add winpcap 4.0.2 from url http://www.winpcap.org/

[natblaster.git] / winpcap / dox / language.htm

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title></title>
</head>

<body>
<DL COMPACT>
<DT>Note: this document has been drawn from the tcpdump man page. The original version can
  be found at&nbsp; <a href="http://www.tcpdump.org">www.tcpdump.org</a>.
<dd>&nbsp;</dd>
<DT>wpcap filters are based on a declarative predicate syntax. A filter is
  an ASCII string containing a filtering <I>expression</I>.&nbsp;pcap_compile()
  takes the expression and translates it in a program for the kernel-level
  packet filter.
</DL>
<p>The expression selects which packets will be dumped.
If no expression
is given, all packets on the net will be accepted by the kernel-level filtering
engine.
Otherwise,
only packets for which <I>expression</I> is `true' will be accepted.</p>
<P>

The <I>expression</I> consists of one or more
<I>primitives.</I>

Primitives usually consist of an
<I>id</I>

(name or number) preceded by one or more qualifiers.
There are three
different kinds of qualifier:
<DL COMPACT>
<DT><I>type</I><DD>
qualifiers say what kind of thing the id name or number refers to.
Possible types are
<B>host</B>,

<B>net</B>

and
<B>port</B>.

E.g., `host foo', `net 128.3', `port 20'.
If there is no type
qualifier,
<B>host</B>

is assumed.
<DT><I>dir</I><DD>
qualifiers specify a particular transfer direction to and/or from
<I>id</I>.

Possible directions are
<B>src</B>,

<B>dst</B>,

<B>src or dst</B>

and
<B>src and</B>

<B>dst</B>.

E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'.
If
there is no dir qualifier,
<B>src or dst</B>

is assumed.
For `null' link layers (i.e. point to point protocols such as slip) the
<B>inbound</B>

and
<B>outbound</B>

qualifiers can be used to specify a desired direction.
<DT><I>proto</I><DD>
qualifiers restrict the match to a particular protocol.
Possible
protos are:
<B>ether</B>,

<B>fddi</B>,

<B>tr</B>,

<B>ip</B>,

<B>ip6</B>,

<B>arp</B>,

<B>rarp</B>,

<B>decnet</B>,

<B>tcp</B>

and
<B>udp</B>.

E.g., `ether src foo', `arp net 128.3', `tcp port 21'.
If there is
no proto qualifier, all protocols consistent with the type are
assumed.
E.g., `src foo' means `(ip or arp or rarp) src foo'
(except the latter is not legal syntax), `net bar' means `(ip or
arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
</DL>
<P>

[`fddi' is actually an alias for `ether'; the parser treats them
identically as meaning ``the data link level used on the specified
network interface.''  FDDI headers contain Ethernet-like source
and destination addresses, and often contain Ethernet-like packet
types, so you can filter on these FDDI fields just as with the
analogous Ethernet fields.
FDDI headers also contain other fields,
but you cannot name them explicitly in a filter expression.
<P>

Similarly, `tr' is an alias for `ether'; the previous paragraph's
statements about FDDI headers also apply to Token Ring headers.]
<P>

In addition to the above, there are some special `primitive' keywords
that don't follow the pattern:
<B>gateway</B>,

<B>broadcast</B>,

<B>less</B>,

<B>greater</B>

and arithmetic expressions.
All of these are described below.
<P>

More complex filter expressions are built up by using the words
<B>and</B>,

<B>or</B>

and
<B>not</B>

to combine primitives.
E.g., `host foo and not port ftp and not port ftp-data'.
To save typing, identical qualifier lists can be omitted.
E.g.,
`tcp dst port ftp or ftp-data or domain' is exactly the same as
`tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.
<P>

Allowable primitives are:
<DL COMPACT>
<DT><B>dst host </B><I>host</I><DD>
True if the IPv4/v6 destination field of the packet is <I>host</I>,
which may be either an address or a name.
<DT><B>src host </B><I>host</I><DD>
True if the IPv4/v6 source field of the packet is <I>host</I>.
<DT><B>host </B><I>host</I><DD>
True if either the IPv4/v6 source or destination of the packet is <I>host</I>.
Any of the above host expressions can be prepended with the keywords,
<B>ip</B>, <B>arp</B>, <B>rarp</B>, or <B>ip6</B> as in:
<dl COMPACT>
  <dd>

