bpf过滤规则

Filtering packets while capturing
---------------------------------
Capture Filters are used to filter out uninteresting packets already at capture time. This is done to reduce the size of the resulting capture (file) and is especially useful on high traffic networks or for long term capturing.

Ethereal uses the pcap (libpcap/WinPcap) filter language for capture filters. This language is explained in the tcpdump man page under "expression" (http://www.tcpdump.org and search for "selects which").

Note: This capture filter language is different from the one used for the Ethereal display filters!

-------------------------------------------------

Some common examples
--------------------
Example Ethernet: capture all traffic to and from the Ethernet address 08:00:08:15:ca:fe
以太网地址例子：抓取网络地址 08:00:08:15:ca:fe 上所有流入流出的数据包
ether host 08:00:08:15:ca:fe

Example IP: capture all traffic to and from the IP address 192.168.0.10
IP地址例子：抓取IP地址 192.168.0.10 上所有流入流出的数据包
host 192.168.0.10

Example TCP: capture all traffic to and from the TCP port 80 (http) of all machines
协议例子：抓取 80 端口上的所有流入流出的TCP协议的包。
tcp port 80

Examples combined: capture all traffic to and from 192.168.0.10 except http
组合例子：抓取 192.168.0.10 上除 http 之外的所有流入流出的数据包
host 192.168.0.10 and not tcp port 80

Beware: if you capture TCP/IP traffic with the primitives "host" or "port", you will not see the ARP traffic belonging to it!
注意：如果用了抓取TCP/IP数据包的关键字"host"、"port"，结果将是忽略所有ARP数据包。
-------------------------------------------------

Capture Filter Syntax
---------------------
The following is a short description of the capture filter language syntax. For a further reference, have a look at: http://www.tcpdump.org/tcpdump_man.html

A capture filter takes the form of a series of primitive expressions, connected by conjunctions (and/or) and optionally preceeded by not:

[x] x 为可选内容
a|b 选 a 或 b
<x> x 为必选
xyz xyz 为关键字，不可改变，必需。

[not] primitive [and|or [not] primitive ...]
与、或、非 = and、or、not

A primitive is simply one of the following:

 

[src|dst] host <host>
尖括号里的是一个主机IP或主机名字，用src、dst来设定这是目的地址或源地址。
This primitive allows you to filter on a host IP address or name. You can optionally preceed the primitive with the keyword src|dst to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears as either the source or the destination address will be selected.

ether [src|dst] host <ehost>
尖括号里的是一个网络地址，用src、dst来设定这是目的地址或源地址。
This primitive allows you to filter on Ethernet host addresses. You can optionally include the keyword src|dst between the keywords ether and host to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears in either the source or destination address will be selected.

gateway host <host>
<host> 是一个网关，抓取流过 <host> 的数据包，但这些数据包的目的地址和源地址都不是 <host>。
This primitive allows you to filter on packets that used host as a gateway. That is, where the Ethernet source or destination was host but neither the source nor destination IP address was host.

[src|dst] net <net> [{mask <mask>}|{len <len>}]
<net>表示一个网络地址，可以用 src、dst来表示这个网络是目的地址还是源地址的数据包。如果没有"src/dst"，表示全部数据包。可以选择加上子网掩码或使用无类型域间选路（CIDR）的方式。
This primitive allows you to filter on network numbers. You can optionally preceed this primitive with the keyword src|dst to specify that you are only interested in a source or destination network. If neither of these are present, packets will be selected that have the specified network in either the source or destination address. In addition, you can specify either the netmask or the CIDR (Classless Inter-Domain Routing) prefix for the network if they are different from your own.

[tcp|udp] [src|dst] port <port>
[tcp|udp]是选择抓取的协议类型，<port>指定端口。需要注意的是，[tcp|udp]必需在[src|dst]之前。
This primitive allows you to filter on TCP and UDP port numbers. You can optionally preceed this primitive with the keywords src|dst and tcp|udp which allow you to specify that you are only interested in source or destination ports and TCP or UDP packets respectively. The keywords tcp|udp must appear before src|dst.
If these are not specified, packets will be selected for both the TCP and UDP protocols and when the specified address appears in either the source or destination port field.

less|greater <length>
抓取碎片数据包或指定长度的数据包。less 与 greater 分别对应小包与大包。
This primitive allows you to filter on packets whose length was less than or equal to the specified length, or greater than or equal to the specified length, respectively.

ip|ether proto <protocol>
在数据链路层上，在指定的IP地址或网络地址(ip|ether)上抓取指定协议<protocol>的数据包。
This primitive allows you to filter on the specified protocol at either the Ethernet layer or the IP layer.

ether|ip broadcast|multicast
在指定的网络地址或IP地址上抓取广播包或组播包。
This primitive allows you to filter on either Ethernet or IP broadcasts or multicasts.

<expr> relop <expr>
This primitive allows you to create complex filter expressions that select bytes or ranges of bytes in packets. Please see the tcpdump man pages for more details.