• PCAP过滤器


    PCAP-FILTER



    ## NAME ##

    pcap-filter-packet filter syntax

    DESCRIPTION

    pcap_compile() 将字符串编译成过滤器程序。 合理的过滤器程序可以定义什么样的包可以给
    pcap_loop(), pcap_dispatch(), pcap_next(), pcap_net_ex().

    过滤器表达式通常由一个 id(名字或者数字)还有一个或多个修饰词(qualifiers)组成。修饰词分为 3 种:

    type

      type 修饰词用来说明 id 是什么类型。可以使用 host net portportrange 。 默认 host 。E.g., host foo, net 128.3, port 20, portrange 6000-6008

    dir

      dir 修饰词指定 id 的传输方向。可以使用 src, dst, src or dst, src and dst, ra, ta, addr1, addr2, addr3, addr4。 默认为 src or dstra, ta, addr1, addr2, addr3, addr4 仅在 IEEE 802.11 Wireless LAN link layers 有效。E.g., src foo, dst net 128.3, src or dst port ftp-data

    proto

      proto 修饰词限定了匹配的协议。可以使用 ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp , udp。默认是所有。E.g., ether src foo, arp net 128.3, tcp port 21, udp portrange 7000-7009, wlan addr2 0:2:3:4:5:6.

    'fddi'通常是'ether'的别名;解析器会认为它们是在特定网络接口上的数据链路层。FDDI的首部包含了和以太网很相似的源地址和目的地址,并且通常也包含了和以太网很相似的数据包类型。所以,在FDDI网域上使用过滤器和在以太网上使用过滤器基本一致。FDDI的首部还包括了其他的数据,不过你不能在过滤器表达式内表示他们。

    同样的,'tr'也是'ether'的一个别名,它是较早被应用于FDDI的首部,也应用在令牌环网络首部。

    此外,除了上述修饰词,还有一些算数表达式 gateway, broadcast, less, greater ,这些下面都会讲到

    更复杂的过滤表达式可以用关键词 and ,or ,not 组合。E.g.,host foo and not port ftp and not port ftp-data. 也可以用省略写法 E.g.,tcp dst port ftp or ftp-data or domain 作用和 tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain一样。

    可以用的修饰词如下:

    dst host host

      获取目的主机(destination field)IPv4/v6 的分组(packet)

    src host host

      获取源主机(source field)IPv4/v6 的分组

    host host

      获取目的主机或源主机的分组。关键词可以是 ip, arp, rarp, 或者 ip6,例如

      ip host host

      等同于

      ether proto \ip and host host

      如果 host 是多个IP地址,每个地址都会被检查

      ether dst ehost

      ehost可以是任何以太网目的主机地址,Ehost可能是/etc/ethers中的名字或者一个数字代号(参见 ethers(3N)for numeric format)。

    ether src ehost

      以太网源主机地址

    ether host ehost

      以太网源主机或目的主机地址

    gateway host

      host是网关,可以是以太网源主机和目的主机地址但不是IP地址。host必须是个名字而且可以在机器的域名解析文件种找到(DNS,INS等等),同时也在/etc/ethers中存在。等价表达式为:

      ether host ehost and not host host

      目前此语法暂不适用ipv6

    dst net net

      捕获net目的主机的IPv4/v6分组。net可以是/etc/networks里的网络数据库或者网络数字。 IPv4的地址可以写成4组,3组,2组,1组。例如192.168.1.0,192.168.1,172.16,10 等。对应掩码(netmask)为255.255.255.255,255.255.255.0,255.255.0.0,255.0.0.0。对于IPv6,必须是全部写上,对应掩码为ff:ff:ff:ff:ff:ff:ff:ff。

    src net net

      捕获net源主机IPv4/v6分组。

    net net

      捕获net源主机或目的主机IPv4/v6分组。

    net net mask netmask

      捕获net和netmask都匹配的源主机或目的主机IPv4/v6分组。

    net net/len

      捕获len定义位宽的net的源主机或目的主机IPv4/v6分组。

    dst port port

      捕获目的主机端口的分组。

    src port port

      捕获源主机端口的分组。

    port port

      捕获目的主机或源主机端口的分组。

    dst portrange port1-port2

      捕获目的主机端口1到端口2的分组。

      前面也可以用tcp或udp修饰:

      tcp src port port

    less length

      捕获小于等于length的分组,等价于

      len <= length.

