beby@xxxxxxxxxxxx wrote:
Looks like I've answered my own question...
The udp abbreviation "udp" works while the long form "ip proto udp"
generally doesn't work.
so:
"host foo and udp" works great, but "host foo and ip proto udp" causes a
parse error.
Guy Harris answered a similar question from me on 2/23, so I pass on..
subject: capture filters - whats wrong with 'not ether proto arp'
'not ether proto arp' -> unable to parse filter string (parse error)
'not ether proto ARP' -> " " " " "
(unknown ether proto ARP)
'not ip proto ARP' -> " (unknown ip proto ARP)
'not ip proto GRE' -> works.
'not ip proto 0x0806' -> works
so I conclude:
filtering IP protocols by name works (ex. GRE), but not for Ethernet
protocols.
or am I missing something?
Yes, you're missing a backslash. :-)
To quote the tcpdump man page (which is the man page that documents the
filter expression syntax supported by libpcap; libpcap is the library
used by tcpdump, Ethereal, and a number of other programs to do packet
capture, and that includes doing filtering when capturing):
expression
selects which packets will be dumped. If no
expression is given, all packets on the net will be
dumped. Otherwise, only packets for which expres-
sion is `true' will be dumped.
...
ether proto protocol
True if the packet is of ether type proto-
col. Protocol can be a number or a name
like ip, arp, or rarp. Note these identi-
^^^^^^^^^^^^^^^^^^
fiers are also keywords and must be escaped
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
via backslash (\). [In the case of FDDI
^^^^^^^^^^^^^^^^^^^
(e.g., `fddi protocol arp'), the protocol
identification comes from the 802.2 Logical
Link Control (LLC) header, which is usually
layered on top of the FDDI header. Tcpdump
assumes, when filtering on the protocol
identifier, that all FDDI packets include an
LLC header, and that the LLC header is in
so-called SNAP format.]
so:
% tcpdump 'not ether proto arp'
tcpdump: syntax error
but
% tcpdump 'not ether proto \arp'
tcpdump: listening on fxp0
So if you use a filter expression of
not ether proto \arp
rather than
not ether proto arp
that'll work.
Then again, as they note, "arp" is a keyword; to quote the man page
again:
ip, arp, rarp, decnet, iso
Abbreviations for:
ether proto p
where p is one of the above protocols.
so just
not arp
will do the same thing as
not ether proto \arp
"gre" is not a keyword in the libpcap grammar, so it doesn't have to be
escaped with a backslash, unlike "arp".
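The rule Guy Harris spells out above (protocol names that double as grammar keywords must be escaped with a backslash after "ether proto" or "ip proto", or used bare as the abbreviation) is easy to encode as a small pre-check that runs before a filter ever reaches libpcap. The following linter is an added example written for this thread; it is not tcpdump, Ethereal or libpcap code. The "ether proto" keyword set is the one quoted from the man page; the "ip proto" set (tcp, udp, icmp) is assumed from pcap-filter(7) and is not stated in the thread.

```python
import re

# Protocol names that are also keywords in the libpcap filter grammar.
# As the operand of "ether proto" / "ip proto" they must be escaped with a
# backslash, or the bare keyword (abbreviation form) used instead.
# ETHER_KEYWORDS comes from the man page excerpt quoted in the thread;
# IP_KEYWORDS is an assumption taken from pcap-filter(7).
ETHER_KEYWORDS = {"ip", "arp", "rarp", "decnet", "iso"}
IP_KEYWORDS = {"tcp", "udp", "icmp"}

# Matches "<layer> proto <optional backslash><name>", e.g. "ether proto arp".
_PROTO_RE = re.compile(r"\b(ether|ip)\s+proto\s+(\\?)([A-Za-z][A-Za-z0-9]*)\b")


def _keywords_for(layer):
    return ETHER_KEYWORDS if layer == "ether" else IP_KEYWORDS


def lint_filter(expr):
    """Return a list of human-readable problems found in a capture filter.

    Only the keyword-escaping pitfall from the thread is checked; anything
    else (unknown names, bad operators) is left to libpcap's own parser.
    """
    problems = []
    for m in _PROTO_RE.finditer(expr):
        layer, backslash, name = m.groups()
        if name in _keywords_for(layer) and not backslash:
            problems.append(
                f"'{m.group(0)}': '{name}' is a keyword; write "
                f"'{layer} proto \\{name}' or just '{name}'"
            )
    return problems


def escape_keywords(expr):
    """Rewrite unescaped keyword operands: 'ether proto arp' -> 'ether proto \\arp'."""
    def repl(m):
        layer, backslash, name = m.groups()
        if name in _keywords_for(layer) and not backslash:
            return f"{layer} proto \\{name}"
        return m.group(0)
    return _PROTO_RE.sub(repl, expr)


def abbreviate(expr):
    """Collapse '<layer> proto \\<keyword>' (escaped or not) to the bare keyword."""
    def repl(m):
        layer, _backslash, name = m.groups()
        if name in _keywords_for(layer):
            return name
        return m.group(0)
    return _PROTO_RE.sub(repl, expr)


if __name__ == "__main__":
    # Constructed sample filters, including the ones discussed in the thread.
    for f in ("host foo and ip proto udp",
              "not ether proto arp",
              "not ether proto \\arp",
              "not ip proto gre",
              "ip proto 17"):
        print(f"{f!r}: {lint_filter(f) or 'ok'} -> {escape_keywords(f)!r} / {abbreviate(f)!r}")
```

The linter only catches the escaping mistake; the authoritative check is still to hand the expression to libpcap itself, for example with `tcpdump -d '<filter>'`, which compiles the filter and prints the resulting BPF program instead of capturing.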