JP Abgrall | 511eca3 | 2014-02-12 13:46:45 -0800 | 1 | .\" @(#) $Header: /tcpdump/master/libpcap/pcap-filter.manmisc.in,v 1.1 2008-10-21 07:33:01 guy Exp $ (LBL) |
| 2 | .\" |
| 3 | .\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997 |
| 4 | .\" The Regents of the University of California. All rights reserved. |
| 5 | .\" All rights reserved. |
| 6 | .\" |
| 7 | .\" Redistribution and use in source and binary forms, with or without |
| 8 | .\" modification, are permitted provided that: (1) source code distributions |
| 9 | .\" retain the above copyright notice and this paragraph in its entirety, (2) |
| 10 | .\" distributions including binary code include the above copyright notice and |
| 11 | .\" this paragraph in its entirety in the documentation or other materials |
| 12 | .\" provided with the distribution, and (3) all advertising materials mentioning |
| 13 | .\" features or use of this software display the following acknowledgement: |
| 14 | .\" ``This product includes software developed by the University of California, |
| 15 | .\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of |
| 16 | .\" the University nor the names of its contributors may be used to endorse |
| 17 | .\" or promote products derived from this software without specific prior |
| 18 | .\" written permission. |
| 19 | .\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED |
| 20 | .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF |
| 21 | .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. |
| 22 | .\" |
| 23 | .TH PCAP-FILTER @MAN_MISC_INFO@ "6 January 2008" |
| 24 | .SH NAME |
| 25 | pcap-filter \- packet filter syntax |
| 26 | .br |
| 27 | .ad |
| 28 | .SH DESCRIPTION |
| 29 | .LP |
| 30 | .B pcap_compile() |
| 31 | is used to compile a string into a filter program. |
| 32 | The resulting filter program can then be applied to |
| 33 | some stream of packets to determine which packets will be supplied to |
| 34 | .BR pcap_loop() , |
| 35 | .BR pcap_dispatch() , |
| 36 | .BR pcap_next() , |
| 37 | or |
| 38 | .BR pcap_next_ex() . |
| 39 | .LP |
| 40 | The \fIfilter expression\fP consists of one or more |
| 41 | .IR primitives . |
| 42 | Primitives usually consist of an |
| 43 | .I id |
| 44 | (name or number) preceded by one or more qualifiers. |
| 45 | There are three |
| 46 | different kinds of qualifier: |
| 47 | .IP \fItype\fP |
| 48 | .I type |
| 49 | qualifiers say what kind of thing the id name or number refers to. |
| 50 | Possible types are |
| 51 | .BR host , |
| 52 | .B net , |
| 53 | .B port |
| 54 | and |
| 55 | .BR portrange . |
| 56 | E.g., `host foo', `net 128.3', `port 20', `portrange 6000-6008'. |
| 57 | If there is no type |
| 58 | qualifier, |
| 59 | .B host |
| 60 | is assumed. |
| 61 | .IP \fIdir\fP |
| 62 | .I dir |
| 63 | qualifiers specify a particular transfer direction to and/or from |
| 64 | .IR id . |
| 65 | Possible directions are |
| 66 | .BR src , |
| 67 | .BR dst , |
| 68 | .BR "src or dst" , |
| 69 | .BR "src and dst" , |
| 70 | .BR ra , |
| 71 | .BR ta , |
| 72 | .BR addr1 , |
| 73 | .BR addr2 , |
| 74 | .BR addr3 , |
| 75 | and |
| 76 | .BR addr4 . |
| 77 | E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. |
| 78 | If |
| 79 | there is no dir qualifier, |
| 80 | .B "src or dst" |
| 81 | is assumed. |
| 82 | The |
| 83 | .BR ra , |
| 84 | .BR ta , |
| 85 | .BR addr1 , |
| 86 | .BR addr2 , |
| 87 | .BR addr3 , |
| 88 | and |
| 89 | .B addr4 |
| 90 | qualifiers are only valid for IEEE 802.11 Wireless LAN link layers. |
| 91 | For some link layers, such as SLIP and the ``cooked'' Linux capture mode |
| 92 | used for the ``any'' device and for some other device types, the |
| 93 | .B inbound |
| 94 | and |
| 95 | .B outbound |
| 96 | qualifiers can be used to specify a desired direction. |
| 97 | .IP \fIproto\fP |
| 98 | .I proto |
| 99 | qualifiers restrict the match to a particular protocol. |
| 100 | Possible |
| 101 | protos are: |
| 102 | .BR ether , |
| 103 | .BR fddi , |
| 104 | .BR tr , |
| 105 | .BR wlan , |
| 106 | .BR ip , |
| 107 | .BR ip6 , |
| 108 | .BR arp , |
| 109 | .BR rarp , |
| 110 | .BR decnet , |
| 111 | .B tcp |
| 112 | and |
| 113 | .BR udp . |
| 114 | E.g., `ether src foo', `arp net 128.3', `tcp port 21', `udp portrange |
| 115 | 7000-7009', `wlan addr2 0:2:3:4:5:6'. |
| 116 | If there is |
| 117 | no proto qualifier, all protocols consistent with the type are |
| 118 | assumed. |
| 119 | E.g., `src foo' means `(ip or arp or rarp) src foo' |
| 120 | (except the latter is not legal syntax), `net bar' means `(ip or |
| 121 | arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'. |
| 122 | .LP |
| 123 | [`fddi' is actually an alias for `ether'; the parser treats them |
| 124 | identically as meaning ``the data link level used on the specified |
| 125 | network interface.'' FDDI headers contain Ethernet-like source |
| 126 | and destination addresses, and often contain Ethernet-like packet |
| 127 | types, so you can filter on these FDDI fields just as with the |
| 128 | analogous Ethernet fields. |
| 129 | FDDI headers also contain other fields, |
| 130 | but you cannot name them explicitly in a filter expression. |
| 131 | .LP |
| 132 | Similarly, `tr' and `wlan' are aliases for `ether'; the previous |
| 133 | paragraph's statements about FDDI headers also apply to Token Ring |
| 134 | and 802.11 wireless LAN headers. For 802.11 headers, the destination |
| 135 | address is the DA field and the source address is the SA field; the |
| 136 | BSSID, RA, and TA fields aren't tested.] |
| 137 | .LP |
| 138 | In addition to the above, there are some special `primitive' keywords |
| 139 | that don't follow the pattern: |
| 140 | .BR gateway , |
| 141 | .BR broadcast , |
| 142 | .BR less , |
| 143 | .B greater |
| 144 | and arithmetic expressions. |
| 145 | All of these are described below. |
| 146 | .LP |
| 147 | More complex filter expressions are built up by using the words |
| 148 | .BR and , |
| 149 | .B or |
| 150 | and |
| 151 | .B not |
| 152 | to combine primitives. |
| 153 | E.g., `host foo and not port ftp and not port ftp-data'. |
| 154 | To save typing, identical qualifier lists can be omitted. |
| 155 | E.g., |
| 156 | `tcp dst port ftp or ftp-data or domain' is exactly the same as |
| 157 | `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'. |
| 158 | .LP |
| 159 | Allowable primitives are: |
| 160 | .IP "\fBdst host \fIhost\fR" |
| 161 | True if the IPv4/v6 destination field of the packet is \fIhost\fP, |
| 162 | which may be either an address or a name. |
| 163 | .IP "\fBsrc host \fIhost\fR" |
| 164 | True if the IPv4/v6 source field of the packet is \fIhost\fP. |
| 165 | .IP "\fBhost \fIhost\fP" |
| 166 | True if either the IPv4/v6 source or destination of the packet is \fIhost\fP. |
| 167 | .IP |
| 168 | Any of the above host expressions can be prepended with the keywords, |
| 169 | \fBip\fP, \fBarp\fP, \fBrarp\fP, or \fBip6\fP as in: |
| 170 | .in +.5i |
| 171 | .nf |
| 172 | \fBip host \fIhost\fR |
| 173 | .fi |
| 174 | .in -.5i |
| 175 | which is equivalent to: |
| 176 | .in +.5i |
| 177 | .nf |
| 178 | \fBether proto \fI\\ip\fB and host \fIhost\fR |
| 179 | .fi |
| 180 | .in -.5i |
| 181 | If \fIhost\fR is a name with multiple IP addresses, each address will |
| 182 | be checked for a match. |
| 183 | .IP "\fBether dst \fIehost\fP" |
| 184 | True if the Ethernet destination address is \fIehost\fP. |
| 185 | \fIEhost\fP |
| 186 | may be either a name from /etc/ethers or a number (see |
| 187 | .IR ethers (3N) |
| 188 | for numeric format). |
| 189 | .IP "\fBether src \fIehost\fP" |
| 190 | True if the Ethernet source address is \fIehost\fP. |
| 191 | .IP "\fBether host \fIehost\fP" |
| 192 | True if either the Ethernet source or destination address is \fIehost\fP. |
| 193 | .IP "\fBgateway\fP \fIhost\fP" |
| 194 | True if the packet used \fIhost\fP as a gateway. |
| 195 | I.e., the Ethernet |
| 196 | source or destination address was \fIhost\fP but neither the IP source |
| 197 | nor the IP destination was \fIhost\fP. |
| 198 | \fIHost\fP must be a name and |
| 199 | must be found both by the machine's host-name-to-IP-address resolution |
| 200 | mechanisms (host name file, DNS, NIS, etc.) and by the machine's |
| 201 | host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.). |
| 202 | (An equivalent expression is |
| 203 | .in +.5i |
| 204 | .nf |
| 205 | \fBether host \fIehost \fBand not host \fIhost\fR |
| 206 | .fi |
| 207 | .in -.5i |
| 208 | which can be used with either names or numbers for \fIhost / ehost\fP.) |
| 209 | This syntax does not currently work in an IPv6-enabled configuration. |
| 210 | .IP "\fBdst net \fInet\fR" |
| 211 | True if the IPv4/v6 destination address of the packet has a network |
| 212 | number of \fInet\fP. |
| 213 | \fINet\fP may be either a name from the networks database |
| 214 | (/etc/networks, etc.) or a network number. |
| 215 | An IPv4 network number can be written as a dotted quad (e.g., 192.168.1.0), |
| 216 | dotted triple (e.g., 192.168.1), dotted pair (e.g., 172.16), or single |
| 217 | number (e.g., 10); the netmask is 255.255.255.255 for a dotted quad |
| 218 | (which means that it's really a host match), 255.255.255.0 for a dotted |
| 219 | triple, 255.255.0.0 for a dotted pair, or 255.0.0.0 for a single number. |
| 220 | An IPv6 network number must be written out fully; the netmask is |
| 221 | ff:ff:ff:ff:ff:ff:ff:ff, so IPv6 "network" matches are really always |
| 222 | host matches, and a network match requires a netmask length. |
| 223 | .IP "\fBsrc net \fInet\fR" |
| 224 | True if the IPv4/v6 source address of the packet has a network |
| 225 | number of \fInet\fP. |
| 226 | .IP "\fBnet \fInet\fR" |
| 227 | True if either the IPv4/v6 source or destination address of the packet has a network |
| 228 | number of \fInet\fP. |
| 229 | .IP "\fBnet \fInet\fR \fBmask \fInetmask\fR" |
| 230 | True if the IPv4 address matches \fInet\fR with the specific \fInetmask\fR. |
| 231 | May be qualified with \fBsrc\fR or \fBdst\fR. |
| 232 | Note that this syntax is not valid for IPv6 \fInet\fR. |
| 233 | .IP "\fBnet \fInet\fR/\fIlen\fR" |
| 234 | True if the IPv4/v6 address matches \fInet\fR with a netmask \fIlen\fR |
| 235 | bits wide. |
| 236 | May be qualified with \fBsrc\fR or \fBdst\fR. |
| 237 | .IP "\fBdst port \fIport\fR" |
| 238 | True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a |
| 239 | destination port value of \fIport\fP. |
| 240 | The \fIport\fP can be a number or a name used in /etc/services (see |
| 241 | .IR tcp (4P) |
| 242 | and |
| 243 | .IR udp (4P)). |
| 244 | If a name is used, both the port |
| 245 | number and protocol are checked. |
| 246 | If a number or ambiguous name is used, |
| 247 | only the port number is checked (e.g., \fBdst port 513\fR will print both |
| 248 | tcp/login traffic and udp/who traffic, and \fBport domain\fR will print |
| 249 | both tcp/domain and udp/domain traffic). |
| 250 | .IP "\fBsrc port \fIport\fR" |
| 251 | True if the packet has a source port value of \fIport\fP. |
| 252 | .IP "\fBport \fIport\fR" |
| 253 | True if either the source or destination port of the packet is \fIport\fP. |
| 254 | .IP "\fBdst portrange \fIport1\fB-\fIport2\fR" |
| 255 | True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a |
| 256 | destination port value between \fIport1\fP and \fIport2\fP. |
| 257 | .I port1 |
| 258 | and |
| 259 | .I port2 |
| 260 | are interpreted in the same fashion as the |
| 261 | .I port |
| 262 | parameter for |
| 263 | .BR port . |
| 264 | .IP "\fBsrc portrange \fIport1\fB-\fIport2\fR" |
| 265 | True if the packet has a source port value between \fIport1\fP and |
| 266 | \fIport2\fP. |
| 267 | .IP "\fBportrange \fIport1\fB-\fIport2\fR" |
| 268 | True if either the source or destination port of the packet is between |
| 269 | \fIport1\fP and \fIport2\fP. |
| 270 | .IP |
| 271 | Any of the above port or port range expressions can be prepended with |
| 272 | the keywords, \fBtcp\fP or \fBudp\fP, as in: |
| 273 | .in +.5i |
| 274 | .nf |
| 275 | \fBtcp src port \fIport\fR |
| 276 | .fi |
| 277 | .in -.5i |
| 278 | which matches only tcp packets whose source port is \fIport\fP. |
| 279 | .IP "\fBless \fIlength\fR" |
| 280 | True if the packet has a length less than or equal to \fIlength\fP. |
| 281 | This is equivalent to: |
| 282 | .in +.5i |
| 283 | .nf |
| 284 | \fBlen <= \fIlength\fP. |
| 285 | .fi |
| 286 | .in -.5i |
| 287 | .IP "\fBgreater \fIlength\fR" |
| 288 | True if the packet has a length greater than or equal to \fIlength\fP. |
| 289 | This is equivalent to: |
| 290 | .in +.5i |
| 291 | .nf |
| 292 | \fBlen >= \fIlength\fP. |
| 293 | .fi |
| 294 | .in -.5i |
| 295 | .IP "\fBip proto \fIprotocol\fR" |
| 296 | True if the packet is an IPv4 packet (see |
| 297 | .IR ip (4P)) |
| 298 | of protocol type \fIprotocol\fP. |
| 299 | \fIProtocol\fP can be a number or one of the names |
| 300 | \fBicmp\fP, \fBicmp6\fP, \fBigmp\fP, \fBigrp\fP, \fBpim\fP, \fBah\fP, |
| 301 | \fBesp\fP, \fBvrrp\fP, \fBudp\fP, or \fBtcp\fP. |
| 302 | Note that the identifiers \fBtcp\fP, \fBudp\fP, and \fBicmp\fP are also |
| 303 | keywords and must be escaped via backslash (\\), which is \\\\ in the C-shell. |
| 304 | Note that this primitive does not chase the protocol header chain. |
| 305 | .IP "\fBip6 proto \fIprotocol\fR" |
| 306 | True if the packet is an IPv6 packet of protocol type \fIprotocol\fP. |
| 307 | Note that this primitive does not chase the protocol header chain. |
| 308 | .IP "\fBproto \fIprotocol\fR" |
| 309 | True if the packet is an IPv4 or IPv6 packet of protocol type |
| 310 | \fIprotocol\fP. Note that this primitive does not chase the protocol |
| 311 | header chain. |
| 312 | .IP "\fBtcp\fR, \fBudp\fR, \fBicmp\fR" |
| 313 | Abbreviations for: |
| 314 | .in +.5i |
| 315 | .nf |
| 316 | \fBproto \fIp\fR |
| 317 | .fi |
| 318 | .in -.5i |
| 319 | where \fIp\fR is one of the above protocols. |
| 320 | .IP "\fBip6 protochain \fIprotocol\fR" |
| 321 | True if the packet is an IPv6 packet |
| 322 | and contains a protocol header with type \fIprotocol\fR |
| 323 | in its protocol header chain. |
| 324 | For example, |
| 325 | .in +.5i |
| 326 | .nf |
| 327 | \fBip6 protochain 6\fR |
| 328 | .fi |
| 329 | .in -.5i |
| 330 | matches any IPv6 packet with a TCP protocol header in the protocol header chain. |
| 331 | The packet may contain, for example, |
| 332 | an authentication header, routing header, or hop-by-hop option header |
| 333 | between the IPv6 header and the TCP header. |
| 334 | The BPF code emitted by this primitive is complex and |
| 335 | cannot be optimized by the BPF optimizer code, so this can be somewhat |
| 336 | slow. |
| 337 | .IP "\fBip protochain \fIprotocol\fR" |
| 338 | Equivalent to \fBip6 protochain \fIprotocol\fR, but this is for IPv4. |
| 339 | .IP "\fBprotochain \fIprotocol\fR" |
| 340 | True if the packet is an IPv4 or IPv6 packet of protocol type |
| 341 | \fIprotocol\fP. Note that this primitive chases the protocol |
| 342 | header chain. |
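The difference between the \fBproto\fP and \fBprotochain\fP primitives above matters when a capture filter is meant to see all TCP traffic: a packet carrying an extension header before TCP is missed by \fBip6 proto 6\fP. The following is an added example, not libpcap code and not the BPF that libpcap emits; it models the two tests over a constructed packet, and the function names and the sample packet are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP6_HDR_LEN 40
#define NH_HOPOPT   0    /* hop-by-hop option header */
#define NH_TCP      6
#define NH_ROUTING  43   /* routing header */
#define NH_AH       51   /* authentication header */

/* Model of `ip6 proto P`: only the Next Header byte of the fixed header. */
int ip6_proto(const uint8_t *pkt, size_t len, uint8_t proto)
{
    if (len < IP6_HDR_LEN || (pkt[0] >> 4) != 6)
        return 0;
    return pkt[6] == proto;
}

/* Model of `ip6 protochain P`: follow Next Header through the extension
 * headers the man page names until P is found or the chain ends. */
int ip6_protochain(const uint8_t *pkt, size_t len, uint8_t proto)
{
    size_t off = IP6_HDR_LEN, ext_len;
    uint8_t nh;
    int hops;

    if (len < IP6_HDR_LEN || (pkt[0] >> 4) != 6)
        return 0;
    nh = pkt[6];
    for (hops = 0; hops < 16; hops++) {      /* bounded walk */
        if (nh == proto)
            return 1;
        if (nh != NH_HOPOPT && nh != NH_ROUTING && nh != NH_AH)
            return 0;                        /* chain ended without P */
        if (off + 2 > len)
            return 0;                        /* truncated capture */
        /* AH length is in 4-byte units minus 2; the others use 8-byte
         * units not counting the first 8 bytes. */
        ext_len = (nh == NH_AH) ? ((size_t)pkt[off + 1] + 2) * 4
                                : ((size_t)pkt[off + 1] + 1) * 8;
        if (off + ext_len > len)
            return 0;
        nh = pkt[off];
        off += ext_len;
    }
    return 0;
}

/* Constructed sample (buf must hold 128 bytes): IPv6 header, optional
 * 8-byte hop-by-hop header, then a 20-byte TCP header. Returns the length. */
size_t build_sample(uint8_t *buf, int with_hopopt)
{
    size_t off = IP6_HDR_LEN;
    size_t payload = 20 + (with_hopopt ? 8 : 0);

    memset(buf, 0, 128);
    buf[0] = 0x60;                           /* version 6 */
    buf[5] = (uint8_t)payload;               /* payload length */
    buf[6] = with_hopopt ? NH_HOPOPT : NH_TCP;
    buf[7] = 64;                             /* hop limit */
    buf[8] = 0x20; buf[9] = 0x01; buf[10] = 0x0d; buf[11] = 0xb8; buf[23] = 1;
    buf[24] = 0x20; buf[25] = 0x01; buf[26] = 0x0d; buf[27] = 0xb8; buf[39] = 2;
    if (with_hopopt) {
        buf[off] = NH_TCP;                   /* next header after this one */
        buf[off + 1] = 0;                    /* 8 bytes in total */
        buf[off + 2] = 1; buf[off + 3] = 4;  /* PadN option, 4 zero bytes */
        off += 8;
    }
    buf[off + 12] = 0x50;                    /* TCP data offset: 5 words */
    buf[off + 13] = 0x02;                    /* SYN */
    return off + 20;
}

int main(void)
{
    uint8_t buf[128];
    size_t n = build_sample(buf, 1);

    printf("hop-by-hop + TCP: ip6 proto 6 = %d, ip6 protochain 6 = %d\n",
           ip6_proto(buf, n, NH_TCP), ip6_protochain(buf, n, NH_TCP));
    return 0;
}
```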
| 343 | .IP "\fBether broadcast\fR" |
| 344 | True if the packet is an Ethernet broadcast packet. |
| 345 | The \fIether\fP |
| 346 | keyword is optional. |
| 347 | .IP "\fBip broadcast\fR" |
| 348 | True if the packet is an IPv4 broadcast packet. |
| 349 | It checks for both the all-zeroes and all-ones broadcast conventions, |
| 350 | and looks up the subnet mask on the interface on which the capture is |
| 351 | being done. |
| 352 | .IP |
| 353 | If the subnet mask of the interface on which the capture is being done |
| 354 | is not available, either because the interface on which capture is being |
| 355 | done has no netmask or because the capture is being done on the Linux |
| 356 | "any" interface, which can capture on more than one interface, this |
| 357 | check will not work correctly. |
| 358 | .IP "\fBether multicast\fR" |
| 359 | True if the packet is an Ethernet multicast packet. |
| 360 | The \fBether\fP |
| 361 | keyword is optional. |
| 362 | This is shorthand for `\fBether[0] & 1 != 0\fP'. |
| 363 | .IP "\fBip multicast\fR" |
| 364 | True if the packet is an IPv4 multicast packet. |
| 365 | .IP "\fBip6 multicast\fR" |
| 366 | True if the packet is an IPv6 multicast packet. |
| 367 | .IP "\fBether proto \fIprotocol\fR" |
| 368 | True if the packet is of ether type \fIprotocol\fR. |
| 369 | \fIProtocol\fP can be a number or one of the names |
| 370 | \fBip\fP, \fBip6\fP, \fBarp\fP, \fBrarp\fP, \fBatalk\fP, \fBaarp\fP, |
| 371 | \fBdecnet\fP, \fBsca\fP, \fBlat\fP, \fBmopdl\fP, \fBmoprc\fP, |
| 372 | \fBiso\fP, \fBstp\fP, \fBipx\fP, or \fBnetbeui\fP. |
| 373 | Note these identifiers are also keywords |
| 374 | and must be escaped via backslash (\\). |
| 375 | .IP |
| 376 | [In the case of FDDI (e.g., `\fBfddi proto \\arp\fR'), Token Ring |
| 377 | (e.g., `\fBtr proto \\arp\fR'), and IEEE 802.11 wireless LANs (e.g., |
| 378 | `\fBwlan proto \\arp\fR'), for most of those protocols, the |
| 379 | protocol identification comes from the 802.2 Logical Link Control (LLC) |
| 380 | header, which is usually layered on top of the FDDI, Token Ring, or |
| 381 | 802.11 header. |
| 382 | .IP |
| 383 | When filtering for most protocol identifiers on FDDI, Token Ring, or |
| 384 | 802.11, the filter checks only the protocol ID field of an LLC header |
| 385 | in so-called SNAP format with an Organizational Unit Identifier (OUI) of |
| 386 | 0x000000, for encapsulated Ethernet; it doesn't check whether the packet |
| 387 | is in SNAP format with an OUI of 0x000000. |
| 388 | The exceptions are: |
| 389 | .RS |
| 390 | .TP |
| 391 | \fBiso\fP |
| 392 | the filter checks the DSAP (Destination Service Access Point) and |
| 393 | SSAP (Source Service Access Point) fields of the LLC header; |
| 394 | .TP |
| 395 | \fBstp\fP and \fBnetbeui\fP |
| 396 | the filter checks the DSAP of the LLC header; |
| 397 | .TP |
| 398 | \fBatalk\fP |
| 399 | the filter checks for a SNAP-format packet with an OUI of 0x080007 |
| 400 | and the AppleTalk etype. |
| 401 | .RE |
| 402 | .IP |
| 403 | In the case of Ethernet, the filter checks the Ethernet type field |
| 404 | for most of those protocols. The exceptions are: |
| 405 | .RS |
| 406 | .TP |
| 407 | \fBiso\fP, \fBstp\fP, and \fBnetbeui\fP |
| 408 | the filter checks for an 802.3 frame and then checks the LLC header as |
| 409 | it does for FDDI, Token Ring, and 802.11; |
| 410 | .TP |
| 411 | \fBatalk\fP |
| 412 | the filter checks both for the AppleTalk etype in an Ethernet frame and |
| 413 | for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11; |
| 414 | .TP |
| 415 | \fBaarp\fP |
| 416 | the filter checks for the AppleTalk ARP etype in either an Ethernet |
| 417 | frame or an 802.2 SNAP frame with an OUI of 0x000000; |
| 418 | .TP |
| 419 | \fBipx\fP |
| 420 | the filter checks for the IPX etype in an Ethernet frame, the IPX |
| 421 | DSAP in the LLC header, the 802.3-with-no-LLC-header encapsulation of |
| 422 | IPX, and the IPX etype in a SNAP frame. |
| 423 | .RE |
| 424 | .IP "\fBip\fR, \fBip6\fR, \fBarp\fR, \fBrarp\fR, \fBatalk\fR, \fBaarp\fR, \fBdecnet\fR, \fBiso\fR, \fBstp\fR, \fBipx\fR, \fBnetbeui\fP" |
| 425 | Abbreviations for: |
| 426 | .in +.5i |
| 427 | .nf |
| 428 | \fBether proto \fIp\fR |
| 429 | .fi |
| 430 | .in -.5i |
| 431 | where \fIp\fR is one of the above protocols. |
| 432 | .IP "\fBlat\fR, \fBmoprc\fR, \fBmopdl\fR" |
| 433 | Abbreviations for: |
| 434 | .in +.5i |
| 435 | .nf |
| 436 | \fBether proto \fIp\fR |
| 437 | .fi |
| 438 | .in -.5i |
| 439 | where \fIp\fR is one of the above protocols. |
| 440 | Note that not all applications using |
| 441 | .BR pcap (3PCAP) |
| 442 | currently know how to parse these protocols. |
| 443 | .IP "\fBdecnet src \fIhost\fR" |
| 444 | True if the DECNET source address is |
| 445 | .IR host , |
| 446 | which may be an address of the form ``10.123'', or a DECNET host |
| 447 | name. |
| 448 | [DECNET host name support is only available on ULTRIX systems |
| 449 | that are configured to run DECNET.] |
| 450 | .IP "\fBdecnet dst \fIhost\fR" |
| 451 | True if the DECNET destination address is |
| 452 | .IR host . |
| 453 | .IP "\fBdecnet host \fIhost\fR" |
| 454 | True if either the DECNET source or destination address is |
| 455 | .IR host . |
| 456 | .IP "\fBifname \fIinterface\fR" |
| 457 | True if the packet was logged as coming from the specified interface (applies |
| 458 | only to packets logged by OpenBSD's or FreeBSD's |
| 459 | .BR pf (4)). |
| 460 | .IP "\fBon \fIinterface\fR" |
| 461 | Synonymous with the |
| 462 | .B ifname |
| 463 | modifier. |
| 464 | .IP "\fBrnr \fInum\fR" |
| 465 | True if the packet was logged as matching the specified PF rule number |
| 466 | (applies only to packets logged by OpenBSD's or FreeBSD's |
| 467 | .BR pf (4)). |
| 468 | .IP "\fBrulenum \fInum\fR" |
| 469 | Synonymous with the |
| 470 | .B rnr |
| 471 | modifier. |
| 472 | .IP "\fBreason \fIcode\fR" |
| 473 | True if the packet was logged with the specified PF reason code. The known |
| 474 | codes are: |
| 475 | .BR match , |
| 476 | .BR bad-offset , |
| 477 | .BR fragment , |
| 478 | .BR short , |
| 479 | .BR normalize , |
| 480 | and |
| 481 | .B memory |
| 482 | (applies only to packets logged by OpenBSD's or FreeBSD's |
| 483 | .BR pf (4)). |
| 484 | .IP "\fBrset \fIname\fR" |
| 485 | True if the packet was logged as matching the specified PF ruleset |
| 486 | name of an anchored ruleset (applies only to packets logged by OpenBSD's |
| 487 | or FreeBSD's |
| 488 | .BR pf (4)). |
| 489 | .IP "\fBruleset \fIname\fR" |
| 490 | Synonymous with the |
| 491 | .B rset |
| 492 | modifier. |
| 493 | .IP "\fBsrnr \fInum\fR" |
| 494 | True if the packet was logged as matching the specified PF rule number |
| 495 | of an anchored ruleset (applies only to packets logged by OpenBSD's or |
| 496 | FreeBSD's |
| 497 | .BR pf (4)). |
| 498 | .IP "\fBsubrulenum \fInum\fR" |
| 499 | Synonymous with the |
| 500 | .B srnr |
| 501 | modifier. |
| 502 | .IP "\fBaction \fIact\fR" |
| 503 | True if PF took the specified action when the packet was logged. Known actions |
| 504 | are: |
| 505 | .B pass |
| 506 | and |
| 507 | .B block |
| 508 | and, with later versions of |
| 509 | .BR pf (4), |
| 510 | .BR nat , |
| 511 | .BR rdr , |
| 512 | .B binat |
| 513 | and |
| 514 | .B scrub |
| 515 | (applies only to packets logged by OpenBSD's or FreeBSD's |
| 516 | .BR pf (4)). |
| 517 | .IP "\fBwlan ra \fIehost\fR" |
| 518 | True if the IEEE 802.11 RA is |
| 519 | .IR ehost . |
| 520 | The RA field is used in all frames except for management frames. |
| 521 | .IP "\fBwlan ta \fIehost\fR" |
| 522 | True if the IEEE 802.11 TA is |
| 523 | .IR ehost . |
| 524 | The TA field is used in all frames except for management frames and |
| 525 | CTS (Clear To Send) and ACK (Acknowledgment) control frames. |
| 526 | .IP "\fBwlan addr1 \fIehost\fR" |
| 527 | True if the first IEEE 802.11 address is |
| 528 | .IR ehost . |
| 529 | .IP "\fBwlan addr2 \fIehost\fR" |
| 530 | True if the second IEEE 802.11 address, if present, is |
| 531 | .IR ehost . |
| 532 | The second address field is used in all frames except for CTS (Clear To |
| 533 | Send) and ACK (Acknowledgment) control frames. |
| 534 | .IP "\fBwlan addr3 \fIehost\fR" |
| 535 | True if the third IEEE 802.11 address, if present, is |
| 536 | .IR ehost . |
| 537 | The third address field is used in management and data frames, but not |
| 538 | in control frames. |
| 539 | .IP "\fBwlan addr4 \fIehost\fR" |
| 540 | True if the fourth IEEE 802.11 address, if present, is |
| 541 | .IR ehost . |
| 542 | The fourth address field is only used for |
| 543 | WDS (Wireless Distribution System) frames. |
| 544 | .IP "\fBtype \fIwlan_type\fR" |
| 545 | True if the IEEE 802.11 frame type matches the specified \fIwlan_type\fR. |
| 546 | Valid \fIwlan_type\fRs are: |
| 547 | \fBmgt\fP, |
| 548 | \fBctl\fP |
| 549 | and \fBdata\fP. |
| 550 | .IP "\fBtype \fIwlan_type \fBsubtype \fIwlan_subtype\fR" |
| 551 | True if the IEEE 802.11 frame type matches the specified \fIwlan_type\fR |
| 552 | and frame subtype matches the specified \fIwlan_subtype\fR. |
| 553 | .IP |
| 554 | If the specified \fIwlan_type\fR is \fBmgt\fP, |
| 555 | then valid \fIwlan_subtype\fRs are: |
| 556 | \fBassoc-req\fP, |
| 557 | \fBassoc-resp\fP, |
| 558 | \fBreassoc-req\fP, |
| 559 | \fBreassoc-resp\fP, |
| 560 | \fBprobe-req\fP, |
| 561 | \fBprobe-resp\fP, |
| 562 | \fBbeacon\fP, |
| 563 | \fBatim\fP, |
| 564 | \fBdisassoc\fP, |
| 565 | \fBauth\fP and |
| 566 | \fBdeauth\fP. |
| 567 | .IP |
| 568 | If the specified \fIwlan_type\fR is \fBctl\fP, |
| 569 | then valid \fIwlan_subtype\fRs are: |
| 570 | \fBps-poll\fP, |
| 571 | \fBrts\fP, |
| 572 | \fBcts\fP, |
| 573 | \fBack\fP, |
| 574 | \fBcf-end\fP and |
| 575 | \fBcf-end-ack\fP. |
| 576 | .IP |
| 577 | If the specified \fIwlan_type\fR is \fBdata\fP, |
| 578 | then valid \fIwlan_subtype\fRs are: |
| 579 | \fBdata\fP, |
| 580 | \fBdata-cf-ack\fP, |
| 581 | \fBdata-cf-poll\fP, |
| 582 | \fBdata-cf-ack-poll\fP, |
| 583 | \fBnull\fP, |
| 584 | \fBcf-ack\fP, |
| 585 | \fBcf-poll\fP, |
| 586 | \fBcf-ack-poll\fP, |
| 587 | \fBqos-data\fP, |
| 588 | \fBqos-data-cf-ack\fP, |
| 589 | \fBqos-data-cf-poll\fP, |
| 590 | \fBqos-data-cf-ack-poll\fP, |
| 591 | \fBqos\fP, |
| 592 | \fBqos-cf-poll\fP and |
| 593 | \fBqos-cf-ack-poll\fP. |
| 594 | .IP "\fBsubtype \fIwlan_subtype\fR" |
| 595 | True if the IEEE 802.11 frame subtype matches the specified \fIwlan_subtype\fR |
| 596 | and frame has the type to which the specified \fIwlan_subtype\fR belongs. |
| 597 | .IP "\fBdir \fIdir\fR" |
| 598 | True if the IEEE 802.11 frame direction matches the specified |
| 599 | .IR dir . |
| 600 | Valid directions are: |
| 601 | .BR nods , |
| 602 | .BR tods , |
| 603 | .BR fromds , |
| 604 | .BR dstods , |
| 605 | or a numeric value. |
| 606 | .IP "\fBvlan \fI[vlan_id]\fR" |
| 607 | True if the packet is an IEEE 802.1Q VLAN packet. |
| 608 | If \fI[vlan_id]\fR is specified, only true if the packet has the specified |
| 609 | \fIvlan_id\fR. |
| 610 | Note that the first \fBvlan\fR keyword encountered in \fIexpression\fR |
| 611 | changes the decoding offsets for the remainder of \fIexpression\fR on |
| 612 | the assumption that the packet is a VLAN packet. The \fBvlan |
| 613 | \fI[vlan_id]\fR expression may be used more than once, to filter on VLAN |
| 614 | hierarchies. Each use of that expression increments the filter offsets |
| 615 | by 4. |
| 616 | .IP |
| 617 | For example: |
| 618 | .in +.5i |
| 619 | .nf |
| 620 | \fBvlan 100 && vlan 200\fR |
| 621 | .fi |
| 622 | .in -.5i |
| 623 | filters on VLAN 200 encapsulated within VLAN 100, and |
| 624 | .in +.5i |
| 625 | .nf |
| 626 | \fBvlan && vlan 300 && ip\fR |
| 627 | .fi |
| 628 | .in -.5i |
| 629 | filters IPv4 protocols encapsulated in VLAN 300 encapsulated within any |
| 630 | higher order VLAN. |
| 631 | .IP "\fBmpls \fI[label_num]\fR" |
| 632 | True if the packet is an MPLS packet. |
| 633 | If \fI[label_num]\fR is specified, only true if the packet has the specified |
| 634 | \fIlabel_num\fR. |
| 635 | Note that the first \fBmpls\fR keyword encountered in \fIexpression\fR |
| 636 | changes the decoding offsets for the remainder of \fIexpression\fR on |
| 637 | the assumption that the packet is an MPLS-encapsulated IP packet. The |
| 638 | \fBmpls \fI[label_num]\fR expression may be used more than once, to |
| 639 | filter on MPLS hierarchies. Each use of that expression increments the |
| 640 | filter offsets by 4. |
| 641 | .IP |
| 642 | For example: |
| 643 | .in +.5i |
| 644 | .nf |
| 645 | \fBmpls 100000 && mpls 1024\fR |
| 646 | .fi |
| 647 | .in -.5i |
| 648 | filters packets with an outer label of 100000 and an inner label of |
| 649 | 1024, and |
| 650 | .in +.5i |
| 651 | .nf |
| 652 | \fBmpls && mpls 1024 && host 192.9.200.1\fR |
| 653 | .fi |
| 654 | .in -.5i |
| 655 | filters packets to or from 192.9.200.1 with an inner label of 1024 and |
| 656 | any outer label. |
| 657 | .IP \fBpppoed\fP |
| 658 | True if the packet is a PPP-over-Ethernet Discovery packet (Ethernet |
| 659 | type 0x8863). |
| 660 | .IP "\fBpppoes \fI[session_id]\fR" |
| 661 | True if the packet is a PPP-over-Ethernet Session packet (Ethernet |
| 662 | type 0x8864). |
| 663 | If \fI[session_id]\fR is specified, only true if the packet has the specified |
| 664 | \fIsession_id\fR. |
| 665 | Note that the first \fBpppoes\fR keyword encountered in \fIexpression\fR |
| 666 | changes the decoding offsets for the remainder of \fIexpression\fR on |
| 667 | the assumption that the packet is a PPPoE session packet. |
| 668 | .IP |
| 669 | For example: |
| 670 | .in +.5i |
| 671 | .nf |
| 672 | \fBpppoes 0x27 && ip\fR |
| 673 | .fi |
| 674 | .in -.5i |
| 675 | filters IPv4 protocols encapsulated in PPPoE session id 0x27. |
| 676 | .IP "\fBiso proto \fIprotocol\fR" |
| 677 | True if the packet is an OSI packet of protocol type \fIprotocol\fP. |
| 678 | \fIProtocol\fP can be a number or one of the names |
| 679 | \fBclnp\fP, \fBesis\fP, or \fBisis\fP. |
| 680 | .IP "\fBclnp\fR, \fBesis\fR, \fBisis\fR" |
| 681 | Abbreviations for: |
| 682 | .in +.5i |
| 683 | .nf |
| 684 | \fBiso proto \fIp\fR |
| 685 | .fi |
| 686 | .in -.5i |
| 687 | where \fIp\fR is one of the above protocols. |
| 688 | .IP "\fBl1\fR, \fBl2\fR, \fBiih\fR, \fBlsp\fR, \fBsnp\fR, \fBcsnp\fR, \fBpsnp\fR" |
| 689 | Abbreviations for IS-IS PDU types. |
| 690 | .IP "\fBvpi\fP \fIn\fR" |
| 691 | True if the packet is an ATM packet, for SunATM on Solaris, with a |
| 692 | virtual path identifier of |
| 693 | .IR n . |
| 694 | .IP "\fBvci\fP \fIn\fR" |
| 695 | True if the packet is an ATM packet, for SunATM on Solaris, with a |
| 696 | virtual channel identifier of |
| 697 | .IR n . |
| 698 | .IP \fBlane\fP |
| 699 | True if the packet is an ATM packet, for SunATM on Solaris, and is |
| 700 | an ATM LANE packet. |
| 701 | Note that the first \fBlane\fR keyword encountered in \fIexpression\fR |
| 702 | changes the tests done in the remainder of \fIexpression\fR |
| 703 | on the assumption that the packet is either a LANE emulated Ethernet |
| 704 | packet or a LANE LE Control packet. If \fBlane\fR isn't specified, the |
| 705 | tests are done under the assumption that the packet is an |
| 706 | LLC-encapsulated packet. |
| 707 | .IP \fBllc\fP |
| 708 | True if the packet is an ATM packet, for SunATM on Solaris, and is |
| 709 | an LLC-encapsulated packet. |
| 710 | .IP \fBoamf4s\fP |
| 711 | True if the packet is an ATM packet, for SunATM on Solaris, and is |
| 712 | a segment OAM F4 flow cell (VPI=0 & VCI=3). |
| 713 | .IP \fBoamf4e\fP |
| 714 | True if the packet is an ATM packet, for SunATM on Solaris, and is |
| 715 | an end-to-end OAM F4 flow cell (VPI=0 & VCI=4). |
| 716 | .IP \fBoamf4\fP |
| 717 | True if the packet is an ATM packet, for SunATM on Solaris, and is |
| 718 | a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 | VCI=4)). |
| 719 | .IP \fBoam\fP |
| 720 | True if the packet is an ATM packet, for SunATM on Solaris, and is |
| 721 | a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 | VCI=4)). |
| 722 | .IP \fBmetac\fP |
| 723 | True if the packet is an ATM packet, for SunATM on Solaris, and is |
| 724 | on a meta signaling circuit (VPI=0 & VCI=1). |
| 725 | .IP \fBbcc\fP |
| 726 | True if the packet is an ATM packet, for SunATM on Solaris, and is |
| 727 | on a broadcast signaling circuit (VPI=0 & VCI=2). |
| 728 | .IP \fBsc\fP |
| 729 | True if the packet is an ATM packet, for SunATM on Solaris, and is |
| 730 | on a signaling circuit (VPI=0 & VCI=5). |
| 731 | .IP \fBilmic\fP |
| 732 | True if the packet is an ATM packet, for SunATM on Solaris, and is |
| 733 | on an ILMI circuit (VPI=0 & VCI=16). |
| 734 | .IP \fBconnectmsg\fP |
| 735 | True if the packet is an ATM packet, for SunATM on Solaris, and is |
| 736 | on a signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect, |
| 737 | Connect Ack, Release, or Release Done message. |
| 738 | .IP \fBmetaconnect\fP |
| 739 | True if the packet is an ATM packet, for SunATM on Solaris, and is |
| 740 | on a meta signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect, |
| 741 | Release, or Release Done message. |
| 742 | .IP "\fIexpr relop expr\fR" |
| 743 | True if the relation holds, where \fIrelop\fR is one of >, <, >=, <=, =, |
| 744 | !=, and \fIexpr\fR is an arithmetic expression composed of integer |
| 745 | constants (expressed in standard C syntax), the normal binary operators |
| 746 | [+, -, *, /, &, |, <<, >>], a length operator, and special packet data |
| 747 | accessors. Note that all comparisons are unsigned, so that, for example, |
| 748 | 0x80000000 and 0xffffffff are > 0. |
| 749 | To access |
| 750 | data inside the packet, use the following syntax: |
| 751 | .in +.5i |
| 752 | .nf |
| 753 | \fIproto\fB [ \fIexpr\fB : \fIsize\fB ]\fR |
| 754 | .fi |
| 755 | .in -.5i |
| 756 | \fIProto\fR is one of \fBether, fddi, tr, wlan, ppp, slip, link, |
| 757 | ip, arp, rarp, tcp, udp, icmp, ip6\fR or \fBradio\fR, and |
| 758 | indicates the protocol layer for the index operation. |
| 759 | (\fBether, fddi, wlan, tr, ppp, slip\fR and \fBlink\fR all refer to the |
| 760 | link layer. \fBradio\fR refers to the "radio header" added to some |
| 761 | 802.11 captures.) |
| 762 | Note that \fItcp, udp\fR and other upper-layer protocol types only |
| 763 | apply to IPv4, not IPv6 (this will be fixed in the future). |
| 764 | The byte offset, relative to the indicated protocol layer, is |
| 765 | given by \fIexpr\fR. |
| 766 | \fISize\fR is optional and indicates the number of bytes in the |
| 767 | field of interest; it can be either one, two, or four, and defaults to one. |
| 768 | The length operator, indicated by the keyword \fBlen\fP, gives the |
| 769 | length of the packet. |
| 770 | |
| 771 | For example, `\fBether[0] & 1 != 0\fP' catches all multicast traffic. |
| 772 | The expression `\fBip[0] & 0xf != 5\fP' |
| 773 | catches all IPv4 packets with options. |
| 774 | The expression |
| 775 | `\fBip[6:2] & 0x1fff = 0\fP' |
| 776 | catches only unfragmented IPv4 datagrams and frag zero of fragmented |
| 777 | IPv4 datagrams. |
| 778 | This check is implicitly applied to the \fBtcp\fP and \fBudp\fP |
| 779 | index operations. |
| 780 | For instance, \fBtcp[0]\fP always means the first |
| 781 | byte of the TCP \fIheader\fP, and never means the first byte of an |
| 782 | intervening fragment. |
| 783 | |
| 784 | Some offsets and field values may be expressed as names rather than |
| 785 | as numeric values. |
| 786 | The following protocol header field offsets are |
| 787 | available: \fBicmptype\fP (ICMP type field), \fBicmpcode\fP (ICMP |
| 788 | code field), and \fBtcpflags\fP (TCP flags field). |
| 789 | |
| 790 | The following ICMP type field values are available: \fBicmp-echoreply\fP, |
| 791 | \fBicmp-unreach\fP, \fBicmp-sourcequench\fP, \fBicmp-redirect\fP, |
| 792 | \fBicmp-echo\fP, \fBicmp-routeradvert\fP, \fBicmp-routersolicit\fP, |
| 793 | \fBicmp-timxceed\fP, \fBicmp-paramprob\fP, \fBicmp-tstamp\fP, |
| 794 | \fBicmp-tstampreply\fP, \fBicmp-ireq\fP, \fBicmp-ireqreply\fP, |
| 795 | \fBicmp-maskreq\fP, \fBicmp-maskreply\fP. |
| 796 | |
| 797 | The following TCP flags field values are available: \fBtcp-fin\fP, |
| 798 | \fBtcp-syn\fP, \fBtcp-rst\fP, \fBtcp-push\fP, |
| 799 | \fBtcp-ack\fP, \fBtcp-urg\fP. |
| 800 | .LP |
| 801 | Primitives may be combined using: |
| 802 | .IP |
| 803 | A parenthesized group of primitives and operators |
| 804 | (parentheses are special to the Shell and must be escaped). |
| 805 | .IP |
| 806 | Negation (`\fB!\fP' or `\fBnot\fP'). |
| 807 | .IP |
| 808 | Concatenation (`\fB&&\fP' or `\fBand\fP'). |
| 809 | .IP |
| 810 | Alternation (`\fB||\fP' or `\fBor\fP'). |
| 811 | .LP |
| 812 | Negation has highest precedence. |
| 813 | Alternation and concatenation have equal precedence and associate |
| 814 | left to right. |
| 815 | Note that explicit \fBand\fR tokens, not juxtaposition, |
| 816 | are now required for concatenation. |
| 817 | .LP |
| 818 | If an identifier is given without a keyword, the most recent keyword |
| 819 | is assumed. |
| 820 | For example, |
| 821 | .in +.5i |
| 822 | .nf |
| 823 | \fBnot host vs and ace\fR |
| 824 | .fi |
| 825 | .in -.5i |
| 826 | is short for |
| 827 | .in +.5i |
| 828 | .nf |
| 829 | \fBnot host vs and host ace\fR |
| 830 | .fi |
| 831 | .in -.5i |
| 832 | which should not be confused with |
| 833 | .in +.5i |
| 834 | .nf |
| 835 | \fBnot ( host vs or ace )\fR |
| 836 | .fi |
| 837 | .in -.5i |
| 838 | .SH EXAMPLES |
| 839 | .LP |
| 840 | To select all packets arriving at or departing from \fIsundown\fP: |
| 841 | .RS |
| 842 | .nf |
| 843 | \fBhost sundown\fP |
| 844 | .fi |
| 845 | .RE |
| 846 | .LP |
| 847 | To select traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR: |
| 848 | .RS |
| 849 | .nf |
| 850 | \fBhost helios and \\( hot or ace \\)\fP |
| 851 | .fi |
| 852 | .RE |
| 853 | .LP |
| 854 | To select all IP packets between \fIace\fR and any host except \fIhelios\fR: |
| 855 | .RS |
| 856 | .nf |
| 857 | \fBip host ace and not helios\fP |
| 858 | .fi |
| 859 | .RE |
| 860 | .LP |
| 861 | To select all traffic between local hosts and hosts at Berkeley: |
| 862 | .RS |
| 863 | .nf |
| 864 | .B |
| 865 | net ucb-ether |
| 866 | .fi |
| 867 | .RE |
| 868 | .LP |
| 869 | To select all ftp traffic through internet gateway \fIsnup\fP: |
| 870 | .RS |
| 871 | .nf |
| 872 | .B |
| 873 | gateway snup and (port ftp or ftp-data) |
| 874 | .fi |
| 875 | .RE |
| 876 | .LP |
| 877 | To select traffic neither sourced from nor destined for local hosts |
| 878 | (if you gateway to one other net, this stuff should never make it |
| 879 | onto your local net): |
| 880 | .RS |
| 881 | .nf |
| 882 | .B |
| 883 | ip and not net \fIlocalnet\fP |
| 884 | .fi |
| 885 | .RE |
| 886 | .LP |
| 887 | To select the start and end packets (the SYN and FIN packets) of each |
| 888 | TCP conversation that involves a non-local host: |
| 889 | .RS |
| 890 | .nf |
| 891 | .B |
| 892 | tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net \fIlocalnet\fP |
| 893 | .fi |
| 894 | .RE |
| 895 | .LP |
| 896 | To select all IPv4 HTTP packets to and from port 80, i.e. print only |
| 897 | packets that contain data, not, for example, SYN and FIN packets and |
| 898 | ACK-only packets. (IPv6 is left as an exercise for the reader.) |
| 899 | .RS |
| 900 | .nf |
| 901 | .B |
| 902 | tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) |
| 903 | .fi |
| 904 | .RE |
| 905 | .LP |
| 906 | To select IP packets longer than 576 bytes sent through gateway \fIsnup\fP: |
| 907 | .RS |
| 908 | .nf |
| 909 | .B |
| 910 | gateway snup and ip[2:2] > 576 |
| 911 | .fi |
| 912 | .RE |
| 913 | .LP |
| 914 | To select IP broadcast or multicast packets that were |
| 915 | .I not |
| 916 | sent via Ethernet broadcast or multicast: |
| 917 | .RS |
| 918 | .nf |
| 919 | .B |
| 920 | ether[0] & 1 = 0 and ip[16] >= 224 |
| 921 | .fi |
| 922 | .RE |
| 923 | .LP |
| 924 | To select all ICMP packets that are not echo requests/replies (i.e., not |
| 925 | ping packets): |
| 926 | .RS |
| 927 | .nf |
| 928 | .B |
| 929 | icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply |
| 930 | .fi |
| 931 | .RE |
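The HTTP data filter above, worked through in C over a constructed Ethernet/IPv4 frame to show what the \fIproto\fB[\fIexpr\fB:\fIsize\fB]\fR accessors compute. This is an added illustration, not libpcap code; the names load, ip_at, tcp_at, http_data_filter and make_frame are hypothetical, and only Ethernet carrying IPv4 is modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* proto[off:n]: big-endian load of n = 1, 2 or 4 bytes; returns 0 if out of range. */
static int load(const uint8_t *p, size_t len, size_t off, size_t n, uint32_t *v) {
    if (off > len || n > len - off) return 0;
    for (*v = 0; n > 0; n--) *v = (*v << 8) | p[off++];
    return 1;
}
/* ip[off:n] on an Ethernet frame: the index is relative to the IPv4 header. */
static int ip_at(const uint8_t *f, size_t len, size_t off, size_t n, uint32_t *v) {
    uint32_t etype;
    if (!load(f, len, 12, 2, &etype) || etype != 0x0800) return 0;
    return load(f, len, 14 + off, n, v);
}
/* tcp[off:n]: IPv4 protocol 6 plus the implicit ip[6:2] & 0x1fff = 0 check;
 * the index is relative to the end of the variable-length IP header. */
static int tcp_at(const uint8_t *f, size_t len, size_t off, size_t n, uint32_t *v) {
    uint32_t vhl, proto, frag;
    if (!ip_at(f, len, 0, 1, &vhl) || !ip_at(f, len, 9, 1, &proto) ||
        !ip_at(f, len, 6, 2, &frag) || proto != 6 || (frag & 0x1fff) != 0) return 0;
    return ip_at(f, len, ((vhl & 0xf) << 2) + off, n, v);
}
/* tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) */
static int http_data_filter(const uint8_t *f, size_t len) {
    uint32_t sport, dport, tot, vhl, doff;
    if (!tcp_at(f, len, 0, 2, &sport) || !tcp_at(f, len, 2, 2, &dport) ||
        (sport != 80 && dport != 80)) return 0;
    if (!ip_at(f, len, 2, 2, &tot) || !ip_at(f, len, 0, 1, &vhl) ||
        !tcp_at(f, len, 12, 1, &doff)) return 0;
    /* total length - IP header bytes - TCP header bytes = payload bytes */
    return ((tot - ((vhl & 0xf) << 2)) - ((doff & 0xf0) >> 2)) != 0;
}
/* Constructed frame: Ethernet, 20-byte IPv4, 20-byte TCP, `payload` data bytes. */
static size_t make_frame(uint8_t *b, unsigned payload, unsigned frag, unsigned dport) {
    unsigned tot = 40 + payload;
    memset(b, 0, 14 + tot);
    b[12] = 0x08; b[14] = 0x45; b[23] = 6;                  /* IPv4, IHL 5, TCP */
    b[16] = (uint8_t)(tot >> 8);   b[17] = (uint8_t)tot;    /* ip[2:2] */
    b[20] = (uint8_t)(frag >> 8);  b[21] = (uint8_t)frag;   /* ip[6:2] */
    b[36] = (uint8_t)(dport >> 8); b[37] = (uint8_t)dport;  /* tcp[2:2] */
    b[34] = 0xc0; b[46] = 0x50;          /* tcp[0:2] = 49152, tcp[12]: offset 5 */
    return 14 + tot;
}
int main(void) {
    uint8_t b[64];
    printf("%d\n", http_data_filter(b, make_frame(b, 4, 0, 80)));  /* data segment */
    return 0;
}
```

In C the masked terms need their own parentheses because != binds tighter than &; in the filter language `ip[0] & 0xf != 5' already means (ip[0] & 0xf) != 5.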
| 932 | .SH "SEE ALSO" |
| 933 | pcap(3PCAP) |
| 934 | .SH BUGS |
| 935 | Please send problems, bugs, questions, desirable enhancements, etc. to: |
| 936 | .LP |
| 937 | .RS |
| 938 | tcpdump-workers@lists.tcpdump.org |
| 939 | .RE |
| 940 | .LP |
| 941 | Filter expressions on fields other than those in Token Ring headers will |
| 942 | not correctly handle source-routed Token Ring packets. |
| 943 | .LP |
| 944 | Filter expressions on fields other than those in 802.11 headers will not |
| 945 | correctly handle 802.11 data packets with both To DS and From DS set. |
| 946 | .LP |
| 947 | .BR "ip6 proto" |
| 948 | should chase the header chain, but at this moment it does not. |
| 949 | .BR "ip6 protochain" |
| 950 | is supplied for this behavior. |
| 951 | .LP |
| 952 | Arithmetic expressions against transport layer headers, like \fBtcp[0]\fP, |
| 953 | do not work against IPv6 packets. |
| 954 | They only look at IPv4 packets. |