Thanks a lot, Bill! That was a great, compact lesson!
On Thu, Oct 18, 2012 at 1:50 PM, Bill Fenner <fen...@gmail.com> wrote:
> On Oct 18, 2012, at 7:00 AM, Ezequiel Garzón <garzon.luc...@gmail.com> wrote:
>
>> Thanks for your reply, Bill.
>>
>>> "ether proto \ip" is: <proto> <type> <id>
>>
>> In what sense is "proto" here a <type>? <type>s are described as
>> "qualifiers say what kind of thing the id name or number refers to.
>> Possible types are host, net, port and portrange." Not only is
>> "proto" not given as an option, but it seems to me as if it belongs in
>> another category entirely.
>
> That part of the documentation is incomplete. "Proto" is just like "port" in
> the sense that it is saying "look in this part of the packet".
>
>> This leads to the more central question of how to match "\ip" with
>> <id>. <id>s are defined in passing as "(name or number)". How can one
>> match conceptually "\ip" with an address?
>
> \ip is turned into 0x800 via an internal name -> number lookup.
>
>> I'm sorry to insist on this open-ended issue. I know there must be
>> something off with my understanding, and would like to fix it if
>> possible!
>
> "Ether proto ip" says "look in the Ethernet header, in the proto field, for
> the value 0x800".
>
> "Host host" says "look up host in /etc/hosts or in DNS, get an IP address for
> it, and look for that IP address in the source or destination headers".
>
> You have to use "and" to join any "look here for this value and look there
> for that value".
>
> Bill
>
>> Thanks again.
>>
>> Best regards,
>>
>> Ezequiel
>>
>> On Wed, Oct 17, 2012 at 4:49 PM, Bill Fenner <fen...@gmail.com> wrote:
>>> On Wed, Oct 17, 2012 at 3:59 AM, Ezequiel Garzón
>>> <garzon.luc...@gmail.com> wrote:
>>>> Greetings! I'm trying to understand tcpdump expressions a bit more,
>>>> and I'm confused about a basic example given in the pcap-filter man
>>>> pages. They first state:
>>>>
>>>> | The filter expression consists of one or more primitives. Primitives
>>>> usually consist of an id (name or number) preceded by one or more
>>>> qualifiers.
>>>>
>>>> In turn, these qualifiers are type, dir and proto. So far so good, but
>>>> further down we find this:
>>>>
>>>> | ip host host
>>>> | which is equivalent to:
>>>> | ether proto \ip and host host
>>>>
>>>> If I'm not mistaken, in the first case, ip and host are, respectively,
>>>> proto and type. What pattern does 'ether proto \ip' follow? Isn't
>>>> that, as a whole, a proto qualifier? If so, why isn't (a properly
>>>> escaped) 'ether proto \ip host host' legal (without the keyword
>>>> 'and')?
>>>
>>> They're two separate primitives:
>>>
>>> "ether proto \ip" is: <proto> <type> <id>
>>>
>>> "host host" is <type> <id>
>>>
>>> Concatenating two primitives requires "and".
>>>
>>> (Don't get confused between "ether" being a <proto> and "proto" being
>>> a <type>: that doesn't make "proto" a <proto>.)
>>>
>>> Bill
>> _______________________________________________
>> tcpdump-workers mailing list
>> tcpdump-workers@lists.tcpdump.org
>> https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
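Bill's two "look here for this value" primitives and the "and" that joins them, written out as an added Python illustration (not part of the thread or of libpcap): the sample frames, MAC addresses and the dotted-quad-only `host` lookup are constructed simplifications.

```python
import socket
import struct

# Internal name -> number lookup behind "ether proto \ip" (the backslash only
# stops the filter parser from reading "ip" as a keyword). Values are the
# standard EtherType assignments.
ETHERTYPES = {"ip": 0x0800, "arp": 0x0806, "rarp": 0x8035, "ip6": 0x86DD}

def ether_proto(frame: bytes, name: str) -> bool:
    """Primitive 'ether proto <name>': look in the Ethernet header, in the
    type field (frame bytes 12-13), for the number <name> maps to."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    return ethertype == ETHERTYPES[name]

def host(frame: bytes, addr: str) -> bool:
    """Primitive 'host <addr>', IPv4 case: look for the address in the source
    (bytes 26-29) or destination (bytes 30-33) field of the IPv4 header that
    follows the 14-byte Ethernet header. Simplification for this example:
    <addr> is a dotted quad, so no /etc/hosts or DNS lookup is done."""
    wanted = socket.inet_aton(addr)
    return frame[26:30] == wanted or frame[30:34] == wanted

def ip_host(frame: bytes, addr: str) -> bool:
    """'ip host <addr>' == 'ether proto \\ip and host <addr>': two separate
    primitives joined by 'and'. Checking the type field first also means
    host() only reads bytes 26-33 of a frame that really carries IPv4."""
    return ether_proto(frame, "ip") and host(frame, addr)

def build_frame(ethertype: int, src: str, dst: str) -> bytes:
    """Constructed sample frame: Ethernet header plus a minimal 20-byte IPv4
    header (constructed MAC addresses, checksum left at zero, no payload)."""
    eth = (bytes.fromhex("02000000000a") + bytes.fromhex("02000000000b")
           + struct.pack("!H", ethertype))
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ipv4

if __name__ == "__main__":
    ipv4_frame = build_frame(ETHERTYPES["ip"], "10.0.0.1", "10.0.0.2")
    arp_frame = build_frame(ETHERTYPES["arp"], "10.0.0.1", "10.0.0.2")
    print(ip_host(ipv4_frame, "10.0.0.2"))  # True: type is 0x800 and dst matches
    print(ip_host(ipv4_frame, "10.0.0.9"))  # False: type matches, no address does
    print(ip_host(arp_frame, "10.0.0.1"))   # False: type is 0x806, so the 'and' fails
```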