libpcap/tcpdump filter syntax:
type
    Type qualifiers say what kind of thing the id name or number refers to. Possible
    types are host, net, port and portrange. E.g., 'host foo', 'net 128.3', 'port 20',
    'portrange 6000-6008'. If there is no type qualifier, host is assumed.

dir
    Dir qualifiers specify a particular transfer direction to and/or from id. Possible
    directions are src, dst, src or dst, src and dst, ra, ta, addr1, addr2, addr3, and
    addr4. E.g., 'src foo', 'dst net 128.3', 'src or dst port ftp-data'. If there is
    no dir qualifier, src or dst is assumed. The ra, ta, addr1, addr2, addr3, and
    addr4 qualifiers are only valid for IEEE 802.11 Wireless LAN link layers. For some
    link layers, such as SLIP and the "cooked" Linux capture mode used for the
    "any" device and for some other device types, the inbound and outbound qualifiers
    can be used to specify a desired direction.

proto
    Proto qualifiers restrict the match to a particular protocol. Possible protos are:
    ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp. E.g., 'ether src
    foo', 'arp net 128.3', 'tcp port 21', 'udp portrange 7000-7009', 'wlan addr2
    0:2:3:4:5:6'. If there is no proto qualifier, all protocols consistent with the
    type are assumed. E.g., 'src foo' means '(ip or arp or rarp) src foo' (except the
    latter is not legal syntax), 'net bar' means '(ip or arp or rarp) net bar' and
    'port 53' means '(tcp or udp) port 53'.
Sample (building a filter string at run time and compiling it; optimize = 1, netmask = 0, which only matters for 'ip broadcast' tests):
    snprintf(szProgram, sizeof szProgram, "ether[0x0a:4] == 0x13223344 && ether[0x0e:2] == 0x55%.2x", port);
    if (pcap_compile(interface->ppcap, &bpfprogram, szProgram, 1, 0) == -1) {
        fprintf(stderr, "pcap_compile failed: %s\n", pcap_geterr(interface->ppcap));
    }
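The following is an added example, not code from the page and not part of libpcap: a dependency-free C model of the two constructs used above, the byte-offset test 'ether[off:len] == value' from the sample and the qualifier defaults from the proto paragraph ('port 53' meaning '(tcp or udp) port 53' with 'src or dst' assumed). It runs the checks against a constructed Ethernet/IPv4/UDP frame (a DNS query, built inline) so it compiles with plain cc and no -lpcap. The function names ether_match and port_match, the enums and the frame bytes are all assumptions of this example.

```c
/* Added example, not from the page or from libpcap: a dependency-free model of
 * two pcap-filter constructs, evaluated against a constructed Ethernet/IPv4/UDP
 * frame. It shows what `ether[off:len] == value` compares (len bytes at frame
 * offset off, read big-endian; a load past the end of the packet never matches,
 * which is also what the compiled BPF program does) and what the bare `port 53`
 * shorthand expands to: `(tcp or udp) port 53` with the default `src or dst`.
 * Build with: cc -Wall filter_model.c
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed frame: Ethernet II / IPv4 / UDP, 192.168.1.10:51234 -> 8.8.8.8:53 */
static const uint8_t frame[] = {
    /* Ethernet: dst 00:11:22:33:44:55, src 66:77:88:13:22:33, type 0x0800 (IPv4) */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x13,0x22,0x33, 0x08,0x00,
    /* IPv4: ver/ihl, tos, total length 36, id, flags/frag 0, ttl 64, proto 17 (UDP), csum */
    0x45,0x00, 0x00,0x24, 0x00,0x01, 0x00,0x00, 0x40,0x11, 0x00,0x00,
    192,168,1,10,  8,8,8,8,
    /* UDP: src 51234 (0xc822), dst 53, length 16, csum 0 */
    0xc8,0x22, 0x00,0x35, 0x00,0x10, 0x00,0x00,
    /* 8 bytes of payload (arbitrary) */
    0xde,0xad,0xbe,0xef, 0x01,0x02,0x03,0x04,
};

enum dir   { DIR_SRC, DIR_DST, DIR_SRC_OR_DST, DIR_SRC_AND_DST };
enum proto { PROTO_ANY, PROTO_TCP, PROTO_UDP };   /* PROTO_ANY = the `(tcp or udp)` default */

/* ether[off:len] == value. Returns 1 on match, 0 on mismatch or when the load
 * would run past the end of the packet, -1 for a len that pcap_compile rejects. */
int ether_match(const uint8_t *pkt, size_t pktlen, size_t off, size_t len, uint32_t value)
{
    if (len != 1 && len != 2 && len != 4)
        return -1;
    if (off > pktlen || len > pktlen - off)
        return 0;
    uint32_t v = 0;
    for (size_t i = 0; i < len; i++)
        v = (v << 8) | pkt[off + i];              /* network byte order, MSB first */
    return v == value;
}

/* `[proto] [dir] port N` on an Ethernet/IPv4 frame. Non-IP frames, IPv4
 * fragments other than the first (no transport header present) and other
 * transport protocols never match, mirroring what the filter does for `port`. */
int port_match(const uint8_t *pkt, size_t pktlen, enum proto p, enum dir d, uint16_t port)
{
    if (pktlen < 14 + 20 || ((pkt[12] << 8) | pkt[13]) != 0x0800)
        return 0;
    const uint8_t *ip = pkt + 14;
    size_t ihl = (ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || pktlen < 14 + ihl + 4)
        return 0;
    if ((((ip[6] & 0x1f) << 8) | ip[7]) != 0)    /* fragment offset != 0 */
        return 0;
    uint8_t ipproto = ip[9];
    if ((p == PROTO_TCP && ipproto != 6) || (p == PROTO_UDP && ipproto != 17) ||
        (p == PROTO_ANY && ipproto != 6 && ipproto != 17))
        return 0;
    const uint8_t *l4 = ip + ihl;                 /* TCP and UDP both start with src, dst port */
    int src = ((l4[0] << 8) | l4[1]) == port;
    int dst = ((l4[2] << 8) | l4[3]) == port;
    switch (d) {
    case DIR_SRC:         return src;
    case DIR_DST:         return dst;
    case DIR_SRC_OR_DST:  return src || dst;
    case DIR_SRC_AND_DST: return src && dst;
    }
    return 0;
}

int main(void)
{
    size_t n = sizeof frame;
    printf("ether[12:2] == 0x0800  -> %d\n", ether_match(frame, n, 12, 2, 0x0800));
    printf("ether[48:4] == 0       -> %d (load past end of packet)\n", ether_match(frame, n, 48, 4, 0));
    printf("port 53                -> %d\n", port_match(frame, n, PROTO_ANY, DIR_SRC_OR_DST, 53));
    printf("tcp port 53            -> %d\n", port_match(frame, n, PROTO_TCP, DIR_SRC_OR_DST, 53));
    printf("udp dst port 53        -> %d\n", port_match(frame, n, PROTO_UDP, DIR_DST, 53));
    printf("src port 53            -> %d\n", port_match(frame, n, PROTO_ANY, DIR_SRC, 53));
    return 0;
}
```

One caveat the model makes visible: 'ether[off:len]' offsets count from the start of the link-layer frame, so they depend on the capture's link type. The sample's offsets 0x0a and 0x0e assume a 14-byte Ethernet header; on the "cooked" Linux capture used for the "any" device the frame starts with a 16-byte pseudo-header instead, and the same filter string would test different bytes.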