Re: Why isn't 'ether proto \ip host host' a legal tcpdump expression?

[Bill Fenner <fenner () gmail com>]

On Oct 18, 2012, at 7:00 AM, Ezequiel Garzón <garzon.lucero () gmail com> wrote:

> Thanks for your reply, Bill.
>
> > "ether proto \ip" is: <proto> <type> <id>
>
> In what sense is "proto" here a <type>. <type>s are described as
> "qualifiers say what kind of thing the id name or  number  refers to.
> Possible  types are host, net , port and portrange." Not only is
> "proto" not given as an option, but it seems to me as if it belongs in
> another category entirely.

That part of the documentation is incomplete. "Proto" is just like "port" in the sense that it is saying "look in this 
part of the packet".

> This leads to the more central question of how to match "\ip" with
> <id>. <id>s are defined in passing as "(name or number)". How can one
> match conceptually "\ip" with an address?

\ip is turned into 0x800 via an internal name -> number lookup.

> I'm sorry to insist on this open-ended issue. I know there must be
> something off with my understanding, and would like to fix it if
> possible!

"Ether proto ip" says "look in the Ethernet header, in the proto field, for the value 0x800".

"Host host" says "look up host in /etc/hosts or in DNS, get an IP address for it, and look for that IP address in the 
source or destination headers".

You have to use "and" to join any "look here for this value and look there for that value".

  Bill

> Thanks again.
>
> Best regards,
>
> Ezequiel
>
> On Wed, Oct 17, 2012 at 4:49 PM, Bill Fenner <fenner () gmail com> wrote:
> > On Wed, Oct 17, 2012 at 3:59 AM, Ezequiel Garzón
> > <garzon.lucero () gmail com> wrote:
> > > Greetings! I'm trying to understand tcpdump expressions a bit more,
> > > and I'm confused about a basic example given in the pcap-filter man
> > > pages. They first state:
> > >
> > > | The filter expression consists of one or more primitives. Primitives
> > > usually consist of an id (name or number) preceded by one or more
> > > qualifiers.
> > >
> > > In turn, these qualifiers are type, dir and proto. So far so good, but
> > > further down we find this:
> > >
> > > |      ip host host
> > > | which is equivalent to:
> > > |      ether proto \ip and host host
> > >
> > > If I'm not mistaken, in the first case, ip and host are, respectively,
> > > proto and type. What pattern does 'ether proto \ip' follow? Isn't
> > > that, as a whole, a proto qualifier? If so, why isn't (a properly
> > > escaped) 'ether proto \ip host host' legal (without the keyboard
> > > 'and')?
> >
> > They're two separate primitives:
> >
> > "ether proto \ip" is: <proto> <type> <id>
> >
> > "host host" is <type> <id>
> >
> > Concatenating two primitives requires "and".
> >
> > (Don't get confused between "ether" being a <proto> and "proto" being
> > a <type>: that doesn't make "proto" a <proto>.)
> >
> >  Bill
> _______________________________________________
> tcpdump-workers mailing list
> tcpdump-workers () lists tcpdump org
> https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers