PCAP过滤器

PCAP-FILTER

---

NAME

pcap-filter-packet filter syntax

DESCRIPTION

pcap_compile() 将字符串编译成过滤器程序。 合理的过滤器程序可以定义什么样的包可以给
pcap_loop()， pcap_dispatch(), pcap_next(), pcap_net_ex().

过滤器表达式通常由一个 id（名字或者数字）还有一个或多个修饰词（qualifiers）组成。修饰词分为 3 种：

type

　　type 修饰词用来说明 id 是什么类型。可以使用 host net port 和 portrange 。 默认 host 。E.g., host foo, net 128.3, port 20, portrange 6000-6008

dir

　　dir 修饰词指定 id 的传输方向。可以使用 src, dst, src or dst, src and dst, ra, ta, addr1, addr2, addr3, addr4。 默认为 src or dst 。 ra, ta, addr1, addr2, addr3, addr4 仅在 IEEE 802.11 Wireless LAN link layers 有效。E.g., src foo, dst net 128.3, src or dst port ftp-data

proto

　　proto 修饰词限定了匹配的协议。可以使用 ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp , udp。默认是所有。E.g., ether src foo, arp net 128.3, tcp port 21, udp portrange 7000-7009, wlan addr2 0:2:3:4:5:6.

'fddi'通常是'ether'的别名；解析器会认为它们是在特定网络接口上的数据链路层。FDDI的首部包含了和以太网很相似的源地址和目的地址，并且通常也包含了和以太网很相似的数据包类型。所以，在FDDI网域上使用过滤器和在以太网上使用过滤器基本一致。FDDI的首部还包括了其他的数据，不过你不能在过滤器表达式内表示他们。

同样的，'tr'也是'ether'的一个别名，它是较早被应用于FDDI的首部，也应用在令牌环网络首部。

此外，除了上述修饰词，还有一些算数表达式 gateway, broadcast, less, greater ，这些下面都会讲到

更复杂的过滤表达式可以用关键词 and ，or ，not 组合。E.g.,host foo and not port ftp and not port ftp-data. 也可以用省略写法 E.g.,tcp dst port ftp or ftp-data or domain 作用和 tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain一样。

可以用的修饰词如下：

dst host host

　　获取目的主机（destination field）IPv4/v6 的分组（packet）

src host host

　　获取源主机（source field）IPv4/v6 的分组

host host

　　获取目的主机或源主机的分组。关键词可以是 ip, arp, rarp, 或者 ip6，例如

　　ip host host

　　等同于

　　ether proto \ip and host host

　　如果 host 是多个IP地址，每个地址都会被检查

　　ether dst ehost

　　ehost可以是任何以太网目的主机地址，Ehost可能是/etc/ethers中的名字或者一个数字代号(参见 ethers(3N)for numeric format)。

ether src ehost

　　以太网源主机地址

ether host ehost

　　以太网源主机或目的主机地址

gateway host

　　host是网关，可以是以太网源主机和目的主机地址但不是IP地址。host必须是个名字而且可以在机器的域名解析文件种找到（DNS，INS等等），同时也在/etc/ethers中存在。等价表达式为：

　　ether host ehost and not host host

　　目前此语法暂不适用ipv6

dst net net

　　捕获net目的主机的IPv4/v6分组。net可以是/etc/networks里的网络数据库或者网络数字。 IPv4的地址可以写成4组，3组，2组，1组。例如192.168.1.0，192.168.1，172.16，10 等。对应掩码（netmask）为255.255.255.255，255.255.255.0，255.255.0.0，255.0.0.0。对于IPv6，必须是全部写上，对应掩码为ff:ff:ff:ff:ff:ff:ff:ff。

src net net

　　捕获net源主机IPv4/v6分组。

net net

　　捕获net源主机或目的主机IPv4/v6分组。

net net mask netmask

　　捕获net和netmask都匹配的源主机或目的主机IPv4/v6分组。

net net/len

　　捕获len定义位宽的net的源主机或目的主机IPv4/v6分组。

dst port port

　　捕获目的主机端口的分组。

src port port

　　捕获源主机端口的分组。

port port

　　捕获目的主机或源主机端口的分组。

dst portrange port1-port2

　　捕获目的主机端口1到端口2的分组。

　　前面也可以用tcp或udp修饰:

　　tcp src port port

less length

　　捕获小于等于length的分组，等价于

　　len <= length.