<PRE><B>ip host </B><I>host</I></PRE>


  </dd>
</dl>


which is equivalent to:
<dl COMPACT>
  <dd>

<PRE><B>ether proto </B><I>\ip</I><B> and host </B><I>host</I></PRE>


  </dd>
</dl>


If <I>host</I> is a name with multiple IP addresses, each address will
be checked for a match.
<DT><B>ether dst </B><I>ehost</I><DD>
True if the ethernet destination address is <I>ehost</I>.
<I>Ehost</I>
may be either a name from /etc/ethers or a number (see
<I>ethers</I>(3N)

for numeric format).
<DT><B>ether src </B><I>ehost</I><DD>
True if the ethernet source address is <I>ehost</I>.
<DT><B>ether host </B><I>ehost</I><DD>
True if either the ethernet source or destination address is <I>ehost</I>.
<DT><B>gateway</B> <I>host</I><DD>
True if the packet used <I>host</I> as a gateway.
I.e., the ethernet
source or destination address was <I>host</I> but neither the IP source
nor the IP destination was <I>host</I>.
<I>Host</I> must be a name and
must be found both by the machine's host-name-to-IP-address resolution
mechanisms (host name file, DNS, NIS, etc.) and by the machine's
host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.).
(An equivalent expression is
<dl COMPACT>
  <dd>

<PRE><B>ether host </B><I>ehost </I><B>and not host </B><I>host</I></PRE>


  </dd>
</dl>


which can be used with either names or numbers for <I>host / ehost</I>.)
This syntax does not work in IPv6-enabled configuration at this moment.
<DT><B>dst net </B><I>net</I><DD>
True if the IPv4/v6 destination address of the packet has a network
number of <I>net</I>.
<I>Net</I> may be either a name from /etc/networks
or a network number (see <I>networks(4)</I> for details).
<DT><B>src net </B><I>net</I><DD>
True if the IPv4/v6 source address of the packet has a network
number of <I>net</I>.
<DT><B>net </B><I>net</I><DD>
True if either the IPv4/v6 source or destination address of the packet has a network
number of <I>net</I>.
<DT><B>net </B><I>net</I> <B>mask </B><I>netmask</I><DD>
True if the IP address matches <I>net</I> with the specific <I>netmask</I>.
May be qualified with <B>src</B> or <B>dst</B>.
Note that this syntax is not valid for IPv6 <I>net</I>.
<DT><B>net </B><I>net</I>/<I>len</I><DD>
True if the IPv4/v6 address matches <I>net</I> with a netmask <I>len</I>
bits wide.
May be qualified with <B>src</B> or <B>dst</B>.
<DT><B>dst port </B><I>port</I><DD>
True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a
destination port value of <I>port</I>.
The <I>port</I> can be a number or a name used in /etc/services (see
<I>tcp</I>(4P)

and
<I>udp</I>(4P)).

If a name is used, both the port
number and protocol are checked.
If a number or ambiguous name is used,
only the port number is checked (e.g., <B>dst port 513</B> will print both
tcp/login traffic and udp/who traffic, and <B>port domain</B> will print
both tcp/domain and udp/domain traffic).
<DT><B>src port </B><I>port</I><DD>
True if the packet has a source port value of <I>port</I>.
<DT><B>port </B><I>port</I><DD>
True if either the source or destination port of the packet is <I>port</I>.
Any of the above port expressions can be prepended with the keywords,
<B>tcp</B> or <B>udp</B>, as in:
<dl COMPACT>
  <dd>

<PRE><B>tcp src port </B><I>port</I></PRE>


  </dd>
</dl>


which matches only tcp packets whose source port is <I>port</I>.
<DT><B>less </B><I>length</I><DD>
True if the packet has a length less than or equal to <I>length</I>.
This is equivalent to:
<dl COMPACT>
  <dd>

