9/28/2016 BPF syntax
http://biot.com/capstats/bpf.html 1/10
Berkeley Packet Filter (BPF) syntax
The expression consists of one or more primitives. Primitives usually consist of an id (name or number)
preceded by one or more qualifiers. There are three different kinds of qualifier:
type
qualifiers say what kind of thing the id name or number refers to. Possible types are host, net, port
and portrange. E.g., `host foo', `net 128.3', `port 20', `portrange 6000-6008'. If there is no type
qualifier, host is assumed.
dir
qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src
or dst and src and dst. E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. If there is no dir
qualifier, src or dst is assumed. For some link layers, such as SLIP and the ``cooked'' Linux capture
mode used for the ``any'' device and for some other device types, the inbound and outbound
qualifiers can be used to specify a desired direction.
proto
qualifiers restrict the match to a particular protocol. Possible protos are: ether, fddi, tr, wlan, ip, ip6,
arp, rarp, decnet, tcp and udp. E.g., `ether src foo', `arp net 128.3', `tcp port 21', `udp portrange
7000-7009'. If there is no proto qualifier, all protocols consistent with the type are assumed. E.g., `src
foo' means `(ip or arp or rarp) src foo' (except the latter is not legal syntax), `net bar' means `(ip or arp
or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
`fddi' is actually an alias for `ether'; the parser treats them identically as meaning ``the data link level used on
the specified network interface.'' FDDI headers contain Ethernet-like source and destination addresses, and
often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous
Ethernet fields. FDDI headers also contain other fields, but you cannot name them explicitly in a filter
expression.
Similarly, `tr' and `wlan' are aliases for `ether'; the previous paragraph's statements about FDDI headers also
apply to Token Ring and 802.11 wireless LAN headers. For 802.11 headers, the destination address is the
DA field and the source address is the SA field; the BSSID, RA, and TA fields aren't tested.
In addition to the above, there are some special `primitive' keywords that don't follow the pattern: gateway,
broadcast, less, greater and arithmetic expressions. All of these are described below.
More complex filter expressions are built up by using the words and, or and not to combine primitives. E.g.,
`host foo and not port ftp and not port ftp-data'. To save typing, identical qualifier lists can be omitted. E.g.,
`tcp dst port ftp or ftp-data or domain' is exactly the same as `tcp dst port ftp or tcp dst port ftp-data or tcp
dst port domain'.
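The qualifier rules above (omitted qualifier lists inherit the previous ones; missing type, dir and proto take the stated defaults) as an added example, not code from the original page or from tcpdump. It assumes a single-line expression with whitespace-separated tokens and the qualifier keywords listed in the text.

```python
# Added example, not code from the page: expands omitted qualifier lists the
# way the text above says tcpdump does, and reports the defaults for missing ones.
import re

TYPE_QUALIFIERS = {"host", "net", "port", "portrange"}
DIR_QUALIFIERS = {"src", "dst", "inbound", "outbound"}
PROTO_QUALIFIERS = {"ether", "fddi", "tr", "wlan", "ip", "ip6", "arp",
                    "rarp", "decnet", "tcp", "udp"}
CONNECTIVES = {"and", "or", "not"}
MARK = "\x00"  # glues 'src or dst' into one token so its inner 'or' is not a connective
_COMPOUND_DIR = re.compile(r"\b(src|dst) (or|and) (src|dst)\b")

def _is_qualifier(tok):
    return MARK in tok or tok in TYPE_QUALIFIERS | DIR_QUALIFIERS | PROTO_QUALIFIERS

def expand_qualifiers(expr):
    """Rewrite expr so every id carries an explicit qualifier list."""
    tokens = _COMPOUND_DIR.sub(lambda m: m.group(0).replace(" ", MARK), expr).split()
    out, current, inherited = [], [], []
    def flush():
        nonlocal current, inherited
        if current:
            *qualifiers, ident = current
            if not qualifiers and _is_qualifier(ident):
                out.append(ident)          # bare keyword primitive such as 'tcp'
            else:
                inherited = qualifiers or inherited  # omitted list inherits the last one
                out.extend(inherited + [ident])
        current = []

    for tok in tokens:
        if tok in CONNECTIVES:
            flush()
            out.append(tok)
        else:
            current.append(tok)
    flush()
    return " ".join(t.replace(MARK, " ") for t in out)

def implied_qualifiers(qualifiers):
    """Defaults from the text: type host, dir 'src or dst', proto by type.
    '(ip or arp or rarp)' mirrors the text and is not itself legal syntax."""
    toks = [t.replace(MARK, " ") for t in qualifiers]
    proto = next((t for t in toks if t in PROTO_QUALIFIERS), None)
    direction = next((t for t in toks if t in DIR_QUALIFIERS or " " in t), "src or dst")
    kind = next((t for t in toks if t in TYPE_QUALIFIERS), "host")
    if proto is None:
        proto = "(tcp or udp)" if kind in ("port", "portrange") else "(ip or arp or rarp)"
    return proto, direction, kind
```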
Allowable primitives are:
dst host host
True if the IPv4/v6 destination field of the packet is host, which may be either an address or a name.
src host host
True if the IPv4/v6 source field of the packet is host.
host host
True if either the IPv4/v6 source or destination of the packet is host.
Any of the above host expressions can be prepended with the keywords, ip, arp, rarp, or ip6 as in: