Packet Capture Library Filter Expressions

This section describes the syntax of the filter expressions that select which packets are captured.

The filter expression is passed to the pcap_compile subroutine to specify the packets that should be captured. If no filter expression is given, every packet seen on the network is captured. Otherwise, only packets for which the filter expression evaluates to true are captured. The filter expression is an ASCII string that consists of one or more primitives. A primitive usually consists of an id (a name or number) preceded by one or more qualifiers. Note that names used as ids (a host name such as foo, or a service name such as ftp-data) are resolved when the expression is compiled, not when packets arrive. There are three types of qualifiers:

Item    Description
type    Specifies what kind of thing the id name or number refers to. Possible types are host, net, and port. Examples are host foo, net 128.3, and port 20. If there is no type qualifier, host is assumed.
dir     Specifies a particular transfer direction to or from id. Possible directions are src, dst, src or dst, and src and dst. Some examples with dir qualifiers are src foo, dst net 128.3, and src or dst port ftp-data. If there is no dir qualifier, src or dst is assumed.
proto   Restricts the match to a particular protocol. Possible proto qualifiers are ether, ip, arp, rarp, tcp, and udp. Examples are ether src foo, arp net 128.3, and tcp port 21. If there is no proto qualifier, all protocols consistent with the type are assumed. For example, src foo means (ip or arp or rarp) src foo, net bar means (ip or arp or rarp) net bar, and port 53 means (tcp or udp) port 53.
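The following is an added example, not code from the Packet Capture Library itself: a small Python model of the qualifier-and-id grammar above that applies the documented defaults (host when no type is given, src or dst when no dir is given, the protocols consistent with the type when no proto is given) and rejects inconsistent combinations such as ip port 21. The sample packets, the SERVICES table, and the MAC addresses are constructed for illustration, and net matching is simplified to a dotted-prefix test rather than the netmask arithmetic libpcap performs.

```python
# Added example (not libpcap code): a model of the '[proto] [dir] [type] id'
# primitive grammar and its defaults. Packets are constructed dicts, SERVICES
# is a constructed subset of /etc/services, and "net" matching is simplified
# to a dotted-prefix comparison (128.3 matches 128.3.x.y).

PROTOS = ("ether", "ip", "arp", "rarp", "tcp", "udp")
TYPES = ("host", "net", "port")
SERVICES = {"ftp-data": 20, "ftp": 21, "domain": 53}   # constructed subset

# proto qualifiers consistent with each type, and the set assumed when none is written
CONSISTENT = {"host": ("ether", "ip", "arp", "rarp"),
              "net": ("ip", "arp", "rarp"),
              "port": ("tcp", "udp")}
DEFAULT = {"host": ("ip", "arp", "rarp"),
           "net": ("ip", "arp", "rarp"),
           "port": ("tcp", "udp")}


def parse_primitive(expr):
    """Parse '[proto] [dir] [type] id' and fill in the documented defaults."""
    tok = expr.split()
    i, proto, dir_, typ = 0, None, None, None
    if tok and tok[0] in PROTOS:
        proto, i = tok[0], 1
    if i < len(tok) and tok[i] in ("src", "dst"):
        if i + 2 < len(tok) and tok[i + 1] in ("or", "and") and tok[i + 2] in ("src", "dst"):
            dir_, i = " ".join(tok[i:i + 3]), i + 3      # "src or dst" / "src and dst"
        else:
            dir_, i = tok[i], i + 1
    if i < len(tok) and tok[i] in TYPES:
        typ, i = tok[i], i + 1
    if i != len(tok) - 1:
        raise ValueError("expected exactly one id after the qualifiers: %r" % expr)
    ident = tok[i]
    typ = typ or "host"                     # no type qualifier: host is assumed
    dir_ = dir_ or "src or dst"             # no dir qualifier: src or dst is assumed
    if proto is None:
        protos = DEFAULT[typ]               # all protocols consistent with the type
    elif proto in CONSISTENT[typ]:
        protos = (proto,)
    else:
        raise ValueError("proto %s is not consistent with type %s" % (proto, typ))
    if typ == "port":
        ident = int(SERVICES.get(ident, ident))   # service name -> port number
    return {"protos": protos, "dir": dir_, "type": typ, "id": ident}


def _field(pkt, prim, side):
    """Pick the packet field the primitive compares against on one side."""
    if prim["type"] == "port":
        return pkt.get("sport" if side == "src" else "dport")
    if prim["protos"] == ("ether",):
        return pkt.get("esrc" if side == "src" else "edst")
    return pkt.get("src" if side == "src" else "dst")


def _id_matches(prim, value):
    if value is None:
        return False
    if prim["type"] == "net":               # simplified prefix test
        return value.startswith(prim["id"] + ".")
    return value == prim["id"]


def matches(prim, pkt):
    """True when the packet's protocols and the requested direction(s) satisfy the primitive."""
    if not any(p in pkt["protos"] for p in prim["protos"]):
        return False
    s = _id_matches(prim, _field(pkt, prim, "src"))
    d = _id_matches(prim, _field(pkt, prim, "dst"))
    return {"src": s, "dst": d, "src or dst": s or d, "src and dst": s and d}[prim["dir"]]


# Constructed sample traffic (not captured data); for ARP, src/dst are sender/target addresses.
PACKETS = {
    "dns_query": {"protos": {"ether", "ip", "udp"}, "esrc": "00:11:22:33:44:55",
                  "edst": "66:77:88:99:aa:bb", "src": "128.3.1.10", "dst": "128.3.0.53",
                  "sport": 4242, "dport": 53},
    "ftp_data": {"protos": {"ether", "ip", "tcp"}, "esrc": "aa:bb:cc:dd:ee:ff",
                 "edst": "00:11:22:33:44:55", "src": "10.0.0.5", "dst": "128.3.1.10",
                 "sport": 20, "dport": 51000},
    "arp_req": {"protos": {"ether", "arp"}, "esrc": "66:77:88:99:aa:bb",
                "edst": "ff:ff:ff:ff:ff:ff", "src": "128.3.1.1", "dst": "128.3.1.10"},
}


def select(expr, packets=PACKETS):
    """Names of the sample packets a single primitive would capture."""
    prim = parse_primitive(expr)
    return sorted(name for name, pkt in packets.items() if matches(prim, pkt))


if __name__ == "__main__":
    for e in ("port 53", "tcp port 53", "host 128.3.1.10", "dst net 128.3",
              "src or dst port ftp-data", "ether src 00:11:22:33:44:55", "arp net 128.3"):
        print("%-30s -> %s" % (e, select(e)))
```

Running it shows the defaults at work: port 53 catches the UDP DNS query because no proto qualifier means tcp or udp, while tcp port 53 catches nothing; host 128.3.1.10 catches the IP packets and the ARP request alike because host defaults to ip, arp, and rarp; and ip port 21 is rejected at parse time, as pcap_compile would reject it.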

There are also some special primitive keywords that do not follow the qualifier-and-id pattern: broadcast, multicast, less, greater, and arithmetic expressions. All of these keywords are described below.