qualifier, all protocols consistent with the type are assumed. E.g., `src foo' means `(ip or arp or rarp) src foo' (except the latter is not legal syntax), `net bar' means `(ip or arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
<br>
In addition to the above, there are some special `primitive' keywords that don't follow the pattern: gateway, broadcast, less, greater and arithmetic expressions. All of these are described below.
<br>
More complex filter expressions are built up by using the words and, or and not to combine primitives. E.g., `host foo and not port ftp and not port ftp-data'. To save typing, identical qualifier lists can be omitted. E.g., `tcp dst port ftp or ftp-data or domain' is exactly the same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.
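The qualifier-list shorthand above is easy to misread when auditing a capture filter, so here is an added example (not from the tcpdump man page or the tcpdump source) that rewrites a filter into its fully qualified form: a bare identifier inherits the leading qualifier list of the previous primitive. The set of qualifier keywords is assumed to be exactly the ones named on this page, and parentheses are not handled.

```python
"""Restore omitted qualifier lists in a tcpdump-style filter expression.

Added example, not tcpdump's own parser.  A primitive whose tokens are all
identifiers (no leading qualifier keyword) is assumed to reuse the leading
qualifiers of the previous primitive, as the man page text describes.
"""

# Assumed qualifier vocabulary: the keywords this page names.
KEYWORDS = {
    "src", "dst", "host", "net", "port", "gateway", "proto", "mask",
    "ether", "fddi", "ip", "arp", "rarp", "decnet", "tcp", "udp", "icmp",
    "less", "greater", "broadcast", "multicast",
}
CONNECTIVES = {"and", "or", "not", "&&", "||", "!"}


def split_primitives(tokens):
    """Split tokens into a list alternating primitive token lists and connectives."""
    out, cur = [], []
    for tok in tokens:
        if tok in CONNECTIVES:
            if cur:
                out.append(cur)
                cur = []
            out.append(tok)
        else:
            cur.append(tok)
    if cur:
        out.append(cur)
    return out


def expand(expr):
    """Return expr with every omitted qualifier list written out explicitly."""
    result, last_quals = [], []
    for part in split_primitives(expr.split()):
        if isinstance(part, str):           # connective: copy through unchanged
            result.append(part)
            continue
        n = 0
        while n < len(part) and part[n] in KEYWORDS:
            n += 1                          # leading qualifier keywords
        quals, ids = part[:n], part[n:]
        if quals:
            last_quals = quals
            result.append(" ".join(part))
        elif last_quals:                    # bare identifier: inherit qualifiers
            result.append(" ".join(last_quals + ids))
        else:
            raise ValueError(f"bare identifier {ids!r} with no preceding qualifier")
    return " ".join(result)


if __name__ == "__main__":
    print(expand("tcp dst port ftp or ftp-data or domain"))
```

Run it on a filter before deploying it in a capture rule; the expanded form makes it obvious that `port 22 or 10.0.0.1' means `port 22 or port 10.0.0.1', not a host test, which is a common filter bug.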
<br>
Allowable primitives are:

dst host host
    True if the IP destination field of the packet is host, which may be either an address or a name.

src host host
    True if the IP source field of the packet is host.

host host
    True if either the IP source or destination of the packet is host. Any of the above host expressions can be prepended with the keywords ip, arp, or rarp as in:
        ip host host
    which is equivalent to:
        ether proto \ip and host host
    If host is a name with multiple IP addresses, each address will be checked for a match.
<br>
ether dst ehost
    True if the ethernet destination address is ehost. Ehost may be either a name from /etc/ethers or a number (see ethers(3N) for numeric format).

ether src ehost
    True if the ethernet source address is ehost.

ether host ehost
    True if either the ethernet source or destination address is ehost.
<br>
gateway host
    True if the packet used host as a gateway. I.e., the ethernet source or destination address was host but neither the IP source nor the IP destination was host. Host must be a name and must be found in both /etc/hosts and /etc/ethers. (An equivalent expression is
        ether host ehost and not host host
    which can be used with either names or numbers for host / ehost.)
<br>
dst net net
    True if the IP destination address of the packet has a network number of net. Net may be either a name from /etc/networks or a network number (see networks(4) for details).

src net net
    True if the IP source address of the packet has a network number of net.

net net
    True if either the IP source or destination address of the packet has a network number of net.

net net mask mask
    True if the IP address matches net with the specific netmask. May be qualified with src or dst.

net net/len
    True if the IP address matches net with a netmask len bits wide. May be qualified with src or dst.
<br>
dst port port
    True if the packet is ip/tcp or ip/udp and has a destination port value of port. The port can be a number or a name used in /etc/services (see tcp(4P) and udp(4P)). If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked (e.g., dst port 513 will print both tcp/login traffic and udp/who traffic, and port domain will print both tcp/domain and udp/domain traffic).

src port port
    True if the packet has a source port value of port.

port port
    True if either the source or destination port of the packet is port. Any of the above port expressions can be prepended with the keywords tcp or udp, as in:
        tcp src port port
    which matches only tcp packets whose source port is port.
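The host, net and port primitives above have subtleties that matter when a filter is used as a security control (a bare `port 53' also admits udp, a numeric port ignores the protocol, `net' compares only the masked prefix). The following added example, which is not tcpdump's code, decodes constructed Ethernet/IPv4 frames and evaluates those primitives by hand so the rules can be checked. The service table stands in for /etc/services and is constructed here; names from /etc/hosts and /etc/networks are not resolved, and only ip, tcp and udp are accepted as protocol qualifiers.

```python
"""Evaluate host, net and port primitives against decoded IPv4 frames.

Added example, not tcpdump's code.  Frames are built inline with struct;
the SERVICES table is a constructed stand-in for /etc/services.
"""
import ipaddress
import struct

# Constructed stand-in for /etc/services: (name, proto) -> port number.
SERVICES = {("domain", "tcp"): 53, ("domain", "udp"): 53,
            ("login", "tcp"): 513, ("who", "udp"): 513}


def frame(src, dst, proto, sport, dport):
    """Constructed Ethernet/IPv4 frame with a 4-byte port stub for TCP (6) or UDP (17)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + struct.pack("!HH", sport, dport)


def decode(f):
    """Extract the IPv4 fields the primitives need; None if the frame is not IPv4."""
    if struct.unpack("!H", f[12:14])[0] != 0x0800:
        return None
    ihl = (f[14] & 0x0F) * 4                       # header length is variable
    src, dst = struct.unpack("!4s4s", f[26:34])
    pkt = {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
           "proto": {6: "tcp", 17: "udp"}.get(f[23]), "sport": None, "dport": None}
    if pkt["proto"]:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", f[14 + ihl:18 + ihl])
    return pkt


def match(primitive, pkt):
    """True if a primitive like 'tcp dst port domain' or 'src net 10.0.0.0/8' holds."""
    toks = primitive.split()
    proto = toks.pop(0) if toks[0] in ("ip", "tcp", "udp") else None
    direction = toks.pop(0) if toks[0] in ("src", "dst") else None
    kind, val = toks[0], toks[1]
    if pkt is None:                                # all three primitives are IP-only
        return False
    if kind == "host":
        target = ipaddress.IPv4Address(val)
        ok, fields = (lambda a: a == target), ("src", "dst")
    elif kind == "net":
        if len(toks) == 4 and toks[2] == "mask":   # net X mask M
            network = ipaddress.IPv4Network((val, toks[3]), strict=False)
        else:                                      # net X/len
            network = ipaddress.IPv4Network(val, strict=False)
        ok, fields = (lambda a: a in network), ("src", "dst")
    elif kind == "port":
        if pkt["proto"] is None:
            return False
        if val.isdigit():                          # number: port only, either protocol
            port, protos = int(val), {"tcp", "udp"}
        else:
            protos = {p for (n, p) in SERVICES if n == val}
            if not protos:
                raise ValueError(f"unknown service {val!r}")
            port = SERVICES[(val, next(iter(protos)))]
            if len(protos) > 1:                    # ambiguous name: port number only
                protos = {"tcp", "udp"}
        if proto in ("tcp", "udp"):                # explicit qualifier wins
            protos = {proto}
        if pkt["proto"] not in protos:
            return False
        ok, fields = (lambda p: p == port), ("sport", "dport")
    else:
        raise ValueError(f"unsupported primitive {primitive!r}")
    if direction == "src":
        fields = fields[:1]
    elif direction == "dst":
        fields = fields[1:]
    return any(ok(pkt[f]) for f in fields)


if __name__ == "__main__":
    dns = decode(frame("10.1.2.3", "192.0.2.53", 17, 40000, 53))
    for p in ("port 53", "tcp port 53", "port domain", "src net 10.0.0.0/8"):
        print(f"{p:22} -> {match(p, dns)}")
```

The `dst port 513' case from the text falls out of the numeric branch: it admits both tcp/login and udp/who, while `dst port login' restricts the protocol to tcp because the name is defined for only one protocol in the table.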
<br>
less length
    True if the packet has a length less than or equal to length. This is equivalent to:
        len <= length.

greater length
    True if the packet has a length greater than or equal to length. This is equivalent to:
        len >= length.
<br>
<br>
ip proto protocol
    True if the packet is an ip packet (see ip(4P)) of protocol type protocol. Protocol can be a number or one of the names icmp, igrp, udp, nd, or tcp. Note that the identifiers tcp, udp, and icmp are also keywords and must be escaped via backslash (\), which is \\ in the C-shell.
<br>
ether broadcast
    True if the packet is an ethernet broadcast packet. The ether keyword is optional.

ip broadcast
    True if the packet is an IP broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions, and looks up the local subnet mask.

ether multicast
    True if the packet is an ethernet multicast packet. The ether keyword is optional. This is shorthand for `ether[0] & 1 != 0'.

ip multicast
    True if the packet is an IP multicast packet.
<br>
ether proto protocol
    True if the packet is of ether type protocol. Protocol can be a number or a name like ip, arp, or rarp. Note these identifiers are also keywords and must be escaped via backslash (\). [In the case of FDDI (e.g., `fddi protocol arp'), the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI header. Tcpdump assumes, when filtering on the protocol identifier, that all FDDI packets include an LLC header, and that the LLC header is in so-called SNAP format.]
<br>
ip, arp, rarp, decnet
    Abbreviations for:
        ether proto p
    where p is one of the above protocols.

tcp, udp, icmp
    Abbreviations for:
        ip proto p
    where p is one of the above protocols.
<br>
expr relop expr
    True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &, |], a length operator, and special packet data accessors. To access data inside the packet, use the following syntax:
        proto [ expr : size ]
    Proto is one of ether, fddi, ip, arp, rarp, tcp, udp, or icmp, and indicates the protocol layer for the index operation. The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indicated by the keyword len, gives the length of the packet.
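The accessor syntax above is what most hand-written detection filters rely on (TCP flag tests for scan traffic, fragment-offset tests, the `ether[0] & 1 != 0' multicast shorthand from the ether multicast entry). The following added example, not tcpdump's code, evaluates such relational expressions over a raw Ethernet/IPv4 frame. It covers ether, ip, tcp and udp as the protocol layer, sizes 1, 2 and 4, `len', the binary operators listed in the text and the six relops; the offset inside the brackets must be an integer literal here, although tcpdump allows an expression. Both frames are constructed inline, and the assumed behaviour for an accessor that refers to a layer the packet lacks, or reaches past its end, is that the filter simply does not match, which is how a BPF out-of-bounds load behaves.

```python
"""Evaluate `proto[expr:size]' relational filters over a raw frame.

Added example, not tcpdump's code.  The expression is rewritten into Python
arithmetic (same operator precedence: * / before + - before & before |
before the relops) after every token has been validated, then evaluated
with no builtins available.
"""
import re
import struct

ACCESSOR = re.compile(r"\b(ether|ip|tcp|udp)\[(\d+)(?::([124]))?\]")


class NoMatch(Exception):
    """Accessor refers to a layer the packet lacks or runs past its end."""


def layer_base(frame, proto):
    """Byte offset of the named layer in an Ethernet/IPv4 frame, or None if absent."""
    if proto == "ether":
        return 0
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    if proto == "ip":
        return 14
    ihl = (frame[14] & 0x0F) * 4                  # IP options make the header variable
    if (proto, frame[23]) in (("tcp", 6), ("udp", 17)):
        return 14 + ihl
    return None


def fetch(frame, proto, offset, size):
    """Big-endian integer of `size' bytes at `offset' within the given layer."""
    base = layer_base(frame, proto)
    if base is None or base + offset + size > len(frame):
        raise NoMatch
    return int.from_bytes(frame[base + offset:base + offset + size], "big")


def evaluate(expr, frame):
    """True if the relational expression holds for the frame; False on NoMatch."""
    try:
        py = ACCESSOR.sub(lambda m: str(fetch(frame, m.group(1), int(m.group(2)),
                                              int(m.group(3) or 1))), expr)
    except NoMatch:
        return False
    py = re.sub(r"\blen\b", str(len(frame)), py)
    if not re.fullmatch(r"[0-9a-fA-FxX\s()+\-*/&|<>=!]+", py):
        raise ValueError(f"unsupported token in {expr!r}")
    py = re.sub(r"(?<![<>!=])=(?!=)", "==", py)   # tcpdump `=' is Python `=='
    py = py.replace("/", "//")                     # integer division, as in BPF
    return bool(eval(py, {"__builtins__": {}}, {}))


def tcp_frame(dst_mac, flags, dport=80):
    """Constructed Ethernet/IPv4/TCP frame (no options) with the given TCP flags."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + b"\x00" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


SYN = tcp_frame("00:11:22:33:44:55", 0x02)        # SYN only, as a port scanner sends
MCAST = tcp_frame("01:00:5e:00:00:01", 0x10)      # ACK, multicast destination MAC

if __name__ == "__main__":
    for e in ("tcp[13] & 2 != 0", "tcp[13] & 0x12 = 0x12", "ether[0] & 1 != 0",
              "ip[6:2] & 0x1fff = 0", "ip[2:2] = len - 14", "udp[0] = 53"):
        print(f"{e:24} SYN={evaluate(e, SYN)!s:5} MCAST={evaluate(e, MCAST)}")
```

Note the precedence point: `tcp[13] & 2 != 0' is read as `(tcp[13] & 2) != 0', which is what tcpdump's grammar does and what the rewrite preserves; written in C, the same text would bind `!=' tighter than `&' and test the wrong thing.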
<br>