tcpdump mailing list archives

Re: Why isn't 'ether proto \ip host host' a legal tcpdump expression?


From: Bill Fenner <fenner () gmail com>
Date: Wed, 17 Oct 2012 10:49:16 -0400

On Wed, Oct 17, 2012 at 3:59 AM, Ezequiel Garzón
<garzon.lucero () gmail com> wrote:
> Greetings! I'm trying to understand tcpdump expressions a bit more,
> and I'm confused about a basic example given in the pcap-filter man
> pages. They first state:
>
> | The filter expression consists of one or more primitives. Primitives
> | usually consist of an id (name or number) preceded by one or more
> | qualifiers.
>
> In turn, these qualifiers are type, dir and proto. So far so good, but
> further down we find this:
>
> |      ip host host
> | which is equivalent to:
> |      ether proto \ip and host host
>
> If I'm not mistaken, in the first case, ip and host are, respectively,
> proto and type. What pattern does 'ether proto \ip' follow? Isn't
> that, as a whole, a proto qualifier? If so, why isn't (a properly
> escaped) 'ether proto \ip host host' legal (without the keyword
> 'and')?

They're two separate primitives:

"ether proto \ip" is: <proto> <type> <id>

"host host" is <type> <id>

Concatenating two primitives requires "and".

(Don't get confused between "ether" being a <proto> and "proto" being
a <type>: that doesn't make "proto" a <proto>.)

  Bill
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
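The rule Bill states (qualifiers followed by one id, primitives joined with "and"), as an added example that is not part of this thread and not tcpdump's own parser: a small Python model that classifies each token of a filter and reports why `ether proto \ip host host` fails while the `and` form succeeds. The qualifier tables are a reduced, assumed subset of the pcap-filter keywords, chosen for illustration.

```python
# Simplified model (added example, not tcpdump code) of the structure Bill
# describes: primitives joined by 'and'/'or', each primitive being at most one
# proto, one dir and one type qualifier followed by a single id. An escaped
# keyword such as '\ip' is an id, so it ends its primitive.

QUALIFIERS = {"ether": "proto", "ip": "proto", "ip6": "proto", "arp": "proto",
              "tcp": "proto", "udp": "proto", "icmp": "proto",
              "src": "dir", "dst": "dir",
              "host": "type", "net": "type", "port": "type", "proto": "type"}
CONJUNCTIONS = {"and", "or", "&&", "||"}


def tokenize(expr):
    """Split on whitespace; remember whether a token carried the backslash escape."""
    return [(t.lstrip("\\"), t.startswith("\\")) for t in expr.split()]


def parse_primitive(tokens):
    """Classify one primitive into qualifier slots plus id; ValueError if malformed."""
    *quals, (ident, _) = tokens  # the id is the last token; an empty list raises ValueError
    slots = {"proto": None, "dir": None, "type": None, "id": ident}
    for word, escaped in quals:
        if escaped:  # '\ip' is an id, so whatever follows it is a second primitive
            raise ValueError(f"'\\{word}' ends a primitive; join the next one with 'and'")
        kind = QUALIFIERS.get(word)
        if kind is None:
            raise ValueError(f"unknown qualifier '{word}'")
        if slots[kind] is not None:  # e.g. two proto qualifiers in one primitive
            raise ValueError(f"second {kind} qualifier '{word}'; join with 'and'")
        slots[kind] = word
    return slots


def parse_filter(expr):
    """Split the expression on conjunctions and parse every primitive."""
    primitives, current = [], []
    for tok in tokenize(expr):
        if tok[0] in CONJUNCTIONS and not tok[1]:
            primitives.append(parse_primitive(current))
            current = []
        else:
            current.append(tok)
    primitives.append(parse_primitive(current))
    return primitives


def is_legal(expr):
    """True when the expression fits the model above, False otherwise."""
    try:
        parse_filter(expr)
        return True
    except ValueError:
        return False
```

Running `is_legal(r"ether proto \ip host host")` returns False because `\ip` is consumed as the id of the first primitive and the trailing `host host` has no conjunction in front of it.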