1.\" $OpenBSD: pcap-filter.5,v 1.3 2019/12/17 15:22:48 jca Exp $ 2.\" 3.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997 4.\" The Regents of the University of California. All rights reserved. 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that: (1) source code distributions 9.\" retain the above copyright notice and this paragraph in its entirety, (2) 10.\" distributions including binary code include the above copyright notice and 11.\" this paragraph in its entirety in the documentation or other materials 12.\" provided with the distribution, and (3) all advertising materials mentioning 13.\" features or use of this software display the following acknowledgement: 14.\" ``This product includes software developed by the University of California, 15.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 16.\" the University nor the names of its contributors may be used to endorse 17.\" or promote products derived from this software without specific prior 18.\" written permission. 19.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 20.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 21.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 22.\" 23.Dd $Mdocdate: December 17 2019 $ 24.Dt PCAP-FILTER 5 25.Os 26.Sh NAME 27.Nm pcap-filter 28.Nd packet filter syntax 29.Sh DESCRIPTION 30.Xr pcap_compile 3 31compiles pcap filters for software such as 32.Xr tcpdump 8 . 33The resulting filter program can then be applied to 34some stream of packets to determine which packets will be supplied to 35.Xr pcap_loop 3 , 36.Xr pcap_dispatch 3 , 37.Xr pcap_next 3 , 38or 39.Xr pcap_next_ex 3 . 40.Pp 41The filter expression consists of one or more 42.Em primitives . 43Primitives usually consist of an ID (name or number) 44preceded by one or more qualifiers. 
There are three different kinds of qualifier:
.Bl -tag -width "proto"
.It type
Type qualifiers say what kind of thing the ID name or number refers to.
Possible types are
.Cm host ,
.Cm net ,
and
.Cm port .
For example,
.Dq host foo ,
.Dq net 128.3 ,
and
.Dq port 20 .
If there is no type qualifier,
.Cm host
is assumed.
.It dir
Dir qualifiers specify a particular transfer direction to and/or from an ID.
Possible directions are
.Cm src ,
.Cm dst ,
.Cm src or dst ,
.Cm src and dst ,
.Cm ra ,
.Cm ta ,
.Cm addr1 ,
.Cm addr2 ,
.Cm addr3 ,
and
.Cm addr4 .
For example,
.Dq src foo ,
.Dq dst net 128.3 ,
and
.Dq src or dst port ftp-data .
If there is no dir qualifier,
.Cm src or dst
is assumed.
The
.Cm ra ,
.Cm ta ,
.Cm addr1 ,
.Cm addr2 ,
.Cm addr3 ,
and
.Cm addr4
qualifiers are only valid for IEEE 802.11 Wireless LAN link layers.
For some link layers, such as SLIP and the "cooked" Linux capture mode
used for the "any" device and for some other device types, the
.Cm inbound
and
.Cm outbound
qualifiers can be used to specify a desired direction.
.It proto
Proto qualifiers restrict the match to a particular protocol.
Possible protos are:
.Cm ether ,
.Cm fddi ,
.Cm tr ,
.Cm wlan ,
.Cm ip ,
.Cm ip6 ,
.Cm arp ,
.Cm rarp ,
.Cm decnet ,
.Cm tcp ,
and
.Cm udp .
For example,
.Dq ether src foo ,
.Dq arp net 128.3 ,
.Dq tcp port 21 ,
and
.Dq wlan addr2 0:2:3:4:5:6 .
If there is no proto qualifier,
all protocols consistent with the type are assumed.
For example,
.Dq src foo
means
.Dq (ip or arp or rarp) src foo
(except the latter is not legal syntax);
.Dq net bar
means
.Dq (ip or arp or rarp) net bar ;
and
.Dq port 53
means
.Dq (tcp or udp) port 53 .
.Pp
.Cm fddi
is actually an alias for
.Cm ether ;
the parser treats them identically as meaning
"the data link level used on the specified network interface".
FDDI headers contain Ethernet-like source and destination addresses,
and often contain Ethernet-like packet types,
so it's possible to filter these FDDI fields just as with the analogous
Ethernet fields.
FDDI headers also contain other fields,
but they cannot be named explicitly in a filter expression.
.Pp
Similarly,
.Cm tr
and
.Cm wlan
are aliases for
.Cm ether ;
the previous paragraph's statements about FDDI headers also apply to Token Ring
and 802.11 wireless LAN headers.
For 802.11 headers, the destination address is the DA field
and the source address is the SA field;
the BSSID, RA, and TA fields aren't tested.
.El
.Pp
In addition to the above,
there are some special primitives that don't follow the pattern:
.Cm gateway ,
.Cm broadcast ,
.Cm less ,
.Cm greater ,
and arithmetic expressions.
All of these are described below.
.Pp
More complex filter expressions are built up by using the words
.Cm and ,
.Cm or ,
and
.Cm not
to combine primitives.
For example,
.Dq host foo and not port ftp and not port ftp-data .
To save typing, identical qualifier lists can be omitted,
so that
.Dq tcp dst port ftp or ftp-data or domain
is exactly the same as
.Dq tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain .
.Pp
Allowable primitives are:
.Bl -tag -width "ether proto proto"
.It Cm dst host Ar host
True if the IPv4/v6 destination field of the packet is
.Ar host ,
which may be either an address or a name.
.It Cm src host Ar host
True if the IPv4/v6 source field of the packet is
.Ar host .
.It Cm host Ar host
True if either the IPv4/v6 source or destination of the packet is
.Ar host .
.Pp
Any of the above host expressions can be prepended with the keywords
.Cm ip , arp , rarp ,
or
.Cm ip6 ,
as in:
.Pp
.D1 Cm ip host Ar host
.Pp
which is equivalent to:
.Bd -ragged -offset indent
.Cm ether proto
.Ar ip
.Cm and host
.Ar host
.Ed
.Pp
If
.Ar host
is a name with multiple IP addresses,
each address will be checked for a match.
.It Cm ether dst Ar ehost
True if the Ethernet destination address is
.Ar ehost ,
which may be either a name from
.Pa /etc/ethers
or a number (see
.Xr ether_aton 3
for numeric format).
.It Cm ether src Ar ehost
True if the Ethernet source address is
.Ar ehost .
.It Cm ether host Ar ehost
True if either the Ethernet source or destination address is
.Ar ehost .
.It Cm gateway Ar host
True if the packet used
.Ar host
as a gateway.
That is,
the Ethernet source or destination address was
.Ar host
but neither the IP source nor the IP destination was
.Ar host .
.Ar host
must be a name and must be found both by the machine's
host-name-to-IP-address resolution mechanisms
(host name file, DNS, NIS, etc.) and by the machine's
host-name-to-Ethernet-address resolution mechanism
(such as
.Pa /etc/ethers ) .
An equivalent expression is:
.Bd -ragged -offset indent
.Cm ether host
.Ar ehost
.Cm and not host
.Ar host
.Ed
.Pp
which can be used with either names or numbers for host/ehost.
This syntax does not work in an IPv6-enabled configuration at this moment.
.It Cm dst net Ar net
True if the IPv4/v6 destination address of the packet has a network
number of
.Ar net ,
which may be either a name from the networks database
(such as
.Pa /etc/networks )
or a network number.
An IPv4 network number can be written as a dotted quad (e.g.\& 192.168.1.0),
dotted triple (e.g.\& 192.168.1), dotted pair (e.g.\& 172.16),
or single number (e.g.\&
10);
the netmask is 255.255.255.255 for a dotted quad
(which means that it's really a host match),
255.255.255.0 for a dotted triple, 255.255.0.0 for a dotted pair,
or 255.0.0.0 for a single number.
An IPv6 network number must be written out fully;
the netmask is then ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff (a /128),
so IPv6 "network" matches are really always host matches,
and a network match requires a netmask length.
.It Cm src net Ar net
True if the IPv4/v6 source address of the packet has a network number of
.Ar net .
.It Cm net Ar net
True if either the IPv4/v6 source or destination address of the packet
has a network number of
.Ar net .
.It Cm net Ar net Cm mask Ar netmask
True if the IPv4 address matches
.Ar net
with the specific
.Ar netmask .
May be qualified with
.Cm src
or
.Cm dst .
Note that this syntax is not valid for IPv6 networks.
.It Cm net Ar net Ns / Ns Ar len
True if the IPv4/v6 address matches
.Ar net
with a netmask
.Ar len
bits wide.
May be qualified with
.Cm src
or
.Cm dst .
.It Cm dst port Ar port
True if the packet is IP/TCP, IP/UDP, IP6/TCP or IP6/UDP
and has a destination port value of
.Ar port .
The
.Ar port
can be a number or a name used in
.Pa /etc/services
(see
.Xr tcp 4
and
.Xr udp 4 ) .
If a name is used, both the port number and protocol are checked.
If a number or ambiguous name is used,
only the port number is checked (e.g.\&
.Dq dst port 513
will print both
TCP/login traffic and UDP/who traffic, and
.Dq port domain
will print both TCP/domain and UDP/domain traffic).
.It Cm src port Ar port
True if the packet has a source port value of
.Ar port .
.It Cm port Ar port
True if either the source or destination port of the packet is
.Ar port .
.It Cm less Ar length
True if the packet has a length less than or equal to
.Ar length .
This is equivalent to
.Cm len <= Ar length .
.It Cm greater Ar length
True if the packet has a length greater than or equal to
.Ar length .
This is equivalent to
.Cm len >= Ar length .
.It Cm ip proto Ar protocol
True if the packet is an IPv4 packet (see
.Xr ip 4 )
of protocol type
.Ar protocol .
.Ar protocol
can be a number, or one of the names
.Cm icmp ,
.Cm icmp6 ,
.Cm igmp ,
.Cm igrp ,
.Cm pim ,
.Cm ah ,
.Cm esp ,
.Cm vrrp ,
.Cm udp ,
or
.Cm tcp .
Note that the identifiers
.Cm tcp ,
.Cm udp ,
and
.Cm icmp
are also keywords and must be escaped using a backslash character
.Pq \e .
Note that this primitive does not chase the protocol header chain.
.It Cm ip6 proto Ar protocol
True if the packet is an IPv6 packet of protocol type
.Ar protocol .
Note that this primitive does not chase the protocol header chain:
it tests only the Next Header field of the fixed IPv6 header,
so a packet carrying extension headers (hop-by-hop, routing, fragment,
and so on) ahead of the transport header will not match.
.It Cm ether broadcast
True if the packet is an Ethernet broadcast packet.
The
.Cm ether
keyword is optional.
.It Cm ip broadcast
True if the packet is an IPv4 broadcast packet.
It checks for both the all-zeroes and all-ones broadcast conventions,
and looks up the subnet mask on the interface on which the capture is
being done.
.Pp
If the subnet mask of the interface on which the capture is being done
is not available,
this check will not work correctly.
.It Cm ether multicast
True if the packet is an Ethernet multicast packet.
The
.Cm ether
keyword is optional.
This is shorthand for
.Dq ether[0] & 1 != 0 .
.It Cm ip multicast
True if the packet is an IPv4 multicast packet.
.It Cm ip6 multicast
True if the packet is an IPv6 multicast packet.
.It Cm ether proto Ar protocol
True if the packet is of ether type
.Ar protocol .
.Ar protocol
can be a number, or one of the names
.Cm ip ,
.Cm ip6 ,
.Cm arp ,
.Cm rarp ,
.Cm atalk ,
.Cm decnet ,
.Cm sca ,
.Cm lat ,
or
.Cm stp .
Note these identifiers are also keywords
and must be escaped using a backslash character
.Pq \e .
.Pp
In the case of FDDI (such as
.Dq fddi proto arp )
and IEEE 802.11 wireless LANs (such as
.Dq wlan proto arp ) ,
for most of those protocols
the protocol identification comes from
the 802.2 Logical Link Control (LLC) header,
which is usually layered on top of the FDDI or 802.11 header.
.Pp
When filtering for most protocol identifiers on FDDI or 802.11,
the filter checks only the protocol ID field of an LLC header
in so-called SNAP format with an Organizational Unit Identifier (OUI) of
0x000000, for encapsulated Ethernet; it doesn't check whether the packet
is in SNAP format with an OUI of 0x000000.
The exceptions are:
.Bl -tag -width "atalk"
.It Cm iso
The filter checks the DSAP (Destination Service Access Point) and
SSAP (Source Service Access Point) fields of the LLC header.
.It Cm stp
The filter checks the DSAP of the LLC header.
.It Cm atalk
The filter checks for a SNAP-format packet with an OUI of 0x080007
and the AppleTalk etype.
.El
.Pp
In the case of Ethernet, the filter checks the Ethernet type field
for most of those protocols.
The exceptions are:
.Bl -tag -width "iso and stp"
.It Cm iso No and Cm stp
The filter checks for an 802.3 frame and then checks the LLC header as
it does for FDDI and 802.11.
.It Cm atalk
The filter checks both for the AppleTalk etype in an Ethernet frame and
for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11.
.El
.It Cm decnet src Ar host
True if the DECNET source address is
.Ar host ,
which may be an address of the form "10.123", or a DECNET hostname.
DECNET hostname support is only available on ULTRIX systems
that are configured to run DECNET.
.It Cm decnet dst Ar host
True if the DECNET destination address is
.Ar host .
.It Cm decnet host Ar host
True if either the DECNET source or destination address is
.Ar host .
.It Cm ifname Ar interface
True if the packet was logged as coming from the specified interface
(applies only to packets logged by
.Xr pf 4 ) .
.It Cm on Ar interface
Synonymous with the
.Cm ifname
modifier.
.It Cm rnr Ar num
True if the packet was logged as matching the specified PF rule number
(applies only to packets logged by
.Xr pf 4 ) .
.It Cm rulenum Ar num
Synonymous with the
.Cm rnr
modifier.
.It Cm reason Ar code
True if the packet was logged with the specified PF reason code.
The known codes are:
.Cm match ,
.Cm bad-offset ,
.Cm fragment ,
.Cm short ,
.Cm normalize ,
and
.Cm memory
(applies only to packets logged by
.Xr pf 4 ) .
.It Cm rset Ar name
True if the packet was logged as matching the specified PF ruleset
name of an anchored ruleset (applies only to packets logged by
.Xr pf 4 ) .
.It Cm ruleset Ar name
Synonymous with the
.Cm rset
modifier.
.It Cm srnr Ar num
True if the packet was logged as matching the specified PF rule number
of an anchored ruleset (applies only to packets logged by
.Xr pf 4 ) .
.It Cm subrulenum Ar num
Synonymous with the
.Cm srnr
modifier.
.It Cm action Ar act
True if PF took the specified action when the packet was logged.
Known actions are:
.Cm pass
and
.Cm block
and, with later versions of
.Xr pf 4 ,
.Cm nat ,
.Cm rdr ,
.Cm binat
and
.Cm scrub
(applies only to packets logged by
.Xr pf 4 ) .
.It Cm ip , ip6 , arp , rarp , atalk , decnet , iso , stp
Abbreviations for
.Cm ether proto Ar p ,
where
.Ar p
is one of the above protocols.
.It Cm lat , moprc , mopdl
Abbreviations for
.Cm ether proto Ar p ,
where
.Ar p
is one of the above protocols.
Note that not all applications using
.Xr pcap_open_live 3
currently know how to parse these protocols.
.It Cm type Ar wlan_type
True if the IEEE 802.11 frame type matches the specified
.Ar wlan_type .
Valid types are:
.Cm mgt ,
.Cm ctl ,
and
.Cm data .
.It Cm type Ar wlan_type Cm subtype Ar wlan_subtype
True if the IEEE 802.11 frame type matches the specified
.Ar wlan_type
and frame subtype matches the specified
.Ar wlan_subtype .
.Pp
If the specified
.Ar wlan_type
is
.Cm mgt ,
then valid values for
.Ar wlan_subtype
are
.Cm assoc-req ,
.Cm assoc-resp ,
.Cm reassoc-req ,
.Cm reassoc-resp ,
.Cm probe-req ,
.Cm probe-resp ,
.Cm beacon ,
.Cm atim ,
.Cm disassoc ,
.Cm auth ,
and
.Cm deauth .
.Pp
If the specified
.Ar wlan_type
is
.Cm ctl ,
then valid values for
.Ar wlan_subtype
are
.Cm ps-poll ,
.Cm rts ,
.Cm cts ,
.Cm ack ,
.Cm cf-end ,
and
.Cm cf-end-ack .
.Pp
If the specified
.Ar wlan_type
is
.Cm data ,
then valid values for
.Ar wlan_subtype
are
.Cm data ,
.Cm data-cf-ack ,
.Cm data-cf-poll ,
.Cm data-cf-ack-poll ,
.Cm null ,
.Cm cf-ack ,
.Cm cf-poll ,
.Cm cf-ack-poll ,
.Cm qos-data ,
.Cm qos-data-cf-ack ,
.Cm qos-data-cf-poll ,
.Cm qos-data-cf-ack-poll ,
.Cm qos ,
.Cm qos-cf-poll ,
and
.Cm qos-cf-ack-poll .
.It Cm subtype Ar wlan_subtype
True if the IEEE 802.11 frame subtype matches the specified
.Ar wlan_subtype
and frame has the type to which the specified
.Ar wlan_subtype
belongs.
.It Cm dir Ar dir
True if the IEEE 802.11 frame direction matches the specified
.Ar dir .
Valid directions are:
.Cm nods ,
.Cm tods ,
.Cm fromds ,
.Cm dstods ,
or a numeric value.
.It Cm vlan Op Ar vlan_id
True if the packet is an IEEE 802.1Q VLAN packet.
If
.Ar vlan_id
is specified, only true if the packet has the specified ID.
Note that the first
.Cm vlan
keyword encountered in
.Ar expression
changes the decoding offsets for the remainder of
.Ar expression
on the assumption that the packet is a VLAN packet.
This expression may be used more than once, to filter on VLAN hierarchies.
Each use of that expression increments the filter offsets by 4.
The shift is unconditional, so an expression such as
.Dq ip
or
.Dq tcp port 80
that does not mention
.Cm vlan
tests the type field at the untagged position and never matches
802.1Q-tagged frames; put a
.Cm vlan
keyword before the IP primitives when tagged traffic is expected.
.Pp
For example,
to filter on VLAN 200 encapsulated within VLAN 100:
.Pp
.Dl vlan 100 && vlan 200
.Pp
To filter IPv4 protocols encapsulated in VLAN 300 encapsulated within any
higher order VLAN:
.Pp
.Dl vlan && vlan 300 && ip
.It Cm mpls Op Ar label
True if the packet is an MPLS (Multi-Protocol Label Switching) packet.
If
.Ar label
is specified, only true if the packet has the specified label.
Note that the first
.Cm mpls
keyword encountered in
.Ar expression
changes the decoding offsets for the remainder of
.Ar expression
on the assumption that the packet is an MPLS packet.
This expression may be used more than once, to filter on MPLS label stacks.
Each use of that expression increments the filter offsets by 4.
.Pp
For example,
to filter on packets whose outermost MPLS label is 42 and whose next
label is 12:
.Pp
.Dl mpls 42 && mpls 12
.Pp
To filter on network 192.0.2.0/24 transported inside packets with label 42:
.Pp
.Dl mpls 42 && net 192.0.2.0/24
.It Cm tcp , udp , icmp
Abbreviations for
.Cm ip proto Ar p
or
.Cm ip6 proto Ar p ,
where
.Ar p
is one of the above protocols.
.It Ar expr relop expr
True if the relation holds, where
.Ar relop
is one of
.Sq > ,
.Sq < ,
.Sq >= ,
.Sq <= ,
.Sq = ,
.Sq != ,
and
.Ar expr
is an arithmetic expression composed of integer constants
(expressed in standard C syntax), the normal binary operators
.Pf ( Sq + ,
.Sq - ,
.Sq * ,
.Sq / ,
.Sq & ,
.Sq | ,
.Sq << ,
.Sq >> ) ,
a length operator, and special packet data accessors.
Note that all comparisons are unsigned, so that, for example,
0x80000000 and 0xffffffff are > 0.
To access data inside the packet, use the following syntax:
.Pp
.D1 Ar proto Ns Op Ar expr : Ns Ar size
.Pp
.Ar proto
is one of
.Cm ether ,
.Cm fddi ,
.Cm tr ,
.Cm wlan ,
.Cm ppp ,
.Cm slip ,
.Cm link ,
.Cm ip ,
.Cm arp ,
.Cm rarp ,
.Cm tcp ,
.Cm udp ,
.Cm icmp ,
.Cm ip6 ,
or
.Cm radio ,
and indicates the protocol layer for the index operation
.Pf ( Cm ether ,
.Cm fddi ,
.Cm wlan ,
.Cm tr ,
.Cm ppp ,
.Cm slip ,
and
.Cm link
all refer to the link layer;
.Cm radio
refers to the "radio header" added to some 802.11 captures).
Note that
.Cm tcp ,
.Cm udp ,
and other upper-layer protocol types only apply to IPv4, not IPv6
(this will be fixed in the future).
The byte offset, relative to the indicated protocol layer, is given by
.Ar expr .
.Ar size
is optional and indicates the number of bytes in the field of interest;
it can be either one, two, or four, and defaults to one.
The length operator, indicated by the keyword
.Cm len ,
gives the length of the packet.
.Pp
For example,
.Dq ether[0] & 1 != 0
catches all multicast traffic.
The expression
.Dq ip[0] & 0xf != 5
catches all IPv4 packets with options.
The expression
.Dq ip[6:2] & 0x1fff = 0
catches only unfragmented IPv4 datagrams and frag zero of fragmented
IPv4 datagrams.
This check is implicitly applied to the
.Cm tcp
and
.Cm udp
index operations.
For instance,
.Dq tcp[0]
always means the first byte of the TCP
.Em header ,
and never means the first byte of an intervening fragment.
The same implicit check is behind the
.Cm port
primitives, so an expression such as
.Dq tcp port 80
never matches the non-first fragments of a datagram: they carry no
transport header, so the port numbers are not present to be tested.
.Pp
Some offsets and field values may be expressed as names rather than
as numeric values.
The following protocol header field offsets are available:
.Cm icmptype
(ICMP type field),
.Cm icmpcode
(ICMP code field), and
.Cm tcpflags
(TCP flags field).
.Pp
The following ICMP type field values are available:
.Cm icmp-echoreply ,
.Cm icmp-unreach ,
.Cm icmp-sourcequench ,
.Cm icmp-redirect ,
.Cm icmp-echo ,
.Cm icmp-routeradvert ,
.Cm icmp-routersolicit ,
.Cm icmp-timxceed ,
.Cm icmp-paramprob ,
.Cm icmp-tstamp ,
.Cm icmp-tstampreply ,
.Cm icmp-ireq ,
.Cm icmp-ireqreply ,
.Cm icmp-maskreq ,
and
.Cm icmp-maskreply .
.Pp
The following TCP flags field values are available:
.Cm tcp-fin ,
.Cm tcp-syn ,
.Cm tcp-rst ,
.Cm tcp-push ,
.Cm tcp-ack ,
and
.Cm tcp-urg .
.El
.Pp
Primitives may be combined using
a parenthesized group of primitives and operators.
Parentheses are special to the shell and must be escaped.
.Bd -ragged -offset indent
Negation
.Po
.Dq Cm \&!
or
.Dq Cm not
.Pc
.Pp
Concatenation
.Po
.Dq Cm &&
or
.Dq Cm and
.Pc
.Pp
Alternation
.Po
.Dq Cm ||
or
.Dq Cm or
.Pc
.Ed
.Pp
Negation has highest precedence.
Alternation and concatenation have equal precedence and associate
left to right.
Note that explicit
.Cm and
tokens, not juxtaposition,
are now required for concatenation.
.Pp
If an identifier is given without a keyword, the most recent keyword
is assumed.
For example,
.Dq not host vs and ace
is short for
.Dq not host vs and host ace ,
which shouldn't be confused with
.Dq not (\& host vs or ace )\& .
.Sh EXAMPLES
To select all packets arriving at or departing from
.Dq sundown :
.Pp
.Dl host sundown
.Pp
To select traffic between
.Dq helios
and either
.Dq hot
or
.Dq ace :
.Pp
.Dl host helios and \e( hot or ace \e)
.Pp
To select all IP packets between
.Dq ace
and any host except
.Dq helios :
.Pp
.Dl ip host ace and not helios
.Pp
To select all traffic between local hosts and hosts at Berkeley:
.Pp
.Dl net ucb-ether
.Pp
To select all FTP traffic through internet gateway
.Dq snup :
.Pp
.Dl gateway snup and \e( port ftp or ftp-data \e)
.Pp
To select traffic neither sourced from nor destined for local network
192.168.7.0/24
(if you gateway to one other net, this stuff should never make it
onto your local net):
.Pp
.Dl ip and not net 192.168.7.0/24
.Pp
To select the start and end packets (the SYN and FIN packets) of each
TCP connection that involves a host not in local network 192.168.7.0/24:
.Bd -literal -offset indent
tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst \e
	net 192.168.7.0/24
.Ed
.Pp
To select all IPv4 HTTP packets to and from port 80, i.e.\& print only
packets that contain data and not, for example, SYN and FIN packets and
ACK-only packets
(IPv6 is left as an exercise for the reader):
.Bd -literal -offset indent
tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) \e
	- ((tcp[12]&0xf0)>>2)) != 0)
.Ed
.Pp
To select IP packets longer than 576 bytes sent through gateway
.Dq snup :
.Pp
.Dl gateway snup and ip[2:2] > 576
.Pp
To select IP broadcast or multicast packets
that were not sent via Ethernet broadcast or multicast:
.Pp
.Dl ether[0] & 1 = 0 and ip[16] >= 224
.Pp
To select all ICMP packets that are not echo requests/replies
(i.e.\& not ping packets):
.Pp
.Dl icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
.Sh SEE ALSO
.Xr pcap_open_live 3 ,
.Xr tcpdump 8
.Sh AUTHORS
.An -nosplit
The original authors are
.An Van Jacobson ,
.An Craig Leres ,
and
.An Steven McCanne ,
all of the
Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
.\" Fixes should be submitted to http://sourceforge.net/tracker/?group_id=53067
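.Pp
The packet data accessors, the implicit fragment check on tcp[] and the
offset shift performed by each vlan keyword are easiest to understand
against concrete bytes.
The following Python is an added example, not code from this manual page,
from libpcap or from tcpdump: it evaluates four of the expressions above
(the unfragmented check, the SYN/FIN check, the HTTP-data expression from
EXAMPLES, and a stacked-VLAN filter) over Ethernet/IPv4/TCP frames that
the script constructs itself.
The addresses, ports, option bytes and the names build_ipv4_tcp,
build_frame, Packet, matches and evaluate_all are the example's own
assumptions; it produces no BPF code, and to see what pcap_compile(3)
really emits for an expression, run tcpdump -d on it.

```python
"""Emulate how pcap-filter evaluates a few of this page's expressions.

Added example, not code from this manual page, libpcap or tcpdump: it mirrors
the semantics described above (proto[offset:size] accessors, the implicit
fragment check on tcp[], and the per-keyword offset shift of `vlan`) for
Ethernet/IPv4/TCP frames that are constructed right here.
"""
import struct

ETHERTYPE_IP, ETHERTYPE_VLAN, IPPROTO_TCP = 0x0800, 0x8100, 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_ipv4_tcp(payload, flags, frag=0, tcp_opts=b""):
    """Constructed IPv4/TCP packet; the addresses 192.0.2.1 -> 198.51.100.7:80 are hypothetical."""
    doff = 5 + len(tcp_opts) // 4                        # TCP data offset, in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, flags, 65535, 0, 0)
    tcp += tcp_opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, frag, 64,
                     IPPROTO_TCP, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + tcp


def build_frame(ip_packet, vlans=()):
    """Wrap an IP packet in Ethernet, adding one 802.1Q tag per entry in `vlans` (outermost first)."""
    hdr = bytes([0x00, 0x00, 0x5E, 0x00, 0x53, 0x01]) + bytes([0x00, 0x00, 0x5E, 0x00, 0x53, 0x02])
    for vid in vlans:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)   # TPID, then TCI with PCP/DEI zero
    return hdr + struct.pack("!H", ETHERTYPE_IP) + ip_packet


class NoMatch(Exception):
    """A field lies outside the packet or its layer is absent: BPF treats that as 'false'."""


class Packet:
    def __init__(self, frame):
        self.frame = frame
        self.vlan_depth = 0           # number of `vlan` keywords seen so far in the expression

    def _get(self, off, size=1):
        if off < 0 or off + size > len(self.frame):
            raise NoMatch
        return int.from_bytes(self.frame[off:off + size], "big")

    def ether(self, off, size=1):     # ether[off:size]
        return self._get(off, size)

    def vlan(self, vid=None):         # vlan [vid]
        tpid_off = 12 + 4 * self.vlan_depth
        self.vlan_depth += 1          # every later offset moves by 4, whether or not this matches
        if self._get(tpid_off, 2) != ETHERTYPE_VLAN:
            return False
        return vid is None or (self._get(tpid_off + 2, 2) & 0x0FFF) == vid

    def _ip_off(self):
        etype_off = 12 + 4 * self.vlan_depth
        if self._get(etype_off, 2) != ETHERTYPE_IP:
            raise NoMatch             # without `vlan`, a tagged frame shows 0x8100 here and never matches `ip`
        return etype_off + 2

    def ip(self, off, size=1):        # ip[off:size]
        return self._get(self._ip_off() + off, size)

    def tcp(self, off, size=1):       # tcp[off:size], with the implicit fragment check
        base = self._ip_off()
        if self._get(base + 9) != IPPROTO_TCP or (self.ip(6, 2) & 0x1FFF) != 0:
            raise NoMatch             # not TCP, or a non-first fragment that carries no TCP header
        return self._get(base + (self.ip(0) & 0x0F) * 4 + off, size)


def matches(frame, expr):
    """Apply a filter (a Python callable standing in for the compiled program) to one frame."""
    try:
        return bool(expr(Packet(frame)))
    except NoMatch:
        return False


# Python binds == tighter than &, the opposite of pcap-filter, hence the extra parentheses.
EXPRESSIONS = {
    "unfragmented": lambda p: (p.ip(6, 2) & 0x1FFF) == 0,                 # ip[6:2] & 0x1fff = 0
    "syn-or-fin":   lambda p: (p.tcp(13) & (TCP_SYN | TCP_FIN)) != 0,     # tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
    "http-data":    lambda p: (p.tcp(0, 2) == 80 or p.tcp(2, 2) == 80) and  # tcp port 80 and (((ip[2:2] -
                    ((p.ip(2, 2) - ((p.ip(0) & 0xF) << 2)) - ((p.tcp(12) & 0xF0) >> 2)) != 0,  # ...) != 0)
    "qinq-http":    lambda p: p.vlan(100) and p.vlan(200) and (p.tcp(0, 2) == 80 or p.tcp(2, 2) == 80),
}

HTTP_REQ = b"GET / HTTP/1.0\r\n\r\n"
TS_OPTS = b"\x01\x01\x08\x0a" + bytes(8)          # NOP, NOP, timestamp option: 12 bytes of options, no payload
SAMPLE_FRAMES = {                                    # all constructed for this example
    "syn":       build_frame(build_ipv4_tcp(b"", TCP_SYN)),
    "ack-opts":  build_frame(build_ipv4_tcp(b"", TCP_ACK, tcp_opts=TS_OPTS)),
    "data":      build_frame(build_ipv4_tcp(HTTP_REQ, TCP_ACK | TCP_PUSH)),
    "fragment":  build_frame(build_ipv4_tcp(b"x" * 8, TCP_ACK, frag=0x2000 | 185)),
    "qinq-data": build_frame(build_ipv4_tcp(HTTP_REQ, TCP_ACK | TCP_PUSH), vlans=(100, 200)),
}


def evaluate_all(frames=SAMPLE_FRAMES, exprs=EXPRESSIONS):
    """Return {frame name: {expression name: matched?}}."""
    return {name: {ename: matches(frame, e) for ename, e in exprs.items()}
            for name, frame in frames.items()}


if __name__ == "__main__":
    for name, row in evaluate_all().items():
        print(f"{name:10s}", "  ".join(f"{k}={'Y' if v else 'n'}" for k, v in row.items()))
```

Two rows are the instructive ones: "ack-opts" has the same on-the-wire
length as a short data segment but fails the HTTP-data expression
because the subtraction uses the real TCP data offset rather than a
fixed 20, and "qinq-data" fails every expression that omits vlan, since
those test the type field at offset 12 where the tagged frame carries
0x8100.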