Ethereal-users: Re: [Ethereal-users] Using Filters

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 20 Feb 2002 16:30:25 -0800
On Wed, Feb 20, 2002 at 06:10:33PM -0600, Jeff_Kraus@xxxxxxxx wrote:
> Quick question regarding filtering. I am using ethereal with Tcpdump 3.6
> and Libpcap 0.6

(Well, you're not using Ethereal *with* tcpdump - they're two separate
sniffer programs using the same capture library, and the behavior of
either of them doesn't depend on which version of the other one is
installed - but....)

> I would like to filter on the SAME host, but multiple
> protocols for that host. I have tried a filter string similar to this:
> tcpdump -x -n -s0 -t src host 10.0.0.1 and proto 1 or src host 10.0.0.1 and
> proto 47 or src host 10.0.0.1 and udp port 699
> but unfortunately this does not work, the filter only seems to capture the
> last element of the filter list. Is there a limitation here or am I just
> doing things wrong?

From the tcpdump man page:

	  Primitives may be combined using:

	       A parenthesized group of primitives and operators
	       (parentheses are special to the Shell and must be
	       escaped).

	       Negation (`!' or `not').

	       Concatenation (`&&' or `and').

	       Alternation (`||' or `or').

	  Negation has highest precedence.  Alternation and
	  concatenation have equal precedence and associate left
	  to right.  Note that explicit `and' tokens, not
	  juxtaposition, are now required for concatenation.

This means that

	src host 10.0.0.1 and proto 1 or src host 10.0.0.1 and
	    proto 47 or src host 10.0.0.1 and udp port 699

parses as

	(((((src host 10.0.0.1 and proto 1) or src host 10.0.0.1) and
	    proto 47) or src host 10.0.0.1) and udp port 699)

which matches packets that

	go to UDP port 699 and either

		1) come from 10.0.0.1

	or

		2) are GRE (IP protocol 47, but that'll never happen
		   because the topmost IP header, which is all a libpcap
		   filter will check, can't be both UDP and GRE) and
		   either

			1) come from 10.0.0.1

		   or

			2) are ICMP packets coming from 10.0.0.1 (but
			   that'll never happen because the topmost IP
			   header can't be both ICMP and GRE).

So, yes, it'll only capture packets to UDP port 699 from 10.0.0.1.

> What is the proper syntax to capture ONLY the ICMP and GRE and UDP PORT 699
> packets for a host such as 10.0.0.1?

I.e., you want packets from 10.0.0.1 that are either

	ICMP;

	GRE; or

	to or from UDP port 699?

That'd be

	src host 10.0.0.1 and (icmp or proto 47 or udp port 699)

I think.  ("icmp" is an abbreviation for "ip proto icmp", which is
equivalent to "ip proto 1".)

That will, of course, not show packets *to* 10.0.0.1; if you want
packets in either direction, use "host" rather than "src host".
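As an added illustration (my own toy code, not part of the original message and not how libpcap or tcpdump are implemented): a small recursive-descent parser that applies the precedence rules quoted from the man page above to the subset of filter syntax used in this thread (`src host`, `dst host`, `host`, `proto N`, `icmp`, `udp port N`, `and`/`or`/`not` and their C-style spellings, parentheses). `show()` prints an expression with every implicit grouping made explicit, and `select()` runs a filter over a constructed set of packets so the original and corrected filters can be compared. The packet dicts, the sample traffic and all function names are assumptions made for this example.

```python
import re
# A token is a parenthesis, a C-style operator, or a run of non-blank text.
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[^\s()]+")

class FilterParser:
    def __init__(self, expr):
        self.toks, self.pos = TOKEN_RE.findall(expr), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def parse(self):
        node = self.parse_expr()
        if self.peek() is not None:
            raise ValueError("trailing tokens: %r" % self.toks[self.pos:])
        return node

    def parse_expr(self):
        # libpcap rule: and/or share one precedence level and associate left
        # to right, so "a and b or c and d" means "((a and b) or c) and d".
        left = self.parse_unary()
        while self.peek() in ("and", "&&", "or", "||"):
            op = "and" if self.take() in ("and", "&&") else "or"
            left = (op, left, self.parse_unary())
        return left

    def parse_unary(self):
        if self.peek() in ("not", "!"):        # negation binds tightest
            self.take()
            return ("not", self.parse_unary())
        if self.peek() == "(":                 # explicit grouping
            self.take()
            node = self.parse_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return self.parse_primitive()

    def parse_primitive(self):
        # Leaves are ("prim", source text, predicate on a packet dict).
        tok = self.take()
        if tok in ("src", "dst", "host"):      # [src|dst] host ADDR
            if tok != "host" and self.take() != "host":
                raise ValueError("expected 'host' after %r" % tok)
            addr = self.take()
            ends = {"src": ("src",), "dst": ("dst",), "host": ("src", "dst")}[tok]
            text = "host " + addr if tok == "host" else "%s host %s" % (tok, addr)
            return ("prim", text, lambda p: any(p[e] == addr for e in ends))
        if tok == "proto":                     # proto N: IP protocol number
            num = int(self.take())
            return ("prim", "proto %d" % num, lambda p: p["proto"] == num)
        if tok == "icmp":                      # abbreviation for "ip proto 1"
            return ("prim", "icmp", lambda p: p["proto"] == 1)
        if tok == "udp" and self.peek() == "port":  # udp port N: either end
            self.take()
            port = int(self.take())
            return ("prim", "udp port %d" % port,
                    lambda p: p["proto"] == 17 and port in (p["sport"], p["dport"]))
        raise ValueError("unsupported primitive %r" % tok)

def matches(node, pkt):  # evaluate a parsed filter against one packet dict
    if node[0] == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if node[0] == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if node[0] == "not":
        return not matches(node[1], pkt)
    return node[2](pkt)

def show(node):  # render the tree with every implicit grouping made explicit
    if node[0] in ("and", "or"):
        return "(%s %s %s)" % (show(node[1]), node[0], show(node[2]))
    if node[0] == "not":
        return "not " + show(node[1])
    return node[1]

def pkt(src, dst, proto, sport=None, dport=None):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

# Constructed sample traffic, not a real capture (1 = ICMP, 17 = UDP, 47 = GRE).
SAMPLE_PACKETS = [
    ("icmp from 10.0.0.1",    pkt("10.0.0.1", "10.0.0.2", 1)),
    ("gre from 10.0.0.1",     pkt("10.0.0.1", "10.0.0.2", 47)),
    ("udp/699 from 10.0.0.1", pkt("10.0.0.1", "10.0.0.2", 17, 40000, 699)),
    ("udp/699 to 10.0.0.1",   pkt("10.0.0.2", "10.0.0.1", 17, 699, 40000)),
    ("icmp from 10.0.0.9",    pkt("10.0.0.9", "10.0.0.2", 1)),
]

ORIGINAL = ("src host 10.0.0.1 and proto 1 or src host 10.0.0.1 and proto 47 "
            "or src host 10.0.0.1 and udp port 699")
CORRECTED = "src host 10.0.0.1 and (icmp or proto 47 or udp port 699)"

def select(expr, packets=SAMPLE_PACKETS):
    tree = FilterParser(expr).parse()
    return [name for name, p in packets if matches(tree, p)]
```

`show(FilterParser(ORIGINAL).parse())` reproduces the five-deep left-nested grouping given above, and `select(ORIGINAL)` returns only the UDP/699 packet from 10.0.0.1, while `select(CORRECTED)` returns the ICMP, GRE and UDP/699 packets from that host. Against the real tools, `tcpdump -d 'EXPR'` dumps the compiled BPF program for an expression, which is the authoritative way to see what a filter actually tests.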