Greetings! I'm trying to understand tcpdump expressions a bit more, and I'm confused about a basic example given in the pcap-filter man pages. They first state:
| The filter expression consists of one or more primitives. Primitives usually consist of an id (name or number) preceded by one or more qualifiers.

In turn, these qualifiers are type, dir and proto. So far so good, but further down we find this:

| ip host host
| which is equivalent to:
| ether proto \ip and host host

If I'm not mistaken, in the first case, ip and host are, respectively, proto and type. What pattern does 'ether proto \ip' follow? Isn't that, as a whole, a proto qualifier? If so, why isn't (a properly escaped) 'ether proto \ip host host' legal (without the keyword 'and')?

Thanks!

(For the record, I first tried getting an answer in serverfault, but the question didn't get much traction...)

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers