Syntax

Syntax to run tcpdump against a PCAP with a BPF filter:

tcpdump "yourfilter" -r BPFCheck.pcap

BPF syntax with tcpdump

tcpdump protocol[byte#:size] {& mask} {operator} {value}

protocol

Identifies which header to look in. Mandatory. Can be ether, arp, ip, ip6, icmp, tcp, udp.

byte#

Byte offset (zero-based) within that header at which to start reading. Mandatory. Can be from 0 to 20, etc.

size

Identifies how many bytes to read. Optional. Can be 1 (default), 2, or 4.

& mask

Bitwise AND mask used to isolate specific bits before the comparison. Optional. Can be in decimal or hex format.

operator

Specifies the condition (=, <, <=, >, >=, !=) for the match. Mandatory.

value

Identifies the value to match (or not match). Mandatory. Should be in the same format as the mask.

To combine two or more statements, use and (&&) or or (||).

When using &, &&, ||, or ( ) you must surround the entire filter with " " or ' ', otherwise the shell interprets those characters itself before tcpdump sees them.

Remember that every BPF byte-offset statement must end with an operator and a value to compare against.

tcpdump {A} [B:C] {D} {E} {F} {G}

A = Protocol header (ether | arp | ip | ip6 | icmp | tcp | udp)

B = Header Byte offset

C = optional: Size in bytes. Can be 1 (byte), 2 (half-word) or 4 (word) (default 1 byte)

D = optional: Bitwise mask (&)

E = Operators = , == , > , < , <= , >= , != , () , << , >>

F = Value to search for

G = optional: Logical Operators and (&&) or or (||) to bridge expressions
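As an added illustration (not code from the original page), the following Python models the protocol[byte#:size] {& mask} {operator} {value} syntax above and evaluates it against a constructed Ethernet/IPv4/TCP frame, including terms joined with and/&& and or/||. It assumes IPv4 over Ethernet and no parentheses; it is a model of the syntax, not tcpdump's own filter compiler.

```python
import operator
import re

# Constructed sample frame (not from the page): Ethernet + IPv4 (IHL=5, proto 6)
# + TCP with data offset 5 and flags 0x12 (SYN+ACK).
ETH = bytes.fromhex("001122334455" "66778899aabb" "0800")
IP4 = bytes.fromhex("4500003c1c4640004006b1e6c0a80001c0a800c7")
TCP = bytes.fromhex("0050d431" "00000000" "00000001" "5012" "ffff" "0000" "0000")
FRAME = ETH + IP4 + TCP

# protocol[byte#:size] {& mask} {operator} {value}, as laid out on the page.
EXPR = re.compile(
    r"^\s*(?P<proto>ether|ip|tcp|udp|icmp)\[(?P<off>\d+)(?::(?P<size>[124]))?\]"
    r"(?:\s*&\s*(?P<mask>0x[0-9a-fA-F]+|\d+))?"
    r"\s*(?P<op>==|=|!=|<=|>=|<|>)\s*(?P<value>0x[0-9a-fA-F]+|\d+)\s*$")
OPS = {"=": operator.eq, "==": operator.eq, "!=": operator.ne,
       "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def header_offset(frame: bytes, proto: str) -> int:
    """Where each protocol's byte 0 sits in the frame (IPv4 over Ethernet assumed)."""
    if proto == "ether":
        return 0
    if proto == "ip":
        return 14
    ihl = frame[14] & 0x0F            # low nibble of ip[0] = IP header length in 32-bit words
    return 14 + ihl * 4               # tcp/udp/icmp start right after the IP header

def eval_term(frame: bytes, term: str) -> bool:
    m = EXPR.match(term)
    if not m:
        raise ValueError(f"not a byte-offset expression: {term!r}")
    start = header_offset(frame, m["proto"]) + int(m["off"])
    size = int(m["size"] or 1)        # default size is 1 byte
    field = int.from_bytes(frame[start:start + size], "big")
    if m["mask"]:
        field &= int(m["mask"], 0)    # mask is applied before the comparison
    return OPS[m["op"]](field, int(m["value"], 0))

def matches(frame: bytes, filt: str) -> bool:
    """Evaluate terms joined by and/&& and or/||; 'and' binds tighter, no parentheses."""
    clauses = re.split(r"\s+(?:or|\|\|)\s+", filt)
    return any(all(eval_term(frame, t) for t in re.split(r"\s+(?:and|&&)\s+", c))
               for c in clauses)

if __name__ == "__main__":
    for f in ("tcp[13] & 0x12 = 0x12",          # SYN and ACK both set
              "ip[0] & 0x0f > 5",                # IPv4 header carries options
              "tcp[0:2] = 80 or tcp[2:2] = 80",  # either port is 80
              "ip[9] = 6 && tcp[13] & 0x02 != 0"):
        print(f"{f!r:40} -> {matches(FRAME, f)}")
```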
