On Jul 20, 2010, at 8:18 AM, Sake Blok wrote:
> And of course the tcpdump manual page is a great source.
...unless you have tcpdump 4.0 or later, in which case the manual page assumes you also have libpcap 1.0 or later, and refers you to the libpcap pcap-filter man page, to which the description of the capture filter language has been moved (as the filter language is implemented in libpcap/WinPcap, and is thus used by more programs than just tcpdump).
For Windows users, see
http://www.winpcap.org/docs/docs_412/html/group__language.html
> PS If you really want to dig into it, tcpdump -d <filter> will show you what the compiled BPF code will be, which you can use to verify the filter (if you understand the produced "machine-code").
And if you don't understand it but want to, start at
http://www.tcpdump.org/papers/bpf-usenix93.pdf
which briefly describes the pseudo-machine in "3.3 The BPF Pseudo-Machine".
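As an added example, not part of this message and not tcpdump's or libpcap's own code: a small Python interpreter for the listing that `tcpdump -d` prints, run over a few constructed Ethernet/IPv4/TCP frames so you can watch what each pseudo-machine instruction does to a packet. The embedded listing is what `tcpdump -d 'ip and tcp port 80'` prints on an Ethernet link (assumed to match your version; the `ret` value depends on the snaplen and the numbering may differ between libpcap releases). The names `parse_listing`, `run_bpf` and `build_tcp_packet` are this example's own.

```python
# Added example: a minimal interpreter for the BPF pseudo-machine listing that
# "tcpdump -d" prints, run over constructed Ethernet/IPv4/TCP frames.
import re
import struct

# Constructed input: what tcpdump -d prints for 'ip and tcp port 80' on an
# Ethernet link (assumption: the 'ret' value depends on snaplen and the exact
# text may differ between tcpdump/libpcap versions).
BPF_LISTING = """\
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 12
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 12
(004) ldh      [20]
(005) jset     #0x1fff          jt 12   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldh      [x + 14]
(008) jeq      #0x50            jt 11   jf 9
(009) ldh      [x + 16]
(010) jeq      #0x50            jt 11   jf 12
(011) ret      #262144
(012) ret      #0
"""

LINE_RE = re.compile(r"\((\d+)\)\s+(\w+)\s*(.*)")
JUMP_RE = re.compile(r"jt\s+(\d+)\s+jf\s+(\d+)")
MEM_RE = re.compile(r"\[\s*(x\s*\+\s*)?(\d+)\s*\]")      # [k] or [x + k]
MSH_RE = re.compile(r"4\*\(\[(\d+)\]&0xf\)")            # 4*([k]&0xf)


class OutOfRange(Exception):
    """A load past the end of the packet; the pseudo-machine drops the packet."""


def parse_listing(text):
    """Turn the tcpdump -d text into a list of (op, operand, jt, jf) tuples."""
    prog = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m.group(1)) != len(prog):
            raise ValueError("bad or out-of-order line: %r" % line)
        op, rest = m.group(2), m.group(3).strip()
        jt = jf = None
        jm = JUMP_RE.search(rest)
        if jm:
            jt, jf = int(jm.group(1)), int(jm.group(2))
            rest = rest[:jm.start()].strip()
        prog.append((op, rest, jt, jf))
    return prog


def _imm(s):
    return int(s.lstrip("#"), 0)


def _load(pkt, off, size):
    if off < 0 or off + size > len(pkt):
        raise OutOfRange(off)
    return int.from_bytes(pkt[off:off + size], "big")


def run_bpf(prog, pkt):
    """Execute prog over one frame; return its 'ret' value (0 means drop)."""
    a = x = pc = 0            # accumulator, index register, program counter
    try:
        while True:
            op, operand, jt, jf = prog[pc]
            if op == "ret":
                return _imm(operand)
            if op in ("ld", "ldh", "ldb"):
                m = MEM_RE.fullmatch(operand)
                off = int(m.group(2)) + (x if m.group(1) else 0)
                a = _load(pkt, off, {"ld": 4, "ldh": 2, "ldb": 1}[op])
            elif op == "ldxb":   # x = 4*([k]&0xf): the IPv4 header length
                x = 4 * (_load(pkt, int(MSH_RE.fullmatch(operand).group(1)), 1) & 0xF)
            elif op == "and":
                a &= _imm(operand)
            elif op == "ja":
                pc = int(operand)
                continue
            elif op in ("jeq", "jgt", "jge", "jset"):
                k = x if operand == "x" else _imm(operand)
                taken = {"jeq": a == k, "jgt": a > k,
                         "jge": a >= k, "jset": (a & k) != 0}[op]
                pc = jt if taken else jf
                continue
            else:
                raise ValueError("opcode not handled in this example: %r" % op)
            pc += 1
    except OutOfRange:
        return 0


def build_tcp_packet(sport, dport, ethertype=0x0800, proto=6, frag=0, ihl=5):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at 0 because the
    filter never reads them. ihl > 5 adds IP options, moving the TCP header."""
    eth = bytes(12) + struct.pack("!H", ethertype)
    opts = bytes(4 * (ihl - 5))
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 40 + len(opts), 0x1234,
                     frag, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + opts + tcp


if __name__ == "__main__":
    prog = parse_listing(BPF_LISTING)
    for name, pkt in [
        ("tcp 12345 -> 80", build_tcp_packet(12345, 80)),
        ("tcp 80 -> 443", build_tcp_packet(80, 443)),
        ("tcp 1234 -> 443", build_tcp_packet(1234, 443)),
        ("udp 1234 -> 80", build_tcp_packet(1234, 80, proto=17)),
        ("non-first fragment", build_tcp_packet(1234, 80, frag=0x0001)),
        ("ip options, dport 80", build_tcp_packet(1234, 80, ihl=6)),
        ("truncated before dport", build_tcp_packet(1234, 80)[:36]),
    ]:
        print("%-24s ret %d" % (name, run_bpf(prog, pkt)))
```

Two things worth noticing once you step through it: the `jset #0x1fff` instruction is why "tcp port 80" never matches a non-first IP fragment (the ports live in the first fragment only, so the compiler refuses to look at the others), and a load that runs past the end of the frame rejects the packet outright, which is what the truncated case shows and is the reason the real pseudo-machine bounds-checks every access.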