Primitive | Description |
---|---|
dst host HOST | True if the IPv4 packet destination field is "HOST" (may be either an address or a host name). |
src host HOST | True if the IPv4 packet source field is "HOST". |
host HOST | True if either the IPv4 source or destination of the packet is "HOST". |
Note | Any of the above host expressions can be prefixed with the keywords "ip", "ip6", "arp", "rarp". |
ether dst EHOST | True if the ethernet destination MAC address is "EHOST". "EHOST" must be in numeric format: XX:XX:XX:XX:XX:XX. |
ether src EHOST | True if the ethernet source MAC address is "EHOST". |
ether host EHOST | True if either the ethernet source or destination MAC address is "EHOST". |
dst net NET | True if the IPv4 packet destination address has a network number of "NET". |
src net NET | True if the IPv4 packet source address has a network number of "NET". |
net NET | True if either the IPv4 source or destination address of the packet has a network number of "NET". |
net NET mask NETMASK | True if the IPv4 address matches "NET" with the specific "NETMASK". May be qualified with "src" and "dst". |
net NET/LEN | True if the IPv4 address matches "NET" with a netmask "LEN" bits wide. May be qualified with "src" and "dst". |
dst port PORT | True if the packet is UDP or TCP and has a destination port value "PORT". |
src port PORT | True if the packet has a source port value "PORT". |
port PORT | True if either the source or destination port of the packet is "PORT". |
dst portrange PORT1-PORT2 | True if the packet is UDP or TCP and has a destination port value in range "PORT1-PORT2". |
src portrange PORT1-PORT2 | True if the packet has a source port value in range "PORT1-PORT2". |
portrange PORT1-PORT2 | True if either the source or destination port of the packet is in range "PORT1-PORT2". |
Note | Any of the above "port" or "port range" expressions can be prefixed with the keywords "tcp" or "udp"; in that case, the filter also matches on the protocol value. |
less LENGTH | True if the packet has a length less than or equal to "LENGTH". This is equivalent to: "len <= length". |
greater LENGTH | True if the packet has a length greater than or equal to "LENGTH". This is equivalent to: "len >= length". |
ip proto PROTOCOL | True if the packet is an IPv4 packet and contains a protocol header with type "PROTOCOL". "PROTOCOL" can be a number or one of the names: "icmp", "icmp6", "igmp", "igrp", "pim", "ah", "esp", "vrrp", "udp" or "tcp". Note that the identifiers "tcp", "udp" and "icmp" are also keywords and must be escaped via backslash (\). Note that this primitive does not chase the protocol header chain. |
ip protochain PROTOCOL | True if the packet is an IPv4 packet and contains a protocol header with type "PROTOCOL" in its protocol header chain. |
ether broadcast | True if the packet is an Ethernet broadcast packet. The "ether" is optional. |
ether multicast | True if the packet is an Ethernet multicast (or broadcast) packet. The "ether" is optional. This is shorthand for "ether[0] & 1 != 0". |
ip multicast | True if the packet is an IPv4 multicast (or broadcast) packet. |
ether proto PROTOCOL | True if the packet has ether type "PROTOCOL". "PROTOCOL" can be a number or one of the names: "icmp", "icmp6", "igmp", "igrp", "pim", "ah", "esp", "vrrp", "udp" or "tcp". Note these identifiers are also keywords and must be escaped via backslash (\). |
svlan [vlan_id] | True if the packet is an IEEE 802.1Q Service VLAN packet (ether proto 0x88a8). In the case of Ethernet, WANFleX checks the Ethernet type field for most of those protocols. The exceptions are:
- "iso", "stp" and "netbeui" - WANFleX checks for an 802.3 frame and then checks the LLC header as it does for FDDI, Token Ring, and 802.11.
- "atalk" - WANFleX checks both for the AppleTalk etype in an Ethernet frame and for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11.
- "aarp" - WANFleX checks for the AppleTalk ARP etype in either an Ethernet frame or an 802.2 SNAP frame with an OUI of 0x000000.
- "ipx" - WANFleX checks for the IPX etype in an Ethernet frame, the IPX DSAP in the LLC header, the 802.3-with-no-LLC-header encapsulation of IPX, and the IPX etype in a SNAP frame. |
vlan [vlan_id] | True if the packet is an IEEE 802.1Q VLAN packet (ether proto 0x8100). If "[vlan_id]" is specified, only true if the packet has the specified "vlan_id". |
Note | The "vlan [vlan_id]" expression may be used more than once, to filter on VLAN hierarchies. Each use of that expression increments the filter offsets by 4. |
mpls [label_num] | True if the packet is an MPLS packet. If "[label_num]" is specified, only true if the packet has the specified "label_num". |
Note | The "mpls [label_num]" expression may be used more than once, to filter on MPLS hierarchies. Each use of that expression increments the filter offsets by 4. |
pppoed | True if the packet is a PPP-over-Ethernet Discovery packet (Ethernet type 0x8863). |
pppoes | True if the packet is a PPP-over-Ethernet Session packet (Ethernet type 0x8864). |
iso proto PROTOCOL | True if the packet is an OSI packet of protocol type "PROTOCOL". Protocol can be a number or one of the names: "clnp", "esis", "isis". |
expr relop expr | True if the relation holds, where "relop" is one of ">", "<", ">=", "<=", "=", "!=", and "expr" is an arithmetic expression composed of integer constants and the operators "+", "-", "*", "/", "&", "|", "<<", ">>". |
Note | All comparisons are unsigned, so that, for example, 0x80000000 and 0xffffffff are > 0. |

To access data inside the packet, use the following syntax: "proto [ expr : size ]".
- "proto" is one of "ether", "fddi", "tr", "wlan", "ppp", "slip", "link", "ip", "arp", "rarp", "tcp", "udp", "icmp" and indicates the protocol layer for the index operation. Values "ether", "fddi", "tr", "wlan", "ppp", "slip", "link" refer to the link layer. Note that "tcp", "udp" and other upper-layer protocol types only apply to IPv4.
- "size" is optional and indicates the number of bytes in the field of interest; it can be 1, 2 or 4, and defaults to 1.

The length operator is indicated by the keyword "len". Some offsets and field values may be expressed as names rather than as numeric values. The following protocol header field offsets are available: "icmptype" (ICMP type field), "icmpcode" (ICMP code field) and "tcpflags" (TCP flags field).
- The following ICMP type field values are available: "icmp-echoreply", "icmp-unreach", "icmp-sourcequench", "icmp-redirect", "icmp-echo", "icmp-routeradvert", "icmp-routersolicit", "icmp-timxceed", "icmp-paramprob", "icmp-tstamp", "icmp-tstampreply", "icmp-ireq", "icmp-ireqreply", "icmp-maskreq", "icmp-maskreply".
- The following TCP flags field values are available: "tcp-fin", "tcp-syn", "tcp-rst", "tcp-push", "tcp-ack", "tcp-urg".
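
An added illustration (not WANFleX code and not part of the original reference): a small Python model of how the "vlan [vlan_id]" offset shift and the "proto [ expr : size ]" accessor combine, run on constructed frames. The function names, the sample addresses, and the numeric values assumed for "tcpflags" (13), "tcp-syn" (0x02) and "tcp-ack" (0x10), taken from the standard TCP header layout, are assumptions that do not appear on the page.

```python
import struct

# Assumed values behind the names in the table (standard TCP header layout).
TCPFLAGS, TCP_SYN, TCP_ACK = 13, 0x02, 0x10

def build_frame(flags, vlan_ids=()):
    """Constructed sample: Ethernet [+ 802.1Q tags] / IPv4 / TCP, no payload."""
    macs = bytes.fromhex("020000000002020000000001")          # dst, src
    tags = b"".join(struct.pack("!HH", 0x8100, v) for v in vlan_ids)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, flags, 0xFFFF, 0, 0)
    return macs + tags + struct.pack("!H", 0x0800) + ip + tcp

def vlan_depth(frame, vlan_ids):
    """Chained "vlan ID" primitives: tag count matched, or None on mismatch."""
    for depth, want in enumerate(vlan_ids):
        tpid, tci = struct.unpack_from("!HH", frame, 12 + 4 * depth)
        if tpid != 0x8100 or (want is not None and tci & 0x0FFF != want):
            return None
    return len(vlan_ids)

def field(frame, proto, expr, size=1, depth=0):
    """proto[expr:size] for "ip"/"tcp": unsigned big-endian read of 1, 2 or 4 bytes."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    ip_off = 14 + 4 * depth                    # each "vlan" shifts offsets by 4
    base = ip_off if proto == "ip" else ip_off + (frame[ip_off] & 0x0F) * 4
    return int.from_bytes(frame[base + expr:base + expr + size], "big")

def syn_only(frame, vlan_ids=()):
    """Model of: [vlan ID and ...] tcp[tcpflags] & (tcp-syn|tcp-ack) = tcp-syn"""
    depth = vlan_depth(frame, vlan_ids)
    if depth is None:
        return False
    ip_off = 14 + 4 * depth
    ethertype = struct.unpack_from("!H", frame, ip_off - 2)[0]
    if ethertype != 0x0800 or frame[ip_off + 9] != 6:     # must be IPv4 carrying TCP
        return False
    flags = field(frame, "tcp", TCPFLAGS, 1, depth)
    return flags & (TCP_SYN | TCP_ACK) == TCP_SYN

if __name__ == "__main__":
    tagged = build_frame(TCP_SYN, vlan_ids=(100,))
    print(syn_only(build_frame(TCP_SYN)))               # untagged SYN
    print(syn_only(tagged), syn_only(tagged, (100,)))   # without / with "vlan 100"
```

In this model the same TCP-flags test does not match an 802.1Q-tagged frame unless the filter also contains "vlan", which is the first thing to check when a filter appears to miss traffic on a trunk port.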