<PRE><B>len &lt;= </B><I>length</I>.</PRE>


  </dd>
</dl>


<DT><B>greater </B><I>length</I><DD>
True if the packet has a length greater than or equal to <I>length</I>.
This is equivalent to:
<dl COMPACT>
  <dd>

<PRE><B>len &gt;= </B><I>length</I>.</PRE>


  </dd>
</dl>


<DT><B>ip proto </B><I>protocol</I><DD>
True if the packet is an IP packet (see
<I>ip</I>(4P))

of protocol type <I>protocol</I>.
<I>Protocol</I> can be a number or one of the names
<I>icmp</I>, <I>icmp6</I>, <I>igmp</I>, <I>igrp</I>, <I>pim</I>, <I>ah</I>,
<I>esp</I>, <I>vrrp</I>, <I>udp</I>, or <I>tcp</I>.
Note that the identifiers <I>tcp</I>, <I>udp</I>, and <I>icmp</I> are also
keywords and must be escaped via backslash (\), which is \\ in the C-shell.
Note that this primitive does not chase the protocol header chain.
<DT><B>ip6 proto </B><I>protocol</I><DD>
True if the packet is an IPv6 packet of protocol type <I>protocol</I>.
Note that this primitive does not chase the protocol header chain.
<DT><B>ip6 protochain </B><I>protocol</I><DD>
True if the packet is IPv6 packet,
and contains protocol header with type <I>protocol</I>
in its protocol header chain.
For example,
<dl COMPACT>
  <dd>

<PRE><B>ip6 protochain 6</B></PRE>


  </dd>
</dl>


matches any IPv6 packet with TCP protocol header in the protocol header chain.
The packet may contain, for example,
authentication header, routing header, or hop-by-hop option header,
between IPv6 header and TCP header.
The BPF code emitted by this primitive is complex and
cannot be optimized by BPF optimizer code in <I>tcpdump</I>,
so this can be somewhat slow.
<DT><B>ip protochain </B><I>protocol</I><DD>
Equivalent to <B>ip6 protochain </B><I>protocol</I>, but this is for IPv4.
<DT><B>ether broadcast</B><DD>
True if the packet is an ethernet broadcast packet.
The <I>ether</I>
keyword is optional.
<DT><B>ip broadcast</B><DD>
True if the packet is an IP broadcast packet.
It checks for both
the all-zeroes and all-ones broadcast conventions, and looks up
the local subnet mask.
<DT><B>ether multicast</B><DD>
True if the packet is an ethernet multicast packet.
The <I>ether</I>
keyword is optional.
This is shorthand for `<B>ether[0] &amp; 1 != 0</B>'.
<DT><B>ip multicast</B><DD>
True if the packet is an IP multicast packet.
<DT><B>ip6 multicast</B><DD>
True if the packet is an IPv6 multicast packet.
<DT><B>ether proto </B><I>protocol</I><DD>
True if the packet is of ether type <I>protocol</I>.
<I>Protocol</I> can be a number or one of the names
<I>ip</I>, <I>ip6</I>, <I>arp</I>, <I>rarp</I>, <I>atalk</I>, <I>aarp</I>,
<I>decnet</I>, <I>sca</I>, <I>lat</I>, <I>mopdl</I>, <I>moprc</I>,
<I>iso</I>, <I>stp</I>, <I>ipx</I>, or <I>netbeui</I>.
Note these identifiers are also keywords
and must be escaped via backslash (\).
<DT><DD>
[In the case of FDDI (e.g., `<B>fddi protocol arp</B>') and Token Ring
(e.g., `<B>tr protocol arp</B>'), for most of those protocols, the
protocol identification comes from the 802.2 Logical Link Control (LLC)
header, which is usually layered on top of the FDDI or Token Ring
header.
<DT><DD>
When filtering for most protocol identifiers on FDDI or Token Ring,
<I>tcpdump</I> checks only the protocol ID field of an LLC header in
so-called SNAP format with an Organizational Unit Identifier (OUI) of
0x000000, for encapsulated Ethernet; it doesn't check whether the packet
is in SNAP format with an OUI of 0x000000.
<DT><DD>
The exceptions are <I>iso</I>, for which it checks the DSAP (Destination
Service Access Point) and SSAP (Source Service Access Point) fields of
the LLC header, <I>stp</I> and <I>netbeui</I>, where it checks the DSAP of
the LLC header, and <I>atalk</I>, where it checks for a SNAP-format
packet with an OUI of 0x080007 and the Appletalk etype.
<DT><DD>
In the case of Ethernet, <I>tcpdump</I> checks the Ethernet type field
for most of those protocols; the exceptions are <I>iso</I>, <I>sap</I>,
and <I>netbeui</I>, for which it checks for an 802.3 frame and then
checks the LLC header as it does for FDDI and Token Ring, <I>atalk</I>,
where it checks both for the Appletalk etype in an Ethernet frame and
for a SNAP-format packet as it does for FDDI and Token Ring, <I>aarp</I>,
where it checks for the Appletalk ARP etype in either an Ethernet frame
or an 802.2 SNAP frame with an OUI of 0x000000, and <I>ipx</I>, where it
checks for the IPX etype in an Ethernet frame, the IPX DSAP in the LLC
header, the 802.3 with no LLC header encapsulation of IPX, and the IPX
etype in a SNAP frame.]
<DT><B>decnet src </B><I>host</I><DD>
True if the DECNET source address is
<I>host</I>,

