netsniff-ng(8)

the packet sniffing beast


FILTER EXAMPLE

netsniff-ng supports both low-level and high-level filters that are attached to its packet(7) socket. Low-level filters are described in the bpfc(8) man page.

Low-level filters can be used with netsniff-ng in the following way:

1. bpfc foo > bar
2. netsniff-ng -f bar
3. bpfc foo | netsniff-ng -i nlmon0 -f -

Here, foo is the bpfc program that will be translated into a netsniff-ng readable 'opcodes' file and passed to netsniff-ng through the -f option.

Similarly, high-level filters can be passed either through the -f option, e.g. -f "tcp or udp", or at the end of all options without the '-f'.

The filter syntax is the same as in tcpdump(8), which is described in the man page pcap-filter(7). Just to quote some examples:

host sundown
    To select all packets arriving at or departing from sundown.

host helios and (hot or ace)
    To select traffic between helios and either hot or ace.

ip host ace and not helios
    To select all IP packets between ace and any host except helios.

net ucb-ether
    To select all traffic between local hosts and hosts at Berkeley.

gateway snup and (port ftp or ftp-data)
    To select all FTP traffic through Internet gateway snup.

ip and not net localnet
    To select traffic neither sourced from, nor destined for, local hosts. If you have a gateway to another network, this traffic should never make it onto your local network.

tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet
    To select the start and end packets (the SYN and FIN packets) of each TCP conversation that involve a non-local host.

tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)
    To select all IPv4 HTTP packets to and from port 80, that is to say, print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.)

gateway snup and ip[2:2] > 576
    To select IP packets longer than 576 bytes sent through gateway snup.

ether[0] & 1 = 0 and ip[16] >= 224
    To select IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast.

icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
    To select all ICMP packets that are not echo requests or replies (that is to say, not "ping" packets).
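The byte-offset expressions above (ip[2:2], ip[0]&0xf, tcp[12]&0xf0, ether[0] & 1, ip[16]) are easier to trust once you have evaluated them by hand against a real header layout. The following Python is an added example, not part of netsniff-ng or of this man page: it constructs a few Ethernet/IPv4/TCP frames (constructed sample data, checksums left zero) and evaluates three of the filters above with the same arithmetic the kernel filter performs. The accessor names ether_at, ip_at and tcp_at are this example's own and mirror the ether[], ip[] and tcp[] index syntax; offsets are relative to the start of each header, and the TCP header is located via the IHL field exactly as the "tcp port 80" data filter assumes. Only IPv4 is modelled, matching the page's own caveat.

```python
import struct

ETH_HDR_LEN = 14              # Ethernet II header: dst MAC, src MAC, EtherType
TCP_FIN, TCP_SYN = 0x01, 0x02  # bits of tcp[tcpflags], i.e. tcp[13]


def build_frame(dst_mac, dst_ip, tcp_flags, payload=b"", tcp_opts=b""):
    """Construct an Ethernet/IPv4/TCP frame to port 80 (sample data, not a capture)."""
    assert len(tcp_opts) % 4 == 0, "TCP options must pad to a 32-bit boundary"
    doff_words = (20 + len(tcp_opts)) // 4           # TCP data offset, in 32-bit words
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                          doff_words << 4, tcp_flags, 65535, 0, 0) + tcp_opts
    total_len = 20 + len(tcp_hdr) + len(payload)      # IPv4 header without options, IHL=5
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes(dst_ip))
    eth_hdr = bytes(dst_mac) + bytes([0x00, 0x11, 0x22, 0x33, 0x44, 0x55]) + b"\x08\x00"
    return eth_hdr + ip_hdr + tcp_hdr + payload


def ether_at(frame, off, size=1):
    """ether[off:size]: offsets count from the start of the Ethernet header."""
    return int.from_bytes(frame[off:off + size], "big")


def ip_at(frame, off, size=1):
    """ip[off:size]: offsets count from the start of the IPv4 header."""
    base = ETH_HDR_LEN
    return int.from_bytes(frame[base + off:base + off + size], "big")


def tcp_at(frame, off, size=1):
    """tcp[off:size]: the TCP header starts IHL*4 bytes into the IP packet."""
    base = ETH_HDR_LEN + (ip_at(frame, 0) & 0x0F) * 4
    return int.from_bytes(frame[base + off:base + off + size], "big")


def tcp_payload_len(frame):
    """(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2):
    IP total length minus IPv4 header length minus TCP header length."""
    return (ip_at(frame, 2, 2) - ((ip_at(frame, 0) & 0x0F) << 2)) \
        - ((tcp_at(frame, 12) & 0xF0) >> 2)


def http_data_filter(frame):
    """tcp port 80 and (<payload length> != 0): data-carrying HTTP segments only."""
    is_tcp = ip_at(frame, 9) == 6
    on_port_80 = 80 in (tcp_at(frame, 0, 2), tcp_at(frame, 2, 2))
    return is_tcp and on_port_80 and tcp_payload_len(frame) != 0


def syn_fin_filter(frame):
    """tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 (the localnet clause is not modelled)."""
    return ip_at(frame, 9) == 6 and (tcp_at(frame, 13) & (TCP_SYN | TCP_FIN)) != 0


def ip_mcast_not_ether_mcast_filter(frame):
    """ether[0] & 1 = 0 and ip[16] >= 224: IP multicast/broadcast in a unicast frame."""
    return (ether_at(frame, 0) & 1) == 0 and ip_at(frame, 16) >= 224


# Constructed sample frames.
UNICAST_MAC = [0x00, 0x50, 0x56, 0xAA, 0xBB, 0xCC]
MCAST_MAC = [0x01, 0x00, 0x5E, 0x00, 0x00, 0x01]     # 01:00:5e:... has the group bit set
HTTP_DATA = build_frame(UNICAST_MAC, [198, 51, 100, 7], 0x18,       # PSH|ACK with data
                        payload=b"GET / HTTP/1.0\r\n")
SYN_WITH_MSS = build_frame(UNICAST_MAC, [198, 51, 100, 7], TCP_SYN,  # SYN, 4-byte MSS option
                           tcp_opts=b"\x02\x04\x05\xb4")
ETHER_MCAST = build_frame(MCAST_MAC, [224, 0, 0, 1], 0x18, payload=b"x")
ODD_MCAST = build_frame(UNICAST_MAC, [224, 0, 0, 1], 0x18, payload=b"x")

if __name__ == "__main__":
    for name, frame in [("HTTP_DATA", HTTP_DATA), ("SYN_WITH_MSS", SYN_WITH_MSS),
                        ("ETHER_MCAST", ETHER_MCAST), ("ODD_MCAST", ODD_MCAST)]:
        print(f"{name:13} payload={tcp_payload_len(frame):2d} "
              f"http_data={http_data_filter(frame)!s:5} syn_fin={syn_fin_filter(frame)!s:5} "
              f"ip_mcast_not_ether={ip_mcast_not_ether_mcast_filter(frame)}")
```

The SYN_WITH_MSS frame is the case that matters: its TCP header is 24 bytes rather than 20, so a filter that hard-coded "total length - 40" would wrongly report four bytes of payload, while the tcp[12]&0xf0 term reads the real data offset and yields zero. Note that the kernel filter built from "tcp port 80" also contains the protocol and fragment checks that these helpers only approximate.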