Package: libpcap0.8
Version: 1.10.0-2
Severity: normal
Tags: upstream
X-Debbugs-Cc: debbug.libpcap0.8@sideload.33mail.com

From the pcap-filter man page:

    proto  proto qualifiers restrict the match to a particular protocol.
           Possible protos are: ether, fddi, tr, wlan, ip, ip6, arp,
           rarp, decnet, tcp and udp. E.g., `ether src foo', `arp net
           128.3', `tcp port 21', `udp portrange 7000-7009', `wlan addr2
           0:2:3:4:5:6'. If there is no proto qualifier, all protocols
           consistent with the type are assumed. E.g., `src foo' means
           `(ip or arp or rarp) src foo' (except the latter is not legal
           syntax), `net bar' means `(ip or arp or rarp) net bar' and
           `port 53' means `(tcp or udp) port 53'.
    …
    proto protocol
           True if the packet is an IPv4 or IPv6 packet of protocol type
           protocol. Note that this primitive does not chase the protocol
           header chain.
    tcp, udp, icmp
           Abbreviations for:
                proto \protocol
           where protocol is one of the above protocols.

It’s a bit screwy because the “proto” conditional is specified twice
in the man page. The first time it presents a mostly different set of
possible arguments than the 2nd time. When a user searches the man
page for “ICMP” they only see the 2nd syntax spec for “proto”. This
2nd occurrence does not supply the BNF for the argument. The very next
paragraph is not indented but appears to list the arguments. A
speed-reading user sees “tcp, udp, icmp” and stops reading. Not that
it matters, because this abbreviation clause seems to suggest “tcp,
udp, icmp” are in fact valid parameters for “proto”. Yet this fails:

    $ tcpdump -Avvv -r session.pcap 'proto icmp'
    reading from file session.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
    Warning: interface names might be incorrect
    tcpdump: can't parse filter expression: syntax error

I was stumped. I could not work out why my usage was syntactically
incorrect. I had to get support from someone who suggested simply
removing “proto”. That worked. But according to the man page my
original attempt should have also worked.
-- System Information:
Debian Release: 11.5
APT prefers oldstable-updates
APT policy: (990, 'oldstable-updates'), (990, 'oldstable-security'), (990, 'testing'), (990, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-19-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libpcap0.8 depends on:
ii libc6 2.31-13+deb11u5
ii libdbus-1-3 1.12.24-0+deb11u1
libpcap0.8 recommends no packages.
libpcap0.8 suggests no packages.
-- no debconf information