which may be an address of the form ``10.123'', or a DECNET host
name.
[DECNET host name support is only available on Ultrix systems
that are configured to run DECNET.]
<DT><B>decnet dst </B><I>host</I><DD>
True if the DECNET destination address is
<I>host</I>.

<DT><B>decnet host </B><I>host</I><DD>
True if either the DECNET source or destination address is
<I>host</I>.

<DT><B>ip</B>, <B>ip6</B>, <B>arp</B>, <B>rarp</B>, <B>atalk</B>, <B>aarp</B>, <B>decnet</B>, <B>iso</B>, <B>stp</B>, <B>ipx</B>, <I>netbeui</I><DD>
Abbreviations for:
<dl COMPACT>
  <dd>

<PRE><B>ether proto </B><I>p</I></PRE>


  </dd>
</dl>


where <I>p</I> is one of the above protocols.
<DT><B>lat</B>, <B>moprc</B>, <B>mopdl</B><DD>
Abbreviations for:
<dl COMPACT>
  <dd>

<PRE><B>ether proto </B><I>p</I></PRE>


  </dd>
</dl>


where <I>p</I> is one of the above protocols.
Note that
<I>tcpdump</I> does not currently know how to parse these protocols.
<DT><B>vlan </B><I>[vlan_id]</I><DD>
True if the packet is an IEEE 802.1Q VLAN packet.
If <I>[vlan_id]</I> is specified, only true is the packet has the specified
<I>vlan_id</I>.
Note that the first <B>vlan</B> keyword encountered in <I>expression</I>
changes the decoding offsets for the remainder of <I>expression</I>
on the assumption that the packet is a VLAN packet.
<DT><B>tcp</B>, <B>udp</B>, <B>icmp</B><DD>
Abbreviations for:
<dl COMPACT>
  <dd>

<PRE><B>ip proto </B><I>p</I><B> or ip6 proto </B><I>p</I></PRE>


  </dd>
</dl>


where <I>p</I> is one of the above protocols.
<DT><B>iso proto </B><I>protocol</I><DD>
True if the packet is an OSI packet of protocol type <I>protocol</I>.
<I>Protocol</I> can be a number or one of the names
<I>clnp</I>, <I>esis</I>, or <I>isis</I>.
<DT><B>clnp</B>, <B>esis</B>, <B>isis</B><DD>
Abbreviations for:
<dl COMPACT>
  <dd>

<PRE><B>iso proto </B><I>p</I></PRE>


  </dd>
</dl>


where <I>p</I> is one of the above protocols.
Note that <I>tcpdump</I> does an incomplete job of parsing these protocols.
<DT><I>expr relop expr</I><DD>
True if the relation holds, where <I>relop</I> is one of &gt;, &lt;, &gt;=, &lt;=, =, !=,
and <I>expr</I> is an arithmetic expression composed of integer constants
(expressed in standard C syntax), the normal binary operators
[+, -, *, /, &amp;, |], a length operator, and special packet data accessors.
To access
data inside the packet, use the following syntax:

