
pcap-filter man, better libpcap filter expressions intro

Open guyharris opened this issue 12 years ago • 4 comments

Converted from SourceForge issue 2823520, submitted by doru001

For clarity and ease of learning, please change the filter expressions presentation paragraphs to include:

  • rename all qualifiers as modifiers, or otherwise make the manual consistent with the error messages. For example, in the expression 'tcpdump tcp host 2', the man says that tcp is a qualifier, while the error message says that tcp is a modifier. Also, the man does not justify the use of both terms, modifier and qualifier, or at least I did not find the justification.
  • the mention that a primitive only operates within one protocol level header, and that one primitive cannot completely define one protocol level header, that is, one primitive cannot contain all conditions applicable to one protocol level header.
  • the right order of the three different kinds of modifiers/qualifiers, formally: [proto][dir][type][id]. Now they are presented in this order: type, dir, proto.
  • emphasize the statement that [proto][dir][type][id] is only a general structure, not a definition of primitives, and that not every primitive accepts all terms in [proto][dir][type][id].
  • emphasize the statement that the list of allowable primitives actually defines primitives; primitives are not defined by [proto][dir][type][id].
  • complete the list of primitives with 'ip src host [id]' and others, such that it becomes comprehensive.
  • explain when 'ip' is an alias for 'ether proto \ip' and when it is a modifier. Same for other aliases.

guyharris avatar Apr 15 '13 23:04 guyharris
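The [proto][dir][type][id] structure and the bare-protocol aliases discussed in the report, as an added Python illustration that is not libpcap code: the qualifier sets and the defaults (host when no type is given, src or dst when no dir is given) follow the pcap-filter man page, while accepting `proto` in the type slot is this example's own simplification.

```python
# Added illustration (not libpcap code): split one pcap-filter primitive into the
# [proto][dir][type][id] slots the man page describes, apply the man page's defaults,
# and expand a bare protocol name to the primitive it abbreviates.

PROTO_QUALIFIERS = {"ether", "fddi", "tr", "wlan", "ip", "ip6", "arp", "rarp",
                    "decnet", "tcp", "udp", "icmp", "sctp"}
# "proto" is accepted in the type slot here so that 'ether proto \ip' parses;
# the man page lists only host, net, port and portrange as type qualifiers.
TYPE_QUALIFIERS = {"host", "net", "port", "portrange", "proto"}
# Bare protocol names and the primitive each abbreviates (pcap-filter man page).
ALIASES = {
    "ip": "ether proto \\ip", "ip6": "ether proto \\ip6",
    "arp": "ether proto \\arp", "rarp": "ether proto \\rarp",
    "tcp": "ip proto \\tcp or ip6 proto \\tcp",
    "udp": "ip proto \\udp or ip6 proto \\udp",
    "icmp": "ip proto \\icmp or ip6 proto \\icmp",
}

def parse_primitive(expr):
    """Return the proto/dir/type/id slots of one primitive; raise ValueError if malformed."""
    tokens = expr.split()
    slots = {"proto": None, "dir": None, "type": None, "id": None, "alias": None}
    i = 0
    if i < len(tokens) and tokens[i] in PROTO_QUALIFIERS:
        slots["proto"] = tokens[i]; i += 1
    # 'src or dst' / 'src and dst' is a single dir qualifier spread over three words
    if (i + 2 < len(tokens) and tokens[i] in ("src", "dst")
            and tokens[i + 1] in ("or", "and") and tokens[i + 2] in ("src", "dst")):
        slots["dir"] = " ".join(tokens[i:i + 3]); i += 3
    elif i < len(tokens) and tokens[i] in ("src", "dst"):
        slots["dir"] = tokens[i]; i += 1
    if i < len(tokens) and tokens[i] in TYPE_QUALIFIERS:
        slots["type"] = tokens[i]; i += 1
    rest = tokens[i:]
    if slots["proto"] and not (slots["dir"] or slots["type"] or rest):
        # A protocol name standing alone is an abbreviation for a whole primitive,
        # not a modifier of anything that follows.
        slots["alias"] = ALIASES.get(slots["proto"])
        return slots
    if len(rest) != 1:
        raise ValueError(f"expected exactly one id in {expr!r}, got {rest}")
    slots["id"] = rest[0]
    if slots["type"] is None:          # man page: no type qualifier means host
        slots["type"] = "host"
    if slots["dir"] is None and slots["type"] != "proto":
        slots["dir"] = "src or dst"    # man page: no dir qualifier means src or dst
    return slots

def normalize(expr):
    """Spell out every slot the man page says is implied, or the alias expansion."""
    s = parse_primitive(expr)
    if s["alias"]:
        return s["alias"]
    return " ".join(w for w in (s["proto"], s["dir"], s["type"], s["id"]) if w)
```

With the report's example, `normalize("tcp host 2")` yields `tcp src or dst host 2`, where tcp fills the proto slot, whereas `normalize("ip")` yields the alias `ether proto \ip`.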

Submitted by doru001

This is a follow-up to: https://sourceforge.net/tracker/?func=detail&aid=2813234&group_id=53066&atid=469573 which is going to be closed, as advised by: http://thread.gmane.org/gmane.network.tcpdump.devel/3997/focus=3999

guyharris avatar Apr 15 '13 23:04 guyharris

Submitted by doru001

You may add that tcpdump works "outside" iptables. That is, it sees incoming packets stopped by iptables and it does not see outgoing packets stopped by iptables.

guyharris avatar Apr 15 '13 23:04 guyharris

The original issue was opened on 2009-07-18. The only immediately actionable work item I can tell here is to make the error messages consistent with the man page.

infrastation avatar Nov 29 '21 22:11 infrastation

On the note of Linux BPF placed "outside of" iptables, on FreeBSD this used to be exactly the opposite: tcpdump never sees incoming packets rejected by ipfw.

infrastation avatar Jan 04 '22 15:01 infrastation