PCAP filter

PCAP-FILTER

NAME

pcap-filter - packet filter syntax

DESCRIPTION

pcap_compile() compiles a string into a filter program. The resulting filter program can then be applied to a stream of packets to determine which packets will be supplied to pcap_loop(), pcap_dispatch(), pcap_next(), or pcap_next_ex().

The filter expression consists of one or more primitives. A primitive usually consists of an id (name or number) preceded by one or more qualifiers. There are three different kinds of qualifier:

type

  type qualifiers say what kind of thing the id name or number refers to. Possible types are host, net, port and portrange. If there is no type qualifier, host is assumed. E.g., host foo, net 128.3, port 20, portrange 6000-6008.

dir

  dir qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst, src and dst, ra, ta, addr1, addr2, addr3 and addr4. If there is no dir qualifier, src or dst is assumed. The ra, ta, addr1, addr2, addr3 and addr4 qualifiers are only valid for IEEE 802.11 Wireless LAN link layers. E.g., src foo, dst net 128.3, src or dst port ftp-data.

proto

  proto qualifiers restrict the match to a particular protocol. Possible protocols are ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp. If there is no proto qualifier, all protocols consistent with the type are assumed: src foo means (ip or arp or rarp) src foo and port 53 means (tcp or udp) port 53 (the expanded forms are not themselves legal syntax). E.g., ether src foo, arp net 128.3, tcp port 21, udp portrange 7000-7009, wlan addr2 0:2:3:4:5:6.

'fddi' is actually an alias for 'ether'; the parser treats them identically as meaning "the data link level used on the specified network interface". FDDI headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields. FDDI headers also contain other fields, but you cannot name them explicitly in a filter expression.

Similarly, 'tr' and 'wlan' are aliases for 'ether'; what the previous paragraph says about FDDI headers also applies to Token Ring and 802.11 wireless LAN headers.

In addition to the above, there are some special 'primitive' keywords that do not follow the pattern: gateway, broadcast, less, greater and arithmetic expressions. All of these are described below.

More complex filter expressions are built up by using the words and, or and not to combine primitives. E.g., host foo and not port ftp and not port ftp-data. To save typing, identical qualifier lists can be omitted. E.g., tcp dst port ftp or ftp-data or domain is exactly the same as tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain.

Allowable primitives are:

dst host host

  True if the IPv4/v6 destination field of the packet is host, which may be either an address or a name.

src host host

  True if the IPv4/v6 source field of the packet is host.

host host

  True if either the IPv4/v6 source or destination of the packet is host. Any of the above host expressions can be prepended with the keywords ip, arp, rarp, or ip6, as in:

  ip host host

  which is equivalent to:

  ether proto \ip and host host

  If host is a name with multiple IP addresses, each address will be checked for a match.

ether dst ehost

  True if the Ethernet destination address is ehost. Ehost may be either a name from /etc/ethers or a numerical MAC address (see ethers(3N) for the numeric format).

ether src ehost

  True if the Ethernet source address is ehost.

ether host ehost

  True if either the Ethernet source or destination address is ehost.

gateway host

  True if the packet used host as a gateway, i.e., the Ethernet source or destination address was host but neither the IP source nor the IP destination was host. Host must be a name and must be found both by the machine's host-name-to-IP-address resolution mechanisms (host name file, DNS, NIS, etc.) and by its host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.). An equivalent expression is

  ether host ehost and not host host

  which can be used with either names or numbers for host / ehost. This syntax does not work in IPv6-enabled configurations at this moment.

dst net net

  True if the IPv4/v6 destination address of the packet has a network number of net. Net may be either a name from the networks database (/etc/networks, etc.) or a network number. An IPv4 network number can be written as a dotted quad (e.g., 192.168.1.0), dotted triple (e.g., 192.168.1), dotted pair (e.g., 172.16), or single number (e.g., 10); the netmask is 255.255.255.255 for a dotted quad, 255.255.255.0 for a dotted triple, 255.255.0.0 for a dotted pair, or 255.0.0.0 for a single number. An IPv6 network number must be written out fully; the netmask is ff:ff:ff:ff:ff:ff:ff:ff, so a bare IPv6 "network" match is really a host match, and a genuine IPv6 network match needs a netmask length (the net/len form below).

src net net

  True if the IPv4/v6 source address of the packet has a network number of net.

net net

  True if either the IPv4/v6 source or destination address of the packet has a network number of net.

net net mask netmask

  True if the IPv4 address matches net with the specific netmask. May be qualified with src or dst. Note that this syntax is not valid for IPv6 net.

net net/len

  True if the IPv4/v6 address matches net with a netmask len bits wide. May be qualified with src or dst.
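The following Python snippet is an added worked example, not part of the pcap-filter manual or of libpcap. It models how the net spellings above turn into a network and mask (dotted quad/triple/pair/single number, net mask netmask, net/len), including the IPv6 caveat that a bare net is a host match and that the mask form is IPv4-only. libpcap refuses at compile time a net whose host bits are set (a "non-network bits set" error); the model mirrors that by building the network strictly, so such specs raise ValueError.

```python
import ipaddress


def pcap_net(net, mask=None, length=None):
    """Model the three 'net' spellings from the manual as an ipaddress network.

    net     the id after 'net': IPv4 dotted quad/triple/pair/single number, or a full IPv6 address
    mask    the netmask of 'net net mask netmask' (IPv4 only)
    length  the prefix length of 'net net/len'
    """
    if mask is not None and length is not None:
        raise ValueError("use either 'mask netmask' or '/len', not both")
    if ":" in net:
        if mask is not None:
            raise ValueError("'net net mask netmask' is not valid for IPv6")
        # A bare IPv6 net gets the all-ones mask, i.e. it is a host match; /len gives a real network.
        prefix = 128 if length is None else length
        return ipaddress.IPv6Network((net, prefix))          # strict: host bits must be zero
    parts = net.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 network number: {net!r}")
    padded = ".".join(parts + ["0"] * (4 - len(parts)))    # 128.3 -> 128.3.0.0
    if mask is not None:
        return ipaddress.IPv4Network((padded, mask))         # strict: host bits must be zero
    # Implied netmask: /8 per written octet, so 10 -> /8, 172.16 -> /16, 192.168.1 -> /24, a quad -> /32.
    prefix = 8 * len(parts) if length is None else length
    return ipaddress.IPv4Network((padded, prefix))


def net_matches(address, net, mask=None, length=None):
    """True if address falls inside the network the 'net' primitive describes.

    A bad spec (host bits set, mask on IPv6) raises ValueError, as libpcap does at compile time.
    An address of the other IP version is simply not a match.
    """
    return ipaddress.ip_address(address) in pcap_net(net, mask, length)
```

The point to take away is the last two calls in the test: 2001:db8::1 is not inside net 2001:db8::, because without /len the IPv6 mask is all ones; only net 2001:db8::/32 matches the whole prefix.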

dst port port

  True if the packet is IPv4 TCP, IPv4 UDP, IPv6 TCP or IPv6 UDP and has a destination port value of port. The port can be a number or a name used in /etc/services. If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked (e.g., dst port 513 will match both tcp/login traffic and udp/who traffic, and port domain will match both tcp/domain and udp/domain traffic).

src port port

  True if the packet has a source port value of port.

port port

  True if either the source or destination port of the packet is port.

dst portrange port1-port2

  True if the packet is IPv4 TCP, IPv4 UDP, IPv6 TCP or IPv6 UDP and has a destination port value between port1 and port2, inclusive. port1 and port2 are interpreted in the same fashion as the port parameter for port.

src portrange port1-port2

  True if the packet has a source port value between port1 and port2, inclusive.

portrange port1-port2

  True if either the source or destination port of the packet is between port1 and port2, inclusive.

  Any of the above port or port range expressions can be prepended with the keywords tcp or udp, as in:

  tcp src port port

  which matches only TCP packets whose source port is port.

less length

  True if the packet has a length less than or equal to length. This is equivalent to:

  len <= length

greater length

  True if the packet has a length greater than or equal to length. This is equivalent to:

  len >= length

ip proto protocol

  True if the packet is an IPv4 packet of protocol type protocol. Protocol can be a number or one of the names icmp, icmp6, igmp, igrp, pim, ah, esp, vrrp, udp, or tcp. Note that the identifiers tcp, udp, and icmp are also keywords and must be escaped via backslash (\), e.g. ip proto \tcp; in the C shell this is \\. Note that this primitive does not chase the protocol header chain.

ip6 proto protocol

  True if the packet is an IPv6 packet of protocol type protocol. Note that this primitive does not chase the protocol header chain.

proto protocol

  True if the packet is an IPv4 or IPv6 packet of protocol type protocol. Note that this primitive does not chase the protocol header chain.

tcp, udp, icmp

  Abbreviations for:

  proto \p

  where p is one of the above protocols.

ip6 protochain protocol

  True if the packet is an IPv6 packet and contains a protocol header with type protocol in its protocol header chain. For example,

  ip6 protochain 6

  matches any IPv6 packet with a TCP protocol header (protocol number 6) in the protocol header chain. The packet may contain, for example, an authentication header, routing header, or hop-by-hop option header between the IPv6 header and the TCP header. The BPF code emitted by this primitive is complex, cannot be optimized by the BPF optimizer, and is not supported by in-kernel filter engines, so this can be somewhat slow and may cause more packets to be dropped.

ip protochain protocol

  Equivalent to ip6 protochain protocol, but for IPv4.

protochain protocol

  True if the packet is an IPv4 or IPv6 packet of protocol type protocol. Unlike proto, this primitive does chase the protocol header chain.
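An added Python example (not from the manual and not libpcap code) that makes the difference between proto and protochain concrete. It constructs IPv6 packets with hop-by-hop, fragment and destination-options headers between the IPv6 header and TCP, then evaluates both primitives over them. The addresses 2001:db8::1 and 2001:db8::2 and all header contents are constructed sample data; the walk covers the hop-by-hop, routing, destination-options, fragment and AH headers and stops at ESP, which is one reasonable model of the semantics rather than libpcap's exact generated BPF.

```python
import struct

# IPv6 next-header values used below (IANA protocol numbers).
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 6, 17, 43, 44, 50, 51, 60
# Extension headers laid out as "next header, length in 8-octet units not counting the first 8".
SKIPPABLE = {HOPOPT, ROUTING, DSTOPTS}

SRC = bytes.fromhex("20010db8000000000000000000000001")   # constructed 2001:db8::1
DST = bytes.fromhex("20010db8000000000000000000000002")   # constructed 2001:db8::2


def build_ipv6(extensions=()):
    """Constructed IPv6/TCP packet with the given extension headers in between (sample data)."""
    chain = list(extensions) + [TCP]
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    body = b""
    for i, ext in enumerate(extensions):
        nxt = chain[i + 1]
        if ext == FRAGMENT:
            body += struct.pack("!BBHI", nxt, 0, 0, 0xABCD)   # offset 0, M=0: a first fragment
        else:
            # hdr ext len 0 (8 bytes total) followed by a PadN(4) option to fill the header
            body += struct.pack("!BB", nxt, 0) + b"\x01\x04" + b"\x00" * 4
    fixed = struct.pack("!IHBB16s16s", 6 << 28, len(body) + len(tcp), chain[0], 64, SRC, DST)
    return fixed + body + tcp


def ip6_proto(pkt, protocol):
    """'ip6 proto protocol': looks only at the Next Header byte of the fixed IPv6 header."""
    return pkt[6] == protocol


def ip6_protochain(pkt, protocol, max_headers=8):
    """'ip6 protochain protocol': follow Next Header through the known extension headers."""
    nxt, off = pkt[6], 40
    for _ in range(max_headers):
        if nxt == protocol:
            return True
        if off + 8 > len(pkt):
            return False
        if nxt in SKIPPABLE:
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nxt == FRAGMENT:
            frag_offset = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_offset != 0:          # only the first fragment carries the upper-layer header
                return False
            nxt, off = pkt[off], off + 8
        elif nxt == AH:
            nxt, off = pkt[off], off + (pkt[off + 1] + 2) * 4   # AH length is in 4-octet units minus 2
        else:
            return False                  # ESP, or an upper-layer header other than protocol: chain ends
    return False
```

With a single hop-by-hop header in front of TCP, ip6 proto 6 is false while ip6 protochain 6 is true; that gap is exactly why the manual warns that proto "does not chase the protocol header chain".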

ether broadcast

  True if the packet is an Ethernet broadcast packet. The ether keyword is optional.

ip broadcast

  True if the packet is an IPv4 broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions, and looks up the subnet mask on the interface on which the capture is being done.

  If the subnet mask of the interface on which the capture is being done is not available, either because the interface on which capture is being done has no netmask or because the capture is being done on the Linux "any" interface, which can capture on more than one interface, this check will not work correctly.

ether multicast

  True if the packet is an Ethernet multicast packet. The ether keyword is optional. This is shorthand for ether[0] & 1 != 0.

ip multicast

  True if the packet is an IPv4 multicast packet.

ip6 multicast

  True if the packet is an IPv6 multicast packet.

ether proto protocol

  True if the packet is of ether type protocol. Protocol can be a number or one of the names ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, or netbeui. Note that these identifiers are also keywords and must be escaped via backslash (\), e.g. ether proto \ip.

  In the case of FDDI (e.g., fddi proto arp), Token Ring (e.g., tr proto arp), and IEEE 802.11 wireless LANs (e.g., wlan proto arp), for most of those protocols, the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI, Token Ring, or 802.11 header.

  When filtering for most protocol identifiers on FDDI, Token Ring, or 802.11, the filter checks only the protocol ID field of an LLC header in so-called SNAP format with an Organizational Unit Identifier (OUI) of 0x000000, for encapsulated Ethernet; it doesn't check whether the packet is in SNAP format with an OUI of 0x000000. The exceptions are:

iso
the filter checks the DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) fields of the LLC header;

stp and netbeui
the filter checks the DSAP of the LLC header;

atalk
the filter checks for a SNAP-format packet with an OUI of 0x080007 and the AppleTalk etype.

In the case of Ethernet, the filter checks the Ethernet type field for most of those protocols. The exceptions are:
iso, stp, and netbeui
the filter checks for an 802.3 frame and then checks the LLC header as it does for FDDI, Token Ring, and 802.11;

atalk
the filter checks both for the AppleTalk etype in an Ethernet frame and for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11;

aarp
the filter checks for the AppleTalk ARP etype in either an Ethernet frame or an 802.2 SNAP frame with an OUI of 0x000000;

ipx
the filter checks for the IPX etype in an Ethernet frame, the IPX DSAP in the LLC header, the 802.3-with-no-LLC-header encapsulation of IPX, and the IPX etype in a SNAP frame.

ip, ip6, arp, rarp, atalk, aarp, decnet, iso, stp, ipx, netbeui

  Abbreviations for:

  ether proto \p

  where p is one of the above protocols.

lat, moprc, mopdl

  Abbreviations for:

  ether proto \p

  where p is one of the above protocols. Note that not all applications using pcap currently know how to parse these protocols.

decnet src host

  True if the DECNET source address is host, which may be an address of the form 10.123, or a DECNET host name. DECNET host name support is only available on ULTRIX systems that are configured to run DECNET.

decnet dst host

  True if the DECNET destination address is host.

decnet host host

  True if either the DECNET source or destination address is host.

llc

  True if the packet has an 802.2 LLC header. This includes:

Ethernet packets with a length field rather than a type field that aren't raw NetWare-over-802.3 packets;
IEEE 802.11 data packets;
Token Ring packets (no check is done for LLC frames);
FDDI packets (no check is done for LLC frames);
LLC-encapsulated ATM packets, for SunATM on Solaris.

llc type

  True if the packet has an 802.2 LLC header and has the specified type. type can be one of:

i
Information (I) PDUs
s
Supervisory (S) PDUs
u
Unnumbered (U) PDUs
rr
Receiver Ready (RR) S PDUs
rnr
Receiver Not Ready (RNR) S PDUs
rej
Reject (REJ) S PDUs
ui
Unnumbered Information (UI) U PDUs
ua
Unnumbered Acknowledgment (UA) U PDUs
disc
Disconnect (DISC) U PDUs
sabme
Set Asynchronous Balanced Mode Extended (SABME) U PDUs
test
Test (TEST) U PDUs
xid
Exchange Identification (XID) U PDUs
frmr
Frame Reject (FRMR) U PDUs

ifname interface

  True if the packet was logged as coming from the specified interface (applies only to packets logged by OpenBSD's or FreeBSD's pf(4)).

on interface

  Synonymous with the ifname modifier.

rnr num

  True if the packet was logged as matching the specified PF rule number (applies only to packets logged by OpenBSD's or FreeBSD's pf(4)).

rulenum num

  Synonymous with the rnr modifier.

reason code

  True if the packet was logged with the specified PF reason code. The known codes are: match, bad-offset, fragment, short, normalize, and memory (applies only to packets logged by OpenBSD's or FreeBSD's pf(4)).

rset name

  True if the packet was logged as matching the specified PF ruleset name of an anchored ruleset (applies only to packets logged by OpenBSD's or FreeBSD's pf(4)).

ruleset name

  Synonymous with the rset modifier.

srnr num

  True if the packet was logged as matching the specified PF rule number of an anchored ruleset (applies only to packets logged by OpenBSD's or FreeBSD's pf(4)).

subrulenum num

  Synonymous with the srnr modifier.

action act

  True if PF took the specified action when the packet was logged. Known actions are: pass and block and, with later versions of pf(4), nat, rdr, binat and scrub (applies only to packets logged by OpenBSD's or FreeBSD's pf(4)).

wlan ra ehost

  True if the IEEE 802.11 RA is ehost. The RA field is used in all frames except for management frames.

wlan ta ehost

  True if the IEEE 802.11 TA is ehost. The TA field is used in all frames except for CTS (Clear To Send) and ACK (Acknowledgment) control frames and for management frames.

wlan addr1 ehost

  True if the first IEEE 802.11 address is ehost.

wlan addr2 ehost

  True if the second IEEE 802.11 address, if present, is ehost. The second address field is used in all frames except for CTS (Clear To Send) and ACK (Acknowledgment) control frames.

wlan addr3 ehost

  True if the third IEEE 802.11 address, if present, is ehost. The third address field is used in management and data frames, but not in control frames.

wlan addr4 ehost

  True if the fourth IEEE 802.11 address, if present, is ehost. The fourth address field is only used for WDS (Wireless Distribution System) frames.

type wlan_type

  True if the IEEE 802.11 frame type matches the specified wlan_type. Valid wlan_types are: mgt, ctl and data.

type wlan_type subtype wlan_subtype

  True if the IEEE 802.11 frame type matches the specified wlan_type and the frame subtype matches the specified wlan_subtype.

  If the specified wlan_type is mgt, then valid wlan_subtypes are: assoc-req, assoc-resp, reassoc-req, reassoc-resp, probe-req, probe-resp, beacon, atim, disassoc, auth and deauth.

  If the specified wlan_type is ctl, then valid wlan_subtypes are: ps-poll, rts, cts, ack, cf-end and cf-end-ack.

  If the specified wlan_type is data, then valid wlan_subtypes are: data, data-cf-ack, data-cf-poll, data-cf-ack-poll, null, cf-ack, cf-poll, cf-ack-poll, qos-data, qos-data-cf-ack, qos-data-cf-poll, qos-data-cf-ack-poll, qos, qos-cf-poll and qos-cf-ack-poll.

subtype wlan_subtype

  True if the IEEE 802.11 frame subtype matches the specified wlan_subtype and the frame has the type to which the specified wlan_subtype belongs.

dir dir

  True if the IEEE 802.11 frame direction matches the specified dir. Valid directions are: nods, tods, fromds, dstods, or a numeric value.

vlan [vlan_id]

  True if the packet is an IEEE 802.1Q VLAN packet. If [vlan_id] is specified, only true if the packet has the specified vlan_id. Note that the first vlan keyword encountered in expression changes the decoding offsets for the remainder of expression on the assumption that the packet is a VLAN packet. The vlan [vlan_id] expression may be used more than once, to filter on VLAN hierarchies. Each use of that expression increments the filter offsets by 4.

  For example:

  vlan 100 && vlan 200

  filters on VLAN 200 encapsulated within VLAN 100, and

  vlan && vlan 300 && ip

  filters IPv4 protocols encapsulated in VLAN 300 encapsulated within any higher order VLAN.

mpls [label_num]

  True if the packet is an MPLS packet. If [label_num] is specified, only true if the packet has the specified label_num. Note that the first mpls keyword encountered in expression changes the decoding offsets for the remainder of expression on the assumption that the packet is a MPLS-encapsulated IP packet. The mpls [label_num] expression may be used more than once, to filter on MPLS hierarchies. Each use of that expression increments the filter offsets by 4.

  For example:

  mpls 100000 && mpls 1024

  filters packets with an outer label of 100000 and an inner label of 1024, and

  mpls && mpls 1024 && host 192.9.200.1

  filters packets to or from 192.9.200.1 with an inner label of 1024 and any outer label.

pppoed

  True if the packet is a PPP-over-Ethernet Discovery packet (Ethernet type 0x8863).

pppoes [session_id]

  True if the packet is a PPP-over-Ethernet Session packet (Ethernet type 0x8864). If [session_id] is specified, only true if the packet has the specified session_id. Note that the first pppoes keyword encountered in expression changes the decoding offsets for the remainder of expression on the assumption that the packet is a PPPoE session packet.

  For example:

  pppoes 0x27 && ip

  filters IPv4 protocols encapsulated in PPPoE session id 0x27.

geneve [vni]

  True if the packet is a Geneve packet (UDP port 6081). If [vni] is specified, only true if the packet has the specified vni. Note that when the geneve keyword is encountered in expression, it changes the decoding offsets for the remainder of expression on the assumption that the packet is a Geneve packet.

  For example:

  geneve 0xb && ip

  filters IPv4 protocols encapsulated in Geneve with VNI 0xb. This will match both IP directly encapsulated in Geneve as well as IP contained inside an Ethernet frame.

iso proto protocol

  True if the packet is an OSI packet of protocol type protocol. Protocol can be a number or one of the names clnp, esis, or isis.

clnp, esis, isis

  Abbreviations for:

  iso proto p

  where p is one of the above protocols.

l1, l2, iih, lsp, snp, csnp, psnp

  Abbreviations for IS-IS PDU types.

vpi n

  True if the packet is an ATM packet, for SunATM on Solaris, with a virtual path identifier of n.

vci n

  True if the packet is an ATM packet, for SunATM on Solaris, with a virtual channel identifier of n.

lane

  True if the packet is an ATM packet, for SunATM on Solaris, and is an ATM LANE packet. Note that the first lane keyword encountered in expression changes the tests done in the remainder of expression on the assumption that the packet is either a LANE emulated Ethernet packet or a LANE LE Control packet. If lane isn't specified, the tests are done under the assumption that the packet is an LLC-encapsulated packet.

oamf4s

  True if the packet is an ATM packet, for SunATM on Solaris, and is a segment OAM F4 flow cell (VPI=0 & VCI=3).

oamf4e

  True if the packet is an ATM packet, for SunATM on Solaris, and is an end-to-end OAM F4 flow cell (VPI=0 & VCI=4).

oamf4

  True if the packet is an ATM packet, for SunATM on Solaris, and is a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 | VCI=4)).

oam

  True if the packet is an ATM packet, for SunATM on Solaris, and is a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 | VCI=4)).

metac

  True if the packet is an ATM packet, for SunATM on Solaris, and is on a meta signaling circuit (VPI=0 & VCI=1).

bcc

  True if the packet is an ATM packet, for SunATM on Solaris, and is on a broadcast signaling circuit (VPI=0 & VCI=2).

sc

  True if the packet is an ATM packet, for SunATM on Solaris, and is on a signaling circuit (VPI=0 & VCI=5).

ilmic

  True if the packet is an ATM packet, for SunATM on Solaris, and is on an ILMI circuit (VPI=0 & VCI=16).

connectmsg

  True if the packet is an ATM packet, for SunATM on Solaris, and is on a signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect, Connect Ack, Release, or Release Done message.

metaconnect

  True if the packet is an ATM packet, for SunATM on Solaris, and is on a meta signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect, Release, or Release Done message.

expr relop expr

  True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, %, &, |, ^, <<, >>], a length operator, and special packet data accessors. Note that all comparisons are unsigned, so that, for example, 0x80000000 and 0xffffffff are both > 0.

The % and ^ operators are currently only supported for filtering in the kernel on Linux with 3.7 and later kernels; on all other systems, if those operators are used, filtering will be done in user mode, which will increase the overhead of capturing packets and may cause more packets to be dropped.
To access data inside the packet, use the following syntax:
proto [ expr : size ]
Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, ip6 or radio, and indicates the protocol layer for the index operation. (ether, fddi, wlan, tr, ppp, slip and link all refer to the link layer. radio refers to the "radio header" added to some 802.11 captures.) Note that tcp, udp and other upper-layer protocol types only apply to IPv4, not IPv6 (this will be fixed in the future). The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indicated by the keyword len, gives the length of the packet.
For example, ether[0] & 1 != 0 catches all multicast traffic. The expression ip[0] & 0xf != 5 catches all IPv4 packets with options. The expression ip[6:2] & 0x1fff = 0 catches only unfragmented IPv4 datagrams and frag zero of fragmented IPv4 datagrams. This check is implicitly applied to the tcp and udp index operations. For instance, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment.

Some offsets and field values may be expressed as names rather than as numeric values. The following protocol header field offsets are available: icmptype (ICMP type field), icmpcode (ICMP code field), and tcpflags (TCP flags field).

The following ICMP type field values are available: icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo, icmp-routeradvert, icmp-routersolicit, icmp-timxceed, icmp-paramprob, icmp-tstamp, icmp-tstampreply, icmp-ireq, icmp-ireqreply, icmp-maskreq, icmp-maskreply.

The following TCP flags field values are available: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.
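To make the accessor rules above concrete, here is an added Python model (not libpcap code and not from the manual) of proto[expr:size] over a constructed Ethernet/IPv4/TCP frame. It evaluates the three expressions the text gives (ether[0] & 1 != 0, ip[0] & 0xf != 5, ip[6:2] & 0x1fff = 0), a tcp[tcpflags] test using the tcp-syn and tcp-ack values, the implicit first-fragment check on tcp[...] accessors, and the vlan [vlan_id] primitive together with the 4-byte offset shift described under vlan earlier on this page. The MAC and IP addresses and the payload are constructed sample data; vlan_depth stands for the number of vlan keywords that precede the accessor in an expression.

```python
import struct

ETH_HDR = 14                    # untagged Ethernet header length
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IP = 0x0800
TCP_SYN, TCP_ACK = 0x02, 0x10   # the tcp-syn / tcp-ack values; tcpflags is offset 13 in the TCP header


def build_frame(dst_mac="02:00:00:00:00:02", vlan_id=None, frag_offset=0, tcp_flags=TCP_SYN, ihl=5):
    """Constructed Ethernet[/802.1Q]/IPv4/TCP frame used as sample input (not a real capture)."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    options = b"\x01" * ((ihl - 5) * 4)                     # NOP options when ihl > 5
    total_len = ihl * 4 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total_len, 0x1234, frag_offset & 0x1FFF,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + options
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex("020000000001")
    if vlan_id is None:
        eth += struct.pack("!H", ETHERTYPE_IP)
    else:   # 802.1Q: TPID 0x8100, TCI carrying the 12-bit VLAN id, then the encapsulated type
        eth += struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id & 0x0FFF, ETHERTYPE_IP)
    return eth + ip + tcp + payload


def layer_base(frame, proto, vlan_depth=0):
    """Offset at which proto[...] indexing starts, or None when the implicit fragment check fails.

    vlan_depth is how many 'vlan' keywords preceded the accessor: each one moves the offsets by 4.
    """
    link_end = ETH_HDR + 4 * vlan_depth
    if proto == "ether":
        return 0
    if proto == "ip":
        return link_end
    if proto in ("tcp", "udp"):
        # tcp[0] always means the first byte of the TCP header, never a byte of a later fragment,
        # so the accessor only applies when ip[6:2] & 0x1fff == 0.
        if int.from_bytes(frame[link_end + 6:link_end + 8], "big") & 0x1FFF != 0:
            return None
        return link_end + (frame[link_end] & 0x0F) * 4
    raise ValueError(f"unsupported layer {proto!r}")


def field(frame, proto, offset, size=1, vlan_depth=0):
    """Evaluate proto[offset:size] (size 1, 2 or 4) as an unsigned big-endian integer."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    base = layer_base(frame, proto, vlan_depth)
    if base is None:
        return None
    return int.from_bytes(frame[base + offset:base + offset + size], "big")


def ether_multicast(frame):
    """ether multicast, i.e. ether[0] & 1 != 0"""
    return field(frame, "ether", 0) & 1 != 0


def ip_with_options(frame, vlan_depth=0):
    """ip[0] & 0xf != 5: an IHL above 5 words means IPv4 options are present"""
    return field(frame, "ip", 0, 1, vlan_depth) & 0xF != 5


def ip_first_or_unfragmented(frame, vlan_depth=0):
    """ip[6:2] & 0x1fff = 0"""
    return field(frame, "ip", 6, 2, vlan_depth) & 0x1FFF == 0


def tcp_syn_only(frame, vlan_depth=0):
    """tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn: the classic connection-attempt filter"""
    flags = field(frame, "tcp", 13, 1, vlan_depth)
    return flags is not None and flags & (TCP_SYN | TCP_ACK) == TCP_SYN


def vlan(frame, vlan_id=None):
    """'vlan [vlan_id]' for the outermost tag: TPID at ether[12:2], id in the low 12 bits of ether[14:2]"""
    if field(frame, "ether", 12, 2) != ETHERTYPE_VLAN:
        return False
    return vlan_id is None or field(frame, "ether", 14, 2) & 0x0FFF == vlan_id
```

The instructive case is the tagged frame evaluated with vlan_depth 0: ip[0] then reads the first byte of the 802.1Q tag instead of the IP version/IHL byte, so ip[0] & 0xf != 5 "matches" a frame that carries no options at all. That is the offset problem the vlan keyword exists to fix.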

Primitives may be combined using:

  • A parenthesized group of primitives and operators (parentheses are special to the shell and must be escaped).
  • Negation (! or not).
  • Concatenation (&& or and).
  • Alternation (|| or or).

  Negation has highest precedence. Alternation and concatenation have equal precedence and associate left to right.

Note that explicit and tokens, not juxtaposition, are now required for concatenation.

  If an identifier is given without a keyword, the most recent keyword is assumed. For example,

  not host vs and ace

  is short for

  not host vs and host ace

  which should not be confused with

  not ( host vs or ace )
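The two shorthand rules on this page (omitting repeated qualifier lists, as in tcp dst port ftp or ftp-data or domain, and the most-recent-keyword rule behind not host vs and ace) can be checked with the following added Python expander. It is not libpcap's parser and is not part of the manual: it understands only the type, dir and proto qualifiers listed at the top of the page plus and/or/not and parentheses, so standalone keywords such as a bare ip, vlan or broadcast are out of scope, and a qualifier that is not followed by an identifier raises ValueError.

```python
import re

# Qualifier keywords from the manual's type / dir / proto lists (not the whole pcap grammar).
TYPE_QUALIFIERS = {"host", "net", "port", "portrange"}
DIR_QUALIFIERS = {"src", "dst", "src-or-dst", "src-and-dst",
                  "ra", "ta", "addr1", "addr2", "addr3", "addr4"}
PROTO_QUALIFIERS = {"ether", "fddi", "tr", "wlan", "ip", "ip6", "arp", "rarp", "decnet", "tcp", "udp"}
QUALIFIERS = TYPE_QUALIFIERS | DIR_QUALIFIERS | PROTO_QUALIFIERS
# Logical operators, normalised to their word forms on output.
LOGIC = {"and": "and", "&&": "and", "or": "or", "||": "or",
         "not": "not", "!": "not", "(": "(", ")": ")"}


def tokenize(expression):
    # 'src or dst' / 'src and dst' are single dir qualifiers, so glue them before splitting
    # (otherwise the inner 'or'/'and' would be read as a logical operator).
    glued = re.sub(r"\bsrc\s+(or|and)\s+dst\b", r"src-\1-dst", expression)
    return re.findall(r"&&|\|\||[()!]|[^\s()!]+", glued)


def expand(expression):
    """Rewrite a filter so that every identifier carries explicit qualifiers.

    Rule from the manual: an identifier with no keyword of its own inherits the most
    recently used qualifier list; if no qualifier has appeared at all, the type
    defaults to host.
    """
    out, pending, last = [], [], ["host"]
    for tok in tokenize(expression):
        if tok in LOGIC:
            if pending:
                raise ValueError(f"qualifier(s) {' '.join(pending)!r} followed by {tok!r} "
                                 "without an identifier")
            out.append(LOGIC[tok])
        elif tok in QUALIFIERS:
            pending.append(tok)
        else:                       # an id: name, number, address or port range
            if pending:
                last, pending = pending, []
            out.append(" ".join(last + [tok]))
    if pending:
        raise ValueError("expression ends with a dangling qualifier")
    return (" ".join(out)
            .replace("src-or-dst", "src or dst")
            .replace("src-and-dst", "src and dst"))
```

Running expand over the manual's own examples reproduces the expansions it gives: the ftp/ftp-data/domain shorthand becomes three fully qualified tcp dst port primitives, and not host vs and ace becomes not host vs and host ace, not a negation of the whole disjunction.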

