost\fR -.fi -.in -.5i -If \fIhost\fR is a name with multiple IP addresses, each address will -be checked for a match. -.IP "\fBether dst \fIehost\fP" -True if the Ethernet destination address is \fIehost\fP. -\fIEhost\fP -may be either a name from /etc/ethers or a number (see -.IR ethers (3N) -for numeric format). 
-.IP "\fBether src \fIehost\fP" -True if the Ethernet source address is \fIehost\fP. -.IP "\fBether host \fIehost\fP" -True if either the Ethernet source or destination address is \fIehost\fP. -.IP "\fBgateway\fP \fIhost\fP" -True if the packet used \fIhost\fP as a gateway. -I.e., the Ethernet -source or destination address was \fIhost\fP but neither the IP source -nor the IP destination was \fIhost\fP. -\fIHost\fP must be a name and -must be found both by the machine's host-name-to-IP-address resolution -mechanisms (host name file, DNS, NIS, etc.) and by the machine's -host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.). -(An equivalent expression is -.in +.5i -.nf -\fBether host \fIehost \fBand not host \fIhost\fR -.fi -.in -.5i -which can be used with either names or numbers for \fIhost / ehost\fP.) -This syntax does not work in IPv6-enabled configuration at this moment. -.IP "\fBdst net \fInet\fR" -True if the IPv4/v6 destination address of the packet has a network -number of \fInet\fP. -\fINet\fP may be either a name from the networks database -(/etc/networks, etc.) or a network number. -An IPv4 network number can be written as a dotted quad (e.g., 192.168.1.0), -dotted triple (e.g., 192.168.1), dotted pair (e.g, 172.16), or single -number (e.g., 10); the netmask is 255.255.255.255 for a dotted quad -(which means that it's really a host match), 255.255.255.0 for a dotted -triple, 255.255.0.0 for a dotted pair, or 255.0.0.0 for a single number. -An IPv6 network number must be written out fully; the netmask is -ff:ff:ff:ff:ff:ff:ff:ff, so IPv6 "network" matches are really always -host matches, and a network match requires a netmask length. -.IP "\fBsrc net \fInet\fR" -True if the IPv4/v6 source address of the packet has a network -number of \fInet\fP. -.IP "\fBnet \fInet\fR" -True if either the IPv4/v6 source or destination address of the packet has a network -number of \fInet\fP. 
-.IP "\fBnet \fInet\fR \fBmask \fInetmask\fR" -True if the IPv4 address matches \fInet\fR with the specific \fInetmask\fR. -May be qualified with \fBsrc\fR or \fBdst\fR. -Note that this syntax is not valid for IPv6 \fInet\fR. -.IP "\fBnet \fInet\fR/\fIlen\fR" -True if the IPv4/v6 address matches \fInet\fR with a netmask \fIlen\fR -bits wide. -May be qualified with \fBsrc\fR or \fBdst\fR. -.IP "\fBdst port \fIport\fR" -True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a -destination port value of \fIport\fP. -The \fIport\fP can be a number or a name used in /etc/services (see -.IR tcp (4) -and -.IR udp (4)). -If a name is used, both the port -number and protocol are checked. -If a number or ambiguous name is used, -only the port number is checked (e.g., \fBdst port 513\fR will print both -tcp/login traffic and udp/who traffic, and \fBport domain\fR will print -both tcp/domain and udp/domain traffic). -.IP "\fBsrc port \fIport\fR" -True if the packet has a source port value of \fIport\fP. -.IP "\fBport \fIport\fR" -True if either the source or destination port of the packet is \fIport\fP. -.IP "\fBless \fIlength\fR" -True if the packet has a length less than or equal to \fIlength\fP. -This is equivalent to: -.in +.5i -.nf -\fBlen <= \fIlength\fP. -.fi -.in -.5i -.IP "\fBgreater \fIlength\fR" -True if the packet has a length greater than or equal to \fIlength\fP. -This is equivalent to: -.in +.5i -.nf -\fBlen >= \fIlength\fP. -.fi -.in -.5i -.IP "\fBip proto \fIprotocol\fR" -True if the packet is an IPv4 packet (see -.IR ip (4P)) -of protocol type \fIprotocol\fP. -\fIProtocol\fP can be a number or one of the names -\fBicmp\fP, \fBicmp6\fP, \fBigmp\fP, \fBigrp\fP, \fBpim\fP, \fBah\fP, -\fBesp\fP, \fBvrrp\fP, \fBudp\fP, or \fBtcp\fP. -Note that the identifiers \fBtcp\fP, \fBudp\fP, and \fBicmp\fP are also -keywords and must be escaped via backslash (\\), which is \\\\ in the C-shell. -Note that this primitive does not chase the protocol header chain. 
-.IP "\fBip6 proto \fIprotocol\fR" -True if the packet is an IPv6 packet of protocol type \fIprotocol\fP. -Note that this primitive does not chase the protocol header chain. -.IP "\fBether broadcast\fR" -True if the packet is an Ethernet broadcast packet. -The \fIether\fP -keyword is optional. -.IP "\fBip broadcast\fR" -True if the packet is an IPv4 broadcast packet. -It checks for both the all-zeroes and all-ones broadcast conventions, -and looks up the subnet mask on the interface on which the capture is -being done. -.IP -If the subnet mask of the interface on which the capture is being done -is not available, either because the interface on which capture is being -done has no netmask this check will not work correctly. -.IP "\fBether multicast\fR" -True if the packet is an Ethernet multicast packet. -The \fBether\fP -keyword is optional. -This is shorthand for `\fBether[0] & 1 != 0\fP'. -.IP "\fBip multicast\fR" -True if the packet is an IPv4 multicast packet. -.IP "\fBip6 multicast\fR" -True if the packet is an IPv6 multicast packet. -.IP "\fBether proto \fIprotocol\fR" -True if the packet is of ether type \fIprotocol\fR. -\fIProtocol\fP can be a number or one of the names -\fBip\fP, \fBip6\fP, \fBarp\fP, \fBrarp\fP, \fBatalk\fP, -\fBdecnet\fP, \fBsca\fP, \fBlat\fP or \fBstp\fP. -Note these identifiers are also keywords -and must be escaped via backslash (\\). -.IP -[In the case of FDDI (e.g., `\fBfddi protocol arp\fR') -and IEEE 802.11 wireless LANS (e.g., -`\fBwlan protocol arp\fR'), for most of those protocols, the -protocol identification comes from the 802.2 Logical Link Control (LLC) -header, which is usually layered on top of the FDDI or 802.11 header. 
-.IP -When filtering for most protocol identifiers on FDDI or 802.11, -the filter checks only the protocol ID field of an LLC header -in so-called SNAP format with an Organizational Unit Identifier (OUI) of -0x000000, for encapsulated Ethernet; it doesn't check whether the packet -is in SNAP format with an OUI of 0x000000. -The exceptions are: -.RS -.TP -\fBiso\fP -the filter checks the DSAP (Destination Service Access Point) and -SSAP (Source Service Access Point) fields of the LLC header; -.TP -\fBstp\fP -the filter checks the DSAP of the LLC header; -.TP -\fBatalk\fP -the filter checks for a SNAP-format packet with an OUI of 0x080007 -and the AppleTalk etype. -.RE -.IP -In the case of Ethernet, the filter checks the Ethernet type field -for most of those protocols. The exceptions are: -.RS -.TP -\fBiso\fP and \fBstp\fP -the filter checks for an 802.3 frame and then checks the LLC header as -it does for FDDI and 802.11; -.TP -\fBatalk\fP -the filter checks both for the AppleTalk etype in an Ethernet frame and -for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11; -.TP -.RE -.IP "\fBdecnet src \fIhost\fR" -True if the DECNET source address is -.IR host , -which may be an address of the form ``10.123'', or a DECNET host -name. -[DECNET host name support is only available on ULTRIX systems -that are configured to run DECNET.] -.IP "\fBdecnet dst \fIhost\fR" -True if the DECNET destination address is -.IR host . -.IP "\fBdecnet host \fIhost\fR" -True if either the DECNET source or destination address is -.IR host . -.IP "\fBifname \fIinterface\fR" -True if the packet was logged as coming from the specified interface (applies -only to packets logged by -.BR pf (4)). -.IP "\fBon \fIinterface\fR" -Synonymous with the -.B ifname -modifier. -.IP "\fBrnr \fInum\fR" -True if the packet was logged as matching the specified PF rule number -(applies only to packets logged by -.BR pf (4)). -.IP "\fBrulenum \fInum\fR" -Synonymous with the -.B rnr -modifier. 
-.IP "\fBreason \fIcode\fR" -True if the packet was logged with the specified PF reason code. The known -codes are: -.BR match , -.BR bad-offset , -.BR fragment , -.BR short , -.BR normalize , -and -.B memory -(applies only to packets logged by -.BR pf (4)). -.IP "\fBrset \fIname\fR" -True if the packet was logged as matching the specified PF ruleset -name of an anchored ruleset (applies only to packets logged by -.BR pf (4)). -.IP "\fBruleset \fIname\fR" -Synonymous with the -.B rset -modifier. -.IP "\fBsrnr \fInum\fR" -True if the packet was logged as matching the specified PF rule number -of an anchored ruleset (applies only to packets logged by -.BR pf (4)). -.IP "\fBsubrulenum \fInum\fR" -Synonymous with the -.B srnr -modifier. -.IP "\fBaction \fIact\fR" -True if PF took the specified action when the packet was logged. Known actions -are: -.B pass -and -.B block -and, with later versions of -.BR pf (4)), -.BR nat , -.BR rdr , -.B binat -and -.B scrub -(applies only to packets logged by -.BR pf (4)). -.IP "\fBip\fR, \fBip6\fR, \fBarp\fR, \fBrarp\fR, \fBatalk\fR, \fBdecnet\fR, \fBiso\fR, \fBstp\fP" -Abbreviations for: -.in +.5i -.nf -\fBether proto \fIp\fR -.fi -.in -.5i -where \fIp\fR is one of the above protocols. -.IP "\fBlat\fR, \fBmoprc\fR, \fBmopdl\fR" -Abbreviations for: -.in +.5i -.nf -\fBether proto \fIp\fR -.fi -.in -.5i -where \fIp\fR is one of the above protocols. -Note that not all applications using -.BR pcap (3) -currently know how to parse these protocols. -.IP "\fBtype \fIwlan_type\fR" -True if the IEEE 802.11 frame type matches the specified \fIwlan_type\fR. -Valid \fIwlan_type\fRs are: -\fBmgt\fP, -\fBctl\fP -and \fBdata\fP. -.IP "\fBtype \fIwlan_type \fBsubtype \fIwlan_subtype\fR" -True if the IEEE 802.11 frame type matches the specified \fIwlan_type\fR -and frame subtype matches the specified \fIwlan_subtype\fR. 
-.IP -If the specified \fIwlan_type\fR is \fBmgt\fP, -then valid \fIwlan_subtype\fRs are: -\fBassoc-req\fP, -\fBassoc-resp\fP, -\fBreassoc-req\fP, -\fBreassoc-resp\fP, -\fBprobe-req\fP, -\fBprobe-resp\fP, -\fBbeacon\fP, -\fBatim\fP, -\fBdisassoc\fP, -\fBauth\fP and -\fBdeauth\fP. -.IP -If the specified \fIwlan_type\fR is \fBctl\fP, -then valid \fIwlan_subtype\fRs are: -\fBps-poll\fP, -\fBrts\fP, -\fBcts\fP, -\fBack\fP, -\fBcf-end\fP and -\fBcf-end-ack\fP. -.IP -If the specified \fIwlan_type\fR is \fBdata\fP, -then valid \fIwlan_subtype\fRs are: -\fBdata\fP, -\fBdata-cf-ack\fP, -\fBdata-cf-poll\fP, -\fBdata-cf-ack-poll\fP, -\fBnull\fP, -\fBcf-ack\fP, -\fBcf-poll\fP, -\fBcf-ack-poll\fP, -\fBqos-data\fP, -\fBqos-data-cf-ack\fP, -\fBqos-data-cf-poll\fP, -\fBqos-data-cf-ack-poll\fP, -\fBqos\fP, -\fBqos-cf-poll\fP and -\fBqos-cf-ack-poll\fP. -.IP "\fBsubtype \fIwlan_subtype\fR" -True if the IEEE 802.11 frame subtype matches the specified \fIwlan_subtype\fR -and frame has the type to which the specified \fIwlan_subtype\fR belongs. -.IP "\fBdir \fIdir\fR" -True if the IEEE 802.11 frame direction matches the specified -.IR dir . -Valid directions are: -.BR nods , -.BR tods , -.BR fromds , -.BR dstods , -or a numeric value. -.IP "\fBvlan \fI[vlan_id]\fR" -True if the packet is an IEEE 802.1Q VLAN packet. -If \fI[vlan_id]\fR is specified, only true if the packet has the specified -\fIvlan_id\fR. -Note that the first \fBvlan\fR keyword encountered in \fIexpression\fR -changes the decoding offsets for the remainder of \fIexpression\fR on -the assumption that the packet is a VLAN packet. The \fBvlan -\fI[vlan_id]\fR expression may be used more than once, to filter on VLAN -hierarchies. Each use of that expression increments the filter offsets -by 4. 
-.IP -For example: -.in +.5i -.nf -\fBvlan 100 && vlan 200\fR -.fi -.in -.5i -filters on VLAN 200 encapsulated within VLAN 100, and -.in +.5i -.nf -\fBvlan && vlan 300 && ip\fR -.fi -.in -.5i -filters IPv4 protocols encapsulated in VLAN 300 encapsulated within any -higher order VLAN. -.IP "\fBmpls \fI[label]\fR" -True if the packet is an MPLS (Multi-Protocol Label Switching) packet. -If \fIlabel\fR is specified, only true if the packet has the specified -\fIlabel\fR. -Note that the first \fBmpls\fR keyword encountered in \fIexpression\fR -changes the decoding offsets for the remainder of \fIexpression\fR on -the assumption that the packet is an MPLS packet. The \fBmpls -\fI[label]\fR expression may be used more than once, to filter on MPLS -labels stack. Each use of that expression increments the filter offsets -by 4. -.IP -For example: -.in +.5i -.nf -\fBmpls 42 && mpls 12\fR -.fi -.in -.5i -filters on MPLS label 42 first and requires the next label to be 12 and -.in +.5i -.nf -\fBmpls 42 && net 192.0.2.0/24\fR -.fi -.in -.5i -filters on network 192.0.2.0/24 transported inside packets with label 42. -.IP "\fBtcp\fR, \fBudp\fR, \fBicmp\fR" -Abbreviations for: -.in +.5i -.nf -\fBip proto \fIp\fR\fB or ip6 proto \fIp\fR -.fi -.in -.5i -where \fIp\fR is one of the above protocols. -.IP "\fIexpr relop expr\fR" -True if the relation holds, where \fIrelop\fR is one of >, <, >=, <=, =, -!=, and \fIexpr\fR is an arithmetic expression composed of integer -constants (expressed in standard C syntax), the normal binary operators -[+, -, *, /, &, |, <<, >>], a length operator, and special packet data -accessors. Note that all comparisons are unsigned, so that, for example, -0x80000000 and 0xffffffff are > 0. 
-To access -data inside the packet, use the following syntax: -.in +.5i -.nf -\fIproto\fB [ \fIexpr\fB : \fIsize\fB ]\fR -.fi -.in -.5i -\fIProto\fR is one of \fBether, fddi, tr, wlan, ppp, slip, link, -ip, arp, rarp, tcp, udp, icmp, ip6\fR or \fBradio\fR, and -indicates the protocol layer for the index operation. -(\fBether, fddi, wlan, tr, ppp, slip\fR and \fBlink\fR all refer to the -link layer. \fBradio\fR refers to the "radio header" added to some -802.11 captures.) -Note that \fItcp, udp\fR and other upper-layer protocol types only -apply to IPv4, not IPv6 (this will be fixed in the future). -The byte offset, relative to the indicated protocol layer, is -given by \fIexpr\fR. -\fISize\fR is optional and indicates the number of bytes in the -field of interest; it can be either one, two, or four, and defaults to one. -The length operator, indicated by the keyword \fBlen\fP, gives the -length of the packet. - -For example, `\fBether[0] & 1 != 0\fP' catches all multicast traffic. -The expression `\fBip[0] & 0xf != 5\fP' -catches all IPv4 packets with options. -The expression -`\fBip[6:2] & 0x1fff = 0\fP' -catches only unfragmented IPv4 datagrams and frag zero of fragmented -IPv4 datagrams. -This check is implicitly applied to the \fBtcp\fP and \fBudp\fP -index operations. -For instance, \fBtcp[0]\fP always means the first -byte of the TCP \fIheader\fP, and never means the first byte of an -intervening fragment. - -Some offsets and field values may be expressed as names rather than -as numeric values. -The following protocol header field offsets are -available: \fBicmptype\fP (ICMP type field), \fBicmpcode\fP (ICMP -code field), and \fBtcpflags\fP (TCP flags field). 
- -The following ICMP type field values are available: \fBicmp-echoreply\fP, -\fBicmp-unreach\fP, \fBicmp-sourcequench\fP, \fBicmp-redirect\fP, -\fBicmp-echo\fP, \fBicmp-routeradvert\fP, \fBicmp-routersolicit\fP, -\fBicmp-timxceed\fP, \fBicmp-paramprob\fP, \fBicmp-tstamp\fP, -\fBicmp-tstampreply\fP, \fBicmp-ireq\fP, \fBicmp-ireqreply\fP, -\fBicmp-maskreq\fP, \fBicmp-maskreply\fP. - -The following TCP flags field values are available: \fBtcp-fin\fP, -\fBtcp-syn\fP, \fBtcp-rst\fP, \fBtcp-push\fP, -\fBtcp-ack\fP, \fBtcp-urg\fP. -.LP -Primitives may be combined using: -.IP -A parenthesized group of primitives and operators -(parentheses are special to the Shell and must be escaped). -.IP -Negation (`\fB!\fP' or `\fBnot\fP'). -.IP -Concatenation (`\fB&&\fP' or `\fBand\fP'). -.IP -Alternation (`\fB||\fP' or `\fBor\fP'). -.LP -Negation has highest precedence. -Alternation and concatenation have equal precedence and associate -left to right. -Note that explicit \fBand\fR tokens, not juxtaposition, -are now required for concatenation. -.LP -If an identifier is given without a keyword, the most recent keyword -is assumed. 
-For example, -.in +.5i -.nf -\fBnot host vs and ace\fR -.fi -.in -.5i -is short for -.in +.5i -.nf -\fBnot host vs and host ace\fR -.fi -.in -.5i -which should not be confused with -.in +.5i -.nf -\fBnot ( host vs or ace )\fR -.fi -.in -.5i -.SH EXAMPLES -.LP -To select all packets arriving at or departing from \fIsundown\fP: -.RS -.nf -\fBhost sundown\fP -.fi -.RE -.LP -To select traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR: -.RS -.nf -\fBhost helios and \\( hot or ace \\)\fP -.fi -.RE -.LP -To select all IP packets between \fIace\fR and any host except \fIhelios\fR: -.RS -.nf -\fBip host ace and not helios\fP -.fi -.RE -.LP -To select all traffic between local hosts and hosts at Berkeley: -.RS -.nf -.B -net ucb-ether -.fi -.RE -.LP -To select all ftp traffic through internet gateway \fIsnup\fP: -.RS -.nf -.B -gateway snup and (port ftp or ftp-data) -.fi -.RE -.LP -To select traffic neither sourced from nor destined for local hosts -(if you gateway to one other net, this stuff should never make it -onto your local net). -.RS -.nf -.B -ip and not net \fIlocalnet\fP -.fi -.RE -.LP -To select the start and end packets (the SYN and FIN packets) of each -TCP conversation that involves a non-local host. -.RS -.nf -.B -tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net \fIlocalnet\fP -.fi -.RE -.LP -To select all IPv4 HTTP packets to and from port 80, i.e. print only -packets that contain data, not, for example, SYN and FIN packets and -ACK-only packets. (IPv6 is left as an exercise for the reader.) 
-.RS -.nf -.B -tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) -.fi -.RE -.LP -To select IP packets longer than 576 bytes sent through gateway \fIsnup\fP: -.RS -.nf -.B -gateway snup and ip[2:2] > 576 -.fi -.RE -.LP -To select IP broadcast or multicast packets that were -.I not -sent via Ethernet broadcast or multicast: -.RS -.nf -.B -ether[0] & 1 = 0 and ip[16] >= 224 -.fi -.RE -.LP -To select all ICMP packets that are not echo requests/replies (i.e., not -ping packets): -.RS -.nf -.B -icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply -.fi -.RE -.SH "SEE ALSO" -.BR pcap ( 3 ), -.BR tcpdump ( 8 ) -.SH AUTHORS -The original authors are: -.LP -Van Jacobson, -Craig Leres and -Steven McCanne, all of the -Lawrence Berkeley National Laboratory, University of California, Berkeley, CA. -.\" Fixes should be submitted to http://sourceforge.net/tracker/?group_id=53067 |
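Review bot: before the old man(7)-format page is dropped, it is worth checking that three defects visible in the deleted text are not carried verbatim into the replacement pcap-filter.5 rather than silently preserved. First, the Ethernet exceptions list under `ether proto` ends with an empty `.TP` directly followed by `.RE` (after the `atalk` entry), which leaves a tag with no body; the new page should close the list without it. Second, the `ip broadcast` paragraph reads "either because the interface on which capture is being done has no netmask this check will not work correctly", an "either ... " with no second alternative and no comma before the main clause; the rewritten sentence should say plainly that the check cannot work when the capture interface has no netmask. Third, the `action` entry has an unbalanced parenthesis in `.BR pf (4)),`. Separately, since the page moves from section 7 to section 5 and the Makefile `MAN=` line is updated accordingly, any other manual page that cross-references `pcap-filter 7` needs the matching section change; that update is not part of the visible diff, so it should be confirmed as a companion commit.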