    greater length

      捕获大于等于length的分组,等价于

      len >= length

    ip proto protocol

      捕获IPv4中protocol协议的分组。protocol可以是 icmp, icmp6, igmp, igrp, pim, ah, esp, vrrp, udp, tcp. 注意 tcp,udp,icmp 也是关键字需要加 ** 。注意这个语法不会追踪协议头链(protocol header chain)。

    ip6 proto protocol

      捕获IPv6中protocol协议的分组。注意这个语法不会追踪协议头链(protocol header chain)。

    proto protocol

      捕获IPv6或IPv4中protocol协议的分组。注意这个语法不会追踪协议头链(protocol header chain)。

    tcp, udp, icmp

      proto protocol 的省略写法

    ip6 protochain protocol

      捕获IPv6中protocol的分组,并且包括协议头链(protocol header chain)。例如

      ip6 protochain 6

      注意这个表达式运行的可能会很慢,而且丢包率可能很高。

    ip protochain protocol

      同上,不过用于IPv4

    protochain protocol

      捕获IPv4或IPv6中protocol协议的包,会追踪协议头链(protocol header chain)。

    ether broadcast

      捕获以太网广播包,ether可省

    ip broadcast

      捕获IPv4的广播包,这条语句会检测全0和全1的默认广播地址,并且查询已经捕获的接口的subnet掩码。
    如果捕获的接口的subnet掩码不可用或者接口没有掩码或者在linux下监听any接口会导致工作不正常。

    If the subnet mask of the interface on which the capture is being done is not available, either because the interface on which capture is being done has no netmask or because the capture is being done on the Linux "any" interface, which can capture on more than one interface, this check will not work correctly.

    ether multicast

      捕获以太网多目分组(Ethernet multicast)。ether可省,这条是 ether[0] & 1 != 0的缩写。

    ip multicast

      捕获IPv4多目分组。

    ip6 multicast

      捕获IPv6多目分组。

    ether proto protocol

      捕获 ether 类型的 protocol。 protocol可以是数字或者下面的一个名字:
    ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, netbeui .
    注意这些是关键词,需要用 **

    [In the case of FDDI (e.g., `fddi proto arp`), Token Ring (e.g., `tr proto arp`), and IEEE 802.11 wireless LANS (e.g., `wlan proto arp`), for most of those protocols, the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI, Token Ring, or 802.11 header.
    When filtering for most protocol identifiers on FDDI, Token Ring, or 802.11, the filter checks only the protocol ID field of an LLC header in so-called SNAP format with an Organizational Unit Identifier (OUI) of 0x000000, for encapsulated Ethernet; it doesn`t check whether the packet is in SNAP format with an OUI of 0x000000. The exceptions are:

    iso
    the filter checks the DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) fields of the LLC header;

    stp and netbeui
    the filter checks the DSAP of the LLC header;

    atalk
    the filter checks for a SNAP-format packet with an OUI of 0x080007 and the AppleTalk etype.

    In the case of Ethernet, the filter checks the Ethernet type field for most of those protocols. The exceptions are:
    iso, stp, and netbeui
    the filter checks for an 802.3 frame and then checks the LLC header as it does for FDDI, Token Ring, and 802.11;

    atalk
    the filter checks both for the AppleTalk etype in an Ethernet frame and for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11;

    aarp
    the filter checks for the AppleTalk ARP etype in either an Ethernet frame or an 802.2 SNAP frame with an OUI of 0x000000;

    ipx
    the filter checks for the IPX etype in an Ethernet frame, the IPX DSAP in the LLC header, the 802.3-with-no-LLC-header encapsulation of IPX, and the IPX etype in a SNAP frame.

    ip, ip6, arp, rarp, atalk, aarp, decnet, iso, stp, ipx, netbeui

      ether proto protocol 的缩写

    lat, moprc, mopdl

      ether proto protocol 的缩写

    decnet src host

      捕获DECNET源主机分组,host 可以是10.123形式的地址或者一个DECNET主机名。
    注意DECNET主机名只支持ULTRIX系统。

    decnet dst host

      捕获DECNET目标主机分组。

    decnet host host

      捕获DECNET目标主机或源主机分组。

    llc

      捕获有802.2LLC报头的分组。包括:

