Allowable Primitives
This section describes the allowable primitives.
The following primitives are allowed:
| Item | Description |
|---|---|
| dst host Host | True if the value of the IP (Internet Protocol) destination field of the packet is the same as the value of the Host variable, which can be either an address or a name. |
| dst port Port | True if the packet is TCP/IP (Transmission Control Protocol/Internet Protocol) or IP/UDP (Internet Protocol/User Datagram Protocol) and has a destination port value of Port. The port can be a number or a name used in /etc/services. If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked (dst port 513 will print both TCP/login traffic and UDP/who traffic, and port domain will print both TCP/domain and UDP/domain traffic). |
| DST net Net | True if the value of the IP destination address of the packet has a network number of Net. Note that Net must be in dotted decimal format. |
| greater Length | True if the packet has a length greater than or equal to the Length variable.
This is equivalent to the following: len > = Length |
| host Host | True if the value of either the IP source or destination of
the packet is the same as the value of the Host variable. You
can add the keywords ip, arp, or rarp in front
of any previous host expressions as in the following: ip host Host If the Host variable is a name with multiple IP addresses, each address will be checked for a match. |
| ip, arp,rarp | These keywords are abbrieviated forms of the following: proto ip, proto arp, and proto rarp. |
| ip broadcast | True if the packet is an IP broadcast packet. It checks for the all-zeroes and all-ones broadcast conventions, and looks up the local subnet mask. |
| ip multicast | True if the packet is an IP multicast packet. |
| ip proto Protocol | True if the packet is an IP packet of protocol type Protocol. Protocol can be a number or one of the names icmp,udp, or tcp. |
| less Length | True if the packet has a length less than or equal to Length.
This is equivalent to the following: len < = Length |
| net Net | True if the value of either the IP source or destination address of the packet has a network number of Net. Note that Net must be in dotted decimal format |
| net Net/Len | True if the value of either the IP source or destination address of the packet has a network number of Net and a netmask with the width of Len bits. Note that Net must be in dotted decimal format. |
| net Net mask Mask | True if the value of either the IP source or destination address of the packet has a network number of Net and the specific netmask of Mask. Note that Net and Mask must be in dotted decimal format. |
| port Port | True if the value of either the source or the destination port
of the packet is Port. You can add the keywords tcp or udp in
front of any of the previous port expressions, as in the following:
tcp src port port which matches only TCP packets. |
| proto Protocol | True if the packet is of type Protocol. Protocol can be a number or a name like ip, arp, or rarp. |
| src host Host | True if the value of the IP source field of the packet is the same as the value of the Host variable. |
| src net Net | True if the value of the IP source address of the packet has a network number of Net. Note that Net must be in dotted decimal format. |
| src port Port | True if the value of the Port variable is the same as the value of the source port. |
| tcp, udp, icmp | These keywords are abbrieviated forms of the following: ip proto tcp, ip proto udp, or ip proto icmp |