Combining Primitives
More complex filter expressions are created by using the words and, or, and not to combine primitives.
For example:
host foo and not port ftp and not port ftp-data
To save typing, identical qualifier lists can be omitted. For example, the following filter:
tcp dst port ftp or ftp-data or domain
is exactly the same as:
tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain
Primitives can be combined using the following:
- A parenthesized group of primitives and operators.
- Negation (`!' or `not').
- Concatenation (`and').
- Alternation (`or').
Negation has highest precedence. Alternation and concatenation have equal precedence and associate left to right.
If an identifier is given without a keyword, the most recent keyword is assumed. For example:
not host gil and devo
This filter captures packets that do not have host gil as a source or destination and that do have host devo as a source or destination. It is an abbreviated version of the following:
not host gil and host devo
Avoid confusing it with the following filter, which captures packets that do not have a source or destination of either gil or devo:
not (host gil or devo)
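The rules above (negation binds tightest, `and` and `or` share one precedence level and associate left to right, a bare identifier inherits the most recent keyword) can be checked with a small evaluator. This is an added example, not code from the filter implementation: the names parse, matches and capture are hypothetical, only the host keyword is modelled, and a packet is assumed to be a (source, destination) pair of host names.

```python
import re

def parse(expr):
    """Parse a host-only filter into a nested-tuple AST (added example)."""
    toks = re.findall(r"[()!]|[\w.-]+", expr)
    kw = [None]                       # most recent keyword seen
    def take():
        return toks.pop(0) if toks else None

    def unary():
        tok = take()
        if tok in ("not", "!"):       # negation binds tightest
            return ("not", unary())
        if tok == "(":
            node = chain()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok == "host":             # assumption: only 'host' is modelled
            kw[0], tok = tok, take()
        if kw[0] is None or tok in (None, "and", "or", "not", "!", "(", ")"):
            raise ValueError("expected [keyword] identifier")
        return (kw[0], tok)           # bare identifier inherits the keyword

    def chain():
        node = unary()
        while toks and toks[0] in ("and", "or"):  # equal precedence, left to right
            node = (take(), node, unary())
        return node

    ast = chain()
    if toks:
        raise ValueError("unexpected token: " + toks[0])
    return ast

def matches(ast, pkt):
    """Evaluate an AST against a packet given as a (src, dst) host pair."""
    if ast[0] == "host":
        return ast[1] in pkt
    if ast[0] == "not":
        return not matches(ast[1], pkt)
    left, right = matches(ast[1], pkt), matches(ast[2], pkt)
    return (left and right) if ast[0] == "and" else (left or right)

# Constructed sample packets: (source host, destination host)
PACKETS = [("gil", "devo"), ("devo", "foo"), ("foo", "bar"), ("gil", "bar")]

def capture(expr):
    ast = parse(expr)
    return [p for p in PACKETS if matches(ast, p)]
```

Because `and` and `or` share a precedence level, `host foo or host bar and host gil` groups as `(host foo or host bar) and host gil`, which is narrower than a reader used to conventional boolean precedence would expect.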