Ethereal-users: Re: [Ethereal-users] Parse error in filter screen.. ?
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Wed, 24 Jan 2001 10:22:09 -0800
On Wed, Jan 24, 2001 at 10:15:22AM -0500, Peter J. DiCostanzo Jr. - ComPath Inc. wrote:
> When I create a new filter using the gui "New Expression" button, i make a
> filter, name it and save it. When i include it in a capture I get this:
> Unable to parse filter string. (Parse Error).
>
> Any ideas?
My first idea is "what is the filter"?
If the filter doesn't follow the rules for capture filters, which are
the same rules as tcpdump has (because Ethereal and tcpdump use the
*same library routine* to parse capture filter strings), you'll get a
parse error.
Note that almost all filters that would be valid *display* filters would
*not* be valid capture filters; the syntaxes of display filters and
capture filters are different. For example:
ip.addr == www.sun.com
may be a valid *display* filter, but it's *not* a valid capture filter;
the equivalent capture filter would be
ip host www.sun.com
The rules for capture filters, from the tcpdump man page (well, the
FreeBSD 3.4 tcpdump man page; later versions of tcpdump and libpcap may
support additional items, e.g. a future libpcap release will support
"ipx" to look for all IPX packets, and only libpcap 0.6 and FreeBSD
libpcap support "iso", "esis", and "isis"):
expression
selects which packets will be dumped. If no
expression is given, all packets on the net will be
dumped. Otherwise, only packets for which expres-
sion is `true' will be dumped.
The expression consists of one or more primitives.
Primitives usually consist of an id (name or num-
ber) preceded by one or more qualifiers. There are
three different kinds of qualifier:
type qualifiers say what kind of thing the id
name or number refers to. Possible types
are host, net and port. E.g., `host foo',
`net 128.3', `port 20'. If there is no type
qualifier, host is assumed.
dir qualifiers specify a particular transfer
direction to and/or from id. Possible
directions are src, dst, src or dst and src
and dst. E.g., `src foo', `dst net 128.3',
`src or dst port ftp-data'. If there is no
dir qualifier, src or dst is assumed. For
`null' link layers (i.e. point to point pro-
tocols such as slip) the inbound and out-
bound qualifiers can be used to specify a
desired direction.
proto qualifiers restrict the match to a particu-
lar protocol. Possible protos are: ether,
fddi, ip, arp, rarp, decnet, lat, sca,
moprc, mopdl, iso, esis, isis, tcp and udp.
E.g., `ether src foo', `arp net 128.3', `tcp
port 21'. If there is no proto qualifier,
all protocols consistent with the type are
assumed. E.g., `src foo' means `(ip or arp
or rarp) src foo' (except the latter is not
legal syntax), `net bar' means `(ip or arp
or rarp) net bar' and `port 53' means `(tcp
or udp) port 53'.
[`fddi' is actually an alias for `ether'; the
parser treats them identically as meaning ``the
data link level used on the specified network
interface.'' FDDI headers contain Ethernet-like
source and destination addresses, and often contain
Ethernet-like packet types, so you can filter on
these FDDI fields just as with the analogous Ether-
net fields. FDDI headers also contain other
fields, but you cannot name them explicitly in a
filter expression.]
In addition to the above, there are some special
`primitive' keywords that don't follow the pattern:
gateway, broadcast, less, greater and arithmetic
expressions. All of these are described below.
More complex filter expressions are built up by
using the words and, or and not to combine primi-
tives. E.g., `host foo and not port ftp and not
port ftp-data'. To save typing, identical quali-
fier lists can be omitted. E.g., `tcp dst port ftp
or ftp-data or domain' is exactly the same as `tcp
dst port ftp or tcp dst port ftp-data or tcp dst
port domain'.
