group__language.html

winpcap文档

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><meta http-equiv="Content-Type" content="text/html;charset=iso-8859-1">
<title>WinPcap: Filtering expression syntax</title>
<link href="style.css" rel="stylesheet" type="text/css">
<link href="tabs.css" rel="stylesheet" type="text/css">
</head><body>
<!-- Generated by Doxygen 1.5.1 -->
<div class="tabs">
  <ul>
    <li><a href="main.html"><span>Main&nbsp;Page</span></a></li>
    <li><a href="modules.html"><span>Modules</span></a></li>
    <li><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
    <li><a href="files.html"><span>Files</span></a></li>
    <li><a href="pages.html"><span>Related&nbsp;Pages</span></a></li>
  </ul></div>
<h1>Filtering expression syntax<br>
<small>
[<a class="el" href="group__wpcap.html">WinPcap user's manual</a>]</small>
</h1><table border="0" cellpadding="0" cellspacing="0">
<tr><td></td></tr>
</table>
<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title></title>
</head>

<body>
<DL COMPACT>
<DT>Note: this document has been drawn from the tcpdump man page. The original version can
  be found at&nbsp; <a href="http://www.tcpdump.org">www.tcpdump.org</a>.
<dd>&nbsp;</dd>
<DT>wpcap filters are based on a declarative predicate syntax. A filter is
  an ASCII string containing a filtering <I>expression</I>.&nbsp;pcap_compile()
  takes the expression and translates it in a program for the kernel-level
  packet filter.
</DL>
<p>The expression selects which packets will be dumped.
If no expression
is given, all packets on the net will be accepted by the kernel-level filtering
engine.
Otherwise,
only packets for which <I>expression</I> is `true' will be accepted.</p>
<P>

The <I>expression</I> consists of one or more
<I>primitives.</I>

Primitives usually consist of an
<I>id</I>

(name or number) preceded by one or more qualifiers.
There are three
different kinds of qualifier:
<DL COMPACT>
<DT><I>type</I><DD>
qualifiers say what kind of thing the id name or number refers to.
Possible types are
<B>host</B>,

<B>net</B>

and
<B>port</B>.

E.g., `host foo', `net 128.3', `port 20'.
If there is no type
qualifier,
<B>host</B>

is assumed.
<DT><I>dir</I><DD>
qualifiers specify a particular transfer direction to and/or from
<I>id</I>.

Possible directions are
<B>src</B>,

<B>dst</B>,

<B>src or dst</B>

and
<B>src and</B>

<B>dst</B>.

E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'.
If
there is no dir qualifier,
<B>src or dst</B>

is assumed.
For `null' link layers (i.e. point to point protocols such as slip) the
<B>inbound</B>

and
<B>outbound</B>

qualifiers can be used to specify a desired direction.
<DT><I>proto</I><DD>
qualifiers restrict the match to a particular protocol.
Possible
protos are:
<B>ether</B>,

<B>fddi</B>,

<B>tr</B>,

<B>ip</B>,

<B>ip6</B>,

<B>arp</B>,

<B>rarp</B>,

<B>decnet</B>,

<B>tcp</B>

and
<B>udp</B>.

E.g., `ether src foo', `arp net 128.3', `tcp port 21'.
If there is
no proto qualifier, all protocols consistent with the type are
assumed.
E.g., `src foo' means `(ip or arp or rarp) src foo'
(except the latter is not legal syntax), `net bar' means `(ip or
arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
</DL>
<P>

[`fddi' is actually an alias for `ether'; the parser treats them
identically as meaning ``the data link level used on the specified
network interface.''  FDDI headers contain Ethernet-like source
and destination addresses, and often contain Ethernet-like packet
types, so you can filter on these FDDI fields just as with the
analogous Ethernet fields.
FDDI headers also contain other fields,
but you cannot name them explicitly in a filter expression.
<P>

Similarly, `tr' is an alias for `ether'; the previous paragraph's
statements about FDDI headers also apply to Token Ring headers.]
<P>

In addition to the above, there are some special `primitive' keywords
that don't follow the pattern:
<B>gateway</B>,

<B>broadcast</B>,

<B>less</B>,

<B>greater</B>

and arithmetic expressions.
All of these are described below.
<P>

More complex filter expressions are built up by using the words
<B>and</B>,

<B>or</B>

and
<B>not</B>

to combine primitives.
E.g., `host foo and not port ftp and not port ftp-data'.
To save typing, identical qualifier lists can be omitted.
E.g.,
`tcp dst port ftp or ftp-data or domain' is exactly the same as
`tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.
<P>

Allowable primitives are:
<DL COMPACT>
<DT><B>dst host </B><I>host</I><DD>
True if the IPv4/v6 destination field of the packet is <I>host</I>,
which may be either an address or a name.
<DT><B>src host </B><I>host</I><DD>
True if the IPv4/v6 source field of the packet is <I>host</I>.
<DT><B>host </B><I>host</I><DD>
True if either the IPv4/v6 source or destination of the packet is <I>host</I>.
Any of the above host expressions can be prepended with the keywords,
<B>ip</B>, <B>arp</B>, <B>rarp</B>, or <B>ip6</B> as in:
<dl COMPACT>
  <dd>

<PRE><B>ip host </B><I>host</I></PRE>


  </dd>
</dl>


which is equivalent to:
<dl COMPACT>
  <dd>

<PRE><B>ether proto </B><I>\ip</I><B> and host </B><I>host</I></PRE>


  </dd>
</dl>


If <I>host</I> is a name with multiple IP addresses, each address will
be checked for a match.
<DT><B>ether dst </B><I>ehost</I><DD>
True if the ethernet destination address is <I>ehost</I>.
<I>Ehost</I>
may be either a name from /etc/ethers or a number (see
<I>ethers</I>(3N)

for numeric format).
<DT><B>ether src </B><I>ehost</I><DD>
True if the ethernet source address is <I>ehost</I>.
<DT><B>ether host </B><I>ehost</I><DD>
True if either the ethernet source or destination address is <I>ehost</I>.
<DT><B>gateway</B> <I>host</I><DD>
True if the packet used <I>host</I> as a gateway.
I.e., the ethernet
source or destination address was <I>host</I> but neither the IP source
nor the IP destination was <I>host</I>.
<I>Host</I> must be a name and
must be found both by the machine's host-name-to-IP-address resolution
mechanisms (host name file, DNS, NIS, etc.) and by the machine's
host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.).
(An equivalent expression is
<dl COMPACT>
  <dd>

<PRE><B>ether host </B><I>ehost </I><B>and not host </B><I>host</I></PRE>


  </dd>
</dl>


which can be used with either names or numbers for <I>host / ehost</I>.)
This syntax does not work in IPv6-enabled configuration at this moment.
<DT><B>dst net </B><I>net</I><DD>
True if the IPv4/v6 destination address of the packet has a network
number of <I>net</I>.
<I>Net</I> may be either a name from /etc/networks
or a network number (see <I>networks(4)</I> for details).
<DT><B>src net </B><I>net</I><DD>
True if the IPv4/v6 source address of the packet has a network
number of <I>net</I>.
<DT><B>net </B><I>net</I><DD>
True if either the IPv4/v6 source or destination address of the packet has a network
number of <I>net</I>.
<DT><B>net </B><I>net</I> <B>mask </B><I>netmask</I><DD>
True if the IP address matches <I>net</I> with the specific <I>netmask</I>.
May be qualified with <B>src</B> or <B>dst</B>.
Note that this syntax is not valid for IPv6 <I>net</I>.
<DT><B>net </B><I>net</I>/<I>len</I><DD>
True if the IPv4/v6 address matches <I>net</I> with a netmask <I>len</I>
bits wide.
May be qualified with <B>src</B> or <B>dst</B>.
<DT><B>dst port </B><I>port</I><DD>
True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a
destination port value of <I>port</I>.
The <I>port</I> can be a number or a name used in /etc/services (see
<I>tcp</I>(4P)

and
<I>udp</I>(4P)).

If a name is used, both the port
number and protocol are checked.
If a number or ambiguous name is used,
only the port number is checked (e.g., <B>dst port 513</B> will print both
tcp/login traffic and udp/who traffic, and <B>port domain</B> will print
both tcp/domain and udp/domain traffic).
<DT><B>src port </B><I>port</I><DD>
True if the packet has a source port value of <I>port</I>.
<DT><B>port </B><I>port</I><DD>
True if either the source or destination port of the packet is <I>port</I>.
Any of the above port expressions can be prepended with the keywords,
<B>tcp</B> or <B>udp</B>, as in:
<dl COMPACT>
  <dd>

<PRE><B>tcp src port </B><I>port</I></PRE>


  </dd>
</dl>


which matches only tcp packets whose source port is <I>port</I>.
<DT><B>less </B><I>length</I><DD>
True if the packet has a length less than or equal to <I>length</I>.
This is equivalent to:
<dl COMPACT>
  <dd>

<PRE><B>len &lt;= </B><I>length</I>.</PRE>


  </dd>
</dl>


<DT><B>greater </B><I>length</I><DD>