Filter
Top Products
Examples are: “fddi src myHost”, “ip net 122.43”, and “udp port 44”.
fddi is an alias for ether; they are treated identically as meaning “the data link level used on the
specified network interface.” FDDI headers contain Ethernet-like source and destination addresses,
and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the
analogous Ethernet fields. (FDDI headers also contain other fields, but you cannot name them
explicitly in a filter expression.)
Similarly, tr is also an alias for ether; the previous paragraph's statements about FDDI headers also
apply to Token Ring headers.
• In addition to the above, there are some special primitives: gateway,
broadcast, multicast, vlan,
less, greater and arithmetic expressions. All of these are described in Table B-1.
Primitives can be combined to create more complex filter expressions. Primitives can be combined using:
• A parenthesized group of primitives and operators.
• Negation (“
!” or “not”).
• Intersection or logical AND (“
&&” or “and”).
• Union or logical OR (“
||” or “or”).
Negation has highest precedence. Intersection and union have equal precedence and associate left to
right. There is no implicit logical AND’ing by concatenation; you must explicitly use
and operators.
Examples are:
“not host foo”, or “not port ftp or not port ftp-data”, or
“
!(port ftp || port ftp-data)”
To save typing, identical qualifier lists can be omitted. If an identifier is given without a qualifier, the most
recent qualifier is assumed.
For example: “
not host foo and bar” is the same as “not host foo and host bar”. Both are true
if the packet includes host bar and does not include host foo (as either source or destination). This should
not be confused with: “
not (host foo or ace)” which is true if either host foo or host ace are the
source or destination of the packet.
For example: “
tcp dst port ftp or ftp-data or domain” is the same as “tcp dst port ftp or
tcp dst port ftp-data or tcp dst port domain
”.
Tcpdump Primitives
Allowable primitives are shown in Table B-1. For more details refer to the UNIX man page tcpdump, and
other related man pages noted in the explanation text in Table B-1.
Note: Tcpdump syntax is case sensitive. All keywords must be in lower-case to be recognized.
Table B-1. Allowable Primitives
Primitive Explanation
dst host host True if the destination field of the packet is host, which can be either an address or a
name.
src host host True if the source field of the packet is host.
B-2 HP ProCurve Secure Access 700wl Series Management and Configuration Guide