Allowable primitives are:
dst host host
True if the IP destination field of the
packet is host, which may be either an
address or a name.
src host host
True if the IP source field of the packet is
host.
host host
True if either the IP source or destination
of the packet is host. Any of the above
host expressions can be prepended with the
keywords, ip, arp, or rarp as in:
ip host host
which is equivalent to:
ether proto \ip and host host
If host is a name with multiple IP
addresses, each address will be checked for
a match.
ether dst ehost
True if the ethernet destination address is
ehost. Ehost may be either a name from
/etc/ethers or a number (see ethers(3N) for
numeric format).
ether src ehost
True if the ethernet source address is
ehost.
ether host ehost
True if either the ethernet source or desti-
nation address is ehost.
gateway host
True if the packet used host as a gateway.
I.e., the ethernet source or destination
address was host but neither the IP source
nor the IP destination was host. Host must
be a name and must be found in both
/etc/hosts and /etc/ethers. (An equivalent
expression is
ether host ehost and not host host
which can be used with either names or num-
bers for host / ehost.)
dst net net
True if the IP destination address of the
packet has a network number of net. Net may
be either a name from /etc/networks or a
network number (see networks(4) for
details).
src net net
True if the IP source address of the packet
has a network number of net.
net net
True if either the IP source or destination
address of the packet has a network number
of net.
net net mask mask
True if the IP address matches net with the
specific netmask. May be qualified with src
or dst.
net net/len
True if the IP address matches net a netmask
len bits wide. May be qualified with src or
dst.
dst port port
True if the packet is ip/tcp or ip/udp and
has a destination port value of port. The
port can be a number or a name used in
/etc/services (see tcp(4P) and udp(4P)). If
a name is used, both the port number and
protocol are checked. If a number or
ambiguous name is used, only the port number
is checked (e.g., dst port 513 will print
both tcp/login traffic and udp/who traffic,
and port domain will print both tcp/domain
and udp/domain traffic).
src port port
True if the packet has a source port value
of port.
port port
True if either the source or destination
port of the packet is port. Any of the
above port expressions can be prepended with
the keywords, tcp or udp, as in:
tcp src port port
which matches only tcp packets whose source
port is port.
less length
True if the packet has a length less than or
equal to length. This is equivalent to:
len <= length.
greater length
True if the packet has a length greater than
or equal to length. This is equivalent to:
len >= length.
ip proto protocol
True if the packet is an ip packet (see
ip(4P)) of protocol type protocol. Protocol
can be a number or one of the names icmp,
igrp, udp, nd, or tcp. Note that the iden-
tifiers tcp, udp, and icmp are also keywords
and must be escaped via backslash (\), which
is \\ in the C-shell.
ether broadcast
True if the packet is an ethernet broadcast
packet. The ether keyword is optional.
ip broadcast
True if the packet is an IP broadcast
packet. It checks for both the all-zeroes
and all-ones broadcast conventions, and
looks up the local subnet mask.
ether multicast
True if the packet is an ethernet multicast
packet. The ether keyword is optional.
This is shorthand for `ether[0] & 1 != 0'.
ip multicast
True if the packet is an IP multicast
packet.
ether proto protocol
True if the packet is of ether type proto-
col. Protocol can be a number or a name
like ip, arp, or rarp. Note these identi-
fiers are also keywords and must be escaped
via backslash (\). [In the case of FDDI
(e.g., `fddi protocol arp'), the protocol
identification comes from the 802.2 Logical
Link Control (LLC) header, which is usually
layered on top of the FDDI header. Tcpdump
assumes, when filtering on the protocol
identifier, that all FDDI packets include an
LLC header, and that the LLC header is in
so-called SNAP format.]
decnet src host
True if the DECNET source address is host,
which may be an address of the form
``10.123'', or a DECNET host name. [DECNET
host name support is only available on
Ultrix systems that are configured to run
DECNET.]
decnet dst host
True if the DECNET destination address is
host.
decnet host host
True if either the DECNET source or destina-
tion address is host.
ip, arp, rarp, decnet, iso
Abbreviations for:
ether proto p
where p is one of the above protocols.
lat, moprc, mopdl
Abbreviations for:
ether proto p
where p is one of the above protocols. Note
that tcpdump does not currently know how to
parse these protocols.
tcp, udp, icmp
Abbreviations for:
ip proto p
where p is one of the above protocols.
