On Wed, Oct 17, 2012 at 3:59 AM, Ezequiel Garzón <garzon.luc...@gmail.com> wrote:
> Greetings! I'm trying to understand tcpdump expressions a bit more,
> and I'm confused about a basic example given in the pcap-filter man
> pages. They first state:
>
> | The filter expression consists of one or more primitives. Primitives
> usually consist of an id (name or number) preceded by one or more
> qualifiers.
>
> In turn, these qualifiers are type, dir and proto. So far so good, but
> further down we find this:
>
> | ip host host
> | which is equivalent to:
> | ether proto \ip and host host
>
> If I'm not mistaken, in the first case, ip and host are, respectively,
> proto and type. What pattern does 'ether proto \ip' follow? Isn't
> that, as a whole, a proto qualifier? If so, why isn't (a properly
> escaped) 'ether proto \ip host host' legal (without the keyboard
> 'and')?

They're two separate primitives:

"ether proto \ip" is: <proto> <type> <id>
"host host" is <type> <id>

Concatenating two primitives requires "and".

(Don't get confused between "ether" being a <proto> and "proto" being
a <type>: that doesn't make "proto" a <proto>.)

  Bill
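
The decomposition described in the reply above, as an added example that is not part of the original thread and not libpcap's code: a simplified model that labels each token of a filter as <proto>, <dir>, <type> or <id> and rejects two primitives joined without "and"/"or". The keyword subsets, the function names and the address 192.0.2.1 are assumptions chosen for illustration.

```python
# Simplified model of pcap-filter primitives; this is NOT libpcap's real grammar.
PROTO = {"ether", "ip", "ip6", "arp", "tcp", "udp"}   # subset of <proto> qualifiers
DIR = {"src", "dst"}                                   # subset of <dir> qualifiers
TYPE = {"host", "net", "port", "proto"}                # subset of <type> qualifiers
ORDER = [("proto", PROTO), ("dir", DIR), ("type", TYPE)]
JOIN = {"and", "or"}


def split_primitives(expr):
    """Split a filter string into primitives, each a list of (role, token)."""
    primitives, current, stage, has_id = [], [], 0, False
    for tok in expr.split():
        if tok in JOIN:
            if not current:
                raise ValueError(f"'{tok}' has no primitive before it")
            primitives.append(current)
            current, stage, has_id = [], 0, False
            continue
        if has_id:
            # The id closed the previous primitive, so a connective is required.
            raise ValueError(f"expected 'and' or 'or' before '{tok}'")
        role = "id"
        if not tok.startswith("\\"):      # a backslash-escaped keyword is an id
            for i in range(stage, len(ORDER)):
                if tok in ORDER[i][1]:    # qualifiers are taken in proto, dir, type order
                    role, stage = ORDER[i][0], i + 1
                    break
        has_id = role == "id"
        current.append((role, tok))
    if not current:
        raise ValueError("expression ends without a primitive")
    primitives.append(current)
    return primitives


def shape(expr):
    """Return the qualifier pattern of each primitive, e.g. ['proto type id']."""
    return [" ".join(role for role, _ in prim) for prim in split_primitives(expr)]


if __name__ == "__main__":
    # Constructed sample filters; 192.0.2.1 is a documentation address.
    for e in (r"ip host 192.0.2.1", r"ether proto \ip and host 192.0.2.1"):
        print(e, "->", shape(e))
```

In this model "proto" is only ever matched against the <type> set, which is why "ether proto \ip" comes out as one complete primitive and a following "host" needs a connective.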