I was searching for the sampling command of tcpdump but could not find it in the
manual. In fact it is missing some primitives compared to the pcap-filter manual.

Index: tcpdump.8
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/tcpdump.8,v
retrieving revision 1.111
diff -u -p -r1.111 tcpdump.8
--- tcpdump.8   17 Aug 2020 06:29:29 -0000      1.111
+++ tcpdump.8   1 Sep 2021 16:05:20 -0000
@@ -583,10 +583,26 @@ for details).
 .It Cm src net Ar net
 True if the IP source address of the packet has a network number of
 .Ar net .
-.It Cm net Ar net
-True if either the IP source or destination address of the packet
-has a network number of
-.Ar net .
+.It Cm net Ar net Ns / Ns Ar len
+True if the IPv4/v6 address matches
+.Ar net
+with a netmask
+.Ar len
+bits wide.
+May be qualified with
+.Cm src
+or
+.Cm dst .
+.It Cm net Ar net Cm mask Ar netmask
+True if the IPv4 address matches
+.Ar net
+with the specific
+.Ar netmask .
+May be qualified with
+.Cm src
+or
+.Cm dst .
+Note that this syntax is not valid for IPv6 networks.
 .It Cm dst port Ar port
 True if the packet is IP/TCP or IP/UDP and has a destination port value of
 .Ar port .
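
Review bot: the two replacement entries for net drop the statement that an unqualified net matches either the source or the destination address; the new text only says it "May be qualified with src or dst". Suggest adding a sentence such as "If unqualified, either the source or the destination address may match." The bare ".It Cm net Ar net" form is also no longer documented, although the "src net Ar net" entry just above still uses it, so either keep an entry for it or update that one to match.
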
@@ -634,12 +650,15 @@ True if the packet has a length greater 
 This is equivalent to:
 .Pp
 .D1 Cm len >= Ar length
-.It Cm ip proto Ar proto
-True if the packet is an IP packet (see
+.It Cm sample Ar samplerate
+True if the packet has been randomly selected or sampled at a rate of 1 per
+.Ar samplerate .
+.It Cm ip proto Ar protocol
+True if the packet is an IPv4 packet (see
 .Xr ip 4 )
 of protocol type
-.Ar proto .
-.Ar proto
+.Ar protocol .
+.Ar protocol
 can be a number or name from
 .Xr protocols 5 ,
 such as
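
Review bot: in the new sample entry, "randomly selected or sampled at a rate of 1 per samplerate" leaves open whether the match is a random choice made per packet or every Nth packet, and it gives no type or valid range for samplerate. Suggest describing one behaviour and stating the accepted values. The proto to protocol rename in the same hunk is unrelated to the missing primitives and would be easier to review as a separate change.
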
@@ -650,13 +669,18 @@ or
 These identifiers are also keywords and must be escaped
 using a backslash character
 .Pq Sq \e .
+Note that this primitive does not chase the protocol header chain.
+.It Cm ip6 proto Ar protocol
+True if the packet is an IPv6 packet of protocol type
+.Ar protocol .
+Note that this primitive does not chase the protocol header chain.
 .It Cm ether broadcast
 True if the packet is an Ethernet broadcast packet.
 The
 .Cm ether
 keyword is optional.
 .It Cm ip broadcast
-True if the packet is an IP broadcast packet.
+True if the packet is an IPv4 broadcast packet.
 It checks for both the all-zeroes and all-ones broadcast conventions
 and looks up the local subnet mask.
 .It Cm ether multicast
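
Review bot: the sentence added at the end of the ip proto entry, "Note that this primitive does not chase the protocol header chain.", is attached to a primitive that this patch itself now describes as IPv4-only, and the term is not explained in either entry. Suggest keeping the note on ip6 proto only, or saying in both places what exactly is not followed, so that someone writing a capture filter knows which packets the primitive will not match.
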
@@ -670,10 +694,12 @@ This is shorthand for
 .Dc .
 .It Cm ip multicast
 True if the packet is an IP multicast packet.
-.It Cm ether proto Ar proto
+.It Cm ip6 multicast
+True if the packet is an IPv6 multicast packet.
+.It Cm ether proto Ar protocol
 True if the packet is of ether type
-.Ar proto .
-.Ar proto
+.Ar protocol .
+.Ar protocol
 can be a number or one of the names
 .Cm ip ,
 .Cm ip6 ,
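
Review bot: the unchanged ip multicast entry still reads "True if the packet is an IP multicast packet." while this hunk adds ip6 multicast directly after it and the previous hunk changes ip broadcast to say IPv4. Suggest changing it to "IPv4 multicast packet" here so that the two entries are clearly distinguished.
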
@@ -835,6 +861,53 @@ Valid directions are:
 .Ar fromds ,
 .Ar dstods ,
 or a numeric value.
+.It Cm vlan Op Ar vlan_id
+True if the packet is an IEEE 802.1Q VLAN packet.
+If
+.Ar vlan_id
+is specified, only true if the packet has the specified ID.
+Note that the first
+.Cm vlan
+keyword encountered in
+.Ar expression
+changes the decoding offsets for the remainder of
+.Ar expression
+on the assumption that the packet is a VLAN packet.
+This expression may be used more than once, to filter on VLAN hierarchies.
+Each use of that expression increments the filter offsets by 4.
+.Pp
+For example,
+to filter on VLAN 200 encapsulated within VLAN 100:
+.Pp
+.Dl vlan 100 && vlan 200
+.Pp
+To filter IPv4 protocols encapsulated in VLAN 300 encapsulated within any
+higher order VLAN:
+.Pp
+.Dl vlan && vlan 300 && ip
+.It mpls Op Ar label
+True if the packet is an MPLS (Multi-Protocol Label Switching) packet.
+If
+.Ar label
+is specified, only true if the packet has the specified label.
+Note that the first
+.Cm mpls
+keyword encountered in
+.Ar expression
+changes the decoding offsets for the remainder of
+.Ar expression
+on the assumption that the packet is an MPLS packet.
+This expression may be used more than once, to filter on MPLS labels.
+Each use of that expression increments the filter offsets by 4.
+.Pp
+For example,
+to filter on MPLS label 42 first and requires the next label to be 12:
+.Pp
+.Dl mpls 42 && mpls 12
+.Pp
+To filter on network 192.0.2.0/24 transported inside packets with label 42:
+.Pp
+.Dl mpls 42 && net 192.0.2.0/24
 .It Xo
 .Cm atalk ,
 .Cm ip ,
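
Review bot: the new MPLS entry is written ".It mpls Op Ar label" without the .Cm macro that the VLAN entry above it uses (".It Cm vlan Op Ar vlan_id"), so the keyword will not be rendered like the other primitives; it should be ".It Cm mpls Op Ar label". In addition, "increments the filter offsets by 4" in both entries gives no unit, and "to filter on MPLS label 42 first and requires the next label to be 12" would read better as "to filter on MPLS label 42 followed by label 12".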
