group__language.html

winpcap文档

True if the packet has a length greater than or equal to <I>length</I>.
This is equivalent to:
<dl COMPACT>
  <dd>

<PRE><B>len &gt;= </B><I>length</I>.</PRE>


  </dd>
</dl>


<DT><B>ip proto </B><I>protocol</I><DD>
True if the packet is an IP packet (see
<I>ip</I>(4P))

of protocol type <I>protocol</I>.
<I>Protocol</I> can be a number or one of the names
<I>icmp</I>, <I>icmp6</I>, <I>igmp</I>, <I>igrp</I>, <I>pim</I>, <I>ah</I>,
<I>esp</I>, <I>vrrp</I>, <I>udp</I>, or <I>tcp</I>.
Note that the identifiers <I>tcp</I>, <I>udp</I>, and <I>icmp</I> are also
keywords and must be escaped via backslash (\), which is \\ in the C-shell.
Note that this primitive does not chase the protocol header chain.
<DT><B>ip6 proto </B><I>protocol</I><DD>
True if the packet is an IPv6 packet of protocol type <I>protocol</I>.
Note that this primitive does not chase the protocol header chain.
<DT><B>ip6 protochain </B><I>protocol</I><DD>
True if the packet is IPv6 packet,
and contains protocol header with type <I>protocol</I>
in its protocol header chain.
For example,
<dl COMPACT>
  <dd>

<PRE><B>ip6 protochain 6</B></PRE>


  </dd>
</dl>


matches any IPv6 packet with TCP protocol header in the protocol header chain.
The packet may contain, for example,
authentication header, routing header, or hop-by-hop option header,
between IPv6 header and TCP header.
The BPF code emitted by this primitive is complex and
cannot be optimized by BPF optimizer code in <I>tcpdump</I>,
so this can be somewhat slow.
<DT><B>ip protochain </B><I>protocol</I><DD>
Equivalent to <B>ip6 protochain </B><I>protocol</I>, but this is for IPv4.
<DT><B>ether broadcast</B><DD>
True if the packet is an ethernet broadcast packet.
The <I>ether</I>
keyword is optional.
<DT><B>ip broadcast</B><DD>
True if the packet is an IP broadcast packet.
It checks for both
the all-zeroes and all-ones broadcast conventions, and looks up
the local subnet mask.
<DT><B>ether multicast</B><DD>
True if the packet is an ethernet multicast packet.
The <I>ether</I>
keyword is optional.
This is shorthand for `<B>ether[0] &amp; 1 != 0</B>'.
<DT><B>ip multicast</B><DD>
True if the packet is an IP multicast packet.
<DT><B>ip6 multicast</B><DD>
True if the packet is an IPv6 multicast packet.
<DT><B>ether proto </B><I>protocol</I><DD>
True if the packet is of ether type <I>protocol</I>.
<I>Protocol</I> can be a number or one of the names
<I>ip</I>, <I>ip6</I>, <I>arp</I>, <I>rarp</I>, <I>atalk</I>, <I>aarp</I>,
<I>decnet</I>, <I>sca</I>, <I>lat</I>, <I>mopdl</I>, <I>moprc</I>,
<I>iso</I>, <I>stp</I>, <I>ipx</I>, or <I>netbeui</I>.
Note these identifiers are also keywords
and must be escaped via backslash (\).
<DT><DD>
[In the case of FDDI (e.g., `<B>fddi protocol arp</B>') and Token Ring
(e.g., `<B>tr protocol arp</B>'), for most of those protocols, the
protocol identification comes from the 802.2 Logical Link Control (LLC)
header, which is usually layered on top of the FDDI or Token Ring
header.
<DT><DD>
When filtering for most protocol identifiers on FDDI or Token Ring,
<I>tcpdump</I> checks only the protocol ID field of an LLC header in
so-called SNAP format with an Organizational Unit Identifier (OUI) of
0x000000, for encapsulated Ethernet; it doesn't check whether the packet
is in SNAP format with an OUI of 0x000000.
<DT><DD>
The exceptions are <I>iso</I>, for which it checks the DSAP (Destination
Service Access Point) and SSAP (Source Service Access Point) fields of
the LLC header, <I>stp</I> and <I>netbeui</I>, where it checks the DSAP of
the LLC header, and <I>atalk</I>, where it checks for a SNAP-format
packet with an OUI of 0x080007 and the Appletalk etype.
<DT><DD>
In the case of Ethernet, <I>tcpdump</I> checks the Ethernet type field
for most of those protocols; the exceptions are <I>iso</I>, <I>sap</I>,
and <I>netbeui</I>, for which it checks for an 802.3 frame and then
checks the LLC header as it does for FDDI and Token Ring, <I>atalk</I>,
where it checks both for the Appletalk etype in an Ethernet frame and
for a SNAP-format packet as it does for FDDI and Token Ring, <I>aarp</I>,
where it checks for the Appletalk ARP etype in either an Ethernet frame
or an 802.2 SNAP frame with an OUI of 0x000000, and <I>ipx</I>, where it
checks for the IPX etype in an Ethernet frame, the IPX DSAP in the LLC
header, the 802.3 with no LLC header encapsulation of IPX, and the IPX
etype in a SNAP frame.]
<DT><B>decnet src </B><I>host</I><DD>
True if the DECNET source address is
<I>host</I>,