greater length

　　捕获大于等于length的分组，等价于

　　len >= length

ip proto protocol

　　捕获IPv4中protocol协议的分组。protocol可以是 icmp, icmp6, igmp, igrp, pim, ah, esp, vrrp, udp, tcp. 注意 tcp，udp，icmp 也是关键字需要加 **** 。注意这个语法不会追踪协议头链（protocol header chain）。

ip6 proto protocol

　　捕获IPv6中protocol协议的分组。注意这个语法不会追踪协议头链（protocol header chain）。

proto protocol

　　捕获IPv6或IPv4中protocol协议的分组。注意这个语法不会追踪协议头链（protocol header chain）。

tcp, udp, icmp

　　proto protocol 的省略写法

ip6 protochain protocol

　　捕获IPv6中protocol的分组，并且包括协议头链（protocol header chain）。例如

　　ip6 protochain 6

　　注意这个表达式运行的可能会很慢，而且丢包率可能很高。

ip protochain protocol

　　同上，不过用于IPv4

protochain protocol

　　捕获IPv4或IPv6中protocol协议的包，会追踪协议头链（protocol header chain）。

ether broadcast

　　捕获以太网广播包，ether可省

ip broadcast

　　捕获IPv4的广播包，这条语句会检测全0和全1的默认广播地址，并且查询已经捕获的接口的subnet掩码。
如果捕获的接口的subnet掩码不可用或者接口没有掩码或者在linux下监听any接口会导致工作不正常。

If the subnet mask of the interface on which the capture is being done is not available, either because the interface on which capture is being done has no netmask or because the capture is being done on the Linux "any" interface, which can capture on more than one interface, this check will not work correctly.

ether multicast

　　捕获以太网多目分组（Ethernet multicast）。ether可省，这条是 ether[0] & 1 != 0的缩写。

ip multicast

　　捕获IPv4多目分组。

ip6 multicast

　　捕获IPv6多目分组。

ether proto protocol

　　捕获 ether 类型的 protocol。 protocol可以是数字或者下面的一个名字：
ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, netbeui .
注意这些是关键词，需要用 **** 。

[In the case of FDDI (e.g., fddi proto arp), Token Ring (e.g., tr proto arp), and IEEE 802.11 wireless LANS (e.g., wlan proto arp), for most of those protocols, the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI, Token Ring, or 802.11 header.
When filtering for most protocol identifiers on FDDI, Token Ring, or 802.11, the filter checks only the protocol ID field of an LLC header in so-called SNAP format with an Organizational Unit Identifier (OUI) of 0x000000, for encapsulated Ethernet; it doesn`t check whether the packet is in SNAP format with an OUI of 0x000000. The exceptions are:

iso
the filter checks the DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) fields of the LLC header;

stp and netbeui
the filter checks the DSAP of the LLC header;

atalk
the filter checks for a SNAP-format packet with an OUI of 0x080007 and the AppleTalk etype.

In the case of Ethernet, the filter checks the Ethernet type field for most of those protocols. The exceptions are:
iso, stp, and netbeui
the filter checks for an 802.3 frame and then checks the LLC header as it does for FDDI, Token Ring, and 802.11;

atalk
the filter checks both for the AppleTalk etype in an Ethernet frame and for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11;

aarp
the filter checks for the AppleTalk ARP etype in either an Ethernet frame or an 802.2 SNAP frame with an OUI of 0x000000;

ipx
the filter checks for the IPX etype in an Ethernet frame, the IPX DSAP in the LLC header, the 802.3-with-no-LLC-header encapsulation of IPX, and the IPX etype in a SNAP frame.

