tcpdump mailing list archives
Re: Why isn't 'ether proto \ip host host' a legal tcpdump expression?
From: Ezequiel Garzón <garzon.lucero () gmail com>
Date: Thu, 18 Oct 2012 13:00:26 +0200
Thanks for your reply, Bill.
"ether proto \ip" is: <proto> <type> <id>
In what sense is "proto" here a <type>? <type>s are described as "qualifiers say what kind of thing the id name or number refers to. Possible types are host, net, port and portrange." Not only is "proto" not given as an option, but it seems to me as if it belongs in another category entirely.

This leads to the more central question of how to match "\ip" with <id>. <id>s are defined in passing as "(name or number)". How can one match conceptually "\ip" with an address?

I'm sorry to insist on this open-ended issue. I know there must be something off with my understanding, and would like to fix it if possible! Thanks again.

Best regards,

Ezequiel

On Wed, Oct 17, 2012 at 4:49 PM, Bill Fenner <fenner () gmail com> wrote:
> On Wed, Oct 17, 2012 at 3:59 AM, Ezequiel Garzón <garzon.lucero () gmail com> wrote:
>> Greetings! I'm trying to understand tcpdump expressions a bit more, and I'm confused about a basic example given in the pcap-filter man pages. They first state:
>>
>> | The filter expression consists of one or more primitives. Primitives usually consist of an id (name or number) preceded by one or more qualifiers.
>>
>> In turn, these qualifiers are type, dir and proto. So far so good, but further down we find this:
>>
>> | ip host host
>> | which is equivalent to:
>> | ether proto \ip and host host
>>
>> If I'm not mistaken, in the first case, ip and host are, respectively, proto and type. What pattern does 'ether proto \ip' follow? Isn't that, as a whole, a proto qualifier? If so, why isn't (a properly escaped) 'ether proto \ip host host' legal (without the keyboard 'and')?
>
> They're two separate primitives:
>
> "ether proto \ip" is: <proto> <type> <id>
> "host host" is <type> <id>
>
> Concatenating two primitives requires "and".
>
> (Don't get confused between "ether" being a <proto> and "proto" being a <type>: that doesn't make "proto" a <proto>.)
>
> Bill
_______________________________________________ tcpdump-workers mailing list tcpdump-workers () lists tcpdump org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
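The breakdown given in the quoted reply (<proto> <type> <id>, with "and" required between primitives), written out as a small Python parser. This is an added example, not part of the original messages and not libpcap's grammar: the keyword sets are a constructed subset, and `parse_primitive`, `parse_filter` and `is_legal` are hypothetical names.

```python
# Toy model of pcap-filter primitives: [proto] [dir] [type] id.
# Assumption: these keyword sets are a small subset chosen for illustration.
PROTO = {"ether", "ip", "ip6", "arp", "tcp", "udp"}
DIR = {"src", "dst"}
TYPE = {"host", "net", "port", "portrange", "proto"}  # "proto" sits in the type slot
JOIN = {"and", "or"}


def parse_primitive(tokens, i):
    """Parse one primitive starting at tokens[i]; return (primitive, next index)."""
    prim = {"proto": None, "dir": None, "type": None, "id": None}
    # Qualifiers are optional but must appear in this order.
    for slot, words in (("proto", PROTO), ("dir", DIR), ("type", TYPE)):
        if i < len(tokens) and tokens[i] in words:
            prim[slot] = tokens[i]
            i += 1
    if i >= len(tokens) or tokens[i] in JOIN:
        raise SyntaxError("qualifiers must be followed by an id")
    # A backslash escapes a keyword so it can be used as an id (\ip).
    # The model does not reject unescaped keywords here, so the man page's
    # placeholder "host host" parses as type=host, id=host.
    prim["id"] = tokens[i].lstrip("\\")
    return prim, i + 1


def parse_filter(expr):
    """Split an expression into primitives joined by 'and'/'or'."""
    tokens, prims, i = expr.split(), [], 0
    while True:
        prim, i = parse_primitive(tokens, i)
        prims.append(prim)
        if i == len(tokens):
            return prims
        if tokens[i] not in JOIN:
            # A primitive ended and another one starts with no joining keyword.
            raise SyntaxError(f"expected 'and' or 'or' before {tokens[i]!r}")
        i += 1


def is_legal(expr):
    try:
        parse_filter(expr)
        return True
    except SyntaxError:
        return False


if __name__ == "__main__":
    for e in ("ip host host", r"ether proto \ip and host host",
              r"ether proto \ip host host"):
        print(f"{e!r}: {'ok' if is_legal(e) else 'syntax error'}")
```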