<PRE>
<I>proto</I><B> [ </B><I>expr</I><B> : </B><I>size</I><B> ]</B>
</PRE>


<I>Proto</I> is one of <B>ether, fddi, tr,
ip, arp, rarp, tcp, udp, icmp</B> or <B>ip6</B>, and
indicates the protocol layer for the index operation.
Note that <I>tcp, udp</I> and other upper-layer protocol types only
apply to IPv4, not IPv6 (this will be fixed in the future).
The byte offset, relative to the indicated protocol layer, is
given by <I>expr</I>.
<I>Size</I> is optional and indicates the number of bytes in the
field of interest; it can be either one, two, or four, and defaults to one.
The length operator, indicated by the keyword <B>len</B>, gives the
length of the packet.
<P>
For example, `<B>ether[0] &amp; 1 != 0</B>' catches all multicast traffic.
The expression `<B>ip[0] &amp; 0xf != 5</B>'
catches all IP packets with options.
The expression
`<B>ip[6:2] &amp; 0x1fff = 0</B>'
catches only unfragmented datagrams and frag zero of fragmented datagrams.
This check is implicitly applied to the <B>tcp</B> and <B>udp</B>
index operations.
For instance, <B>tcp[0]</B> always means the first
byte of the TCP <I>header</I>, and never means the first byte of an
intervening fragment.
<P>
Some offsets and field values may be expressed as names rather than
as numeric values.
The following protocol header field offsets are
available: <B>icmptype</B> (ICMP type field), <B>icmpcode</B> (ICMP
code field), and <B>tcpflags</B> (TCP flags field).
<P>
The following ICMP type field values are available: <B>icmp-echoreply</B>,
<B>icmp-unreach</B>, <B>icmp-sourcequench</B>, <B>icmp-redirect</B>,
<B>icmp-echo</B>, <B>icmp-routeradvert</B>, <B>icmp-routersolicit</B>,
<B>icmp-timxceed</B>, <B>icmp-paramprob</B>, <B>icmp-tstamp</B>,
<B>icmp-tstampreply</B>, <B>icmp-ireq</B>, <B>icmp-ireqreply</B>,
<B>icmp-maskreq</B>, <B>icmp-maskreply</B>.
<P>
The following TCP flags field values are available: <B>tcp-fin</B>,
<B>tcp-syn</B>, <B>tcp-rst</B>, <B>tcp-push</B>, <B>tcp-push</B>,
<B>tcp-ack</B>, <B>tcp-urg</B>.
</DL>
<P>

Primitives may be combined using:
<DL COMPACT>
<DT><DD>
A parenthesized group of primitives and operators
(parentheses are special to the Shell and must be escaped).
<DT><DD>
Negation (`<B>!</B>' or `<B>not</B>').
<DT><DD>
Concatenation (`<B>&amp;&amp;</B>' or `<B>and</B>').
<DT><DD>
Alternation (`<B>||</B>' or `<B>or</B>').
</DL>
<P>

Negation has highest precedence.
Alternation and concatenation have equal precedence and associate
left to right.
Note that explicit <B>and</B> tokens, not juxtaposition,
are now required for concatenation.
<P>

If an identifier is given without a keyword, the most recent keyword
is assumed.
For example,

<blockquote>

<PRE><B>not host vs and ace</B></PRE>


</blockquote>


is short for
<blockquote>

<PRE><B>not host vs and host ace</B></PRE>


</blockquote>


which should not be confused with
<blockquote>

<PRE><B>not ( host vs or ace )</B></PRE>


</blockquote>


<P>

Expression arguments can be passed to <I>tcpdump</I> as either a single
argument or as multiple arguments, whichever is more convenient.
Generally, if the expression contains Shell metacharacters, it is
easier to pass it as a single, quoted argument.
Multiple arguments are concatenated with spaces before being parsed.
<p>

</body>

</html>