esis, isis
Abbreviations for:
iso proto p
where p is one of the above protocols. Note
that tcpdump does an incomplete job of pars-
ing these protocols.
expr relop expr
True if the relation holds, where relop is
one of >, <, >=, <=, =, !=, and expr is an
arithmetic expression composed of integer
constants (expressed in standard C syntax),
the normal binary operators [+, -, *, /, &,
|], a length operator, and special packet
data accessors. To access data inside the
packet, use the following syntax:
proto [ expr : size ]
Proto is one of ether, fddi, ip, arp, rarp,
tcp, udp, or icmp, and indicates the proto-
col layer for the index operation. The byte
offset, relative to the indicated protocol
layer, is given by expr. Size is optional
and indicates the number of bytes in the
field of interest; it can be either one,
two, or four, and defaults to one. The
length operator, indicated by the keyword
len, gives the length of the packet.
For example, `ether[0] & 1 != 0' catches all
multicast traffic. The expression `ip[0] &
0xf != 5' catches all IP packets with
options. The expression `ip[6:2] & 0x1fff =
0' catches only unfragmented datagrams and
frag zero of fragmented datagrams. This
check is implicitly applied to the tcp and
udp index operations. For instance, tcp[0]
always means the first byte of the TCP
header, and never means the first byte of an
intervening fragment.
Primitives may be combined using:
A parenthesized group of primitives and
operators (parentheses are special to the
Shell and must be escaped).
Negation (`!' or `not').
Concatenation (`&&' or `and').
Alternation (`||' or `or').
Negation has highest precedence. Alternation and
concatenation have equal precedence and associate
left to right. Note that explicit and tokens, not
juxtaposition, are now required for concatenation.
If an identifier is given without a keyword, the
most recent keyword is assumed. For example,
not host vs and ace
is short for
not host vs and host ace
which should not be confused with
not ( host vs or ace )
Expression arguments can be passed to tcpdump as
either a single argument or as multiple arguments,
whichever is more convenient. Generally, if the
expression contains Shell metacharacters, it is
easier to pass it as a single, quoted argument.
Multiple arguments are concatenated with spaces
before being parsed.
EXAMPLES
To print all packets arriving at or departing from sun-
down:
tcpdump host sundown
To print traffic between helios and either hot or ace:
tcpdump host helios and \( hot or ace \)
To print all IP packets between ace and any host except
helios:
tcpdump ip host ace and not helios
To print all traffic between local hosts and hosts at
Berkeley:
tcpdump net ucb-ether
To print all ftp traffic through internet gateway snup:
(note that the expression is quoted to prevent the shell
from (mis-)interpreting the parentheses):
tcpdump 'gateway snup and (port ftp or ftp-data)'
To print traffic neither sourced from nor destined for
local hosts (if you gateway to one other net, this stuff
should never make it onto your local net).
tcpdump ip and not net localnet
To print the start and end packets (the SYN and FIN pack-
ets) of each TCP conversation that involves a non-local
host.
tcpdump 'tcp[13] & 3 != 0 and not src and dst net localnet'
To print IP packets longer than 576 bytes sent through
gateway snup:
tcpdump 'gateway snup and ip[2:2] > 576'
To print IP broadcast or multicast packets that were not
sent via ethernet broadcast or multicast:
tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
To print all ICMP packets that are not echo
requests/replies (i.e., not ping packets):
tcpdump 'icmp[0] != 8 and icmp[0] != 0'
- References:
- [Ethereal-users] Parse error in filter screen.. ?
- From: Peter J. DiCostanzo Jr. - ComPath Inc.
- [Ethereal-users] Parse error in filter screen.. ?
- Prev by Date: Re: [Ethereal-users] v0.8.15 under WinNT
- Next by Date: RE: [Ethereal-users] Parse error in filter screen.. ?
- Previous by thread: Re: [Ethereal-users] Parse error in filter screen.. ?
- Next by thread: RE: [Ethereal-users] Parse error in filter screen.. ?
- Index(es):