    Ethernet packets with a length field rather than a type field that aren`t raw NetWare-over-802.3 packets;
    IEEE 802.11 data packets;
    Token Ring packets (no check is done for LLC frames);
    FDDI packets (no check is done for LLC frames);
    LLC-encapsulated ATM packets, for SunATM on Solaris.

    llc Fitype

      捕获有802.2LLC报头指定类型的分组,包括:

    i
    Information (I) PDUs
    s
    Supervisory (S) PDUs
    u
    Unnumbered (U) PDUs
    rr
    Receiver Ready (RR) S PDUs
    rnr
    Receiver Not Ready (RNR) S PDUs
    rej
    Reject (REJ) S PDUs
    ui
    Unnumbered Information (UI) U PDUs
    ua
    Unnumbered Acknowledgment (UA) U PDUs
    disc
    Disconnect (DISC) U PDUs
    sabme
    Set Asynchronous Balanced Mode Extended (SABME) U PDUs
    test
    Test (TEST) U PDUs
    xid
    Exchange Identification (XID) U PDUs
    frmr
    Frame Reject (FRMR) U PDUs

    ifname interface

      捕获记录的指定interface的分组。(只适用于OpenBSD或FreeBSD记录的分组)。

    on interface

      同上

    rnr num

      捕获已经被记录的匹配的指定的PF规则号的分组。(只适用于OpenBSD或FreeBSD记录的分组)。

    rulenum num

      同上

    reason code

      捕获已经被记录的指定的 PF reason code。已知的codes包括:match, bad-offset, fragment, short, normalize, 和 memor。(只适用于OpenBSD或FreeBSD记录的分组)。

    rset name

    True if the packet was logged as matching the specified PF ruleset name of an anchored ruleset (applies only to packets logged by OpenBSDs or FreeBSDs pf(4)).

    ruleset name

      同上

    srnr num

    True if the packet was logged as matching the specified PF rule number of an anchored ruleset (applies only to packets logged by OpenBSDs or FreeBSDs pf(4)).

    subrulenum num

      同上

    action act

    True if PF took the specified action when the packet was logged. Known actions are: pass and block and, with later versions of pf(4)), nat, rdr, binat and scrub (applies only to packets logged by OpenBSDs or FreeBSDs pf(4)).

    wlan ra ehost

      捕获 ehost 的 IEEE 802.11 RA 帧。RA除了管理帧(frame)存在所有帧。

    wlan ta ehost

      捕获 ehost的 IEEE 802.11 TA 帧。TA除了管理帧(frame), CTS (Clear To Send) 和 ACK (Acknowledgment)控制帧外存在所有帧。

    wlan addr1 ehost

      捕获 ehost的 IEEE 802.11 第一地址的帧。

    True if the first IEEE 802.11 address is ehost.

    wlan addr2 ehost

      捕获 ehost的 IEEE 802.11 第二地址的帧。第二地址区(The second address field)除了 CTS (Clear To Send) 和 ACK (Acknowledgment)控制帧外存在所有帧。

    wlan addr3 ehost

      捕获 ehost的 IEEE 802.11 第三地址的帧。第三地址区存在管理帧和数据帧,但是不存在于控制帧。

    wlan addr4 ehost

      捕获 ehost的 IEEE 802.11 第四地址的帧。第四地址区仅存在WDS(Wireless Distribution System)帧。

    type wlan_type

      捕获指定的 IEEE 802.11 wlan_type 的帧.有效的 wlan_typs 为:mgt, ctl 和 data.

    type wlan_type subtype wlan_subtype

      捕获指定的 IEEE 802.11 wlan_type ,subtype 为wlan_subtype的帧。
    如果wlan_type是 mgt ,则有效的 wlan_subtypes为:

      assoc-req, assoc-resp, reassoc-req, reassoc-resp, probe-req, probe-resp, beacon, atim, disassoc, auth, deauth.

      如果wlan_type是 ctl ,则有效的 wlan_subtypes为:

      ps-poll, rts, cts, ack, cf-end, cf-end-ack.

