xref: /openbsd/lib/libpcap/pcap-filter.5 (revision 55cc5ba3)
.\"     $OpenBSD: pcap-filter.5,v 1.7 2021/01/20 12:37:26 sthen Exp $
.\"
.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
.\"	The Regents of the University of California.  All rights reserved.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.Dd $Mdocdate: January 20 2021 $
.Dt PCAP-FILTER 5
.Os
.Sh NAME
.Nm pcap-filter
.Nd packet filter syntax
.Sh DESCRIPTION
.Xr pcap_compile 3
compiles pcap filters for software such as
.Xr tcpdump 8 .
The resulting filter program can then be applied to
some stream of packets to determine which packets will be supplied to
.Xr pcap_loop 3 ,
.Xr pcap_dispatch 3 ,
.Xr pcap_next 3 ,
or
.Xr pcap_next_ex 3 .
.Pp
The filter expression consists of one or more
.Em primitives .
Primitives usually consist of an ID (name or number)
preceded by one or more qualifiers.
There are three different kinds of qualifier:
.Bl -tag -width "proto"
.It type
Type qualifiers say what kind of thing the ID name or number refers to.
Possible types are
.Cm host ,
.Cm net ,
and
.Cm port .
For example,
.Dq host foo ,
.Dq net 128.3 ,
and
.Dq port 20 .
If there is no type qualifier,
.Cm host
is assumed.
.It dir
Dir qualifiers specify a particular transfer direction to and/or from an ID.
Possible directions are
.Cm src ,
.Cm dst ,
.Cm src or dst ,
.Cm src and dst ,
.Cm ra ,
.Cm ta ,
.Cm addr1 ,
.Cm addr2 ,
.Cm addr3 ,
and
.Cm addr4 .
For example,
.Cm src foo ,
.Cm dst net 128.3 ,
.Cm src or dst port ftp-data .
If there is no dir qualifier,
.Cm src or dst
is assumed.
The
.Cm ra ,
.Cm ta ,
.Cm addr1 ,
.Cm addr2 ,
.Cm addr3 ,
and
.Cm addr4
qualifiers are only valid for IEEE 802.11 Wireless LAN link layers.
For some link layers, such as SLIP and the "cooked" Linux capture mode
used for the "any" device and for some other device types, the
.Cm inbound
and
.Cm outbound
qualifiers can be used to specify a desired direction.
.It proto
Proto qualifiers restrict the match to a particular protocol.
Possible
protos are:
.Cm ether ,
.Cm fddi ,
.Cm tr ,
.Cm wlan ,
.Cm ip ,
.Cm ip6 ,
.Cm arp ,
.Cm rarp ,
.Cm decnet ,
.Cm tcp ,
and
.Cm udp .
For example,
.Dq ether src foo ,
.Dq arp net 128.3 ,
.Dq tcp port 21 ,
and
.Dq wlan addr2 0:2:3:4:5:6 .
If there is no proto qualifier,
all protocols consistent with the type are assumed.
For example,
.Dq src foo
means
.Dq (ip or arp or rarp) src foo
(except the latter is not legal syntax);
.Dq net bar
means
.Dq (ip or arp or rarp) net bar ;
and
.Dq port 53
means
.Dq (tcp or udp) port 53 .
.Pp
.Cm fddi
is actually an alias for
.Cm ether ;
the parser treats them identically as meaning
"the data link level used on the specified network interface".
FDDI headers contain Ethernet-like source and destination addresses,
and often contain Ethernet-like packet types,
so it's possible to filter these FDDI fields just as with the analogous Ethernet fields.
FDDI headers also contain other fields,
but they cannot be named explicitly in a filter expression.
.Pp
Similarly,
.Cm tr
and
.Cm wlan
are aliases for
.Cm ether ;
the previous paragraph's statements about FDDI headers also apply to Token Ring
and 802.11 wireless LAN headers.
For 802.11 headers, the destination address is the DA field
and the source address is the SA field;
the BSSID, RA, and TA fields aren't tested.
.El
.Pp
In addition to the above,
there are some special primitives that don't follow the pattern:
.Cm gateway ,
.Cm broadcast ,
.Cm less ,
.Cm greater ,
and arithmetic expressions.
All of these are described below.
.Pp
More complex filter expressions are built up by using the words
.Cm and ,
.Cm or ,
and
.Cm not
to combine primitives.
For example,
.Dq host foo and not port ftp and not port ftp-data .
To save typing, identical qualifier lists can be omitted,
so that
.Dq tcp dst port ftp or ftp-data or domain
is exactly the same as
.Dq tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain .
.Pp
Allowable primitives are:
.Bl -tag -width "ether proto proto"
.It Cm dst host Ar host
True if the IPv4/v6 destination field of the packet is
.Ar host ,
which may be either an address or a name.
.It Cm src host Ar host
True if the IPv4/v6 source field of the packet is
.Ar host .
.It Cm host Ar host
True if either the IPv4/v6 source or destination of the packet is
.Ar host .
.Pp
Any of the above host expressions can be prepended with the keywords,
.Cm ip , arp , rarp ,
or
.Cm ip6 ,
as in:
.Pp
.D1 Cm ip host Ar host
.Pp
which is equivalent to:
.Bd -ragged -offset indent
.Cm ether proto
.Ar ip
.Cm and host
.Ar host
.Ed
.Pp
If
.Ar host
is a name with multiple IP addresses,
each address will be checked for a match.
.It Cm ether dst Ar ehost
True if the Ethernet destination address is
.Ar ehost ,
which may be either a name from
.Pa /etc/ethers
or a number (see
.Xr ether_aton 3
for numeric format).
.It Cm ether src Ar ehost
True if the Ethernet source address is
.Ar ehost .
.It Cm ether host Ar ehost
True if either the Ethernet source or destination address is
.Ar ehost .
.It Cm gateway Ar host
True if the packet used
.Ar host
as a gateway.
That is,
the Ethernet source or destination address was
.Ar host
but neither the IP source nor the IP destination was
.Ar host .
.Ar host
must be a name and must be found both by the machine's host-name-to-IP-address resolution
mechanisms (host name file, DNS, NIS, etc.) and by the machine's
host-name-to-Ethernet-address resolution mechanism
(such as
.Pa /etc/ethers ) .
An equivalent expression is:
.Bd -ragged -offset indent
.Cm ether host
.Ar ehost
.Cm and not host
.Ar host
.Ed
.Pp
which can be used with either names or numbers for host/ehost.
This syntax does not work in an IPv6-enabled configuration at this moment.
.It Cm dst net Ar net
True if the IPv4/v6 destination address of the packet has a network
number of
.Ar net ,
which may be either a name from the networks database
(such as
.Pa /etc/networks )
or a network number.
An IPv4 network number can be written as a dotted quad (e.g. 192.168.1.0),
dotted triple (e.g. 192.168.1), dotted pair (e.g. 172.16),
or single number (e.g. 10);
the netmask is 255.255.255.255 for a dotted quad
(which means that it's really a host match),
255.255.255.0 for a dotted triple, 255.255.0.0 for a dotted pair,
or 255.0.0.0 for a single number.
An IPv6 network number must be written out fully;
the netmask is ff:ff:ff:ff:ff:ff:ff:ff,
so IPv6 "network" matches are really always host matches,
and a network match requires a netmask length.
.It Cm src net Ar net
True if the IPv4/v6 source address of the packet has a network number of
.Ar net .
.It Cm net Ar net
True if either the IPv4/v6 source or destination address of the packet
has a network number of
.Ar net .
.It Cm net Ar net Cm mask Ar netmask
True if the IPv4 address matches
.Ar net
with the specific
.Ar netmask .
May be qualified with
.Cm src
or
.Cm dst .
Note that this syntax is not valid for IPv6 networks.
.It Cm net Ar net Ns / Ns Ar len
True if the IPv4/v6 address matches
.Ar net
with a netmask
.Ar len
bits wide.
May be qualified with
.Cm src
or
.Cm dst .
.It Cm dst port Ar port
True if the packet is IP/TCP, IP/UDP, IP6/TCP or IP6/UDP
and has a destination port value of
.Ar port .
The
.Ar port
can be a number or a name used in
.Pa /etc/services
(see
.Xr tcp 4
and
.Xr udp 4 ) .
If a name is used, both the port number and protocol are checked.
If a number or ambiguous name is used,
only the port number is checked (e.g.\&
.Dq dst port 513
will print both
TCP/login traffic and UDP/who traffic, and
.Dq port domain
will print both TCP/domain and UDP/domain traffic).
.It Cm src port Ar port
True if the packet has a source port value of
.Ar port .
.It Cm port Ar port
True if either the source or destination port of the packet is
.Ar port .
.It Cm less Ar length
True if the packet has a length less than or equal to
.Ar length .
This is equivalent to
.Cm len <= Ar length .
.It Cm greater Ar length
True if the packet has a length greater than or equal to
.Ar length .
This is equivalent to
.Cm len >= Ar length .
.It Cm sample Ar samplerate
True if the packet has been randomly selected or sampled at a rate of 1 per
.Ar samplerate .
.It Cm ip proto Ar protocol
True if the packet is an IPv4 packet (see
.Xr ip 4 )
of protocol type
.Ar protocol .
.Ar protocol
can be a number, or one of the names
.Cm icmp ,
.Cm icmp6 ,
.Cm igmp ,
.Cm igrp ,
.Cm pim ,
.Cm ah ,
.Cm esp ,
.Cm vrrp ,
.Cm udp ,
or
.Cm tcp .
Note that the identifiers
.Cm tcp ,
.Cm udp ,
and
.Cm icmp
are also keywords and must be escaped using a backslash character
.Pq \e .
Note that this primitive does not chase the protocol header chain.
.It Cm ip6 proto Ar protocol
True if the packet is an IPv6 packet of protocol type
.Ar protocol .
Note that this primitive does not chase the protocol header chain.
.It Cm ether broadcast
True if the packet is an Ethernet broadcast packet.
The
.Cm ether
keyword is optional.
.It Cm ip broadcast
True if the packet is an IPv4 broadcast packet.
It checks for both the all-zeroes and all-ones broadcast conventions,
and looks up the subnet mask on the interface on which the capture is
being done.
.Pp
If the subnet mask of the interface on which the capture is being done
is not known, a value of PCAP_NETMASK_UNKNOWN can be supplied;
tests for IPv4 broadcast addresses will fail to compile,
but all other tests in the filter program will be OK.
.It Cm ether multicast
True if the packet is an Ethernet multicast packet.
The
.Cm ether
keyword is optional.
This is shorthand for
.Dq ether[0] & 1 != 0 .
.It Cm ip multicast
True if the packet is an IPv4 multicast packet.
.It Cm ip6 multicast
True if the packet is an IPv6 multicast packet.
.It Cm ether proto Ar protocol
True if the packet is of ether type
.Ar protocol .
.Ar protocol
can be a number, or one of the names
.Cm ip ,
.Cm ip6 ,
.Cm arp ,
.Cm rarp ,
.Cm atalk ,
.Cm decnet ,
.Cm sca ,
.Cm lat ,
or
.Cm stp .
Note these identifiers are also keywords
and must be escaped using a backslash character
.Pq \e .
.Pp
In the case of FDDI (such as "fddi protocol arp")
and IEEE 802.11 wireless LANs (such as "wlan protocol arp"),
for most of those protocols
the protocol identification comes from
the 802.2 Logical Link Control (LLC) header,
which is usually layered on top of the FDDI or 802.11 header.
.Pp
When filtering for most protocol identifiers on FDDI or 802.11,
the filter checks only the protocol ID field of an LLC header
in so-called SNAP format with an Organizational Unit Identifier (OUI) of
0x000000, for encapsulated Ethernet; it doesn't check whether the packet
is in SNAP format with an OUI of 0x000000.
The exceptions are:
.Bl -tag -width "atalk"
.It iso
The filter checks the DSAP (Destination Service Access Point) and
SSAP (Source Service Access Point) fields of the LLC header.
.It stp
The filter checks the DSAP of the LLC header.
.It atalk
The filter checks for a SNAP-format packet with an OUI of 0x080007
and the AppleTalk etype.
.El
.Pp
In the case of Ethernet, the filter checks the Ethernet type field
for most of those protocols.
The exceptions are:
.Bl -tag -width "iso and stp"
.It iso and stp
The filter checks for an 802.3 frame and then checks the LLC header as
it does for FDDI and 802.11.
.It atalk
The filter checks both for the AppleTalk etype in an Ethernet frame and
for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11.
.El
.It Cm decnet src Ar host
True if the DECNET source address is
.Ar host ,
which may be an address of the form "10.123", or a DECNET hostname.
DECNET hostname support is only available on ULTRIX systems
that are configured to run DECNET.
.It Cm decnet dst Ar host
True if the DECNET destination address is
.Ar host .
.It Cm decnet host Ar host
True if either the DECNET source or destination address is
.Ar host .
.It Cm ifname Ar interface
True if the packet was logged as coming from the specified interface
(applies only to packets logged by
.Xr pf 4 ) .
.It Cm on Ar interface
Synonymous with the
.Cm ifname
modifier.
.It Cm rnr Ar num
True if the packet was logged as matching the specified PF rule number
(applies only to packets logged by
.Xr pf 4 ) .
.It Cm rulenum Ar num
Synonymous with the
.Cm rnr
modifier.
.It Cm reason Ar code
True if the packet was logged with the specified PF reason code.
The known codes are:
.Cm match ,
.Cm bad-offset ,
.Cm fragment ,
.Cm short ,
.Cm normalize ,
and
.Cm memory
(applies only to packets logged by
.Xr pf 4 ) .
.It Cm rset Ar name
True if the packet was logged as matching the specified PF ruleset
name of an anchored ruleset (applies only to packets logged by
.Xr pf 4 ) .
.It Cm ruleset Ar name
Synonymous with the
.Cm rset
modifier.
.It Cm srnr Ar num
True if the packet was logged as matching the specified PF rule number
of an anchored ruleset (applies only to packets logged by
.Xr pf 4 ) .
.It Cm subrulenum Ar num
Synonymous with the
.Cm srnr
modifier.
.It Cm action Ar act
True if PF took the specified action when the packet was logged.
Known actions are:
.Cm pass
and
.Cm block
and, with later versions of
.Xr pf 4 ,
.Cm nat ,
.Cm rdr ,
.Cm binat
and
.Cm scrub
(applies only to packets logged by
.Xr pf 4 ) .
.It Cm ip , ip6 , arp , rarp , atalk , decnet , iso , stp
Abbreviations for
.Cm ether proto Ar p ,
where
.Ar p
is one of the above protocols.
.It Cm lat , moprc , mopdl
Abbreviations for
.Cm ether proto Ar p ,
where
.Ar p
is one of the above protocols.
Note that not all applications using
.Xr pcap_open_live 3
currently know how to parse these protocols.
.It Cm type Ar wlan_type
True if the IEEE 802.11 frame type matches the specified
.Ar wlan_type .
Valid types are:
.Cm mgt ,
.Cm ctl ,
and
.Cm data .
.It Cm type Ar wlan_type Cm subtype Ar wlan_subtype
True if the IEEE 802.11 frame type matches the specified
.Ar wlan_type
and frame subtype matches the specified
.Ar wlan_subtype .
.Pp
If the specified
.Ar wlan_type
is
.Cm mgt ,
then valid values for
.Ar wlan_subtype
are
.Cm assoc-req ,
.Cm assoc-resp ,
.Cm reassoc-req ,
.Cm reassoc-resp ,
.Cm probe-req ,
.Cm probe-resp ,
.Cm beacon ,
.Cm atim ,
.Cm disassoc ,
.Cm auth ,
and
.Cm deauth .
.Pp
If the specified
.Ar wlan_type
is
.Cm ctl ,
then valid values for
.Ar wlan_subtype
are
.Cm ps-poll ,
.Cm rts ,
.Cm cts ,
.Cm ack ,
.Cm cf-end ,
and
.Cm cf-end-ack .
.Pp
If the specified
.Ar wlan_type
is
.Cm data ,
then valid values for
.Ar wlan_subtype
are
.Cm data ,
.Cm data-cf-ack ,
.Cm data-cf-poll ,
.Cm data-cf-ack-poll ,
.Cm null ,
.Cm cf-ack ,
.Cm cf-poll ,
.Cm cf-ack-poll ,
.Cm qos-data ,
.Cm qos-data-cf-ack ,
.Cm qos-data-cf-poll ,
.Cm qos-data-cf-ack-poll ,
.Cm qos ,
.Cm qos-cf-poll ,
and
.Cm qos-cf-ack-poll .
.It Cm subtype Ar wlan_subtype
True if the IEEE 802.11 frame subtype matches the specified
.Ar wlan_subtype
and frame has the type to which the specified
.Ar wlan_subtype
belongs.
.It Cm dir Ar dir
True if the IEEE 802.11 frame direction matches the specified
.Ar dir .
Valid directions are:
.Cm nods ,
.Cm tods ,
.Cm fromds ,
.Cm dstods ,
or a numeric value.
.It Cm vlan Op Ar vlan_id
True if the packet is an IEEE 802.1Q VLAN packet.
If
.Ar vlan_id
is specified, only true if the packet has the specified ID.
Note that the first
.Cm vlan
keyword encountered in
.Ar expression
changes the decoding offsets for the remainder of
.Ar expression
on the assumption that the packet is a VLAN packet.
This expression may be used more than once, to filter on VLAN hierarchies.
Each use of that expression increments the filter offsets by 4.
.Pp
For example,
to filter on VLAN 200 encapsulated within VLAN 100:
.Pp
.Dl vlan 100 && vlan 200
.Pp
To filter IPv4 protocols encapsulated in VLAN 300 encapsulated within any
higher order VLAN:
.Pp
.Dl vlan && vlan 300 && ip
.It Cm mpls Op Ar label
True if the packet is an MPLS (Multi-Protocol Label Switching) packet.
If
.Ar label
is specified, only true if the packet has the specified label.
Note that the first
.Cm mpls
keyword encountered in
.Ar expression
changes the decoding offsets for the remainder of
.Ar expression
on the assumption that the packet is an MPLS packet.
This expression may be used more than once, to filter on MPLS labels.
Each use of that expression increments the filter offsets by 4.
.Pp
For example,
to filter on MPLS label 42 first and require the next label to be 12:
.Pp
.Dl mpls 42 && mpls 12
.Pp
To filter on network 192.0.2.0/24 transported inside packets with label 42:
.Pp
.Dl mpls 42 && net 192.0.2.0/24
.It Cm tcp , udp , icmp
Abbreviations for
.Cm ip proto Ar p
or
.Cm ip6 proto Ar p ,
where
.Ar p
is one of the above protocols.
.It Ar expr relop expr
True if the relation holds, where
.Ar relop
is one of
.Sq > ,
.Sq < ,
.Sq >= ,
.Sq <= ,
.Sq = ,
.Sq != ,
and
.Ar expr
is an arithmetic expression composed of integer constants
(expressed in standard C syntax), the normal binary operators
.Pf ( Sq + ,
.Sq - ,
.Sq * ,
.Sq / ,
.Sq & ,
.Sq | ,
.Sq << ,
.Sq >> ) ,
a length operator, a random operator, and special packet data accessors.
Note that all comparisons are unsigned, so that, for example,
0x80000000 and 0xffffffff are > 0.
To access data inside the packet, use the following syntax:
.Pp
.D1 Ar proto Ns Op Ar expr : Ns Ar size
.Pp
.Ar proto
is one of
.Cm ether ,
.Cm fddi ,
.Cm tr ,
.Cm wlan ,
.Cm ppp ,
.Cm slip ,
.Cm link ,
.Cm ip ,
.Cm arp ,
.Cm rarp ,
.Cm tcp ,
.Cm udp ,
.Cm icmp ,
.Cm ip6 ,
or
.Cm radio ,
and indicates the protocol layer for the index operation
.Pf ( Cm ether ,
.Cm fddi ,
.Cm wlan ,
.Cm tr ,
.Cm ppp ,
.Cm slip ,
and
.Cm link
all refer to the link layer;
.Cm radio
refers to the "radio header" added to some 802.11 captures).
Note that
.Cm tcp ,
.Cm udp ,
and other upper-layer protocol types only apply to IPv4, not IPv6
(this will be fixed in the future).
The byte offset, relative to the indicated protocol layer, is given by
.Ar expr .
.Ar size
is optional and indicates the number of bytes in the field of interest;
it can be either one, two, or four, and defaults to one.
The length operator, indicated by the keyword
.Cm len ,
gives the length of the packet.
The random operator, indicated by the keyword
.Cm random ,
generates a random number.
.Pp
For example,
.Dq ether[0] & 1 != 0
catches all multicast traffic.
The expression
.Dq ip[0] & 0xf != 5
catches all IPv4 packets with options.
The expression
.Dq ip[6:2] & 0x1fff = 0
catches only unfragmented IPv4 datagrams and frag zero of fragmented
IPv4 datagrams.
This check is implicitly applied to the
.Cm tcp
and
.Cm udp
index operations.
For instance,
.Dq tcp[0]
always means the first byte of the TCP
.Ar header ,
and never means the first byte of an intervening fragment.
.Pp
Some offsets and field values may be expressed as names rather than
as numeric values.
The following protocol header field offsets are available:
.Cm icmptype
(ICMP type field),
.Cm icmpcode
(ICMP code field), and
.Cm tcpflags
(TCP flags field).
.Pp
The following ICMP type field values are available:
.Cm icmp-echoreply ,
.Cm icmp-unreach ,
.Cm icmp-sourcequench ,
.Cm icmp-redirect ,
.Cm icmp-echo ,
.Cm icmp-routeradvert ,
.Cm icmp-routersolicit ,
.Cm icmp-timxceed ,
.Cm icmp-paramprob ,
.Cm icmp-tstamp ,
.Cm icmp-tstampreply ,
.Cm icmp-ireq ,
.Cm icmp-ireqreply ,
.Cm icmp-maskreq ,
and
.Cm icmp-maskreply .
.Pp
The following TCP flags field values are available:
.Cm tcp-fin ,
.Cm tcp-syn ,
.Cm tcp-rst ,
.Cm tcp-push ,
.Cm tcp-ack ,
and
.Cm tcp-urg .
.El
.Pp
Primitives may be combined using
a parenthesized group of primitives and operators.
Parentheses are special to the shell and must be escaped.
.Bd -ragged -offset indent
Negation
.Po
.Dq Cm \&!
or
.Dq Cm not
.Pc
.Pp
Concatenation
.Po
.Dq Cm &&
or
.Dq Cm and
.Pc
.Pp
Alternation
.Po
.Dq Cm ||
or
.Dq Cm or
.Pc
.Ed
.Pp
Negation has highest precedence.
Alternation and concatenation have equal precedence and associate
left to right.
Note that explicit
.Cm and
tokens, not juxtaposition,
are now required for concatenation.
.Pp
If an identifier is given without a keyword, the most recent keyword
is assumed.
For example,
.Dq not host vs and ace
is short for
.Dq not host vs and host ace ,
which shouldn't be confused with
.Dq not (\& host vs or ace )\& .
.Sh EXAMPLES
To select all packets arriving at or departing from
.Dq sundown :
.Pp
.Dl host sundown
.Pp
To select traffic between
.Dq helios
and either
.Dq hot
or
.Dq ace :
.Pp
.Dl host helios and \e( hot or ace \e)
.Pp
To select all IP packets between
.Dq ace
and any host except
.Dq helios :
.Pp
.Dl ip host ace and not helios
.Pp
To select all traffic between local hosts and hosts at Berkeley:
.Pp
.Dl net ucb-ether
.Pp
To select all FTP traffic through internet gateway
.Dq snup :
.Pp
.Dl gateway snup and (port ftp or ftp-data)
.Pp
To select traffic neither sourced from nor destined for local network
192.168.7.0/24
(if you gateway to one other net, this stuff should never make it
onto your local net):
.Pp
.Dl ip and not net 192.168.7.0/24
.Pp
To select the start and end packets (the SYN and FIN packets) of each
TCP connection that involves a host not in local network 192.168.7.0/24:
.Bd -literal -offset indent
tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst \e
	net 192.168.7.0/24
.Ed
.Pp
To select all IPv4 HTTP packets to and from port 80, i.e. print only
packets that contain data and not, for example, SYN and FIN packets and
ACK-only packets
(IPv6 is left as an exercise for the reader):
.Bd -literal -offset indent
tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) \e
	- ((tcp[12]&0xf0)>>2)) != 0)
.Ed
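The packet data accessors described under "expr relop expr" and the two
examples above (the SYN/FIN test and the HTTP payload-length test), modelled
in Python as an added example that is not part of this man page or of libpcap:
it builds constructed Ethernet/IPv4/TCP frames and evaluates ip[...] and
tcp[...] the way the text describes, including the implicit fragment-zero rule
for tcp[].  The 14-byte Ethernet header, the frame builder and every function
name are assumptions of the example, not libpcap API.

```python
"""Added example, not part of pcap-filter(5) or libpcap: a Python model of the
proto[expr:size] packet data accessors applied to constructed Ethernet/IPv4/TCP
frames.  Assumes a 14-byte Ethernet header and placeholder addresses."""
import struct

ETH_HDR_LEN = 14  # assumption: plain Ethernet link layer, no VLAN tag

def build_frame(payload: bytes, tcp_flags: int = 0x18, dport: int = 80,
                frag_off: int = 0, more_frags: bool = False,
                ip_options: bytes = b"") -> bytes:
    """Constructed test frame (not a capture): Ethernet + IPv4 + TCP + payload."""
    assert len(ip_options) % 4 == 0, "IPv4 options are padded to 32-bit words"
    ihl = 5 + len(ip_options) // 4                      # header length in words
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0,
                          5 << 4,                       # data offset: 5 words
                          tcp_flags, 65535, 0, 0)
    total_len = ihl * 4 + len(tcp_hdr) + len(payload)
    flags_frag = (0x2000 if more_frags else 0) | (frag_off & 0x1fff)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 1,
                         flags_frag, 64, 6, 0,          # TTL 64, proto 6 = TCP
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ip_options
    eth = bytes(6) + bytes(6) + b"\x08\x00"             # dst, src, type 0x0800
    return eth + ip_hdr + tcp_hdr + payload

def ether_at(frame: bytes, off: int, size: int = 1) -> int:
    """ether[off:size]: unsigned big-endian field relative to the frame start."""
    return int.from_bytes(frame[off:off + size], "big")

def ip_at(frame: bytes, off: int, size: int = 1) -> int:
    """ip[off:size]: field relative to the start of the IPv4 header."""
    return ether_at(frame, ETH_HDR_LEN + off, size)

def tcp_at(frame: bytes, off: int, size: int = 1):
    """tcp[off:size]: relative to the TCP header, located via the IHL nibble.
    As in libpcap, only fragment zero qualifies; other fragments yield None."""
    if (ip_at(frame, 6, 2) & 0x1fff) != 0:
        return None
    return ether_at(frame, ETH_HDR_LEN + (ip_at(frame, 0) & 0xf) * 4 + off, size)

def is_ether_multicast(frame: bytes) -> bool:
    """ether[0] & 1 != 0"""
    return (ether_at(frame, 0) & 1) != 0

def has_ipv4_options(frame: bytes) -> bool:
    """ip[0] & 0xf != 5"""
    return (ip_at(frame, 0) & 0xf) != 5

def is_unfragmented_or_first(frame: bytes) -> bool:
    """ip[6:2] & 0x1fff = 0"""
    return (ip_at(frame, 6, 2) & 0x1fff) == 0

def tcp_payload_len(frame: bytes):
    """(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2): IPv4 total length
    minus IPv4 header minus TCP header.  None when tcp[] cannot be evaluated."""
    t12 = tcp_at(frame, 12)
    if t12 is None:
        return None
    return (ip_at(frame, 2, 2) - ((ip_at(frame, 0) & 0xf) << 2)) - ((t12 & 0xf0) >> 2)

def http_with_data(frame: bytes) -> bool:
    """The page's HTTP example: tcp port 80 and the payload-length test != 0."""
    sport, dport = tcp_at(frame, 0, 2), tcp_at(frame, 2, 2)
    if sport is None:                      # non-first fragment: no tcp[] match
        return False
    return 80 in (sport, dport) and tcp_payload_len(frame) != 0

def syn_or_fin(frame: bytes) -> bool:
    """tcp[tcpflags] & (tcp-syn|tcp-fin) != 0, with tcpflags = 13,
    tcp-fin = 0x01 and tcp-syn = 0x02."""
    flags = tcp_at(frame, 13)
    return flags is not None and (flags & 0x03) != 0
```

Feeding a non-first fragment through these functions shows why "tcp[0]" never
means a byte of an intervening fragment: every tcp[] accessor fails closed.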
.Pp
To select IP packets longer than 576 bytes sent through gateway
.Dq snup :
.Pp
.Dl gateway snup and ip[2:2] > 576
.Pp
To select IP broadcast or multicast packets
that were not sent via Ethernet broadcast or multicast:
.Pp
.Dl ether[0] & 1 = 0 and ip[16] >= 224
.Pp
To select all ICMP packets that are not echo requests/replies (i.e. not ping packets):
.Pp
.Dl icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
.Sh SEE ALSO
.Xr pcap_open_live 3 ,
.Xr tcpdump 8
.Sh AUTHORS
.An -nosplit
The original authors are
.An Van Jacobson ,
.An Craig Leres ,
and
.An Steven McCanne ,
all of the
Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
.\" Fixes should be submitted to http://sourceforge.net/tracker/?group_id=53067