Filter Expressions
salcock edited this page Sep 10, 2014 · 1 revision
Some BPF filter expressions that might be useful:
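- `'ether[0] & 1 == 0 and ip[16] >= 224'`: IP broadcast or multicast packets that were not sent to an Ethernet broadcast or multicast address.
- `'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'`: ICMP packets that are not echo requests or echo replies (i.e. not ping traffic).
- `'tcp[13] & 2 == 2'`: TCP segments with the SYN flag set, whatever the other flags are (matches SYN and SYN/ACK).
- `'tcp[13] == 2'`: TCP segments with only the SYN flag set.
- `'tcp[tcpflags] & tcp-syn != 0'`: TCP segments with the SYN flag set, written with the symbolic names instead of raw offsets.
- `'port 53 and udp[10]&0x80==0x00'`: DNS queries (QR bit clear).
- `'port 53 and udp[10]&0x80!=0x00'`: DNS responses (QR bit set).
- `'port 53 and udp[10]&0x80!=0 and udp[11]&15==0'`: DNS responses with RCODE 0 (NOERROR).
- `'port 53 and udp[10]&0x80!=0 and udp[11]&15==1'`: DNS responses with RCODE 1 (FORMERR).
- `'port 53 and udp[10]&0x80!=0 and udp[11]&15==2'`: DNS responses with RCODE 2 (SERVFAIL).
- `'port 53 and udp[10]&0x80!=0 and udp[11]&15==3'`: DNS responses with RCODE 3 (NXDOMAIN).
- `'port 53 and udp[10]&0x80!=0 and udp[11]&15==4'`: DNS responses with RCODE 4 (NOTIMP).
- `'port 53 and udp[10]&0x80!=0 and udp[11]&15==5'`: DNS responses with RCODE 5 (REFUSED).
- `'port 53 and udp[10]&0x02!=0'`: DNS messages with the TC (truncated) bit set.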
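
To make the offsets in the DNS filters concrete, the following added example (not part of the original wiki page or of libtrace) applies the same `udp[10]` and `udp[11]` byte tests to constructed UDP datagrams. The function names and sample packets are assumptions made for illustration.

```python
import struct

# Offsets are relative to the start of the UDP header, as with BPF's udp[N]:
# bytes 0-7 are the UDP header, 8-9 the DNS ID, 10-11 the DNS flags field.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_udp_dns(sport, dport, dns_id, flags, question=b""):
    """Constructed sample: UDP header plus a 12-byte DNS header (checksum 0)."""
    dns = struct.pack("!HHHHHH", dns_id, flags, 1 if question else 0, 0, 0, 0)
    dns += question
    return struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns


def classify(udp):
    """Apply the same byte tests as the 'port 53 and udp[10]...' filters."""
    if len(udp) < 12:
        return None                          # too short to contain udp[11]
    sport, dport = struct.unpack("!HH", udp[:4])
    if 53 not in (sport, dport):             # 'port 53'
        return None
    result = {
        "response": (udp[10] & 0x80) != 0,   # QR bit
        "truncated": (udp[10] & 0x02) != 0,  # TC bit
        "rcode": None,
    }
    if result["response"]:
        code = udp[11] & 15                  # low four bits hold the RCODE
        result["rcode"] = RCODES.get(code, str(code))
    return result


# Constructed samples: a query, an NXDOMAIN reply, a truncated reply, non-DNS.
QNAME = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
SAMPLES = {
    "query": build_udp_dns(40000, 53, 0x1234, 0x0100, QNAME),
    "nxdomain": build_udp_dns(53, 40000, 0x1234, 0x8183, QNAME),
    "truncated": build_udp_dns(53, 40000, 0x1234, 0x8300, QNAME),
    "not_dns": build_udp_dns(40000, 123, 0x1234, 0x8183),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

These filters only see DNS carried over UDP in IPv4: pcap's `udp[N]` indexing does not apply to IPv6, and DNS over TCP places a two-byte length prefix before the DNS header.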