Syntax for filter string expressions - [WinPcap User Guide]

Source: Internet
Author: User
Note: This document is taken from the tcpdump guide. The original version can be found at www.tcpdump.org.
The filters of wpcap are based on a declarative predicate syntax. A filter is an ASCII string containing a filtering expression. pcap_compile() compiles this expression into a kernel-level packet filter.

The expression selects which packets will be dumped. If no expression is given, all packets on the network will be accepted by the kernel filter engine. Otherwise, only packets for which the expression is 'true' will be accepted.

The expression consists of one or more primitives. A primitive usually consists of an ID (a name or a number) preceded by one or more qualifiers. There are three different kinds of qualifier:

type
Specifies what kind of thing the ID name or number refers to. Possible types are host, net and port. For example, 'host foo', 'net 128.3', 'port 20'. If no type qualifier is given, host is assumed.
direction (dir)
Specifies a particular transfer direction to and/or from the ID. Possible directions are src, dst, and src or dst. For example, 'src foo', 'dst net 128.3', 'src or dst port ftp-data'. If no direction qualifier is given, src or dst is assumed. For 'null' link layers (that is, point-to-point protocols such as SLIP), the inbound and outbound qualifiers can be used to specify a desired direction.
protocol
Restricts the match to a particular protocol. Possible protocols are ether, fddi, tr, ip, ip6, arp, rarp, decnet, tcp and udp. For example, 'ether src foo', 'arp net 123456', 'tcp port 21'. If no protocol qualifier is given, all protocols consistent with the type are assumed. For example, 'src foo' means '(ip or arp or rarp) src foo' (except that the latter is not legal syntax), 'net bar' means '(ip or arp or rarp) net bar', and 'port 53' means '(tcp or udp) port 53'.

['fddi' is actually an alias for 'ether'; the parser treats them identically as meaning "the data link level used on the specified network interface". FDDI headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields. FDDI headers also contain other fields, but you cannot name them explicitly in a filter expression.

Similarly, 'tr' is an alias for 'ether'; what the previous paragraph says about FDDI headers also applies to Token Ring headers.]

In addition to the above, there are some special primitive keywords that do not follow the pattern: gateway, broadcast, less, greater and arithmetic expressions. All of these are described below.

More complex filter expressions are built up by using the words and, or and not to combine primitives. For example, 'host foo and not port ftp-data'. To save typing, identical qualifier lists can be omitted. For example, 'tcp dst port ftp or ftp-data or domain' is exactly the same as 'tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.

The following primitives are available:

dst host host
True if the IPv4/v6 destination field of the packet is host, which may be either an address or a name.
src host host
True if the IPv4/v6 source field of the packet is host.
host host
True if either the IPv4/v6 source or destination field of the packet is host. Any of the above host expressions can be prepended with the keywords ip, arp, rarp or ip6, as in:

ip host host

which is equivalent to:

ether proto \ip and host host

If host is a name with multiple IP addresses, each address will be checked for a match.

ether dst ehost
True if the Ethernet destination address is ehost. ehost may be either a name from /etc/ethers or a number (see ethers(3N) for the numeric format).
ether src ehost
True if the Ethernet source address is ehost.
ether host ehost
True if either the Ethernet source or destination address is ehost.
gateway host
True if the packet used host as a gateway. That is, the Ethernet source or destination address was host, but neither the IP source nor the IP destination was host. host must be a name and must be found both by the machine's host-name-to-IP-address resolution mechanism (host name file, DNS, NIS, etc.) and by the machine's host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.). An equivalent expression is:

ether host ehost and not host host

which can be used with either names or numbers for host / ehost. This syntax does not work in IPv6.

dst net net
True if the IPv4/v6 destination address of the packet has a network number of net. net may be either a name from /etc/networks or a network number (see networks(4) for details).
src net net
True if the IPv4/v6 source address of the packet has a network number of net.
net net
True if either the IPv4/v6 source or destination address of the packet has a network number of net.
net net mask netmask
True if the IP address matches net with the specific netmask. May be qualified with src or dst. Note that this syntax is not valid for IPv6.
net net/len
True if the IP address matches net with a netmask of len consecutive 1 bits. May be qualified with src or dst.
dst port port
True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value of port. port can be a number or a name used in /etc/services (see tcp(4P) and udp(4P)). If a name is used, both the port number and the protocol are checked. If a number or an ambiguous name is used, only the port number is checked. (For example, dst port 513 will print both tcp/login traffic and udp/who traffic, and port domain will print both tcp/domain and udp/domain traffic.)
src port port
True if the packet has a source port value of port.
port port
True if either the source or destination port of the packet is port. Any of the above port expressions can be prepended with the keywords tcp or udp, as in:

tcp src port port

which matches only TCP packets whose source port is port.

less length
True if the packet has a length less than or equal to length. This is equivalent to:

len <= length.
greater length
True if the packet has a length greater than or equal to length. This is equivalent to:

len >= length.
ip proto protocol
True if the packet is an IP packet of protocol type protocol. protocol can be a number or one of the names icmp, icmp6, igmp, igrp, pim, ah, esp, vrrp, udp or tcp. Note that the identifiers tcp, udp and icmp are also keywords and must be escaped with a backslash (\), which is \\ in the C shell. Note that this primitive does not chase the protocol header chain.
ip6 proto protocol
True if the packet is an IPv6 packet of protocol type protocol. Note that this primitive does not chase the protocol header chain.
ip6 protochain protocol
True if the packet is an IPv6 packet and contains a protocol header with type protocol in its protocol header chain. For example:

ip6 protochain 6

matches any IPv6 packet with a TCP protocol header in the protocol header chain. The packet may contain, for example, an authentication header, a routing header or a hop-by-hop option header between the IPv6 header and the TCP header. The BPF (BSD Packet Filter) code generated by this primitive is complex and cannot be optimized by the BPF optimizer, so it can be somewhat slow.

ip protochain protocol
Equivalent to ip6 protochain protocol, but this is for IPv4.
ether broadcast
True if the packet is an Ethernet broadcast packet. The keyword ether is optional.
ip broadcast
True if the packet is an IP broadcast packet. It checks for both the all-zeroes and the all-ones broadcast conventions, and looks up the subnet mask of the capturing interface.
ether multicast
True if the packet is an Ethernet multicast packet. The keyword ether is optional. This is shorthand for 'ether[0] & 1 != 0'.
ip multicast
True if the packet is an IP multicast packet.
ip6 multicast
True if the packet is an IPv6 multicast packet.
ether proto protocol
True if the packet is of ether type protocol. protocol can be a number or one of the names ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx or netbeui. Note that these identifiers are also keywords and must be escaped with a backslash.
[In the case of FDDI (for example 'fddi protocol arp') and Token Ring (for example 'tr protocol arp'), for most of those protocols the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI or Token Ring header.
When filtering for most protocol identifiers on FDDI or Token Ring, tcpdump checks only the protocol ID field of an LLC header in so-called SNAP format with an Organizational Unit Identifier (OUI) of 0x000000, for encapsulated Ethernet; it does not check whether the packet is in SNAP format with an OUI of 0x000000.
The exceptions are: for iso, tcpdump checks the DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) fields of the LLC header; for stp and netbeui, tcpdump checks the DSAP of the LLC header; for atalk, tcpdump checks for a SNAP-format packet with an OUI of 0x080007 and the AppleTalk etype.
In the case of Ethernet, tcpdump checks the Ethernet type field for most of those protocols. The exceptions are: for iso, stp and netbeui, tcpdump checks for an 802.3 frame and then checks the LLC header as it does for FDDI and Token Ring; for atalk, tcpdump checks both for the AppleTalk etype in an Ethernet frame and for a SNAP-format packet as it does for FDDI and Token Ring; for aarp, tcpdump checks for the AppleTalk ARP etype in either an Ethernet frame or an 802.2 SNAP frame with an OUI of 0x000000; for ipx, tcpdump checks for the IPX etype in an Ethernet frame, the IPX DSAP in the LLC header, the 802.3-with-no-LLC-header encapsulation of IPX, and the IPX etype in a SNAP frame.]
decnet src host
True if the DECNET source address is host, which may be an address of the form '10.123' or a DECNET host name. [DECNET host name support is only available on Ultrix systems that are configured to run DECNET.]
decnet dst host
True if the DECNET destination address is host.
decnet host host
True if either the DECNET source or destination address is host.
ip, ip6, arp, rarp, atalk, aarp, decnet, iso, stp, ipx, netbeui
Abbreviations for:

ether proto p

where p is one of the above protocols.

lat, moprc, mopdl
Abbreviations for:

ether proto p

where p is one of the above protocols. Note that tcpdump does not currently know how to parse these protocols.

vlan [vlan_id]
True if the packet is an IEEE 802.1Q VLAN packet. If [vlan_id] is specified, only true if the packet has the specified vlan_id. Note that the first vlan keyword encountered in the expression changes the decoding offsets for the remainder of the expression, on the assumption that the packet is a VLAN packet.
tcp, udp, icmp
Abbreviations for:

ip proto p or ip6 proto p

where p is one of the above protocols.

iso proto protocol
True if the packet is an OSI packet of protocol type protocol. protocol can be a number or one of the names clnp, esis or isis.
clnp, esis, isis
Abbreviations for:

iso proto p

where p is one of the above protocols. Note that tcpdump does an incomplete job of parsing these protocols.

expr relop expr
True if the relation holds, where relop is one of >, <, >=, <=, = or !=, and expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &, |], a length operator, and special packet data accessors. To access data inside the packet, use the following syntax:

proto[expr:size]

proto is one of ether, fddi, tr, ip, arp, rarp, tcp, udp, icmp or ip6, and indicates the protocol layer for the index operation. Note that tcp, udp and other upper-layer protocol types only apply to IPv4, not IPv6 (this may be fixed in the future). The byte offset, relative to the indicated protocol layer, is given by expr. size is optional and indicates the number of bytes in the field of interest; it can be 1, 2 or 4, and defaults to 1. The length operator, indicated by the keyword len, gives the length of the packet.

For example, 'ether[0] & 1 != 0' catches all multicast traffic. The expression 'ip[0] & 0xf != 5' catches all IP packets with options. The expression 'ip[6:2] & 0x1fff = 0' catches only unfragmented datagrams and fragment zero of fragmented datagrams. This check is implicitly applied to the tcp and udp index operations. For instance, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment.

Some offsets and field values may be expressed as names rather than as numeric values. The following protocol header field offsets are available: icmptype (ICMP type field), icmpcode (ICMP code field) and tcpflags (TCP flags field).

The following ICMP type field values are available: icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo, icmp-routeradvert, icmp-routersolicit, icmp-timxceed, icmp-paramprob, icmp-tstamp, icmp-tstampreply, icmp-ireq, icmp-ireqreply, icmp-maskreq, icmp-maskreply.

The following TCP flags field values are available: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.
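The packet data accessors above, worked through on a constructed Ethernet/IPv4/TCP frame. This is an added Python example, not code from the tcpdump or WinPcap projects: it re-implements the proto[expr:size] lookup (including the implicit fragment check on tcp[...]) in plain Python, and the frame bytes, build_frame() and the predicate names are constructed here for illustration. It assumes an untagged Ethernet frame, so the ip layer starts at byte 14.

```python
import struct

# Named offsets and TCP flag values from the page; an untagged Ethernet frame is assumed.
NAMED_OFFSET = {"icmptype": 0, "icmpcode": 1, "tcpflags": 13}
TCP_FLAG = {"tcp-fin": 0x01, "tcp-syn": 0x02, "tcp-rst": 0x04,
            "tcp-push": 0x08, "tcp-ack": 0x10, "tcp-urg": 0x20}

def layer_offset(frame, proto):
    if proto == "ether":
        return 0
    if proto == "ip":
        return 14
    if proto in ("tcp", "udp"):
        # 'ip[6:2] & 0x1fff = 0' is implied: only fragment zero carries the
        # transport header, so tcp[...] never matches a later fragment.
        if int.from_bytes(frame[20:22], "big") & 0x1FFF != 0:
            return None
        return 14 + (frame[14] & 0x0F) * 4   # skip IHL*4 bytes of IPv4 header
    raise ValueError("unsupported layer: " + proto)

def access(frame, proto, offset, size=1):
    """Evaluate proto[offset:size] (big-endian); None if it cannot apply."""
    base = layer_offset(frame, proto)
    if base is None:
        return None
    if isinstance(offset, str):
        offset = NAMED_OFFSET[offset]       # e.g. tcp[tcpflags]
    chunk = frame[base + offset:base + offset + size]
    return int.from_bytes(chunk, "big") if len(chunk) == size else None

def ether_multicast(frame):        # 'ether[0] & 1 != 0'
    return access(frame, "ether", 0) & 1 != 0
def ip_has_options(frame):         # 'ip[0] & 0xf != 5'
    return access(frame, "ip", 0) & 0xF != 5
def first_or_unfragmented(frame):  # 'ip[6:2] & 0x1fff = 0'
    return access(frame, "ip", 6, 2) & 0x1FFF == 0
def tcp_syn_without_ack(frame):    # 'tcp[tcpflags] & (tcp-syn|tcp-ack) = tcp-syn'
    flags = access(frame, "tcp", "tcpflags")
    mask = TCP_FLAG["tcp-syn"] | TCP_FLAG["tcp-ack"]
    return flags is not None and flags & mask == TCP_FLAG["tcp-syn"]

def build_frame(ip_options=b"", frag_field=0x4000, tcp_flags=0x02):
    """Constructed Ethernet/IPv4/TCP frame for the example, not a real capture."""
    ihl = 5 + len(ip_options) // 4
    ether = bytes.fromhex("01005e000001") + bytes.fromhex("0a0b0c0d0e0f") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 40 + len(ip_options), 0x1234,
                     frag_field, 64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, tcp_flags, 8192, 0, 0)
    return ether + ip + ip_options + tcp
```

A frame with a non-zero fragment offset makes every tcp[...] accessor return None, which is why the predicate treats it as not matching rather than reading payload bytes as a header.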

Primitives may be combined using:

A parenthesized group of primitives and operators (parentheses are special to the shell and must be escaped).
Negation ('!' or 'not').
Concatenation ('&&' or 'and').
Alternation ('||' or 'or').

Negation has the highest precedence. Alternation and concatenation have equal precedence and associate left to right. Note that explicit and operators are required for concatenation; simply writing the primitives next to each other is not enough.

If an identifier is given without a keyword, the most recent keyword is assumed. For example:

not host vs and ace

is short for

not host vs and host ace

which should not be confused with

not (host vs or ace)
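A small model of the "most recent keyword" rule from this paragraph and from the 'tcp dst port ftp or ftp-data or domain' example earlier, as an added Python example (not libpcap's parser): expand() rewrites an expression so that every bare ID repeats the qualifier list last seen, which makes the difference between 'not host vs and ace' and 'not (host vs or ace)' visible. QUALIFIERS, TAKES_OWN_ID and the tokenizer are simplifications assumed for the example; 'net ... mask ...' and other multi-part primitives are not handled.

```python
# Qualifier words that may precede an ID, the operators, and the primitives
# that carry their own ID and never inherit qualifiers (simplified for the example).
QUALIFIERS = {"src", "dst", "host", "net", "port", "proto", "ether", "fddi", "tr",
              "ip", "ip6", "arp", "rarp", "decnet", "tcp", "udp", "icmp"}
OPERATORS = {"and", "or", "not", "&&", "||", "!", "(", ")"}
TAKES_OWN_ID = {"less", "greater", "gateway"}

def tokenize(expr):
    # Parentheses are separate tokens even when written without spaces.
    return expr.replace("(", " ( ").replace(")", " ) ").split()

def expand(expr):
    """Rewrite expr so each bare ID repeats the most recently used qualifier list."""
    out, last_quals, pending, solo = [], [], [], False
    for tok in tokenize(expr):
        if solo:                           # the ID belonging to less/greater/gateway
            out.append(tok)
            solo = False
        elif tok in TAKES_OWN_ID:
            out.append(tok)
            solo = True
        elif tok in OPERATORS:
            # 'src or dst' / 'src and dst' is one direction qualifier, not two primitives
            if tok in ("or", "and") and pending and pending[-1] in ("src", "dst"):
                pending.append(tok)
            else:
                out.append(tok)
        elif tok in QUALIFIERS:
            pending.append(tok)            # a qualifier list is being built
        else:                              # an ID: a name, a number or an escaped keyword
            if not pending:
                pending = list(last_quals)  # bare ID: inherit the previous qualifiers
            out.extend(pending + [tok])
            last_quals, pending = pending, []
    return " ".join(out)
```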

Expression arguments can be passed to tcpdump as either a single argument or as multiple arguments, whichever is more convenient. Generally, if the expression contains shell metacharacters, it is easier to pass it as a single, quoted argument. Multiple arguments are concatenated with spaces before being parsed.