ip, ip6, arp, rarp, atalk, aarp, decnet, iso, stp, ipx, netbeui

　　ether proto protocol 的缩写

lat, moprc, mopdl

　　ether proto protocol 的缩写

decnet src host

　　捕获DECNET源主机分组，host 可以是10.123形式的地址或者一个DECNET主机名。
注意DECNET主机名只支持ULTRIX系统。

decnet dst host

　　捕获DECNET目标主机分组。

decnet host host

　　捕获DECNET目标主机或源主机分组。

llc

　　捕获有802.2LLC报头的分组。包括：

Ethernet packets with a length field rather than a type field that aren`t raw NetWare-over-802.3 packets;
IEEE 802.11 data packets;
Token Ring packets (no check is done for LLC frames);
FDDI packets (no check is done for LLC frames);
LLC-encapsulated ATM packets, for SunATM on Solaris.

llc Fitype

　　捕获有802.2LLC报头指定类型的分组，包括：

i
Information (I) PDUs
s
Supervisory (S) PDUs
u
Unnumbered (U) PDUs
rr
Receiver Ready (RR) S PDUs
rnr
Receiver Not Ready (RNR) S PDUs
rej
Reject (REJ) S PDUs
ui
Unnumbered Information (UI) U PDUs
ua
Unnumbered Acknowledgment (UA) U PDUs
disc
Disconnect (DISC) U PDUs
sabme
Set Asynchronous Balanced Mode Extended (SABME) U PDUs
test
Test (TEST) U PDUs
xid
Exchange Identification (XID) U PDUs
frmr
Frame Reject (FRMR) U PDUs

ifname interface

　　捕获记录的指定interface的分组。（只适用于OpenBSD或FreeBSD记录的分组）。

on interface

　　同上

rnr num

　　捕获已经被记录的匹配的指定的PF规则号的分组。（只适用于OpenBSD或FreeBSD记录的分组）。

rulenum num

　　同上

reason code

　　捕获已经被记录的指定的 PF reason code。已知的codes包括：match, bad-offset, fragment, short, normalize, 和 memor。（只适用于OpenBSD或FreeBSD记录的分组）。

rset name

True if the packet was logged as matching the specified PF ruleset name of an anchored ruleset (applies only to packets logged by OpenBSDs or FreeBSDs pf(4)).

ruleset name

　　同上

srnr num

True if the packet was logged as matching the specified PF rule number of an anchored ruleset (applies only to packets logged by OpenBSDs or FreeBSDs pf(4)).

subrulenum num

　　同上

action act

True if PF took the specified action when the packet was logged. Known actions are: pass and block and, with later versions of pf(4)), nat, rdr, binat and scrub (applies only to packets logged by OpenBSDs or FreeBSDs pf(4)).

wlan ra ehost

　　捕获 ehost 的 IEEE 802.11 RA 帧。RA除了管理帧（frame）存在所有帧。

wlan ta ehost

　　捕获 ehost的 IEEE 802.11 TA 帧。TA除了管理帧（frame）， CTS (Clear To Send) 和 ACK (Acknowledgment)控制帧外存在所有帧。

wlan addr1 ehost

　　捕获 ehost的 IEEE 802.11 第一地址的帧。

True if the first IEEE 802.11 address is ehost.

wlan addr2 ehost

　　捕获 ehost的 IEEE 802.11 第二地址的帧。第二地址区（The second address field）除了 CTS (Clear To Send) 和 ACK (Acknowledgment)控制帧外存在所有帧。

wlan addr3 ehost

　　捕获 ehost的 IEEE 802.11 第三地址的帧。第三地址区存在管理帧和数据帧，但是不存在于控制帧。

wlan addr4 ehost

　　捕获 ehost的 IEEE 802.11 第四地址的帧。第四地址区仅存在WDS(Wireless Distribution System)帧。

type wlan_type

　　捕获指定的 IEEE 802.11 wlan_type 的帧.有效的 wlan_typs 为：mgt, ctl 和 data.

type wlan_type subtype wlan_subtype

　　捕获指定的 IEEE 802.11 wlan_type ，subtype 为wlan_subtype的帧。
如果wlan_type是 mgt ，则有效的 wlan_subtypes为：

　　assoc-req, assoc-resp, reassoc-req, reassoc-resp, probe-req, probe-resp, beacon, atim, disassoc, auth, deauth.