which may be an address of the form ``10.123'', or a DECNET host
name.
[DECNET host name support is only available on Ultrix systems
that are configured to run DECNET.]
<DT><B>decnet dst </B><I>host</I><DD>
True if the DECNET destination address is
<I>host</I>.

<DT><B>decnet host </B><I>host</I><DD>
True if either the DECNET source or destination address is
<I>host</I>.

<DT><B>ip</B>, <B>ip6</B>, <B>arp</B>, <B>rarp</B>, <B>atalk</B>, <B>aarp</B>, <B>decnet</B>, <B>iso</B>, <B>stp</B>, <B>ipx</B>, <I>netbeui</I><DD>
Abbreviations for:
<dl COMPACT>
  <dd>

<PRE><B>ether proto </B><I>p</I></PRE>


  </dd>
</dl>


where <I>p</I> is one of the above protocols.
<DT><B>lat</B>, <B>moprc</B>, <B>mopdl</B><DD>
Abbreviations for:
<dl COMPACT>
  <dd>

<PRE><B>ether proto </B><I>p</I></PRE>


  </dd>
</dl>


where <I>p</I> is one of the above protocols.
Note that
<I>tcpdump</I> does not currently know how to parse these protocols.
<DT><B>vlan </B><I>[vlan_id]</I><DD>
True if the packet is an IEEE 802.1Q VLAN packet.
If <I>[vlan_id]</I> is specified, only true is the packet has the specified
<I>vlan_id</I>.
Note that the first <B>vlan</B> keyword encountered in <I>expression</I>
changes the decoding offsets for the remainder of <I>expression</I>
on the assumption that the packet is a VLAN packet.
<DT><B>tcp</B>, <B>udp</B>, <B>icmp</B><DD>
Abbreviations for:
<dl COMPACT>
  <dd>

<PRE><B>ip proto </B><I>p</I><B> or ip6 proto </B><I>p</I></PRE>


  </dd>
</dl>


where <I>p</I> is one of the above protocols.
<DT><B>iso proto </B><I>protocol</I><DD>
True if the packet is an OSI packet of protocol type <I>protocol</I>.
<I>Protocol</I> can be a number or one of the names
<I>clnp</I>, <I>esis</I>, or <I>isis</I>.
<DT><B>clnp</B>, <B>esis</B>, <B>isis</B><DD>
Abbreviations for:
<dl COMPACT>
  <dd>

<PRE><B>iso proto </B><I>p</I></PRE>


  </dd>
</dl>


where <I>p</I> is one of the above protocols.
Note that <I>tcpdump</I> does an incomplete job of parsing these protocols.
<DT><I>expr relop expr</I><DD>
True if the relation holds, where <I>relop</I> is one of &gt;, &lt;, &gt;=, &lt;=, =, !=,
and <I>expr</I> is an arithmetic expression composed of integer constants
(expressed in standard C syntax), the normal binary operators
[+, -, *, /, &amp;, |], a length operator, and special packet data accessors.
To access
data inside the packet, use the following syntax:

<PRE>
<I>proto</I><B> [ </B><I>expr</I><B> : </B><I>size</I><B> ]</B>
</PRE>


<I>Proto</I> is one of <B>ether, fddi, tr,
ip, arp, rarp, tcp, udp, icmp</B> or <B>ip6</B>, and
indicates the protocol layer for the index operation.
Note that <I>tcp, udp</I> and other upper-layer protocol types only
apply to IPv4, not IPv6 (this will be fixed in the future).
The byte offset, relative to the indicated protocol layer, is
given by <I>expr</I>.
<I>Size</I> is optional and indicates the number of bytes in the
field of interest; it can be either one, two, or four, and defaults to one.
The length operator, indicated by the keyword <B>len</B>, gives the
length of the packet.
<P>
For example, `<B>ether[0] &amp; 1 != 0</B>' catches all multicast traffic.
The expression `<B>ip[0] &amp; 0xf != 5</B>'
catches all IP packets with options.
The expression
`<B>ip[6:2] &amp; 0x1fff = 0</B>'
catches only unfragmented datagrams and frag zero of fragmented datagrams.
This check is implicitly applied to the <B>tcp</B> and <B>udp</B>
index operations.
For instance, <B>tcp[0]</B> always means the first
byte of the TCP <I>header</I>, and never means the first byte of an
intervening fragment.
<P>
Some offsets and field values may be expressed as names rather than
as numeric values.
The following protocol header field offsets are
available: <B>icmptype</B> (ICMP type field), <B>icmpcode</B> (ICMP
code field), and <B>tcpflags</B> (TCP flags field).
<P>
The following ICMP type field values are available: <B>icmp-echoreply</B>,
<B>icmp-unreach</B>, <B>icmp-sourcequench</B>, <B>icmp-redirect</B>,
<B>icmp-echo</B>, <B>icmp-routeradvert</B>, <B>icmp-routersolicit</B>,
<B>icmp-timxceed</B>, <B>icmp-paramprob</B>, <B>icmp-tstamp</B>,
<B>icmp-tstampreply</B>, <B>icmp-ireq</B>, <B>icmp-ireqreply</B>,
<B>icmp-maskreq</B>, <B>icmp-maskreply</B>.
<P>
The following TCP flags field values are available: <B>tcp-fin</B>,
<B>tcp-syn</B>, <B>tcp-rst</B>, <B>tcp-push</B>, <B>tcp-push</B>,
<B>tcp-ack</B>, <B>tcp-urg</B>.
</DL>
<P>

Primitives may be combined using:
<DL COMPACT>
<DT><DD>
A parenthesized group of primitives and operators
(parentheses are special to the Shell and must be escaped).
<DT><DD>
Negation (`<B>!</B>' or `<B>not</B>').
<DT><DD>
Concatenation (`<B>&amp;&amp;</B>' or `<B>and</B>').
<DT><DD>
Alternation (`<B>||</B>' or `<B>or</B>').
</DL>
<P>

Negation has highest precedence.
Alternation and concatenation have equal precedence and associate
left to right.
Note that explicit <B>and</B> tokens, not juxtaposition,
are now required for concatenation.
<P>

If an identifier is given without a keyword, the most recent keyword
is assumed.
For example,

<blockquote>

<PRE><B>not host vs and ace</B></PRE>


</blockquote>


is short for
<blockquote>

<PRE><B>not host vs and host ace</B></PRE>


</blockquote>


which should not be confused with
<blockquote>

<PRE><B>not ( host vs or ace )</B></PRE>


</blockquote>


<P>

Expression arguments can be passed to <I>tcpdump</I> as either a single
argument or as multiple arguments, whichever is more convenient.
Generally, if the expression contains Shell metacharacters, it is
easier to pass it as a single, quoted argument.
Multiple arguments are concatenated with spaces before being parsed.
<p>

</body>

</html>
 
<hr>
<p align="right"><img border="0" src="winpcap_small.gif" align="absbottom" width="91" height="27">
documentation. Copyright (c) 2002-2005 Politecnico di Torino. Copyright (c) 2005-2007 
CACE Technologies. All rights reserved.</p>