📄 tcpdump.man
TCPDUMP(1)                     30 June 1997                     TCPDUMP(1)

                     True if either the IP source or destination of the
                     packet is host. Any of the above host expressions
                     can be prepended with the keywords, ip, arp, or
                     rarp as in:
                          ip host host
                     which is equivalent to:
                          ether proto \ip and host host
                     If host is a name with multiple IP addresses, each
                     address will be checked for a match.

              ether dst ehost
                     True if the ethernet destination address is ehost.
                     Ehost may be either a name from /etc/ethers or a
                     number (see ethers(3N) for numeric format).

              ether src ehost
                     True if the ethernet source address is ehost.

              ether host ehost
                     True if either the ethernet source or destination
                     address is ehost.

              gateway host
                     True if the packet used host as a gateway. I.e.,
                     the ethernet source or destination address was
                     host but neither the IP source nor the IP
                     destination was host. Host must be a name and must
                     be found in both /etc/hosts and /etc/ethers. (An
                     equivalent expression is
                          ether host ehost and not host host
                     which can be used with either names or numbers for
                     host / ehost.)

              dst net net
                     True if the IP destination address of the packet
                     has a network number of net. Net may be either a
                     name from /etc/networks or a network number (see
                     networks(4) for details).

              src net net
                     True if the IP source address of the packet has a
                     network number of net.

              net net
                     True if either the IP source or destination
                     address of the packet has a network number of net.

              net net mask mask
                     True if the IP address matches net with the
                     specific netmask. May be qualified with src or
                     dst.

              net net/len
                     True if the IP address matches net with a netmask
                     len bits wide. May be qualified with src or dst.

              dst port port
                     True if the packet is ip/tcp or ip/udp and has a
                     destination port value of port. The port can be a
                     number or a name used in /etc/services (see
                     tcp(4P) and udp(4P)). If a name is used, both the
                     port number and protocol are checked. If a number
                     or ambiguous name is used, only the port number is
                     checked (e.g., dst port 513 will print both
                     tcp/login traffic and udp/who traffic, and port
                     domain will print both tcp/domain and udp/domain
                     traffic).

              src port port
                     True if the packet has a source port value of
                     port.

              port port
                     True if either the source or destination port of
                     the packet is port. Any of the above port
                     expressions can be prepended with the keywords,
                     tcp or udp, as in:
                          tcp src port port
                     which matches only tcp packets whose source port
                     is port.

              less length
                     True if the packet has a length less than or equal
                     to length. This is equivalent to:
                          len <= length.

              greater length
                     True if the packet has a length greater than or
                     equal to length. This is equivalent to:
                          len >= length.

              ip proto protocol
                     True if the packet is an ip packet (see ip(4P)) of
                     protocol type protocol. Protocol can be a number
                     or one of the names icmp, igrp, udp, nd, or tcp.
                     Note that the identifiers tcp, udp, and icmp are
                     also keywords and must be escaped via backslash
                     (\), which is \\ in the C-shell.

              ether broadcast
                     True if the packet is an ethernet broadcast
                     packet. The ether keyword is optional.

              ip broadcast
                     True if the packet is an IP broadcast packet. It
                     checks for both the all-zeroes and all-ones
                     broadcast conventions, and looks up the local
                     subnet mask.

              ether multicast
                     True if the packet is an ethernet multicast
                     packet. The ether keyword is optional.
                     This is shorthand for `ether[0] & 1 != 0'.

              ip multicast
                     True if the packet is an IP multicast packet.

              ether proto protocol
                     True if the packet is of ether type protocol.
                     Protocol can be a number or a name like ip, arp,
                     or rarp. Note these identifiers are also keywords
                     and must be escaped via backslash (\). [In the
                     case of FDDI (e.g., `fddi protocol arp'), the
                     protocol identification comes from the 802.2
                     Logical Link Control (LLC) header, which is
                     usually layered on top of the FDDI header. Tcpdump
                     assumes, when filtering on the protocol
                     identifier, that all FDDI packets include an LLC
                     header, and that the LLC header is in so-called
                     SNAP format.]

              decnet src host
                     True if the DECNET source address is host, which
                     may be an address of the form ``10.123'', or a
                     DECNET host name. [DECNET host name support is
                     only available on Ultrix systems that are
                     configured to run DECNET.]

              decnet dst host
                     True if the DECNET destination address is host.

              decnet host host
                     True if either the DECNET source or destination
                     address is host.

              ip, arp, rarp, decnet
                     Abbreviations for:
                          ether proto p
                     where p is one of the above protocols.

              lat, moprc, mopdl
                     Abbreviations for:
                          ether proto p
                     where p is one of the above protocols. Note that
                     tcpdump does not currently know how to parse these
                     protocols.

              tcp, udp, icmp
                     Abbreviations for:
                          ip proto p
                     where p is one of the above protocols.

              expr relop expr
                     True if the relation holds, where relop is one of
                     >, <, >=, <=, =, !=, and expr is an arithmetic
                     expression composed of integer constants
                     (expressed in standard C syntax), the normal
                     binary operators [+, -, *, /, &, |], a length
                     operator, and special packet data accessors.
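
Added example, not part of the tcpdump manual or its source: Python code that evaluates a relation of the form `proto[off:size] & mask relop value` against raw frame bytes, including the variable-length IP header and the fragment-zero condition that tcp and udp accessors depend on. The names load, matches and make_frame and the three sample frames are constructed for illustration; only Ethernet II carrying IPv4 is modelled, and a field that cannot be read makes the relation false.

```python
import struct

ETH_HLEN = 14  # Ethernet II only; VLAN tags and FDDI are out of scope here

def load(frame, proto, off, size=1):
    """Return proto[off:size] as an unsigned big-endian int, or None if absent."""
    if size not in (1, 2, 4):
        raise ValueError("size must be one, two, or four")
    base = 0
    if proto in ("ip", "tcp", "udp"):
        if frame[12:14] != b"\x08\x00" or len(frame) < ETH_HLEN + 20:
            return None                      # not an IPv4 frame
        base = ETH_HLEN
        if proto != "ip":
            if frame[base + 9] != {"tcp": 6, "udp": 17}[proto]:
                return None
            # Implicit check: only fragment zero carries the transport header.
            if int.from_bytes(frame[base + 6:base + 8], "big") & 0x1fff:
                return None
            base += 4 * (frame[base] & 0xf)  # skip IP header, options included
    elif proto != "ether":
        raise ValueError("unsupported proto: " + proto)
    field = frame[base + off:base + off + size]
    return int.from_bytes(field, "big") if len(field) == size else None

def matches(frame, proto, off, size, mask, relop, value):
    """Evaluate `proto[off:size] & mask relop value` for relop '=' or '!='."""
    field = load(frame, proto, off, size)
    if field is None:
        return False
    return ((field & mask) == value) == (relop == "=")

def make_frame(dst_mac, ihl=5, frag=0, sport=513):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 4 * ihl + 20, 1, frag,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    ip += bytes(4 * (ihl - 5))               # zero-filled option bytes
    tcp = struct.pack("!HHIIBBHHH", sport, 80, 0, 0, 0x50, 0x02, 1024, 0, 0)
    return dst_mac + bytes.fromhex("020000000001") + b"\x08\x00" + ip + tcp

UNICAST = make_frame(bytes.fromhex("020000000002"))             # plain unicast
MCAST_OPTS = make_frame(bytes.fromhex("01005e000001"), ihl=6)   # multicast, IP options
LATER_FRAG = make_frame(bytes.fromhex("020000000002"), frag=185)  # fragment offset 185

if __name__ == "__main__":
    for f in (UNICAST, MCAST_OPTS, LATER_FRAG):
        print(matches(f, "ether", 0, 1, 1, "!=", 0), matches(f, "ip", 0, 1, 0xf, "!=", 5),
              matches(f, "ip", 6, 2, 0x1fff, "=", 0), load(f, "tcp", 0, 2))
```
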

                     To access data inside the packet, use the
                     following syntax:
                          proto [ expr : size ]
                     Proto is one of ether, fddi, ip, arp, rarp, tcp,
                     udp, or icmp, and indicates the protocol layer for
                     the index operation. The byte offset, relative to
                     the indicated protocol layer, is given by expr.
                     Size is optional and indicates the number of bytes
                     in the field of interest; it can be either one,
                     two, or four, and defaults to one. The length
                     operator, indicated by the keyword len, gives the
                     length of the packet.

                     For example, `ether[0] & 1 != 0' catches all
                     multicast traffic. The expression `ip[0] & 0xf !=
                     5' catches all IP packets with options. The
                     expression `ip[6:2] & 0x1fff = 0' catches only
                     unfragmented datagrams and frag zero of fragmented
                     datagrams. This check is implicitly applied to the
                     tcp and udp index operations. For instance, tcp[0]