.\" $OpenBSD: pcap-filter.5,v 1.5 2020/08/03 03:40:02 dlg Exp $
.\"
.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.Dd $Mdocdate: August 3 2020 $
.Dt PCAP-FILTER 5
.Os
.Sh NAME
.Nm pcap-filter
.Nd packet filter syntax
.Sh DESCRIPTION
.Xr pcap_compile 3
compiles pcap filters for software such as
.Xr tcpdump 8 .
The resulting filter program can then be applied to
some stream of packets to determine which packets will be supplied to
.Xr pcap_loop 3 ,
.Xr pcap_dispatch 3 ,
.Xr pcap_next 3 ,
or
.Xr pcap_next_ex 3 .
.Pp
The filter expression consists of one or more
.Em primitives .
Primitives usually consist of an ID (name or number)
preceded by one or more qualifiers.
There are three different kinds of qualifier:
.Bl -tag -width "proto"
.It type
Type qualifiers say what kind of thing the ID name or number refers to.
Possible types are
.Cm host ,
.Cm net ,
and
.Cm port .
For example,
.Dq host foo ,
.Dq net 128.3 ,
and
.Dq port 20 .
If there is no type qualifier,
.Cm host
is assumed.
.It dir
Dir qualifiers specify a particular transfer direction to and/or from an ID.
Possible directions are
.Cm src ,
.Cm dst ,
.Cm src or dst ,
.Cm src and dst ,
.Cm ra ,
.Cm ta ,
.Cm addr1 ,
.Cm addr2 ,
.Cm addr3 ,
and
.Cm addr4 .
For example,
.Cm src foo ,
.Cm dst net 128.3 ,
and
.Cm src or dst port ftp-data .
If there is no dir qualifier,
.Cm src or dst
is assumed.
The
.Cm ra ,
.Cm ta ,
.Cm addr1 ,
.Cm addr2 ,
.Cm addr3 ,
and
.Cm addr4
qualifiers are only valid for IEEE 802.11 Wireless LAN link layers.
For some link layers, such as SLIP and the "cooked" Linux capture mode
used for the "any" device and for some other device types, the
.Cm inbound
and
.Cm outbound
qualifiers can be used to specify a desired direction.
.It proto
Proto qualifiers restrict the match to a particular protocol.
Possible protos are:
.Cm ether ,
.Cm fddi ,
.Cm tr ,
.Cm wlan ,
.Cm ip ,
.Cm ip6 ,
.Cm arp ,
.Cm rarp ,
.Cm decnet ,
.Cm tcp ,
and
.Cm udp .
For example,
.Dq ether src foo ,
.Dq arp net 128.3 ,
.Dq tcp port 21 ,
and
.Dq wlan addr2 0:2:3:4:5:6 .
If there is no proto qualifier,
all protocols consistent with the type are assumed.
For example,
.Dq src foo
means
.Dq (ip or arp or rarp) src foo
(except the latter is not legal syntax);
.Dq net bar
means
.Dq (ip or arp or rarp) net bar ;
and
.Dq port 53
means
.Dq (tcp or udp) port 53 .
.Pp
.Cm fddi
is actually an alias for
.Cm ether ;
the parser treats them identically as meaning
"the data link level used on the specified network interface".
FDDI headers contain Ethernet-like source and destination addresses,
and often contain Ethernet-like packet types,
so it's possible to filter these FDDI fields just as with the analogous Ethernet fields.
FDDI headers also contain other fields,
but they cannot be named explicitly in a filter expression.
.Pp
Similarly,
.Cm tr
and
.Cm wlan
are aliases for
.Cm ether ;
the previous paragraph's statements about FDDI headers also apply to Token Ring
and 802.11 wireless LAN headers.
For 802.11 headers, the destination address is the DA field
and the source address is the SA field;
the BSSID, RA, and TA fields aren't tested.
.El
.Pp
In addition to the above,
there are some special primitives that don't follow the pattern:
.Cm gateway ,
.Cm broadcast ,
.Cm less ,
.Cm greater ,
and arithmetic expressions.
All of these are described below.
.Pp
More complex filter expressions are built up by using the words
.Cm and ,
.Cm or ,
and
.Cm not
to combine primitives.
For example,
.Dq host foo and not port ftp and not port ftp-data .
To save typing, identical qualifier lists can be omitted,
so that
.Dq tcp dst port ftp or ftp-data or domain
is exactly the same as
.Dq tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain .
.Pp
Allowable primitives are:
.Bl -tag -width "ether proto proto"
.It Cm dst host Ar host
True if the IPv4/v6 destination field of the packet is
.Ar host ,
which may be either an address or a name.
.It Cm src host Ar host
True if the IPv4/v6 source field of the packet is
.Ar host .
.It Cm host Ar host
True if either the IPv4/v6 source or destination of the packet is
.Ar host .
.Pp
Any of the above host expressions can be prepended with the keywords
.Cm ip , arp , rarp ,
or
.Cm ip6 ,
as in:
.Pp
.D1 Cm ip host Ar host
.Pp
which is equivalent to:
.Bd -ragged -offset indent
.Cm ether proto
.Ar ip
.Cm and host
.Ar host
.Ed
.Pp
If
.Ar host
is a name with multiple IP addresses,
each address will be checked for a match.
.It Cm ether dst Ar ehost
True if the Ethernet destination address is
.Ar ehost ,
which may be either a name from
.Pa /etc/ethers
or a number (see
.Xr ether_aton 3
for numeric format).
.It Cm ether src Ar ehost
True if the Ethernet source address is
.Ar ehost .
.It Cm ether host Ar ehost
True if either the Ethernet source or destination address is
.Ar ehost .
.It Cm gateway Ar host
True if the packet used
.Ar host
as a gateway.
That is,
the Ethernet source or destination address was
.Ar host
but neither the IP source nor the IP destination was
.Ar host .
.Ar host
must be a name and must be found both by the machine's host-name-to-IP-address resolution
mechanisms (host name file, DNS, NIS, etc.) and by the machine's
host-name-to-Ethernet-address resolution mechanism
(such as
.Pa /etc/ethers ) .
An equivalent expression is:
.Bd -ragged -offset indent
.Cm ether host
.Ar ehost
.Cm and not host
.Ar host
.Ed
.Pp
which can be used with either names or numbers for host/ehost.
This syntax does not work in an IPv6-enabled configuration at this moment.
.It Cm dst net Ar net
True if the IPv4/v6 destination address of the packet has a network
number of
.Ar net ,
which may be either a name from the networks database
(such as
.Pa /etc/networks )
or a network number.
An IPv4 network number can be written as a dotted quad (e.g. 192.168.1.0),
dotted triple (e.g. 192.168.1), dotted pair (e.g. 172.16),
or single number (e.g.
10);
the netmask is 255.255.255.255 for a dotted quad
(which means that it's really a host match),
255.255.255.0 for a dotted triple, 255.255.0.0 for a dotted pair,
or 255.0.0.0 for a single number.
An IPv6 network number must be written out fully;
the netmask is ff:ff:ff:ff:ff:ff:ff:ff,
so IPv6 "network" matches are really always host matches,
and a network match requires a netmask length.
.It Cm src net Ar net
True if the IPv4/v6 source address of the packet has a network number of
.Ar net .
.It Cm net Ar net
True if either the IPv4/v6 source or destination address of the packet
has a network number of
.Ar net .
.It Cm net Ar net Cm mask Ar netmask
True if the IPv4 address matches
.Ar net
with the specific
.Ar netmask .
May be qualified with
.Cm src
or
.Cm dst .
Note that this syntax is not valid for IPv6 networks.
.It Cm net Ar net Ns / Ns Ar len
True if the IPv4/v6 address matches
.Ar net
with a netmask
.Ar len
bits wide.
May be qualified with
.Cm src
or
.Cm dst .
.It Cm dst port Ar port
True if the packet is IP/TCP, IP/UDP, IP6/TCP or IP6/UDP
and has a destination port value of
.Ar port .
The
.Ar port
can be a number or a name used in
.Pa /etc/services
(see
.Xr tcp 4
and
.Xr udp 4 ) .
If a name is used, both the port number and protocol are checked.
If a number or ambiguous name is used,
only the port number is checked (e.g.\&
.Dq dst port 513
will print both
TCP/login traffic and UDP/who traffic, and
.Dq port domain
will print both TCP/domain and UDP/domain traffic).
.It Cm src port Ar port
True if the packet has a source port value of
.Ar port .
.It Cm port Ar port
True if either the source or destination port of the packet is
.Ar port .
.It Cm less Ar length
True if the packet has a length less than or equal to
.Ar length .
This is equivalent to
.Cm len <= Ar length .
.It Cm greater Ar length
True if the packet has a length greater than or equal to
.Ar length .
This is equivalent to
.Cm len >= Ar length .
.It Cm sample Ar samplerate
True if the packet has been randomly selected or sampled at a rate of 1 per
.Ar samplerate .
.It Cm ip proto Ar protocol
True if the packet is an IPv4 packet (see
.Xr ip 4 )
of protocol type
.Ar protocol .
.Ar protocol
can be a number, or one of the names
.Cm icmp ,
.Cm icmp6 ,
.Cm igmp ,
.Cm igrp ,
.Cm pim ,
.Cm ah ,
.Cm esp ,
.Cm vrrp ,
.Cm udp ,
or
.Cm tcp .
Note that the identifiers
.Cm tcp ,
.Cm udp ,
and
.Cm icmp
are also keywords and must be escaped using a backslash character
.Pq \e .
Note that this primitive does not chase the protocol header chain.
.It Cm ip6 proto Ar protocol
True if the packet is an IPv6 packet of protocol type
.Ar protocol .
Note that this primitive does not chase the protocol header chain.
.It Cm ether broadcast
True if the packet is an Ethernet broadcast packet.
The
.Cm ether
keyword is optional.
.It Cm ip broadcast
True if the packet is an IPv4 broadcast packet.
It checks for both the all-zeroes and all-ones broadcast conventions,
and looks up the subnet mask on the interface on which the capture is
being done.
.Pp
If the subnet mask of the interface on which the capture is being done
is not available,
this check will not work correctly.
.It Cm ether multicast
True if the packet is an Ethernet multicast packet.
The
.Cm ether
keyword is optional.
This is shorthand for
.Dq ether[0] & 1 != 0 .
.It Cm ip multicast
True if the packet is an IPv4 multicast packet.
.It Cm ip6 multicast
True if the packet is an IPv6 multicast packet.
.It Cm ether proto Ar protocol
True if the packet is of ether type
.Ar protocol .
.Ar protocol
can be a number, or one of the names
.Cm ip ,
.Cm ip6 ,
.Cm arp ,
.Cm rarp ,
.Cm atalk ,
.Cm decnet ,
.Cm sca ,
.Cm lat ,
or
.Cm stp .
Note these identifiers are also keywords
and must be escaped using a backslash character
.Pq \e .
.Pp
In the case of FDDI (such as "fddi protocol arp")
and IEEE 802.11 wireless LANs (such as "wlan protocol arp"),
for most of those protocols
the protocol identification comes from
the 802.2 Logical Link Control (LLC) header,
which is usually layered on top of the FDDI or 802.11 header.
.Pp
When filtering for most protocol identifiers on FDDI or 802.11,
the filter checks only the protocol ID field of an LLC header
in so-called SNAP format with an Organizational Unit Identifier (OUI) of
0x000000, for encapsulated Ethernet; it doesn't check whether the packet
is in SNAP format with an OUI of 0x000000.
The exceptions are:
.Bl -tag -width "atalk"
.It iso
The filter checks the DSAP (Destination Service Access Point) and
SSAP (Source Service Access Point) fields of the LLC header.
.It stp
The filter checks the DSAP of the LLC header.
.It atalk
The filter checks for a SNAP-format packet with an OUI of 0x080007
and the AppleTalk etype.
.El
.Pp
In the case of Ethernet, the filter checks the Ethernet type field
for most of those protocols.
The exceptions are:
.Bl -tag -width "iso and stp"
.It iso and stp
The filter checks for an 802.3 frame and then checks the LLC header as
it does for FDDI and 802.11.
.It atalk
The filter checks both for the AppleTalk etype in an Ethernet frame and
for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11.
.El
.It Cm decnet src Ar host
True if the DECNET source address is
.Ar host ,
which may be an address of the form "10.123", or a DECNET hostname.
DECNET hostname support is only available on ULTRIX systems
that are configured to run DECNET.
.It Cm decnet dst Ar host
True if the DECNET destination address is
.Ar host .
.It Cm decnet host Ar host
True if either the DECNET source or destination address is
.Ar host .
.It Cm ifname Ar interface
True if the packet was logged as coming from the specified interface
(applies only to packets logged by
.Xr pf 4 ) .
.It Cm on Ar interface
Synonymous with the
.Cm ifname
modifier.
.It Cm rnr Ar num
True if the packet was logged as matching the specified PF rule number
(applies only to packets logged by
.Xr pf 4 ) .
.It Cm rulenum Ar num
Synonymous with the
.Cm rnr
modifier.
.It Cm reason Ar code
True if the packet was logged with the specified PF reason code.
The known codes are:
.Cm match ,
.Cm bad-offset ,
.Cm fragment ,
.Cm short ,
.Cm normalize ,
and
.Cm memory
(applies only to packets logged by
.Xr pf 4 ) .
.It Cm rset Ar name
True if the packet was logged as matching the specified PF ruleset
name of an anchored ruleset (applies only to packets logged by
.Xr pf 4 ) .
.It Cm ruleset Ar name
Synonymous with the
.Cm rset
modifier.
.It Cm srnr Ar num
True if the packet was logged as matching the specified PF rule number
of an anchored ruleset (applies only to packets logged by
.Xr pf 4 ) .
.It Cm subrulenum Ar num
Synonymous with the
.Cm srnr
modifier.
.It Cm action Ar act
True if PF took the specified action when the packet was logged.
Known actions are:
.Cm pass
and
.Cm block
and, with later versions of
.Xr pf 4 ,
.Cm nat ,
.Cm rdr ,
.Cm binat
and
.Cm scrub
(applies only to packets logged by
.Xr pf 4 ) .
.It Cm ip , ip6 , arp , rarp , atalk , decnet , iso , stp
Abbreviations for
.Cm ether proto Ar p ,
where
.Ar p
is one of the above protocols.
.It Cm lat , moprc , mopdl
Abbreviations for
.Cm ether proto Ar p ,
where
.Ar p
is one of the above protocols.
Note that not all applications using
.Xr pcap_open_live 3
currently know how to parse these protocols.
.It Cm type Ar wlan_type
True if the IEEE 802.11 frame type matches the specified
.Ar wlan_type .
Valid types are:
.Cm mgt ,
.Cm ctl ,
and
.Cm data .
.It Cm type Ar wlan_type Cm subtype Ar wlan_subtype
True if the IEEE 802.11 frame type matches the specified
.Ar wlan_type
and the frame subtype matches the specified
.Ar wlan_subtype .
.Pp
If the specified
.Ar wlan_type
is
.Cm mgt ,
then valid values for
.Ar wlan_subtype
are
.Cm assoc-req ,
.Cm assoc-resp ,
.Cm reassoc-req ,
.Cm reassoc-resp ,
.Cm probe-req ,
.Cm probe-resp ,
.Cm beacon ,
.Cm atim ,
.Cm disassoc ,
.Cm auth ,
and
.Cm deauth .
.Pp
If the specified
.Ar wlan_type
is
.Cm ctl ,
then valid values for
.Ar wlan_subtype
are
.Cm ps-poll ,
.Cm rts ,
.Cm cts ,
.Cm ack ,
.Cm cf-end ,
and
.Cm cf-end-ack .
.Pp
If the specified
.Ar wlan_type
is
.Cm data ,
then valid values for
.Ar wlan_subtype
are
.Cm data ,
.Cm data-cf-ack ,
.Cm data-cf-poll ,
.Cm data-cf-ack-poll ,
.Cm null ,
.Cm cf-ack ,
.Cm cf-poll ,
.Cm cf-ack-poll ,
.Cm qos-data ,
.Cm qos-data-cf-ack ,
.Cm qos-data-cf-poll ,
.Cm qos-data-cf-ack-poll ,
.Cm qos ,
.Cm qos-cf-poll ,
and
.Cm qos-cf-ack-poll .
.It Cm subtype Ar wlan_subtype
True if the IEEE 802.11 frame subtype matches the specified
.Ar wlan_subtype
and the frame has the type to which the specified
.Ar wlan_subtype
belongs.
.It Cm dir Ar dir
True if the IEEE 802.11 frame direction matches the specified
.Ar dir .
Valid directions are:
.Cm nods ,
.Cm tods ,
.Cm fromds ,
.Cm dstods ,
or a numeric value.
.It Cm vlan Op Ar vlan_id
True if the packet is an IEEE 802.1Q VLAN packet.
If
.Ar vlan_id
is specified, only true if the packet has the specified ID.
Note that the first
.Cm vlan
keyword encountered in
.Ar expression
changes the decoding offsets for the remainder of
.Ar expression
on the assumption that the packet is a VLAN packet.
This expression may be used more than once, to filter on VLAN hierarchies.
Each use of that expression increments the filter offsets by 4.
.Pp
For example,
to filter on VLAN 200 encapsulated within VLAN 100:
.Pp
.Dl vlan 100 && vlan 200
.Pp
To filter IPv4 protocols encapsulated in VLAN 300 encapsulated within any
higher order VLAN:
.Pp
.Dl vlan && vlan 300 && ip
.It Cm mpls Op Ar label
True if the packet is an MPLS (Multi-Protocol Label Switching) packet.
If
.Ar label
is specified, only true if the packet has the specified label.
Note that the first
.Cm mpls
keyword encountered in
.Ar expression
changes the decoding offsets for the remainder of
.Ar expression
on the assumption that the packet is an MPLS packet.
This expression may be used more than once, to filter on MPLS labels.
Each use of that expression increments the filter offsets by 4.
.Pp
For example,
to filter on packets whose outermost MPLS label is 42 and whose next label is 12:
.Pp
.Dl mpls 42 && mpls 12
.Pp
To filter on network 192.0.2.0/24 transported inside packets with label 42:
.Pp
.Dl mpls 42 && net 192.0.2.0/24
.It Cm tcp , udp , icmp
Abbreviations for
.Cm ip proto Ar p
or
.Cm ip6 proto Ar p ,
where
.Ar p
is one of the above protocols.
.It Ar expr relop expr
True if the relation holds, where
.Ar relop
is one of
.Sq > ,
.Sq < ,
.Sq >= ,
.Sq <= ,
.Sq = ,
.Sq != ,
and
.Ar expr
is an arithmetic expression composed of integer constants
(expressed in standard C syntax), the normal binary operators
.Pf ( Sq + ,
.Sq - ,
.Sq * ,
.Sq / ,
.Sq & ,
.Sq | ,
.Sq << ,
.Sq >> ) ,
a length operator, a random operator, and special packet data accessors.
Note that all comparisons are unsigned, so that, for example,
0x80000000 and 0xffffffff are > 0.
To access data inside the packet, use the following syntax:
.Pp
.D1 Ar proto Ns Op Ar expr : Ns Ar size
.Pp
.Ar proto
is one of
.Cm ether ,
.Cm fddi ,
.Cm tr ,
.Cm wlan ,
.Cm ppp ,
.Cm slip ,
.Cm link ,
.Cm ip ,
.Cm arp ,
.Cm rarp ,
.Cm tcp ,
.Cm udp ,
.Cm icmp ,
.Cm ip6 ,
or
.Cm radio ,
and indicates the protocol layer for the index operation
.Pf ( Cm ether ,
.Cm fddi ,
.Cm wlan ,
.Cm tr ,
.Cm ppp ,
.Cm slip ,
and
.Cm link
all refer to the link layer;
.Cm radio
refers to the "radio header" added to some 802.11 captures).
Note that
.Cm tcp ,
.Cm udp ,
and other upper-layer protocol types only apply to IPv4, not IPv6
(this will be fixed in the future).
The byte offset, relative to the indicated protocol layer, is given by
.Ar expr .
.Ar size
is optional and indicates the number of bytes in the field of interest;
it can be either one, two, or four, and defaults to one.
The length operator, indicated by the keyword
.Cm len ,
gives the length of the packet.
The random operator, indicated by the keyword
.Cm random ,
generates a random number.
.Pp
For example,
.Dq ether[0] & 1 != 0
catches all multicast traffic.
The expression
.Dq ip[0] & 0xf != 5
catches all IPv4 packets with options.
The expression
.Dq ip[6:2] & 0x1fff = 0
catches only unfragmented IPv4 datagrams and frag zero of fragmented
IPv4 datagrams.
This check is implicitly applied to the
.Cm tcp
and
.Cm udp
index operations.
For instance,
.Dq tcp[0]
always means the first byte of the TCP
.Ar header ,
and never means the first byte of an intervening fragment.
.Pp
Some offsets and field values may be expressed as names rather than
as numeric values.
The following protocol header field offsets are available:
.Cm icmptype
(ICMP type field),
.Cm icmpcode
(ICMP code field), and
.Cm tcpflags
(TCP flags field).
.Pp
The following ICMP type field values are available:
.Cm icmp-echoreply ,
.Cm icmp-unreach ,
.Cm icmp-sourcequench ,
.Cm icmp-redirect ,
.Cm icmp-echo ,
.Cm icmp-routeradvert ,
.Cm icmp-routersolicit ,
.Cm icmp-timxceed ,
.Cm icmp-paramprob ,
.Cm icmp-tstamp ,
.Cm icmp-tstampreply ,
.Cm icmp-ireq ,
.Cm icmp-ireqreply ,
.Cm icmp-maskreq ,
and
.Cm icmp-maskreply .
.Pp
The following TCP flags field values are available:
.Cm tcp-fin ,
.Cm tcp-syn ,
.Cm tcp-rst ,
.Cm tcp-push ,
.Cm tcp-ack ,
and
.Cm tcp-urg .
.El
.Pp
Primitives may be combined using
a parenthesized group of primitives and operators.
Parentheses are special to the shell and must be escaped.
.Bd -ragged -offset indent
Negation
.Po
.Dq Cm \&!
or
.Dq Cm not
.Pc
.Pp
Concatenation
.Po
.Dq Cm &&
or
.Dq Cm and
.Pc
.Pp
Alternation
.Po
.Dq Cm ||
or
.Dq Cm or
.Pc
.Ed
.Pp
Negation has highest precedence.
Alternation and concatenation have equal precedence and associate
left to right.
Note that explicit
.Cm and
tokens, not juxtaposition,
are now required for concatenation.
.Pp
If an identifier is given without a keyword, the most recent keyword
is assumed.
For example,
.Dq not host vs and ace
is short for
.Dq not host vs and host ace ,
which shouldn't be confused with
.Dq not (\& host vs or ace )\& .
.Sh EXAMPLES
To select all packets arriving at or departing from
.Dq sundown :
.Pp
.Dl host sundown
.Pp
To select traffic between
.Dq helios
and either
.Dq hot
or
.Dq ace :
.Pp
.Dl host helios and \e( hot or ace \e)
.Pp
To select all IP packets between
.Dq ace
and any host except
.Dq helios :
.Pp
.Dl ip host ace and not helios
.Pp
To select all traffic between local hosts and hosts at Berkeley:
.Pp
.Dl net ucb-ether
.Pp
To select all FTP traffic through internet gateway
.Dq snup :
.Pp
.Dl gateway snup and (port ftp or ftp-data)
.Pp
To select traffic neither sourced from nor destined for local network
192.168.7.0/24
(if you gateway to one other net, this stuff should never make it
onto your local net):
.Pp
.Dl ip and not net 192.168.7.0/24
.Pp
To select the start and end packets (the SYN and FIN packets) of each
TCP connection that involves a host not in local network 192.168.7.0/24:
.Bd -literal -offset indent
tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst \e
    net 192.168.7.0/24
.Ed
.Pp
To select all IPv4 HTTP packets to and from port 80, i.e.
print only
packets that contain data and not, for example, SYN and FIN packets and
ACK-only packets
(IPv6 is left as an exercise for the reader):
.Bd -literal -offset indent
tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) \e
    - ((tcp[12]&0xf0)>>2)) != 0)
.Ed
.Pp
To select IP packets longer than 576 bytes sent through gateway
.Dq snup :
.Pp
.Dl gateway snup and ip[2:2] > 576
.Pp
To select IP broadcast or multicast packets
that were not sent via Ethernet broadcast or multicast:
.Pp
.Dl ether[0] & 1 = 0 and ip[16] >= 224
.Pp
To select all ICMP packets that are not echo requests/replies (i.e. not ping packets):
.Pp
.Dl icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
.Sh SEE ALSO
.Xr pcap_open_live 3 ,
.Xr tcpdump 8
.Sh AUTHORS
.An -nosplit
The original authors are
.An Van Jacobson ,
.An Craig Leres ,
and
.An Steven McCanne ,
all of the
Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
.\" Fixes should be submitted to http://sourceforge.net/tracker/?group_id=53067
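.Pp
The packet data accessors and the arithmetic expressions from the EXAMPLES section,
re-implemented in plain Python over constructed Ethernet/IPv4/TCP frames so the exact
bytes each expression compares can be inspected; this is an added illustration, not part
of this manual page or of libpcap.
It assumes untagged Ethernet framing (a 14-byte link header, i.e. no vlan keyword) and
applies the fragment check that the filter applies implicitly to tcp[] accessors.

```python
"""Re-implementation of several pcap-filter(5) arithmetic expressions over raw
Ethernet/IPv4/TCP frames, showing which bytes each expression compares.
Added illustration; not part of the manual page or libpcap.
Assumes untagged Ethernet framing (14-byte link header, no 'vlan' keyword)."""
import struct

ETH_HDR_LEN = 14                 # link-layer length assumed by the 'ip[...]' accessor
ETHERTYPE_IPV4 = 0x0800
TCP_FIN, TCP_SYN = 0x01, 0x02    # the tcp-fin / tcp-syn named values


def build_frame(ip_opts=b"", tcp_flags=TCP_SYN, payload=b"", frag_field=0, dport=80):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; the filter never
    inspects them). ip_opts must be a multiple of 4 bytes; frag_field is the raw
    16-bit flags+fragment-offset word of the IPv4 header."""
    ihl = (20 + len(ip_opts)) // 4                                   # header words
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    total_len = ihl * 4 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 1, frag_field,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + ip_opts
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def ip_bytes(frame, off, size=1):
    """pcap 'ip[off:size]': unsigned big-endian read relative to the IPv4 header."""
    start = ETH_HDR_LEN + off
    return int.from_bytes(frame[start:start + size], "big")


def tcp_bytes(frame, off, size=1):
    """pcap 'tcp[off:size]': read relative to the TCP header, which begins after
    (ip[0] & 0xf) << 2 bytes of IPv4 header. Callers first apply is_tcp(), which
    carries the fragment check the filter applies implicitly to tcp[] accessors."""
    start = ETH_HDR_LEN + ((ip_bytes(frame, 0) & 0xf) << 2) + off
    return int.from_bytes(frame[start:start + size], "big")


def is_ipv4(frame):
    return int.from_bytes(frame[12:14], "big") == ETHERTYPE_IPV4


def is_first_or_unfragmented(frame):
    """'ip[6:2] & 0x1fff = 0': MF flag and fragment offset both zero."""
    return ip_bytes(frame, 6, 2) & 0x1fff == 0


def is_tcp(frame):
    """'tcp' as an abbreviation of 'ip proto tcp', with the implicit fragment rule."""
    return is_ipv4(frame) and ip_bytes(frame, 9) == 6 and is_first_or_unfragmented(frame)


def has_ip_options(frame):
    """'ip[0] & 0xf != 5': an IHL above the minimum of 5 words means options follow."""
    return is_ipv4(frame) and ip_bytes(frame, 0) & 0xf != 5


def tcp_syn_or_fin(frame):
    """'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'; tcpflags names TCP byte 13."""
    return is_tcp(frame) and tcp_bytes(frame, 13) & (TCP_SYN | TCP_FIN) != 0


def tcp_payload_len(frame):
    """ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2): IPv4 total length minus the
    IPv4 header (options included) minus the TCP header (data offset field)."""
    return (ip_bytes(frame, 2, 2) - ((ip_bytes(frame, 0) & 0xf) << 2)
            - ((tcp_bytes(frame, 12) & 0xf0) >> 2))


def http_with_data(frame):
    """'tcp port 80 and (<payload length expression> != 0)' from EXAMPLES."""
    return (is_tcp(frame)
            and 80 in (tcp_bytes(frame, 0, 2), tcp_bytes(frame, 2, 2))
            and tcp_payload_len(frame) != 0)


if __name__ == "__main__":
    samples = [("syn", build_frame()),                               # handshake, no data
               ("data", build_frame(tcp_flags=0x18, payload=b"GET / HTTP/1.0\r\n\r\n")),
               ("ip-opts", build_frame(ip_opts=b"\x01\x01\x01\x00", tcp_flags=0x18,
                                       payload=b"hello")),
               ("frag", build_frame(frag_field=0x0001))]              # non-first fragment
    for name, f in samples:
        print(f"{name:8} options={has_ip_options(f)!s:5} syn|fin={tcp_syn_or_fin(f)!s:5} "
              f"payload={tcp_payload_len(f):3} http-data={http_with_data(f)}")
```

The ip-opts sample shows why the (ip[0]&0xf)<<2 term is needed: with a 24-byte IPv4 header
the payload length is still computed correctly, while the frag sample shows the implicit
fragment rule suppressing a tcp[] match even though bytes sit where a TCP header would.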