Package: libpcap0.8
Version: 1.10.0-2
Severity: normal
Tags: upstream
X-Debbugs-Cc: debbug.libpcap...@sideload.33mail.com

From the pcap-filter man page:

> proto proto qualifiers restrict the match to a particular protocol.
> Possible protos are: ether, fddi, tr, wlan, ip, ip6, arp,
> rarp, decnet, tcp and udp. E.g., `ether src foo', `arp net
> 128.3', `tcp port 21', `udp portrange 7000-7009', `wlan addr2
> 0:2:3:4:5:6'. If there is no proto qualifier, all protocols
> consistent with the type are assumed. E.g., `src foo' means
> `(ip or arp or rarp) src foo' (except the latter is not legal
> syntax), `net bar' means `(ip or arp or rarp) net bar' and
> `port 53' means `(tcp or udp) port 53'.
> …
>
> proto protocol
>
> True if the packet is an IPv4 or IPv6 packet of protocol type
> protocol. Note that this primitive does not chase the protocol
> header chain.
>
> tcp, udp, icmp
> Abbreviations for:
> proto \protocol
> where protocol is one of the above protocols.

It’s a bit screwy because the “proto” conditional is specified twice
in the man page. The first time it presents a mostly different set of
possible arguments than the 2nd time. When a user searches the man
page for “ICMP” they only see the 2nd syntax spec for “proto”. This
2nd occurrence does not supply the BNF for the argument. The very next
paragraph is not indented but appears to list the arguments. A
speed-reading user sees “tcp, udp, icmp” and stops reading. Not that
it matters, because this abbreviation clause seems to suggest “tcp,
udp, icmp” are in fact valid parameters for “proto”. Yet this fails:

  $ tcpdump -Avvv -r session.pcap 'proto icmp'
  reading from file session.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
  Warning: interface names might be incorrect
  tcpdump: can't parse filter expression: syntax error

I was stumped. I could not work out why my usage was syntactically
incorrect. I had to get support from someone who suggested simply
removing “proto”. That worked. But according to the man page my
original attempt should have also worked.

-- System Information:
Debian Release: 11.5
  APT prefers oldstable-updates
  APT policy: (990, 'oldstable-updates'), (990, 'oldstable-security'), (990, 'testing'), (990, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-19-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpcap0.8 depends on:
ii  libc6        2.31-13+deb11u5
ii  libdbus-1-3  1.12.24-0+deb11u1

libpcap0.8 recommends no packages.

libpcap0.8 suggests no packages.

-- no debconf information