Relational Operators of the Expression Parameter
This section describes different relational operators of the expression parameter.
The simple relationship:
expr relop expr
is true where relop is one of the following:
- equal (=)
- exclamation point and equal sign (!=)
- greater than (>)
- greater than or equal to (>=)
- less than (<)
- less than or equal to (<=)
and expr is an arithmetic expression composed of integer constants (expressed in standard C syntax) and the following:
- ampersand (&)
- asterisk (*)
- minus sign (-)
- pipe (|)
- plus sign (+)
- slash (/)
- length operator
- special packet data accessors
To access data inside the packet, use the following syntax:
proto [ expr : size ]
Proto is one of the keywords ip, arp, rarp, tcp or icmp, and indicates the protocol layer for the index operation. The byte offset relative to the indicated protocol layer is given by expr. The indicator size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one byte. The length operator, indicated by the keyword len, gives the length of the packet.
For example, the expression ip[0] & 0xf != 5 catches only nonfragmented datagrams and frag 0 of fragmented datagrams. This check is implicitly applied to the tcp and udp index operations. For example, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment.
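The proto [ expr : size ] accessor described above, as an added Python example that is not part of the original documentation. The function names, the constructed sample packet, the assumption that the capture starts at the IPv4 header, and the big-endian (network byte order) reads are this example's own; only the ip and tcp keywords are handled.

```python
import struct

TCP_PROTO = 6  # IPv4 protocol number for TCP


def build_packet(frag_off=0):
    """Constructed sample: 20-byte IPv4 header followed by a 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, frag_off, 64,
                     TCP_PROTO, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    # Source port 49152, destination port 443, sequence 1, SYN flag (0x02).
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
    return ip + tcp


def accessor(packet, proto, offset, size=1):
    """Evaluate proto[offset:size]; return an int, or None when the field
    is not present (the enclosing relation then cannot be true)."""
    if size not in (1, 2, 4):
        raise ValueError("size must be one, two, or four bytes")
    if proto == "ip":
        base = 0  # assumption: packet begins at the IP header
    elif proto == "tcp":
        # Implicit check: a TCP header exists only in a TCP datagram whose
        # fragment offset (low 13 bits of ip[6:2]) is zero.
        frag_off = int.from_bytes(packet[6:8], "big") & 0x1FFF
        if packet[9] != TCP_PROTO or frag_off != 0:
            return None
        base = (packet[0] & 0x0F) * 4  # IP header length in bytes
    else:
        raise ValueError("this example handles only ip and tcp")
    field = packet[base + offset:base + offset + size]
    if len(field) != size:  # index runs past the captured data
        return None
    return int.from_bytes(field, "big")


def packet_len(packet):
    """The len operator: length of the packet."""
    return len(packet)


if __name__ == "__main__":
    pkt = build_packet()
    print("ip[2:2]  =", accessor(pkt, "ip", 2, 2))    # IP total length
    print("tcp[2:2] =", accessor(pkt, "tcp", 2, 2))   # destination port
    print("tcp[13]  =", accessor(pkt, "tcp", 13))     # TCP flags byte
    print("len      =", packet_len(pkt))
    later = build_packet(frag_off=185)                # not the first fragment
    print("tcp[0] in later fragment =", accessor(later, "tcp", 0))
```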