In text form, a PCAP filter is an expression made up of one or more primitives. The primitives in the expression determine whether the filter accepts a packet. Each primitive names a specific element of a standard protocol packet together with a value, and the filter compares that value with the corresponding element of the packet. If the primitive's value coincides with the packet element's value, the primitive evaluates to true and the filter proceeds to compare the next primitive. If every value in the expression coincides with the checked packet elements, the filter accepts the packet; otherwise the packet is ignored.
Primitives usually consist of an id (name or number) preceded by one or more qualifiers. There are three different kinds of qualifier:
In addition to the above, there are some special primitive keywords that do not follow this pattern: "broadcast", "less", "greater" and arithmetic expressions. A detailed description is given below.
More complex filter expressions are built up by using the words "and", "or" and "not" to combine primitives. Primitives can be grouped with brackets and combined with logical operations:
Negation has the highest priority. Conjunction ("and") and disjunction ("or") have the same priority and are evaluated from left to right.
If several primitives in the filter carry the same qualifiers, the repeated qualifiers may be omitted to shorten the expression.
The values "ip", "arp", "rarp", "atalk", "aarp", "iso", "stp", "ipx" and "netbeui" are abbreviations for "ether proto p", where "p" is one of these protocols. "tcp", "udp" and "icmp" are abbreviations for "ip proto p", where "p" is one of these protocols. "clnp", "esis" and "isis" are abbreviations for "iso proto p", where "p" is one of these protocols.
This filter blocks incoming traffic on port 80 ("udp" or "tcp"). In this example the full "ipfw" command syntax is used; in the following examples the command parameters are omitted.
If the filter repeats the same qualifiers several times, they can be specified once to shorten the expression.
is equal to:
Discards packets that have the "1.1.1.1" and "1.1.1.2" IP addresses.
is equal to:
should not be confused with:
In this case, packets that do not have the first IP address but do have the second one will be skipped.
In this case, packets with at least one of the specified IP addresses will be discarded.
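As an added example, not part of the original page: a small Python evaluator for the subset of the grammar described above (host/net/port primitives with src/dst qualifiers, the "tcp"/"udp"/"ip" shorthands, "not" binding tightest with "and"/"or" applied left to right, bracket grouping, and omission of repeated qualifiers), which also illustrates the negation case just discussed. The packet record layout, its field names and the sample packets are assumptions of this example, not anything taken from the page.

```python
import ipaddress
PROTOS, DIRS, TYPES = {"ip", "tcp", "udp", "icmp"}, {"src", "dst"}, {"host", "net", "port"}
def _match(pkt, dir_, type_, value):  # compare one primitive with the packet element(s) it selects
    fields = [d + ("port" if type_ == "port" else "addr") for d in ("sd" if dir_ is None else dir_[0])]
    if type_ == "port":
        return any(pkt.get(f) == int(value) for f in fields)
    net = ipaddress.ip_network(value, strict=False)  # a bare host address is a /32 network
    return any(ipaddress.ip_address(pkt[f]) in net for f in fields)
def _expr(toks, last):  # "and" and "or" share one precedence level and are applied left to right
    left = _unary(toks, last)
    while toks and toks[0] in ("and", "or"):
        op, l, r = toks.pop(0), left, _unary(toks, last)
        left = lambda p, o=op, l=l, r=r: (l(p) and r(p)) if o == "and" else (l(p) or r(p))
    return left
def _unary(toks, last):  # negation binds tightest; brackets group a sub-expression
    t = toks.pop(0)
    if t == "not":
        inner = _unary(toks, last)
        return lambda p: not inner(p)
    if t == "(":
        inner = _expr(toks, last)
        assert toks.pop(0) == ")", "missing ')'"
        return inner
    toks.insert(0, t)
    return _primitive(toks, last)
def _primitive(toks, last):
    proto = dir_ = type_ = value = None
    while toks and toks[0] in PROTOS | DIRS | TYPES:  # collect the qualifiers
        t = toks.pop(0)
        proto, dir_, type_ = (t if t in PROTOS else proto, t if t in DIRS else dir_, t if t in TYPES else type_)
    if toks and toks[0] not in ("and", "or", ")"):  # the id: address, network or port
        value = toks.pop(0)
        if type_ is None:  # "host A and B": B reuses the qualifiers written before A
            dir_, type_ = dir_ or last[0], last[1]
        last[:] = [dir_, type_]
    # "tcp" alone is shorthand for "ip proto tcp"; "ip" matches every packet of this IPv4-only model
    return lambda p: (proto in (None, "ip") or p["proto"] == proto) and (value is None or _match(p, dir_, type_, value))

PACKETS = [  # constructed sample packets, not a real capture
    {"saddr": "1.1.1.1", "daddr": "192.168.0.5", "proto": "tcp", "sport": 40000, "dport": 21},
    {"saddr": "1.1.1.2", "daddr": "172.16.3.4", "proto": "udp", "sport": 5353, "dport": 80},
    {"saddr": "1.1.1.1", "daddr": "1.1.1.2", "proto": "icmp"},
    {"saddr": "192.168.0.7", "daddr": "8.8.8.8", "proto": "udp", "sport": 53000, "dport": 53},
]
def matching(expr, packets=PACKETS):  # indexes of the packets the filter accepts
    toks = expr.replace("(", " ( ").replace(")", " ) ").split()
    fn = _expr(toks, [None, "host"])
    assert not toks, "trailing tokens: %r" % toks
    return [i for i, p in enumerate(packets) if fn(p)]
```

With these packets, `matching("not host 1.1.1.1 and 1.1.1.2")` returns only the packet that lacks the first address and carries the second, whereas `matching("not (host 1.1.1.1 or 1.1.1.2)")` returns the packet carrying neither. `matching("tcp or udp and port 53")` shows the left-to-right rule: it is read as "(tcp or udp) and port 53".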
Filters traffic that has the "192.168.0.1" IP address (as source or destination).
Filters traffic whose destination IP address belongs to the "172.16.0.0/16" network (more precisely, lies in the range from "172.16.0.0" to "172.16.255.255").
Filters traffic that belongs to the "192.168.0.0/24" network (source or destination), uses the TCP protocol and port 21.
Filters multicast traffic.
Filters IPv4 packets.
Catches only unfragmented IPv4 datagrams and discards fragmented IPv4 datagrams. This check is implicitly applied to the tcp and udp index operations: "tcp[0]" always means the first byte of the TCP header and never the first byte of an intervening fragment.
Filters VLAN 200 encapsulated within Service VLAN 100.
Filters IPv4 protocols encapsulated in VLAN 300.
Filters all packets encapsulated within Service VLAN 100.
Filters packets with an outer label of 100000 and an inner label of 1024.
Filters packets to or from 192.9.200.1 with an inner label of 1024 and any outer label.
Filters IPv4 protocols encapsulated in PPPoE.