• Bug#1067056: libpcap0.8: man page gives incorrect syntax specification

    From debbug.libpcap0.8@sideload.33mail.c@21:1/5 to All on Sun Mar 17 19:50:01 2024
    Package: libpcap0.8
    Version: 1.10.0-2
    Severity: normal
    Tags: upstream
    X-Debbugs-Cc: debbug.libpcap0.8@sideload.33mail.com

    From the pcap-filter man page:

    proto proto qualifiers restrict the match to a particular protocol.
    Possible protos are: ether, fddi, tr, wlan, ip, ip6, arp,
    rarp, decnet, tcp and udp. E.g., `ether src foo', `arp net
    128.3', `tcp port 21', `udp portrange 7000-7009', `wlan addr2
    0:2:3:4:5:6'. If there is no proto qualifier, all protocols
    consistent with the type are assumed. E.g., `src foo' means
    `(ip or arp or rarp) src foo' (except the latter is not legal
    syntax), `net bar' means `(ip or arp or rarp) net bar' and
    `port 53' means `(tcp or udp) port 53'.


    proto protocol

    True if the packet is an IPv4 or IPv6 packet of protocol type
    protocol. Note that this primitive does not chase the protocol
    header chain.

    tcp, udp, icmp
    Abbreviations for:
    proto \protocol
    where protocol is one of the above protocols.

    It’s a bit screwy because the “proto” conditional is specified twice
    in the man page. The first time it presents a mostly different set of
    possible arguments than the 2nd time. When a user searches the man
    page for “ICMP” they only see the 2nd syntax spec for “proto”. This
    2nd occurrence does not supply the BNF for the argument. The very next
    paragraph is not indented but appears to list the arguments. A
    speed-reading user sees “tcp, udp, icmp” and stops reading. Not that
    it matters, because this abbreviation clause seems to suggest “tcp,
    udp, icmp” are in fact valid parameters for “proto”. Yet this fails:

    $ tcpdump -Avvv -r session.pcap 'proto icmp'
    reading from file session.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
    Warning: interface names might be incorrect
    tcpdump: can't parse filter expression: syntax error

    I was stumped. I could not work out why my usage was syntactically
    incorrect. I had to get support from someone who suggested simply
    removing “proto”. That worked. But according to the man page my
    original attempt should have also worked.

    -- System Information:
    Debian Release: 11.5
    APT prefers oldstable-updates
    APT policy: (990, 'oldstable-updates'), (990, 'oldstable-security'), (990, 'testing'), (990, 'oldstable')
    Architecture: amd64 (x86_64)
    Foreign Architectures: i386

    Kernel: Linux 5.10.0-19-amd64 (SMP w/2 CPU threads)
    Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
    Shell: /bin/sh linked to /bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages libpcap0.8 depends on:
    ii libc6 2.31-13+deb11u5
    ii libdbus-1-3 1.12.24-0+deb11u1

    libpcap0.8 recommends no packages.

    libpcap0.8 suggests no packages.

    -- no debconf information

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Romain Francoise@21:1/5 to debbug.libpcap0.8@sideload.33mail.c on Sun Mar 17 21:00:01 2024
    Hi,

    On Sun, Mar 17, 2024 at 7:45 PM <debbug.libpcap0.8@sideload.33mail.com> wrote:
    > From the pcap-filter man page:
    > [...]
    > tcp, udp, icmp
    > Abbreviations for:
    > proto \protocol
    > [...]
    > I was stumped. I could not work out why my usage was syntactically
    > incorrect. I had to get support from someone who suggested simply
    > removing “proto”. That worked. But according to the man page my
    > original attempt should have also worked.

    No, the backslash character in the example is significant and you did
    not provide it. What you were looking for is either 'icmp', 'ip proto
    1' or 'ip proto \icmp' which are equivalent.

    'proto \icmp' also works but generates support code for IPv6 as well
    which does not really make sense for ICMP and is likely not what you
    wanted.

    --
    Romain Francoise <rfrancoise@debian.org>
    https://people.debian.org/~rfrancoise/

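
The filter spellings discussed in this thread can be checked offline with `tcpdump -d`, which prints the compiled BPF program instead of capturing. This is an added example, not part of the bug report or the reply; the helper names and the header-only scratch capture are constructed here, and an installed tcpdump is assumed.

```shell
#!/bin/sh
# Added example: compile pcap filters offline and compare the resulting BPF.
# filter_bpf, same_bpf and report are hypothetical helper names for this sketch.

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
EMPTY="$WORK/empty.pcap"

# Constructed 24-byte pcap file header with no packets: little-endian magic
# a1b2c3d4, version 2.4, snaplen 65535, link type 1 (EN10MB). It gives tcpdump
# a link type to compile against without opening an interface.
printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$EMPTY"

# Print the compiled BPF for one filter; non-zero status if it does not parse.
filter_bpf() {
    tcpdump -r "$EMPTY" -d "$1" 2>/dev/null
}

# Succeed only if both filters compile to identical BPF programs.
same_bpf() {
    a=$(filter_bpf "$1") || return 2
    b=$(filter_bpf "$2") || return 2
    [ "$a" = "$b" ]
}

# Walk the spellings from the thread. The single quotes matter: they keep the
# backslash intact so libpcap sees \icmp as a name rather than the keyword icmp.
report() {
    for f in 'proto icmp' 'icmp' 'ip proto 1' 'ip proto \icmp' 'proto \icmp'; do
        if out=$(filter_bpf "$f"); then
            n=$(printf '%s\n' "$out" | wc -l)
            printf '%-16s compiles to %s BPF instructions\n' "$f" "$n"
        else
            printf '%-16s syntax error\n' "$f"
        fi
    done
    same_bpf 'icmp' 'ip proto \icmp' && echo "icmp == ip proto \\icmp"
    same_bpf 'icmp' 'proto \icmp' || echo "proto \\icmp differs (adds an IPv6 branch)"
}

if command -v tcpdump >/dev/null 2>&1; then
    report
else
    echo "tcpdump not installed; nothing to compare" >&2
fi
```

Running `filter_bpf 'proto \icmp'` on its own shows the extra IPv6 test that the reply mentions.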