xref: /openbsd/lib/libpcap/pcap-filter.5 (revision d89ec533)
.\"     $OpenBSD: pcap-filter.5,v 1.10 2021/09/07 06:48:42 denis Exp $
.\"
.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
.\"	The Regents of the University of California.  All rights reserved.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.Dd $Mdocdate: September 7 2021 $
.Dt PCAP-FILTER 5
.Os
.Sh NAME
.Nm pcap-filter
.Nd packet filter syntax
.Sh DESCRIPTION
.Xr pcap_compile 3
compiles pcap filters for software such as
.Xr tcpdump 8 .
The resulting filter program can then be applied to
some stream of packets to determine which packets will be supplied to
.Xr pcap_loop 3 ,
.Xr pcap_dispatch 3 ,
.Xr pcap_next 3 ,
or
.Xr pcap_next_ex 3 .
.Pp
The filter expression consists of one or more
.Em primitives .
Primitives usually consist of an
.Ar id
.Pq name or number
preceded by one or more qualifiers.
There are three different kinds of qualifier:
.Bl -tag -width "proto"
.It Ar type
Specify which kind of address component the
.Ar id
name or number refers to.
Possible types are
.Cm host ,
.Cm net
and
.Cm port .
E.g.,
.Dq host foo ,
.Dq net 128.3 ,
.Dq port 20 .
If there is no type qualifier,
.Cm host
is assumed.
.It Ar dir
Specify a particular transfer direction to and/or from
.Ar id .
Possible directions are
.Cm src ,
.Cm dst ,
.Cm src or dst ,
.Cm src and dst ,
.Cm ra ,
.Cm ta ,
.Cm addr1 ,
.Cm addr2 ,
.Cm addr3 ,
and
.Cm addr4 .
E.g.,
.Dq src foo ,
.Dq dst net 128.3 ,
.Dq src or dst port ftp-data .
If there is no
.Ar dir
qualifier,
.Cm src or dst
is assumed.
The
.Cm ra ,
.Cm ta ,
.Cm addr1 ,
.Cm addr2 ,
.Cm addr3 ,
and
.Cm addr4
qualifiers are only valid for IEEE 802.11 Wireless LAN link layers.
For null link layers (i.e., point-to-point protocols such as SLIP
.Pq Serial Line Internet Protocol
or the
.Xr pflog 4
header), the
.Cm inbound
and
.Cm outbound
qualifiers can be used to specify a desired direction.
.It Ar proto
Restrict the match to a particular protocol.
Possible protocols are:
.Cm ah ,
.Cm arp ,
.Cm atalk ,
.Cm decnet ,
.Cm esp ,
.Cm ether ,
.Cm fddi ,
.Cm icmp ,
.Cm icmp6 ,
.Cm igmp ,
.Cm igrp ,
.Cm ip ,
.Cm ip6 ,
.Cm lat ,
.Cm mopdl ,
.Cm moprc ,
.Cm pim ,
.Cm rarp ,
.Cm sca ,
.Cm stp ,
.Cm tcp ,
.Cm udp ,
and
.Cm wlan .
E.g.,
.Dq ether src foo ,
.Dq arp net 128.3 ,
.Dq tcp port 21 ,
and
.Dq wlan addr2 0:2:3:4:5:6 .
If there is no protocol qualifier,
all protocols consistent with the type are assumed.
E.g.,
.Dq src foo
means
.Do
.Pq ip or arp or rarp
src foo
.Dc
.Pq except the latter is not legal syntax ;
.Dq net bar
means
.Do
.Pq ip or arp or rarp
net bar
.Dc ;
and
.Dq port 53
means
.Do
.Pq TCP or UDP
port 53
.Dc .
.Pp
.Cm fddi
is actually an alias for
.Cm ether ;
the parser treats them identically as meaning
.Qo
the data link level used on the specified network interface
.Qc .
FDDI
.Pq Fiber Distributed Data Interface
headers contain Ethernet-like source and destination addresses,
and often contain Ethernet-like packet types,
so it's possible to filter these FDDI fields just as with the analogous
Ethernet fields.
FDDI headers also contain other fields,
but they cannot be named explicitly in a filter expression.
.Pp
Similarly,
.Cm tr
and
.Cm wlan
are aliases for
.Cm ether ;
the previous paragraph's statements about FDDI headers also apply to Token Ring
and 802.11 wireless LAN headers.
For 802.11 headers, the destination address is the DA field
and the source address is the SA field;
the BSSID, RA, and TA fields aren't tested.
.El
.Pp
In addition to the above, there are some special primitive
keywords that don't follow the pattern:
.Cm gateway ,
.Cm broadcast ,
.Cm less ,
.Cm greater ,
and arithmetic expressions.
All of these are described below.
.Pp
More complex filter expressions are built up by using the words
.Cm and ,
.Cm or ,
and
.Cm not
to combine primitives,
e.g.,
.Do
host foo and not port ftp and not port ftp-data
.Dc .
To save typing, identical qualifier lists can be omitted,
e.g.,
.Dq tcp dst port ftp or ftp-data or domain
is exactly the same as
.Do
tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain
.Dc .
.Pp
Allowable primitives are:
.Bl -tag -width "ether proto proto"
.It Cm dst host Ar host
True if the IPv4/v6 destination field of the packet is
.Ar host ,
which may be either an address or a name.
.It Cm src host Ar host
True if the IPv4/v6 source field of the packet is
.Ar host .
.It Cm host Ar host
True if either the IPv4/v6 source or destination of the packet is
.Ar host .
.Pp
Any of the above
.Ar host
expressions can be prepended with the keywords
.Cm ip , arp , rarp ,
or
.Cm ip6 ,
as in:
.Pp
.D1 Cm ip host Ar host
.Pp
which is equivalent to:
.Bd -ragged -offset indent
.Cm ether proto
.Ar ip
.Cm and host
.Ar host
.Ed
.Pp
If
.Ar host
is a name with multiple IP addresses, each address will be checked for a match.
.It Cm ether dst Ar ehost
True if the Ethernet destination address is
.Ar ehost .
.Ar ehost
may be either a name from
.Pa /etc/ethers
or a number (see
.Xr ether_aton 3
for a numeric format).
.It Cm ether src Ar ehost
True if the Ethernet source address is
.Ar ehost .
.It Cm ether host Ar ehost
True if either the Ethernet source or destination address is
.Ar ehost .
.It Cm gateway Ar host
True if the packet used
.Ar host
as a gateway; i.e., the Ethernet source or destination address was
.Ar host
but neither the IP source nor the IP destination was
.Ar host .
.Ar host
must be a name and must be found both by the machine's
host-name-to-IP-address resolution mechanisms (host name file, DNS, NIS,
etc.) and by the machine's host-name-to-Ethernet-address resolution mechanism
(such as
.Pa /etc/ethers ) .
An equivalent expression is:
.Bd -ragged -offset indent
.Cm ether host
.Ar ehost
.Cm and not host
.Ar host
.Ed
.Pp
which can be used with either names or numbers for host/ehost.
This syntax does not work in an IPv6-enabled configuration at this moment.
.It Cm dst net Ar net
True if the IPv4/v6 destination address of the packet has a network
number of
.Ar net ,
which may be either a name from the networks database
(such as
.Pa /etc/networks )
or a network number.
An IPv4 network number can be written as a dotted quad (e.g. 192.168.1.0),
dotted triple (e.g. 192.168.1), dotted pair (e.g. 172.16),
or single number (e.g. 10);
the netmask is 255.255.255.255 for a dotted quad
(which means that it's really a host match),
255.255.255.0 for a dotted triple, 255.255.0.0 for a dotted pair,
or 255.0.0.0 for a single number.
An IPv6 network number must be written out fully;
the netmask is ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff,
so IPv6 "network" matches are really always host matches,
and a network match requires a netmask length.
.It Cm src net Ar net
True if the IPv4/v6 source address of the packet has a network number of
.Ar net .
.It Cm net Ar net
True if either the IPv4/v6 source or destination address of the packet
has a network number of
.Ar net .
.It Cm net Ar net Cm mask Ar netmask
True if the IPv4 address matches
.Ar net
with the specific
.Ar netmask .
May be qualified with
.Cm src
or
.Cm dst .
Note that this syntax is not valid for IPv6 networks.
.It Cm net Ar net Ns / Ns Ar len
True if the IPv4/v6 address matches
.Ar net
with a netmask
.Ar len
bits wide.
May be qualified with
.Cm src
or
.Cm dst .
.It Cm dst port Ar port
True if the packet is IP/TCP, IP/UDP, IP6/TCP or IP6/UDP
and has a destination port value of
.Ar port .
The
.Ar port
can be a number or a name used in
.Pa /etc/services
(see
.Xr tcp 4
and
.Xr udp 4 ) .
If a name is used, both the port number and protocol are checked.
If a number or ambiguous name is used,
only the port number is checked (e.g.\&
.Dq dst port 513
will print both
TCP/login traffic and UDP/who traffic, and
.Dq port domain
will print both TCP/domain and UDP/domain traffic).
.It Cm src port Ar port
True if the packet has a source port value of
.Ar port .
.It Cm port Ar port
True if either the source or destination port of the packet is
.Ar port .
.Pp
Any of the above port expressions can be prepended with the keywords
.Cm tcp
or
.Cm udp ,
as in:
.Pp
.D1 Cm tcp src port Ar port
.Pp
which matches only TCP packets whose source port is
.Ar port .
.It Cm less Ar length
True if the packet has a length less than or equal to
.Ar length .
This is equivalent to:
.Pp
.D1 Cm len <= Ar length
.It Cm greater Ar length
True if the packet has a length greater than or equal to
.Ar length .
This is equivalent to:
.Pp
.D1 Cm len >= Ar length
.It Cm sample Ar samplerate
True if the packet has been randomly selected or sampled at a rate of 1 per
.Ar samplerate .
.It Cm ip proto Ar protocol
True if the packet is an IPv4 packet (see
.Xr ip 4 )
of protocol type
.Ar protocol .
.Ar protocol
can be a number, or one of the names from
.Xr protocols 5 ,
such as
.Cm icmp ,
.Cm icmp6 ,
.Cm igmp ,
.Cm igrp ,
.Cm pim ,
.Cm ah ,
.Cm esp ,
.Cm vrrp ,
.Cm udp ,
or
.Cm tcp .
Note that the identifiers
.Cm tcp ,
.Cm udp ,
and
.Cm icmp
are also keywords and must be escaped using a backslash character
.Pq \e .
Note that this primitive does not chase the protocol header chain.
.It Cm ip6 proto Ar protocol
True if the packet is an IPv6 packet of protocol type
.Ar protocol .
Note that this primitive does not chase the protocol header chain.
.It Cm ether broadcast
True if the packet is an Ethernet broadcast packet.
The
.Cm ether
keyword is optional.
.It Cm ip broadcast
True if the packet is an IPv4 broadcast packet.
It checks for both the all-zeroes and all-ones broadcast conventions,
and looks up the subnet mask on the interface on which the capture is
being done.
.Pp
If the subnet mask of the interface on which the capture is being done
is not known, a value of PCAP_NETMASK_UNKNOWN can be supplied;
tests for IPv4 broadcast addresses will fail to compile,
but all other tests in the filter program will be OK.
.It Cm ether multicast
True if the packet is an Ethernet multicast packet.
The
.Cm ether
keyword is optional.
This is shorthand for
.Dq ether[0] & 1 != 0 .
.It Cm ip multicast
True if the packet is an IPv4 multicast packet.
.It Cm ip6 multicast
True if the packet is an IPv6 multicast packet.
.It Cm ether proto Ar protocol
True if the packet is of ether type
.Ar protocol .
.Ar protocol
can be a number, or one of the names
.Cm ip ,
.Cm ip6 ,
.Cm arp ,
.Cm rarp ,
.Cm atalk ,
.Cm atalkarp ,
.Cm decnet ,
.Cm decdts ,
.Cm decdns ,
.Cm lanbridge ,
.Cm lat ,
.Cm mopdl ,
.Cm moprc ,
.Cm pup ,
.Cm sca ,
.Cm sprite ,
.Cm stp ,
.Cm vexp ,
.Cm vprod ,
or
.Cm xns .
These identifiers are also keywords and must be escaped
using a backslash character
.Pq Sq \e .
.Pp
In the case of FDDI (e.g.,
.Dq fddi protocol arp ) ,
and IEEE 802.11 wireless LANs (such as
.Dq wlan protocol arp ) ,
for most of those protocols
the protocol identification comes from the 802.2 Logical Link Control
.Pq LLC
header, which is usually layered on top of the FDDI or 802.11 header.
.Pp
When filtering for most protocol identifiers on FDDI or 802.11,
the filter checks only the protocol ID field of an LLC header
in so-called SNAP format with an Organizational Unit Identifier (OUI) of
0x000000, for encapsulated Ethernet; it doesn't check whether the packet
is in SNAP format with an OUI of 0x000000.
The exceptions are:
.Bl -tag -width "atalk"
.It iso
The filter checks the DSAP (Destination Service Access Point) and
SSAP (Source Service Access Point) fields of the LLC header.
.It stp
The filter checks the DSAP of the LLC header.
.It atalk
The filter checks for a SNAP-format packet with an OUI of 0x080007
and the AppleTalk etype.
.El
.Pp
In the case of Ethernet, the filter checks the Ethernet type field
for most of those protocols.
The exceptions are:
.Bl -tag -width "iso and stp"
.It iso and stp
The filter checks for an 802.3 frame and then checks the LLC header as
it does for FDDI and 802.11.
.It atalk
The filter checks both for the AppleTalk etype in an Ethernet frame and
for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11.
.El
.It Cm decnet src Ar host
True if the DECNET source address is
.Ar host ,
which may be an address of the form
.Dq 10.123 ,
or a DECNET host name.
DECNET host name support is only available on systems that are
configured to run DECNET.
.It Cm decnet dst Ar host
True if the DECNET destination address is
.Ar host .
.It Cm decnet host Ar host
True if either the DECNET source or destination address is
.Ar host .
.It Cm ifname Ar interface
True if the packet was logged as coming from the specified interface
(applies only to packets logged by
.Xr pf 4 ) .
.It Cm on Ar interface
Synonymous with the
.Cm ifname
modifier.
.It Cm rnr Ar num
True if the packet was logged as matching the specified PF rule number
in the main ruleset (applies only to packets logged by
.Xr pf 4 ) .
.It Cm rulenum Ar num
Synonymous with the
.Cm rnr
modifier.
.It Cm reason Ar code
True if the packet was logged with the specified PF reason code.
Known codes are:
.Cm match ,
.Cm bad-offset ,
.Cm fragment ,
.Cm short ,
.Cm normalize ,
.Cm memory ,
.Cm bad-timestamp ,
.Cm congestion ,
.Cm ip-option ,
.Cm proto-cksum ,
.Cm state-mismatch ,
.Cm state-insert ,
.Cm state-limit ,
.Cm src-limit ,
and
.Cm synproxy
(applies only to packets logged by
.Xr pf 4 ) .
.It Cm rset Ar name
True if the packet was logged as matching the specified PF ruleset
name of an anchored ruleset (applies only to packets logged by
.Xr pf 4 ) .
.It Cm ruleset Ar name
Synonymous with the
.Cm rset
modifier.
.It Cm srnr Ar num
True if the packet was logged as matching the specified PF rule number
of an anchored ruleset (applies only to packets logged by
.Xr pf 4 ) .
.It Cm subrulenum Ar num
Synonymous with the
.Cm srnr
modifier.
.It Cm action Ar act
True if PF took the specified action when the packet was logged.
Known actions are:
.Cm pass ,
.Cm block ,
.Cm nat ,
.Cm rdr ,
.Cm binat ,
.Cm match
and
.Cm scrub
(applies only to packets logged by
.Xr pf 4 ) .
.It Cm ip , ip6 , arp , rarp , atalk , decnet , iso , stp
Abbreviations for
.Cm ether proto Ar p ,
where
.Ar p
is one of the above protocols.
.It Cm lat , moprc , mopdl
Abbreviations for
.Cm ether proto Ar p ,
where
.Ar p
is one of the above protocols.
Note that not all applications using
.Xr pcap_open_live 3
currently know how to parse these protocols (e.g.,
.Xr tcpdump 8 ) .
.It Xo
.Cm ah ,
.Cm esp ,
.Cm icmp ,
.Cm icmp6 ,
.Cm igmp ,
.Cm igrp ,
.Cm pim ,
.Cm tcp ,
.Cm udp
.Xc
Abbreviations for
.Cm ip proto Ar p
or
.Cm ip6 proto Ar p ,
where
.Ar p
is one of the above protocols.
.It Cm wlan addr1 Ar ehost
True if the first IEEE 802.11 address is
.Ar ehost .
.It Cm wlan addr2 Ar ehost
True if the second IEEE 802.11 address is
.Ar ehost .
.It Cm wlan addr3 Ar ehost
True if the third IEEE 802.11 address is
.Ar ehost .
.It Cm wlan addr4 Ar ehost
True if the fourth IEEE 802.11 address is
.Ar ehost .
The fourth address field is only used for
WDS (Wireless Distribution System) frames.
.It Cm wlan host Ar ehost
True if either the first, second, third, or fourth
IEEE 802.11 address is
.Ar ehost .
.It Cm type Ar wlan_type
True if the IEEE 802.11 frame type matches the specified
.Ar wlan_type .
Valid types are:
.Cm mgt ,
.Cm ctl ,
.Cm data ,
or a numeric value.
.It Cm type Ar wlan_type Cm subtype Ar wlan_subtype
True if the IEEE 802.11 frame type matches the specified
.Ar wlan_type
and frame subtype matches the specified
.Ar wlan_subtype .
.Pp
If the specified
.Ar wlan_type
is
.Cm mgt ,
then valid values for
.Ar wlan_subtype
are
.Cm assoc-req ,
.Cm assoc-resp ,
.Cm reassoc-req ,
.Cm reassoc-resp ,
.Cm probe-req ,
.Cm probe-resp ,
.Cm beacon ,
.Cm atim ,
.Cm disassoc ,
.Cm auth ,
and
.Cm deauth .
.Pp
If the specified
.Ar wlan_type
is
.Cm ctl ,
then valid values for
.Ar wlan_subtype
are
.Cm ps-poll ,
.Cm rts ,
.Cm cts ,
.Cm ack ,
.Cm cf-end ,
and
.Cm cf-end-ack .
.Pp
If the specified
.Ar wlan_type
is
.Cm data ,
then valid values for
.Ar wlan_subtype
are
.Cm data ,
.Cm data-cf-ack ,
.Cm data-cf-poll ,
.Cm data-cf-ack-poll ,
.Cm null ,
.Cm cf-ack ,
.Cm cf-poll ,
.Cm cf-ack-poll ,
.Cm qos-data ,
.Cm qos-data-cf-ack ,
.Cm qos-data-cf-poll ,
.Cm qos-data-cf-ack-poll ,
.Cm qos ,
.Cm qos-cf-poll ,
and
.Cm qos-cf-ack-poll .
.It Cm subtype Ar wlan_subtype
True if the IEEE 802.11 frame subtype matches the specified
.Ar wlan_subtype
and frame has the type to which the specified
.Ar wlan_subtype
belongs.
.It Cm dir Ar dir
True if the IEEE 802.11 frame direction matches the specified
.Cm dir .
Valid directions are:
.Cm nods ,
.Cm tods ,
.Cm fromds ,
.Cm dstods ,
or a numeric value.
.It Cm vlan Op Ar vlan_id
True if the packet is an IEEE 802.1Q VLAN packet.
If
.Ar vlan_id
is specified, only true if the packet has the specified ID.
Note that the first
.Cm vlan
keyword encountered in
.Ar expression
changes the decoding offsets for the remainder of
.Ar expression
on the assumption that the packet is a VLAN packet.
This expression may be used more than once, to filter on VLAN hierarchies.
Each use of that expression increments the filter offsets by 4.
.Pp
For example,
to filter on VLAN 200 encapsulated within VLAN 100:
.Pp
.Dl vlan 100 && vlan 200
.Pp
To filter IPv4 protocols encapsulated in VLAN 300 encapsulated within any
higher order VLAN:
.Pp
.Dl vlan && vlan 300 && ip
.It Cm mpls Op Ar label
True if the packet is an MPLS (Multi-Protocol Label Switching) packet.
If
.Ar label
is specified, only true if the packet has the specified label.
Note that the first
.Cm mpls
keyword encountered in
.Ar expression
changes the decoding offsets for the remainder of
.Ar expression
on the assumption that the packet is an MPLS packet.
This expression may be used more than once, to filter on MPLS labels.
Each use of that expression increments the filter offsets by 4.
.Pp
For example,
to match packets whose first MPLS label is 42 and whose next label is 12:
.Pp
.Dl mpls 42 && mpls 12
.Pp
To filter on network 192.0.2.0/24 transported inside packets with label 42:
.Pp
.Dl mpls 42 && net 192.0.2.0/24
.It Ar expr relop expr
True if the relation holds, where
.Ar relop
is one of
.Sq > ,
.Sq < ,
.Sq >= ,
.Sq <= ,
.Sq = ,
.Sq != ,
and
.Ar expr
is an arithmetic expression composed of integer constants
(expressed in standard C syntax), the normal binary operators
.Pf ( Sq + ,
.Sq - ,
.Sq * ,
.Sq / ,
.Sq & ,
.Sq | ,
.Sq << ,
.Sq >> ) ,
a length operator, a random operator, and special packet data accessors.
Note that all comparisons are unsigned, so that, for example,
0x80000000 and 0xffffffff are > 0.
To access data inside the packet, use the following syntax:
.Pp
.D1 Ar proto Ns Op Ar expr : Ns Ar size
.Pp
.Ar proto
is one of
.Cm ether ,
.Cm fddi ,
.Cm tr ,
.Cm wlan ,
.Cm ppp ,
.Cm slip ,
.Cm link ,
.Cm ip ,
.Cm arp ,
.Cm rarp ,
.Cm tcp ,
.Cm udp ,
.Cm icmp ,
.Cm ip6 ,
or
.Cm radio ,
and indicates the protocol layer for the index operation
.Pf ( Cm ether ,
.Cm fddi ,
.Cm wlan ,
.Cm tr ,
.Cm ppp ,
.Cm slip ,
and
.Cm link
all refer to the link layer;
.Cm radio
refers to the "radio header" added to some 802.11 captures).
Note that
.Cm tcp ,
.Cm udp ,
and other upper-layer protocol types only apply to IPv4, not IPv6
(this will be fixed in the future).
The byte offset, relative to the indicated protocol layer, is given by
.Ar expr .
.Ar size
is optional and indicates the number of bytes in the field of interest;
it can be either one, two, or four, and defaults to one.
The length operator, indicated by the keyword
.Cm len ,
gives the length of the packet.
The random operator, indicated by the keyword
.Cm random ,
generates a random number.
.Pp
For example,
.Dq ether[0] & 1 != 0
catches all multicast traffic.
The expression
.Dq ip[0] & 0xf != 5
catches all IPv4 packets with options.
The expression
.Dq ip[6:2] & 0x1fff = 0
catches only unfragmented IPv4 datagrams and frag zero of fragmented
IPv4 datagrams.
This check is implicitly applied to the
.Cm tcp
and
.Cm udp
index operations.
For instance,
.Dq tcp[0]
always means the first byte of the TCP header,
and never means the first byte of an intervening fragment.
.Pp
Some offsets and field values may be expressed as names rather than
as numeric values.
The following protocol header field offsets are available:
.Cm icmptype
(ICMP type field),
.Cm icmpcode
(ICMP code field), and
.Cm tcpflags
(TCP flags field).
.Pp
The following ICMP type field values are available:
.Cm icmp-echoreply ,
.Cm icmp-unreach ,
.Cm icmp-sourcequench ,
.Cm icmp-redirect ,
.Cm icmp-echo ,
.Cm icmp-routeradvert ,
.Cm icmp-routersolicit ,
.Cm icmp-timxceed ,
.Cm icmp-paramprob ,
.Cm icmp-tstamp ,
.Cm icmp-tstampreply ,
.Cm icmp-ireq ,
.Cm icmp-ireqreply ,
.Cm icmp-maskreq ,
and
.Cm icmp-maskreply .
.Pp
The following TCP flags field values are available:
.Cm tcp-fin ,
.Cm tcp-syn ,
.Cm tcp-rst ,
.Cm tcp-push ,
.Cm tcp-ack ,
.Cm tcp-urg .
.El
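.Pp
The network-number rules for the
.Cm net
primitive above (dotted quad, triple, pair or single number implying a
mask; an explicit /len or mask; IPv6 written out in full) are easy to
misread, and a filter that matches a host where a network was intended
quietly drops traffic from a capture.
The following Python is an added example and is not part of this manual
page or of libpcap: it derives the network and mask that each written form
implies and tests addresses against it.
It also rejects a network number with host bits set, which
.Xr pcap_compile 3
refuses to compile rather than silently masking.

```python
"""Added example, not part of pcap-filter(5) or libpcap: derive the network
number and netmask that a ``net`` argument implies, following the rules in
the manual text, and test addresses against it."""
import ipaddress


def net_spec_to_network(spec):
    """Map the text after ``net`` to an ipaddress network object.

    Forms handled (from the manual page):
      a.b.c.d        -> mask 255.255.255.255 (really a host match)
      a.b.c          -> mask 255.255.255.0
      a.b            -> mask 255.255.0.0
      a              -> mask 255.0.0.0
      net/len        -> explicit prefix length, IPv4 or IPv6
      net mask m     -> explicit IPv4 netmask (not valid for IPv6)
      full IPv6 addr -> /128, i.e. a host match
    Host bits set inside the masked part raise ValueError, mirroring the
    "non-network bits set" error that pcap_compile(3) reports.
    """
    if "/" in spec:
        return ipaddress.ip_network(spec)            # strict: rejects host bits
    if " mask " in spec:
        net, mask = spec.split(" mask ", 1)
        if ":" in net:
            raise ValueError("'net ... mask ...' is not valid for IPv6")
        return ipaddress.ip_network(f"{net}/{mask}")
    if ":" in spec:
        return ipaddress.ip_network(f"{spec}/128")   # IPv6: written out fully
    octets = spec.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"bad IPv4 network number: {spec!r}")
    prefix_len = 8 * len(octets)                     # each written octet adds 8 mask bits
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{prefix_len}")


def is_valid_net_spec(spec):
    """True if the spec is accepted under the rules above."""
    try:
        net_spec_to_network(spec)
        return True
    except ValueError:
        return False


def net_matches(spec, address):
    """The ``net`` primitive: does ``address`` fall inside the network?"""
    return ipaddress.ip_address(address) in net_spec_to_network(spec)


if __name__ == "__main__":
    for spec in ("128.3", "192.168.1", "10", "192.168.1.0", "192.0.2.0/24",
                 "2001:db8::1", "10.1.0.0 mask 255.255.0.0"):
        print(f"net {spec:28} -> {net_spec_to_network(spec)}")
    print("net 192.168.1.1/24 accepted?", is_valid_net_spec("192.168.1.1/24"))
```

Note in particular that
.Dq net 192.168.1.0
is a /32 and matches exactly one address, while
.Dq net 192.168.1
is the /24 most people mean.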
.Pp
Primitives may be combined using
a parenthesized group of primitives and operators.
Parentheses are special to the shell and must be escaped.
Allowable primitives and operators are:
.Bd -ragged -offset indent
Negation
.Po
.Dq Cm \&!
or
.Dq Cm not
.Pc
.Pp
Concatenation
.Po
.Dq Cm &&
or
.Dq Cm and
.Pc
.Pp
Alternation
.Po
.Dq Cm ||
or
.Dq Cm or
.Pc
.Ed
.Pp
Negation has highest precedence.
Alternation and concatenation have equal precedence and associate
left to right, so
.Dq host foo or host bar and port 80
is read as
.Dq (host foo or host bar) and port 80 .
Explicit
.Cm and
tokens, not juxtaposition,
are now required for concatenation.
.Pp
If an identifier is given without a keyword, the most recent keyword
is assumed.
For example,
.Bd -ragged -offset indent
.Cm not host
vs
.Cm and
ace
.Ed
.Pp
is short for
.Bd -ragged -offset indent
.Cm not host
vs
.Cm and host
ace
.Ed
.Pp
which should not be confused with
.Bd -ragged -offset indent
.Cm not
.Pq Cm host No vs Cm or No ace
.Ed
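.Pp
Both rules above, the omitted-qualifier shorthand
(as in
.Dq tcp dst port ftp or ftp-data or domain )
and the equal, left-to-right precedence of
.Cm and
and
.Cm or ,
decide what a filter actually captures, and getting either wrong
silently includes or excludes traffic.
The following Python is an added example, not code from libpcap: it
expands omitted qualifier lists the way the text describes and evaluates
.Cm and ,
.Cm or
and
.Cm not
with the precedence rules stated above.
The qualifier keyword set is a subset chosen for the example, and the
truth tables passed to it stand in for real packet tests.

```python
"""Added example, not libpcap code: expand omitted qualifier lists and
evaluate and/or/not with the precedence rules from pcap-filter(5)."""

# Keyword sets are an assumption for the example: enough of the qualifiers
# from this page to expand the shorthand forms it shows.
QUALIFIERS = {"src", "dst", "host", "net", "port", "ether", "ip", "ip6",
              "arp", "rarp", "tcp", "udp", "icmp", "proto"}
ALIASES = {"&&": "and", "||": "or", "!": "not"}
OPERATORS = {"and", "or", "not", "(", ")"} | set(ALIASES)


def tokenize(expression):
    """Split on whitespace, treating parentheses as stand-alone tokens."""
    return expression.replace("(", " ( ").replace(")", " ) ").split()


def normalize(expression):
    """Return the token list with every id given its full qualifier list.

    An id with no keywords of its own inherits the keywords of the most
    recent id, so "tcp dst port ftp or ftp-data" becomes
    ["tcp dst port ftp", "or", "tcp dst port ftp-data"].
    Keyword-only primitives such as a bare "tcp" are emitted as they are
    and do not change the remembered keywords (a simplification).
    """
    out, pending, last = [], [], []
    for tok in tokenize(expression):
        if tok in OPERATORS:
            if pending:                        # e.g. "tcp and ..."
                out.append(" ".join(pending))
                pending = []
            out.append(ALIASES.get(tok, tok))
        elif tok in QUALIFIERS:
            pending.append(tok)
        else:                                  # an id: a name or a number
            if not pending:
                pending = list(last)
            out.append(" ".join(pending + [tok]))
            last, pending = pending, []
    if pending:
        out.append(" ".join(pending))
    return out


def evaluate(expression, truth):
    """Evaluate ``expression`` against ``truth``, a mapping from normalized
    primitive (e.g. "host vs") to whether it matches the packet in hand."""
    tokens = normalize(expression)

    def unary(i):
        tok = tokens[i]
        if tok == "not":                       # negation binds tightest
            value, i = unary(i + 1)
            return (not value), i
        if tok == "(":
            value, i = binary(i + 1)
            if i >= len(tokens) or tokens[i] != ")":
                raise SyntaxError("missing ')'")
            return value, i + 1
        return bool(truth[tok]), i + 1

    def binary(i):
        # and/or share one precedence level and associate left to right,
        # so "a or b and c" is "(a or b) and c", not "a or (b and c)".
        value, i = unary(i)
        while i < len(tokens) and tokens[i] in ("and", "or"):
            rhs, nxt = unary(i + 1)
            value = (value and rhs) if tokens[i] == "and" else (value or rhs)
            i = nxt
        return value, i

    value, end = binary(0)
    if end != len(tokens):
        raise SyntaxError(f"unexpected token {tokens[end]!r}")
    return value


if __name__ == "__main__":
    print(" ".join(normalize("tcp dst port ftp or ftp-data or domain")))
    print(" ".join(normalize("not host vs and ace")))
    packet = {"host vs": False, "host ace": True}
    print(evaluate("not host vs and ace", packet),
          evaluate("not (host vs or ace)", packet))
```

With a packet that involves ace but not vs, the two spellings in the text
give opposite answers, which is the whole point of the warning above.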
.Sh EXAMPLES
To select all packets arriving at or departing from
.Dq sundown :
.Pp
.Dl host sundown
.Pp
To select traffic between
.Dq helios
and either
.Dq hot
or
.Dq ace :
.Pp
.Dl host helios and \e( hot or ace \e)
.Pp
To select all IP packets between
.Dq ace
and any host except
.Dq helios :
.Pp
.Dl ip host ace and not helios
.Pp
To select all traffic between local hosts and hosts at Berkeley:
.Pp
.Dl net ucb-ether
.Pp
To select all FTP traffic through internet gateway
.Dq snup :
.Pp
.Dl gateway snup and (port ftp or ftp-data)
.Pp
To select traffic neither sourced from nor destined for local network
192.168.7.0/24
(if you gateway to one other net, this stuff should never make it
onto your local net):
.Pp
.Dl ip and not net 192.168.7.0/24
.Pp
To select the start and end packets (the SYN and FIN packets) of each
TCP connection that involves a host not in local network 192.168.7.0/24:
.Bd -literal -offset indent
tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst \e
	net 192.168.7.0/24
.Ed
.Pp
To select all IPv4 HTTP packets to and from port 80, i.e. print only
packets that contain data and not, for example, SYN and FIN packets and
ACK-only packets
(IPv6 is left as an exercise for the reader):
.Bd -literal -offset indent
tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) \e
	- ((tcp[12]&0xf0)>>2)) != 0)
.Ed
.Pp
To select IP packets longer than 576 bytes sent through gateway
.Dq snup :
.Pp
.Dl gateway snup and ip[2:2] > 576
.Pp
To select IP broadcast or multicast packets
that were not sent via Ethernet broadcast or multicast:
.Pp
.Dl ether[0] & 1 = 0 and ip[16] >= 224
.Pp
To select all ICMP packets that are not echo requests/replies
(i.e. not ping packets):
.Pp
.Dl icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
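.Pp
The byte-index expressions in the examples above can be checked by hand
against a packet you build yourself.
The following Python is an added example and not libpcap code: it
implements the
.Dq ether[] ,
.Dq ip[]
and
.Dq tcp[]
accessors for an Ethernet/IPv4/TCP frame constructed inline, including the
fragment check that
.Dq tcp[]
applies implicitly, and evaluates the options, fragment, SYN/FIN,
HTTP-payload and multicast expressions from this page against it.
The frame layout is standard; the MAC addresses, IP addresses and
payload are made up for the example, and the
.Dq tcp port 80
part of the HTTP example is left out since it is not a byte-index test.

```python
"""Added example, not libpcap code: the ether[], ip[] and tcp[] index
operations from pcap-filter(5) evaluated over a constructed Ethernet/IPv4/TCP
frame, including the fragment check that tcp[] applies implicitly."""
import struct

ETHER_HDR_LEN = 14
TCPFLAGS = 13                    # named offset from the manual page
TCP_FIN, TCP_SYN = 0x01, 0x02    # named flag values from the manual page


def build_frame(*, dst_mac=b"\x00\x50\x56\x00\x00\x01", dst_ip=b"\xc6\x33\x64\x07",
                tcp_flags=0x18, payload=b"", ip_options=b"", frag_word=0):
    """Constructed sample frame: 192.0.2.1 -> dst_ip, TCP 40000 -> 80.
    Addresses are example values; checksums are left zero because none of
    the filter expressions look at them."""
    ihl = 5 + len(ip_options) // 4                     # IHL counts 32-bit words
    total_len = ihl * 4 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234,
                         frag_word, 64, 6, 0, b"\xc0\x00\x02\x01", dst_ip)
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags,
                          65535, 0, 0)
    src_mac, ethertype_ip = b"\x00\x11\x22\x33\x44\x55", b"\x08\x00"
    return dst_mac + src_mac + ethertype_ip + ip_hdr + ip_options + tcp_hdr + payload


def ether(frame, off, size=1):
    """ether[off:size]: unsigned big-endian read relative to the link layer."""
    return int.from_bytes(frame[off:off + size], "big")


def ip(frame, off, size=1):
    """ip[off:size]: relative to the start of the IPv4 header."""
    return ether(frame, ETHER_HDR_LEN + off, size)


def tcp(frame, off, size=1):
    """tcp[off:size]: relative to the TCP header, i.e. past IHL*4 bytes of
    IPv4 header.  Returns None for a non-first fragment: tcp[...] carries an
    implicit 'ip[6:2] & 0x1fff = 0', so it never indexes into a later
    fragment whose first bytes merely look like a TCP header."""
    if ip(frame, 6, 2) & 0x1fff != 0:
        return None
    return ether(frame, ETHER_HDR_LEN + ((ip(frame, 0) & 0xf) << 2) + off, size)


def has_ip_options(frame):
    """ip[0] & 0xf != 5"""
    return ip(frame, 0) & 0xf != 5


def first_or_unfragmented(frame):
    """ip[6:2] & 0x1fff = 0"""
    return ip(frame, 6, 2) & 0x1fff == 0


def syn_or_fin(frame):
    """tcp[tcpflags] & (tcp-syn|tcp-fin) != 0"""
    flags = tcp(frame, TCPFLAGS)
    return flags is not None and flags & (TCP_SYN | TCP_FIN) != 0


def tcp_has_payload(frame):
    """((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0,
    i.e. total length minus IP header length minus TCP header length."""
    data_off = tcp(frame, 12)
    if data_off is None:
        return False
    return (ip(frame, 2, 2) - ((ip(frame, 0) & 0xf) << 2)) - ((data_off & 0xf0) >> 2) != 0


def ip_group_without_ether_group(frame):
    """ether[0] & 1 = 0 and ip[16] >= 224: IP broadcast/multicast
    destination that was not sent to an Ethernet group address."""
    return ether(frame, 0) & 1 == 0 and ip(frame, 16) >= 224


if __name__ == "__main__":
    get = build_frame(payload=b"GET / HTTP/1.0\r\n\r\n")
    later_fragment = build_frame(frag_word=0x0003, payload=b"\x02" * 8)
    print("HTTP request carries data:", tcp_has_payload(get))
    print("later fragment taken as SYN/FIN:", syn_or_fin(later_fragment))
```

The fragment case is the one worth keeping in mind when writing
detection filters: a later fragment whose payload happens to contain a
SYN-looking byte at the right offset is not matched by
.Dq tcp[tcpflags] ,
but it would be matched by an equivalent hand-written
.Dq ip[33]
expression that skips the implicit check.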
.Sh SEE ALSO
.Xr pcap_open_live 3 ,
.Xr tcpdump 8
.Sh AUTHORS
.An -nosplit
The original authors are
.An Van Jacobson ,
.An Craig Leres ,
and
.An Steven McCanne ,
all of the
Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
.\" Fixes should be submitted to http://sourceforge.net/tracker/?group_id=53067
1055