      如果wlan_type是 data ,则有效的 wlan_subtypes为:

      data, data-cf-ack, data-cf-poll, data-cf-ack-poll, null, cf-ack, cf-poll, cf-ack-poll, qos-data, qos-data-cf-ack, qos-data-cf-poll, qos-data-cf-ack-poll, qos, qos-cf-poll, qos-cf-ack-poll

    subtype wlan_subtype

      捕获指定 IEEE 802.11 subtype 为 wlan_subtype 或属于 wlan_subtype 的帧。

    dir dir

      捕获匹配 IEEE 802.11 direction dir的帧。有效的 direction 为:
    nods, tods, fromds, dstods, 或者数字值(numeric value)。

    vlan [vlan_id]

      捕获匹配 IEEE 802.1Q VLAN 的分组。如果[vlan_id]是指定的,只有匹配 vlan_id的会被捕获。

    Note that the first vlan keyword encountered in expression changes the decoding offsets for the remainder of expression on the assumption that the packet is a VLAN packet.

      vlan [vlan_id] 表达式可以被多次使用,to filter on VLAN hierarchies。每次使用表达式增加过滤器偏移 4.( Each use of that expression increments the filter offsets by 4.)

      例如

    vlan 100 && vlan 200

    filters on VLAN 200 encapsulated within VLAN 100, and

    vlan && vlan 300 && ip

    filters IPv4 protocols encapsulated in VLAN 300 encapsulated within any higher order VLAN.

    mpls [label_num]

      捕获 MPLS 分组。如果指定[label_num],则捕获匹配[label_num]的分组。

    Note that the first mpls keyword encountered in expression changes the decoding offsets for the remainder of expression on the assumption that the packet is a MPLS-encapsulated IP packet. The mpls [label_num] expression may be used more than once, to filter on MPLS hierarchies. Each use of that expression increments the filter offsets by 4.
    For example:
    mpls 100000 && mpls 1024
    filters packets with an outer label of 100000 and an inner label of 1024, and
    mpls && mpls 1024 && host 192.9.200.1
    filters packets to or from 192.9.200.1 with an inner label of 1024 and any outer label

    pppoed
    True if the packet is a PPP-over-Ethernet Discovery packet (Ethernet type 0x8863).

    pppoes [session_id]
    True if the packet is a PPP-over-Ethernet Session packet (Ethernet type 0x8864). If [session_id] is specified, only true if the packet has the specified session_id. Note that the first pppoes keyword encountered in expression changes the decoding offsets for the remainder of expression on the assumption that the packet is a PPPoE session packet.
    For example:
    pppoes 0x27 && ip
    filters IPv4 protocols encapsulated in PPPoE session id 0x27.
    geneve [vni]
    True if the packet is a Geneve packet (UDP port 6081). If [vni] is specified, only true if the packet has the specified vni. Note that when the geneve keyword is encountered in expression, it changes the decoding offsets for the remainder of expression on the assumption that the packet is a Geneve packet.
    For example:
    geneve 0xb && ip
    filters IPv4 protocols encapsulated in Geneve with VNI 0xb. This will match both IP directly encapsulated in Geneve as well as IP contained inside an Ethernet frame.
    iso proto protocol
    True if the packet is an OSI packet of protocol type protocol. Protocol can be a number or one of the names clnp, esis, or isis.
    clnp, esis, isis
    Abbreviations for:
    iso proto p
    where p is one of the above protocols.
    l1, l2, iih, lsp, snp, csnp, psnp
    Abbreviations for IS-IS PDU types.
    vpi n
    True if the packet is an ATM packet, for SunATM on Solaris, with a virtual path identifier of n.
    vci n
    True if the packet is an ATM packet, for SunATM on Solaris, with a virtual channel identifier of n.
    lane
    True if the packet is an ATM packet, for SunATM on Solaris, and is an ATM LANE packet. Note that the first lane keyword encountered in expression changes the tests done in the remainder of expression on the assumption that the packet is either a LANE emulated Ethernet packet or a LANE LE Control packet. If lane isn`t specified, the tests are done under the assumption that the packet is an LLC-encapsulated packet.
    oamf4s
    True if the packet is an ATM packet, for SunATM on Solaris, and is a segment OAM F4 flow cell (VPI=0 & VCI=3).
    oamf4e
    True if the packet is an ATM packet, for SunATM on Solaris, and is an end-to-end OAM F4 flow cell (VPI=0 & VCI=4).
    oamf4
    True if the packet is an ATM packet, for SunATM on Solaris, and is a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 | VCI=4)).
    oam
    True if the packet is an ATM packet, for SunATM on Solaris, and is a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 | VCI=4)).
    metac
    True if the packet is an ATM packet, for SunATM on Solaris, and is on a meta signaling circuit (VPI=0 & VCI=1).
    bcc
    True if the packet is an ATM packet, for SunATM on Solaris, and is on a broadcast signaling circuit (VPI=0 & VCI=2).
    sc
    True if the packet is an ATM packet, for SunATM on Solaris, and is on a signaling circuit (VPI=0 & VCI=5).
    ilmic
    True if the packet is an ATM packet, for SunATM on Solaris, and is on an ILMI circuit (VPI=0 & VCI=16).
    connectmsg
    True if the packet is an ATM packet, for SunATM on Solaris, and is on a signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect, Connect Ack, Release, or Release Done message.
    metaconnect
    True if the packet is an ATM packet, for SunATM on Solaris, and is on a meta signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect, Release, or Release Done message.

    expr relop expr

      relop 为: >, <, >=, <=, =, !=

      expr 为一个算数式整数,

      一般二进制操作符(binary operators)[+, -, *, /, %, &, |, ^, <<, >>]

      一个长度操作符(length operator),

      and special packet data accessors.

      注意都是无符号数,因此, 0x80000000 和 0xffffffff 都 > 0.

    The % and ^ operators are currently only supported for filtering in the kernel on Linux with 3.7 and later kernels; on all other systems, if those operators are used, filtering will be done in user mode, which will increase the overhead of capturing packets and may cause more packets to be dropped.
    To access data inside the packet, use the following syntax:
    proto [ expr : size ]
    Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, ip6 or radio, and indicates the protocol layer for the index operation. (ether, fddi, wlan, tr, ppp, slip and link all refer to the link layer. radio refers to the "radio header" added to some 802.11 captures.) Note that tcp, udp and other upper-layer protocol types only apply to IPv4, not IPv6 (this will be fixed in the future). The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indicated by the keyword len, gives the length of the packet.
    For example, ether[0] & 1 != 0 catches all multicast traffic. The expression ip[0] & 0xf != 5 catches all IPv4 packets with options. The expression ip[6:2] & 0x1fff = 0 catches only unfragmented IPv4 datagrams and frag zero of fragmented IPv4 datagrams. This check is implicitly applied to the tcp and udp index operations. For instance, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment.

    Some offsets and field values may be expressed as names rather than as numeric values. The following protocol header field offsets are available: icmptype (ICMP type field), icmpcode (ICMP code field), and tcpflags (TCP flags field).

    The following ICMP type field values are available: icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo, icmp-routeradvert, icmp-routersolicit, icmp-timxceed, icmp-paramprob, icmp-tstamp, icmp-tstampreply, icmp-ireq, icmp-ireqreply, icmp-maskreq, icmp-maskreply.

    The following TCP flags field values are available: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.

      同时表达式可以组合使用:

    • 逻辑非 (! or not).
    • 并列 (&& or and).
    • 变换 (|| or or).

      not 的优先级最高 , andor 同级 按从左到右的顺序执行。

    Note that explicit and tokens, not juxtaposition, are now required for concatenation.

      如果分辨器(identifier)没有给关键词,则服从就近原则,例如:

      not host vs and ace

      等同于

      not host vs and host ace

      而不是

      not ( host vs or ace )


    Reference




  • 相关阅读:
    DAY7-面向对象之封装
    Java遇到的问题、错误——持续更新
    008单例、继承、final
    java一些使用
    2.1端口扫描器
    PyCharm设置
    常用算法
    PyCharm最新2018激活码,最新方法
    004数组
    042多进程
  • 原文地址:https://www.cnblogs.com/ash975/p/5798963.html
Copyright © 2020-2023  润新知