On Wed, Sep 01, 2021 at 06:15:04PM +0200, Denis Fondras wrote:
> I was searching for the sampling command of tcpdump but could not find it in
> the manual. In fact it is missing some primitives compared to pcap-filter manual.
>
hi.

it looks like there's a whole heap of duplication going on here. does tcpdump support just a subset of the syntax in pcap-filter(3), or are they exactly the same? i wonder if we can whack all the tcpdump text, or just inline the exact text of pcap-filter.3 if it really needs to be there (or vice-versa if tcpdump.8 is more authoritative).

or do they differ?

jmc

> Index: tcpdump.8 > =================================================================== > RCS file: /cvs/src/usr.sbin/tcpdump/tcpdump.8,v > retrieving revision 1.111 > diff -u -p -r1.111 tcpdump.8 > --- tcpdump.8 17 Aug 2020 06:29:29 -0000 1.111 > +++ tcpdump.8 1 Sep 2021 16:05:20 -0000 > @@ -583,10 +583,26 @@ for details). > .It Cm src net Ar net > True if the IP source address of the packet has a network number of > .Ar net . > -.It Cm net Ar net > -True if either the IP source or destination address of the packet > -has a network number of > -.Ar net . > +.It Cm net Ar net Ns / Ns Ar len > +True if the IPv4/v6 address matches > +.Ar net > +with a netmask > +.Ar len > +bits wide. > +May be qualified with > +.Cm src > +or > +.Cm dst . > +.It Cm net Ar net Cm mask Ar netmask > +True if the IPv4 address matches > +.Ar net > +with the specific > +.Ar netmask . > +May be qualified with > +.Cm src > +or > +.Cm dst . > +Note that this syntax is not valid for IPv6 networks. > .It Cm dst port Ar port > True if the packet is IP/TCP or IP/UDP and has a destination port value of > .Ar port . 
> @@ -634,12 +650,15 @@ True if the packet has a length greater > This is equivalent to: > .Pp > .D1 Cm len >= Ar length > -.It Cm ip proto Ar proto > -True if the packet is an IP packet (see > +.It Cm sample Ar samplerate > +True if the packet has been randomly selected or sampled at a rate of 1 per > +.Ar samplerate . > +.It Cm ip proto Ar protocol > +True if the packet is an IPv4 packet (see > .Xr ip 4 ) > of protocol type > -.Ar proto . > -.Ar proto > +.Ar protocol . > +.Ar protocol > can be a number or name from > .Xr protocols 5 , > such as > @@ -650,13 +669,18 @@ or > These identifiers are also keywords and must be escaped > using a backslash character > .Pq Sq \e . > +Note that this primitive does not chase the protocol header chain. > +.It Cm ip6 proto Ar protocol > +True if the packet is an IPv6 packet of protocol type > +.Ar protocol . > +Note that this primitive does not chase the protocol header chain. > .It Cm ether broadcast > True if the packet is an Ethernet broadcast packet. > The > .Cm ether > keyword is optional. > .It Cm ip broadcast > -True if the packet is an IP broadcast packet. > +True if the packet is an IPv4 broadcast packet. > It checks for both the all-zeroes and all-ones broadcast conventions > and looks up the local subnet mask. > .It Cm ether multicast > @@ -670,10 +694,12 @@ This is shorthand for > .Dc . > .It Cm ip multicast > True if the packet is an IP multicast packet. > -.It Cm ether proto Ar proto > +.It Cm ip6 multicast > +True if the packet is an IPv6 multicast packet. > +.It Cm ether proto Ar protocol > True if the packet is of ether type > -.Ar proto . > -.Ar proto > +.Ar protocol . > +.Ar protocol > can be a number or one of the names > .Cm ip , > .Cm ip6 , 
> @@ -835,6 +861,53 @@ Valid directions are: > .Ar fromds , > .Ar dstods , > or a numeric value. > +.It Cm vlan Op Ar vlan_id > +True if the packet is an IEEE 802.1Q VLAN packet. > +If > +.Ar vlan_id > +is specified, only true if the packet has the specified ID. > +Note that the first > +.Cm vlan > +keyword encountered in > +.Ar expression > +changes the decoding offsets for the remainder of > +.Ar expression > +on the assumption that the packet is a VLAN packet. > +This expression may be used more than once, to filter on VLAN hierarchies. > +Each use of that expression increments the filter offsets by 4. > +.Pp > +For example, > +to filter on VLAN 200 encapsulated within VLAN 100: > +.Pp > +.Dl vlan 100 && vlan 200 > +.Pp > +To filter IPv4 protocols encapsulated in VLAN 300 encapsulated within any > +higher order VLAN: > +.Pp > +.Dl vlan && vlan 300 && ip > +.It mpls Op Ar label > +True if the packet is an MPLS (Multi-Protocol Label Switching) packet. > +If > +.Ar label > +is specified, only true if the packet has the specified label. > +Note that the first > +.Cm mpls > +keyword encountered in > +.Ar expression > +changes the decoding offsets for the remainder of > +.Ar expression > +on the assumption that the packet is an MPLS packet. > +This expression may be used more than once, to filter on MPLS labels. > +Each use of that expression increments the filter offsets by 4. > +.Pp > +For example, > +to filter on MPLS label 42 first and requires the next label to be 12: > +.Pp > +.Dl mpls 42 && mpls 12 > +.Pp > +To filter on network 192.0.2.0/24 transported inside packets with label 42: > +.Pp > +.Dl mpls 42 && net 192.0.2.0/24 > .It Xo > .Cm atalk , > .Cm ip , >
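
Review bot: in the hunk at "@@ -583,10 +583,26 @@", removing ".It Cm net Ar net" leaves the bare "net net" form undocumented, since the two new entries cover only "net/len" and "net mask netmask". Either keep an entry for the unqualified form or state in the "net/len" entry whether "/len" may be omitted. The old text also said that an unqualified "net" matches either the source or the destination address; the new "True if the IPv4/v6 address matches" no longer names which address is tested and should. With "May be qualified with src or dst" now in place, the retained ".It Cm src net Ar net" entry above overlaps and could be folded in.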
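
Review bot: in the hunk at "@@ -634,12 +650,15 @@", the new "sample" entry's wording "randomly selected or sampled at a rate of 1 per samplerate" does not say whether selection is probabilistic or every samplerate-th packet, and gives no valid range for samplerate. Pick one description and state the accepted values, since someone relying on a sampled capture needs to know that most packets are dropped by design. The proto to protocol rename in the same hunk is a cleanup separate from adding missing primitives and would be easier to review as its own diff.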
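
Review bot: in the hunk at "@@ -650,13 +669,18 @@", the sentence "Note that this primitive does not chase the protocol header chain." is added to both "ip proto" and "ip6 proto" without saying what that means for a match. For "ip6 proto" in particular, spell out the consequence: a packet that carries extension headers before the named protocol is not matched, so a filter written with this primitive can miss traffic. The new "ip6 proto" entry also omits what the "ip proto" entry says about protocol being a number or a name from protocols(5) and about escaping keywords with a backslash; add the same text or a pointer to it.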
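
Review bot: in the hunk at "@@ -670,10 +694,12 @@", the unchanged context line under "ip multicast" still reads "True if the packet is an IP multicast packet." while this patch changes "ip broadcast" and "ip proto" to say IPv4 and adds "ip6 multicast" directly below it. Change that line to "IPv4 multicast packet" so the IPv4 and IPv6 entries read consistently.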
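
Review bot: in the hunk at "@@ -835,6 +861,53 @@", ".It mpls Op Ar label" is missing the Cm macro; it should read ".It Cm mpls Op Ar label" to match ".It Cm vlan Op Ar vlan_id" above it. The example lead-in "to filter on MPLS label 42 first and requires the next label to be 12" needs rewording, for instance "to match MPLS label 42 followed by label 12". Both entries say the first keyword changes the decoding offsets and also that each use increments them by 4; reconcile the two statements, and state the consequence that primitives written after "vlan" or "mpls" are evaluated at the shifted offsets, so the order of terms in an expression changes what it matches.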