　　如果wlan_type是 ctl ，则有效的 wlan_subtypes为：

　　ps-poll, rts, cts, ack, cf-end, cf-end-ack.

　　如果wlan_type是 data ，则有效的 wlan_subtypes为：

　　data, data-cf-ack, data-cf-poll, data-cf-ack-poll, null, cf-ack, cf-poll, cf-ack-poll, qos-data, qos-data-cf-ack, qos-data-cf-poll, qos-data-cf-ack-poll, qos, qos-cf-poll, qos-cf-ack-poll

subtype wlan_subtype

　　捕获指定 IEEE 802.11 subtype 为 wlan_subtype 或属于 wlan_subtype 的帧。

dir dir

　　捕获匹配 IEEE 802.11 direction dir的帧。有效的 direction 为：
nods, tods, fromds, dstods, 或者数字值（numeric value）。

vlan [vlan_id]

　　捕获匹配 IEEE 802.1Q VLAN 的分组。如果[vlan_id]是指定的，只有匹配 vlan_id的会被捕获。

Note that the first vlan keyword encountered in expression changes the decoding offsets for the remainder of expression on the assumption that the packet is a VLAN packet.

　　vlan [vlan_id] 表达式可以被多次使用，to filter on VLAN hierarchies。每次使用表达式增加过滤器偏移 4.（ Each use of that expression increments the filter offsets by 4.）

　　例如

vlan 100 && vlan 200

filters on VLAN 200 encapsulated within VLAN 100, and

vlan && vlan 300 && ip

filters IPv4 protocols encapsulated in VLAN 300 encapsulated within any higher order VLAN.

mpls [label_num]

　　捕获 MPLS 分组。如果指定[label_num]，则捕获匹配[label_num]的分组。

Note that the first mpls keyword encountered in expression changes the decoding offsets for the remainder of expression on the assumption that the packet is a MPLS-encapsulated IP packet. The mpls [label_num] expression may be used more than once, to filter on MPLS hierarchies. Each use of that expression increments the filter offsets by 4.
For example:
mpls 100000 && mpls 1024
filters packets with an outer label of 100000 and an inner label of 1024, and
mpls && mpls 1024 && host 192.9.200.1
filters packets to or from 192.9.200.1 with an inner label of 1024 and any outer label

pppoed
True if the packet is a PPP-over-Ethernet Discovery packet (Ethernet type 0x8863).

pppoes [session_id]
True if the packet is a PPP-over-Ethernet Session packet (Ethernet type 0x8864). If [session_id] is specified, only true if the packet has the specified session_id. Note that the first pppoes keyword encountered in expression changes the decoding offsets for the remainder of expression on the assumption that the packet is a PPPoE session packet.
For example:
pppoes 0x27 && ip
filters IPv4 protocols encapsulated in PPPoE session id 0x27.
geneve [vni]
True if the packet is a Geneve packet (UDP port 6081). If [vni] is specified, only true if the packet has the specified vni. Note that when the geneve keyword is encountered in expression, it changes the decoding offsets for the remainder of expression on the assumption that the packet is a Geneve packet.
For example:
geneve 0xb && ip
filters IPv4 protocols encapsulated in Geneve with VNI 0xb. This will match both IP directly encapsulated in Geneve as well as IP contained inside an Ethernet frame.
iso proto protocol
True if the packet is an OSI packet of protocol type protocol. Protocol can be a number or one of the names clnp, esis, or isis.
clnp, esis, isis
Abbreviations for:
iso proto p
where p is one of the above protocols.
l1, l2, iih, lsp, snp, csnp, psnp
Abbreviations for IS-IS PDU types.
vpi n
True if the packet is an ATM packet, for SunATM on Solaris, with a virtual path identifier of n.
vci n
True if the packet is an ATM packet, for SunATM on Solaris, with a virtual channel identifier of n.
lane
True if the packet is an ATM packet, for SunATM on Solaris, and is an ATM LANE packet. Note that the first lane keyword encountered in expression changes the tests done in the remainder of expression on the assumption that the packet is either a LANE emulated Ethernet packet or a LANE LE Control packet. If lane isn`t specified, the tests are done under the assumption that the packet is an LLC-encapsulated packet.
oamf4s
True if the packet is an ATM packet, for SunATM on Solaris, and is a segment OAM F4 flow cell (VPI=0 & VCI=3).
oamf4e
True if the packet is an ATM packet, for SunATM on Solaris, and is an end-to-end OAM F4 flow cell (VPI=0 & VCI=4).
oamf4
True if the packet is an ATM packet, for SunATM on Solaris, and is a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 | VCI=4)).
oam
True if the packet is an ATM packet, for SunATM on Solaris, and is a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 | VCI=4)).
metac
True if the packet is an ATM packet, for SunATM on Solaris, and is on a meta signaling circuit (VPI=0 & VCI=1).
bcc
True if the packet is an ATM packet, for SunATM on Solaris, and is on a broadcast signaling circuit (VPI=0 & VCI=2).
sc
True if the packet is an ATM packet, for SunATM on Solaris, and is on a signaling circuit (VPI=0 & VCI=5).
ilmic
True if the packet is an ATM packet, for SunATM on Solaris, and is on an ILMI circuit (VPI=0 & VCI=16).
connectmsg
True if the packet is an ATM packet, for SunATM on Solaris, and is on a signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect, Connect Ack, Release, or Release Done message.
metaconnect
True if the packet is an ATM packet, for SunATM on Solaris, and is on a meta signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect, Release, or Release Done message.

expr relop expr

　　relop 为： >, <, >=, <=, =, !=

　　expr 为一个算数式整数，

　　一般二进制操作符（binary operators）[+, -, *, /, %, &, |, ^, <<, >>]

　　一个长度操作符（length operator），

　　and special packet data accessors.

　　注意都是无符号数，因此， 0x80000000 和 0xffffffff 都 > 0.

The % and ^ operators are currently only supported for filtering in the kernel on Linux with 3.7 and later kernels; on all other systems, if those operators are used, filtering will be done in user mode, which will increase the overhead of capturing packets and may cause more packets to be dropped.
To access data inside the packet, use the following syntax:
proto [ expr : size ]
Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, ip6 or radio, and indicates the protocol layer for the index operation. (ether, fddi, wlan, tr, ppp, slip and link all refer to the link layer. radio refers to the "radio header" added to some 802.11 captures.) Note that tcp, udp and other upper-layer protocol types only apply to IPv4, not IPv6 (this will be fixed in the future). The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indicated by the keyword len, gives the length of the packet.
For example, ether[0] & 1 != 0 catches all multicast traffic. The expression ip[0] & 0xf != 5 catches all IPv4 packets with options. The expression ip[6:2] & 0x1fff = 0 catches only unfragmented IPv4 datagrams and frag zero of fragmented IPv4 datagrams. This check is implicitly applied to the tcp and udp index operations. For instance, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment.

Some offsets and field values may be expressed as names rather than as numeric values. The following protocol header field offsets are available: icmptype (ICMP type field), icmpcode (ICMP code field), and tcpflags (TCP flags field).

The following ICMP type field values are available: icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo, icmp-routeradvert, icmp-routersolicit, icmp-timxceed, icmp-paramprob, icmp-tstamp, icmp-tstampreply, icmp-ireq, icmp-ireqreply, icmp-maskreq, icmp-maskreply.

The following TCP flags field values are available: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.

　　同时表达式可以组合使用：

• 逻辑非 (! or not).
• 并列 (&& or and).
• 变换 (|| or or).

　　not 的优先级最高 ， and 和 or 同级 按从左到右的顺序执行。

Note that explicit and tokens, not juxtaposition, are now required for concatenation.

　　如果分辨器（identifier）没有给关键词，则服从就近原则，例如:

　　not host vs and ace

　　等同于

　　not host vs and host ace

　　而不是

　　not ( host vs or ace )

Reference

---

• http://www.tcpdump.org/manpages/pcap-filter.7.html