tcpdump mailing list archives

Re: How does one filter on multiple parameters?


From: Guy Harris <guy () netapp com>
Date: Thu, 27 Feb 2003 16:34:32 -0800

On Thu, Feb 27, 2003 at 04:22:37PM -0800, Jeff Wong wrote:
> If I wanted to filter on port 21 and port 22, how could this be done?
> I want to filter on the ip packets on port 21 and port 22
> char *filter "ip port 21 port 22"?

There are no ports in IP, so you cannot filter on IP packets on port 21
and port 22, and you can't say "ip port 21".

There are ports in TCP and in UDP; do you want to filter on TCP ports 21
and 22, UDP ports 21 and 22, or both TCP and UDP ports 21 and 22?

I shall assume TCP for now (as those are the FTP control and data
ports); for UDP, replace "tcp" with "udp", and, for both, do more
"or"ing.

From the tcpdump man page (which is, for better or worse, the place
where libpcap filter syntax is documented):

      expression
          selects which packets will be dumped.  If no expression
          is  given, all packets on the net will be dumped.  Oth-
          erwise, only packets for  which  expression  is  `true'
          will be dumped.

          The expression consists  of  one  or  more  primitives.

                ...

          Primitives may be combined using:

               A parenthesized group of primitives and  operators
               (parentheses  are special to the Shell and must be
               escaped).

               Negation (`!' or `not').

               Concatenation (`&&' or `and').

               Alternation (`||' or `or').

          Negation has highest precedence.  Alternation and  con-
          catenation  have equal precedence and associate left to
          right.  Note that explicit and tokens,  not  juxtaposi-
          tion, are now required for concatenation.

          If an identifier is given without a keyword,  the  most
          recent keyword is assumed.  For example,
               not host vs and ace
          is short for
               not host vs and host ace
          which should not be confused with
               not ( host vs or ace )

so it'd be

        tcp port 21 or tcp port 22

or just

        tcp port 21 or 22
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
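The three rules quoted from the man page (keyword shorthand, "not" binding tightest, "and"/"or" at equal precedence evaluated left to right) are easy to get wrong when writing a capture filter by hand. The following is an added example, not code from this thread or from libpcap: a small Python model of those rules that expands the shorthand the way the man page describes, then evaluates the result against a few constructed sample flows. It handles only tcp/udp/ip, host/port, src/dst and the boolean operators, and it deliberately rejects "ip port", since there are no ports in IP.

```python
"""Toy model of the libpcap filter rules quoted in the thread above.
Constructed example, not libpcap; it covers only a small subset of the syntax."""
import re

TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[A-Za-z0-9_.:-]+")
KEYWORDS = {"ip", "tcp", "udp", "host", "port", "src", "dst"}
OPERATORS = {"and": "and", "&&": "and", "or": "or", "||": "or", "not": "not", "!": "not"}

# Constructed sample flows (not captured traffic): FTP control, SSH, DNS, FTP reply.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.9", "sport": 40001, "dport": 21},
    {"proto": "tcp", "src": "10.0.0.7", "dst": "10.0.0.9", "sport": 40002, "dport": 22},
    {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.53", "sport": 40003, "dport": 53},
    {"proto": "tcp", "src": "10.0.0.9", "dst": "10.0.0.5", "sport": 21, "dport": 40001},
]

def tokenize(expr):
    return TOKEN_RE.findall(expr)

def expand(expr):
    """Make the 'most recent keyword' shorthand explicit:
    'tcp port 21 or 22' -> 'tcp port 21 or tcp port 22'."""
    out, last_quals, pending = [], [], []
    for tok in tokenize(expr):
        if tok in OPERATORS or tok in ("(", ")"):
            out.append(OPERATORS.get(tok, tok))
            pending = []
        elif tok in KEYWORDS:
            pending.append(tok)
            out.append(tok)
        else:                      # identifier: a number or a host
            if pending:
                last_quals = pending
            else:                  # bare identifier: reuse the last qualifiers
                out.extend(last_quals)
            out.append(tok)
            pending = []
    return " ".join(out)

class Parser:
    """'not' binds tightest; 'and' and 'or' share one precedence, left to right."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.peek(); self.i += 1; return tok
    def parse_expr(self):
        node = self.parse_unary()
        while self.peek() in ("and", "or"):          # equal precedence, left-assoc
            op = self.take()
            node = (op, node, self.parse_unary())
        return node
    def parse_unary(self):
        if self.peek() == "not":
            self.take(); return ("not", self.parse_unary())
        if self.peek() == "(":
            self.take(); node = self.parse_expr()
            if self.take() != ")": raise ValueError("missing ')'")
            return node
        return self.parse_primitive()
    def parse_primitive(self):
        quals = []
        while self.peek() in KEYWORDS:
            quals.append(self.take())
        value = None
        if self.peek() is not None and self.peek() not in ("and", "or", "not", "(", ")"):
            value = self.take()
        if not quals:
            raise ValueError(f"identifier {value!r} has no keyword")
        if "ip" in quals and "port" in quals:
            raise ValueError("there are no ports in IP; use 'tcp port' or 'udp port'")
        if ({"host", "port"} & set(quals)) and value is None:
            raise ValueError("'host'/'port' needs a value")
        if value is not None and not ({"host", "port"} & set(quals)):
            raise ValueError(f"{value!r} needs a 'host' or 'port' keyword")
        return ("prim", tuple(quals), value)

def compile_filter(expr):
    parser = Parser(tokenize(expand(expr)))
    node = parser.parse_expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return node

def is_valid(expr):
    try:
        compile_filter(expr); return True
    except ValueError:
        return False

def evaluate(node, pkt):
    kind = node[0]
    if kind == "not": return not evaluate(node[1], pkt)
    if kind == "and": return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "or":  return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    _, quals, value = node
    if "tcp" in quals and pkt["proto"] != "tcp": return False
    if "udp" in quals and pkt["proto"] != "udp": return False
    if value is None:                              # bare protocol primitive, e.g. 'udp'
        return True
    if "port" in quals:
        if pkt["proto"] not in ("tcp", "udp"): return False
        fields, target = ["sport", "dport"], int(value)
    else:
        fields, target = ["src", "dst"], value
    if "src" in quals:   fields = fields[:1]
    elif "dst" in quals: fields = fields[1:]
    return any(pkt[f] == target for f in fields)

def matching_packets(expr, pkts=PACKETS):
    """Indices of the sample flows a filter selects."""
    node = compile_filter(expr)
    return [i for i, p in enumerate(pkts) if evaluate(node, p)]
```

The precedence rule is the one that bites in practice: "port 21 or port 22 and udp" selects nothing from the sample flows, because it parses as "(port 21 or port 22) and udp", whereas "port 21 or (port 22 and udp)" selects both FTP flows. Real filters should be checked against libpcap itself (for example by running tcpdump with the expression and the -d option to print the compiled program); this model only illustrates the rules the man page states.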