Reputation: 652
c - pcap filter expression
I was wondering how the input data in this expression actually works.
char *filter = "dst host 172.17.14.90 and ip";
From what I understand the dest host bit and the following IPv4 address defines what address the recieved packet should be addressed to.
The man page was a bit confusing on that point saying:
dst host host
True if the IPv4/v6 destination field of the packet is host, which may be either an address or a name.
http://www.manpagez.com/man/7/pcap-filter/
so is that what it means? and as for the and ip bit I have no clue.
Upvotes: 4
Views: 3406
Answers (1)
Reputation: 19233
You are right about the first bit:
dst host 172.17.14.90
means that the packet should be addressed to 172.17.14.90.
The second one:
ip
like the manpage says is an abbreviation for:
ether proto ip
which means that the packet must be sent using the IP protocol.
So, to sum up: the packet must be sent using the IP protocol to the host having IP address 172.17.14.90.
As a note, the above could be expressed simpler using:
ip dst host 172.17.14.90
(the shorter syntax is explained near host explanation in the manpage)
Upvotes: 5
Related Questions
- Understanding pcap packet header
- Decomposition of an IP header
- Correct filter expression in libpcap for outgoing packets
- Generating packets from pcap file in C
- filtering packets from pcap file
- pCap capturing outgoing packets
- Is this a correct pcap filter expression
- PCAP functions in tcp raw program.
- Understanding a function. pcap and BPF
- how to filter incoming packets in pcap vc++