Extended Inline Search Syntax List

Each numbered entry gives a Description, the Syntax, Examples, and Comments.

1. By IPv4 Address only
   Syntax:   ip host {[ipv4] address}
   Examples: ip host 192.168.1.10

2. By IPv6 Address only
   Syntax:   ip6 host {[ipv6] address}
   Examples: ip6 host fffe:f221::2231:dec3::1f:1
   Comments: NOTE: an IPv6 literal may use the "::" compression only once (RFC 4291). The sample address used throughout this list contains two "::" groups, so pcap_compile rejects it as written; substitute a valid address when running these filters.

3. By Source IP only
   Syntax:   src host {[ipv4/v6] address}
   Examples: src host 192.168.1.10

4. By Destination IP only
   Syntax:   dst host {[ipv4/v6] address}
   Examples: dst host 25.29.83.222

5. By source and/or destination IPv4/IPv6 address
   Syntax:
     src host {[ipv4] address} [and/or] dst host {[ipv4] address}
     src host {[ipv4] address} [and/or] dst host {[ipv6] address}
   Examples:
     src host 192.168.1.10 and dst host 25.29.83.222
     src host 192.168.1.10 or src host fffe:f221::2231:dec3::1f:1

6. By Port Number
   Syntax:
     port {[port number] limited to 2^16}
     src port {[port number] limited to 2^16} [and/or] dst port {[port number] limited to 2^16}
   Examples:
     port 874
     src port 8740
     dst port 22
   Comments: NOTE: a bare "port" matches the number as either source or destination port.

7. By source and/or destination IPv4/IPv6 address and/or Port number
   Syntax:
     ip host {[ipv4] address} [and/or] port {[port number] limited to 2^16}
     ip6 host {[ipv6] address} [and/or] port {[port number] limited to 2^16}
   Examples:
     ip host 192.168.1.10 and port 8080
     ip6 host fffe:f221::2231:dec3::1f:1 and port 9845

8. By source and/or destination IPv4/IPv6 address and/or source and/or destination Port number
   Syntax:   src/dst host {[ipv6] address} [and/or] src/dst port {[port number] limited to 2^16}
   Examples:
     src host fffe:f221::2231:dec3::1f:1 and src port 9845
     dst host fffe:f221::2231:dec3::1f:1 and dst port 9845

9. By MAC address
   Syntax:   ether {[src/dst/host]} {[mac] address}
   Examples:
     ether host a8:86:dd:ab:b3:f5
     ether src a8:86:dd:ab:b3:f5
     ether dst ec:a9:40:e5:b7:d0
   Comments: NOTE: "ether host" matches either the source or the destination address; "ether src" and "ether dst" match only that direction.

10. By MAC and/or IP address
   Syntax:
     ether {[src/dst/host]} {[mac] address} and ip host {[ipv4] address}
     ether {[src/dst/host]} {[mac] address} or ip6 host {[ipv6] address}
     ether {[src/dst/host]} {[mac] address} or ip/ip6 src/dst {[ipv4/ipv6] address}
   Examples:
     ether host a8:86:dd:ab:b3:f5 and ip host 192.168.1.10
     ether host a8:86:dd:ab:b3:f5 and ip6 host fffe:f221::2231:dec3::1f:1
     ether dst a8:86:dd:ab:b3:f5 and ip6 src fffe:f221::2231:dec3::1f:1
     ether src a8:86:dd:ab:b3:f5 and ip6 dst fffe:f221::2231:dec3::1f:1
     ether dst a8:86:dd:ab:b3:f5 and \(ip6 dst fffe:f221::2231:dec3::1f:1 or ip src 192.168.1.10\)

11. By src or dst MAC address and protocol
   Syntax:   \(ether {[src/dst/host]} {[mac] address} or ether {[src/dst/host]} {[mac] address}\) and {[ip/ip6]} proto {[\tcp/\udp/\icmp/\sctp/\igmp]}
   Examples: \(ether dst a8:86:dd:ab:b3:f5 or ether dst ec:a9:40:e5:b7:d0\) and ip6 proto \tcp
   Comments: NOTE: arp and rarp are not IP protocols, so they cannot follow "ip proto"; write them bare (arp) or as ether proto \arp (see 12).

12. By Protocol
   Syntax:
     {[tcp/udp/icmp/icmp6/sctp/igmp/arp/rarp]}
     ip proto {[\tcp/\udp/\icmp/\sctp/\igmp]}      (ip6 proto likewise)
     ether proto {[\ip/\ip6/\arp/\rarp]}
   Examples:
     tcp or udp or icmp or icmp6 or igmp or arp
     ip proto \tcp or ip proto \udp
     ip proto \igmp
     ip proto 0x06  (same as ip proto \tcp or just tcp)
     ip6 proto 0x11 (same as ip6 proto \udp or just udp)
     ip6 proto 0x3a (same as ip6 proto \icmp6 or just icmp6; ICMPv6 is IP protocol 58 = 0x3a)
     ether proto \ip   (same as ether proto 0x0800)
     ether proto \ip6  (same as ether proto 0x86dd)
     ether proto \arp  (same as ether proto 0x0806)
   Comments:
     NOTE: after the ip proto / ip6 proto tag, the names tcp, udp, icmp, igmp, sctp are themselves filter keywords and must be escaped with a backslash (\tcp); a numeric protocol number needs no escape.
     NOTE: after the ether proto tag, the names ip, ip6, arp, rarp must likewise be escaped (\ip); a numeric EtherType needs no escape.
     NOTE: libpcap resolves a backslash-escaped name through the system protocol table (/etc/protocols for IP protocols), so the numeric form is the portable one.

13. By Protocol header chain
   Syntax:
     ip protochain {[protocol number]}
     ip6 protochain {[protocol number]}
   Examples:
     ip protochain 6      (TCP)
     ip6 protochain 0x11  (UDP, 17)
   Comments: Doesn't seem to take the keywords, only numbers. Unlike "ip6 proto", which tests only the Next Header field of the fixed IPv6 header, "ip6 protochain" follows the extension-header chain (Hop-by-Hop, Routing, Fragment, Destination Options) before comparing the protocol, so it still matches TCP when extension headers sit in front of it.
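As an added example (not part of this list and not the search binary's code), the Python below shows the difference between "ip6 proto" and "ip6 protochain" on constructed IPv6 packets and maps the protocol keywords of entries 12 and 13 to the numbers the filters accept. The packet builder and the names proto_number, build_ipv6, ip6_proto, ip6_protochain and matches are assumptions made for this example; only IPv6 is walked, and the extension-header lengths follow RFC 8200.

```python
import struct

# IP protocol numbers behind the keywords used in entries 12 and 13
# (icmp 1, igmp 2, tcp 6, udp 17, icmp6 58, sctp 132).
PROTO_NUMBERS = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "icmp6": 58, "sctp": 132}

# IPv6 extension headers that "protochain" walks through.
HOPOPTS, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60
EXT_HEADERS = {HOPOPTS, ROUTING, FRAGMENT, DSTOPTS}


def proto_number(keyword: str) -> int:
    """Resolve a filter keyword (with or without the leading backslash) to its number."""
    return PROTO_NUMBERS[keyword.lstrip("\\").lower()]


def build_ipv6(payload_proto: int, ext_headers=()) -> bytes:
    """Constructed IPv6 packet: fixed 40-byte header, optional extension headers, dummy payload."""
    chain = list(ext_headers) + [payload_proto]
    body = b""
    for i, hdr in enumerate(ext_headers):
        nxt = chain[i + 1]
        if hdr == FRAGMENT:
            body += struct.pack("!BBHI", nxt, 0, 0, 0)       # fixed 8-byte Fragment header
        else:
            # Next Header, Hdr Ext Len = 0 (one 8-octet unit), PadN option filling the rest
            body += struct.pack("!BB", nxt, 0) + b"\x01\x04\x00\x00\x00\x00"
    body += bytes(20)                                         # placeholder transport header
    fixed = struct.pack("!IHBB", 0x60000000, len(body), chain[0], 64) + bytes(16) + bytes(16)
    return fixed + body


def ip6_proto(pkt: bytes) -> int:
    """'ip6 proto N' semantics: only the Next Header field of the fixed header (byte 6)."""
    return pkt[6]


def ip6_protochain(pkt: bytes) -> list:
    """'ip6 protochain N' semantics: every header type found by walking the chain."""
    chain, nxt, off = [], pkt[6], 40
    while True:
        chain.append(nxt)
        if nxt not in EXT_HEADERS or off + 2 > len(pkt):
            return chain
        if nxt == FRAGMENT:
            length = 8
        else:
            length = (pkt[off + 1] + 1) * 8   # Hdr Ext Len counts 8-octet units beyond the first
        nxt, off = pkt[off], off + length


def matches(pkt: bytes, expr: str) -> bool:
    """Evaluate 'ip6 proto <p>' or 'ip6 protochain <p>', <p> a number (0x allowed) or \\keyword."""
    _, kind, value = expr.split()
    number = int(value, 0) if value[0].isdigit() else proto_number(value)
    if kind == "proto":
        return ip6_proto(pkt) == number
    if kind == "protochain":
        return number in ip6_protochain(pkt)
    raise ValueError(expr)


if __name__ == "__main__":
    plain = build_ipv6(proto_number("tcp"))
    chained = build_ipv6(proto_number("tcp"), ext_headers=(HOPOPTS, DSTOPTS))
    for name, pkt in (("plain TCP", plain), ("hop-by-hop + dstopts + TCP", chained)):
        print(name, "| ip6 proto 6 ->", matches(pkt, "ip6 proto 6"),
              "| ip6 protochain 6 ->", matches(pkt, "ip6 protochain 6"))
```

Running the block shows that a packet carrying Hop-by-Hop and Destination Options headers before TCP fails "ip6 proto 6" (its Next Header field is 0) but matches "ip6 protochain 6", which is why a filter meant to catch all TCP over IPv6 should use protochain or the bare "tcp" keyword.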

14. By Protocol and Port Number
   Syntax:
     {[tcp/udp/icmp/sctp/igmp/arp/rarp]} [and/or] \(src port {[port number] limited to 2^16} [and/or] dst port {[port number] limited to 2^16}\)
     ip proto {[\tcp/\udp/\icmp/\sctp/\igmp]} [and/or] \(src port {[port number] limited to 2^16} [and/or] dst port {[port number] limited to 2^16}\)
   Examples:
     tcp and port 80
     tcp and src port 80
     udp and dst port 80
     !tcp and dst port 80
     !udp and src port 80
     ip proto \tcp and port 80
     ip proto \udp or src port 4343
   Comments:
     NOTE: with the ip proto tag, tcp, udp, icmp, igmp must be escaped with a backslash.
     NOTE: "!" is a synonym for "not", but in an interactive bash shell an unquoted "!" triggers history expansion, so quote the expression or use "not".

15. By Protocol and Port Number and IP address
   Syntax:   {[tcp/udp/icmp/sctp/igmp/arp/rarp]} [and/or] \(src port {[port number] limited to 2^16} [and/or] dst port {[port number] limited to 2^16}\) [and/or] src/dst host {[ipv4/ipv6] address}
   Examples:
     tcp and port 80 and ip host 10.190.3.6
     udp and dst port 8080 and src host 10.190.3.6
     tcp and dst port 8080 and dst host 198.168.3.6
     udp and src port 8080 and src host 10.190.3.6
   By destination Port Number, excluding a specific src port number and a specific protocol:
     \(not arp and not src port 7634\) and dst port 2159
     \(not tcp and not src port 2123\) and dst port 2159
   Comments: NOTE: parentheses are special to the shell and must be escaped (or the whole expression quoted).

16. By Protocol and IP
   Syntax:   {[tcp/udp/sctp/icmp/igmp/arp/rarp]} and src host {[ipv4/v6] address}
   Examples:
     tcp and src host fffe:f221::2231:dec3::1f:1
   NOTE: To exclude a particular protocol, negate it with "not" or "!", as in the examples below:
     not tcp and src host fffe:f221::2231:dec3::1f:1
     !sctp and \(src host 10.192.168.7 or src host ffe:84::8\)

17. By Protocol and Multiple IP
   Syntax:   {[tcp/udp/icmp/sctp/igmp/arp/rarp]} and \(src host {[ipv4/v6] address1} or src host {[ipv4/v6] address2} or src host {[ipv4/v6] address3}\)
   Examples:
     tcp and \(src host fffe:f221::2231:dec3::1f:1 or src host fffe:f221::2231:dec3::1f:2 or src host fffe:f221::2231:dec3::1f:3\)
     tcp and \(src host fffe:f221::2231:dec3::1f:1 or src host 107.12.184.4 or src host fffe:f221::2231:dec3::1f:3\)

18. By Port and IP
   Syntax:   src host {[ipv4/v6] address} and dst host {[ipv4/v6] address} and src port {[port number] limited to 2^16} [and/or] dst port {[port number] limited to 2^16}
   Examples:
     src host 192.168.1.10 and dst host 25.29.83.222 and src port 80 and dst port 443
   Alternatively the above example can be rewritten as shown below. Note that a bare "host" matches the address as either source or destination, so these forms are slightly broader than the original:
     \(src port 80 and host 192.168.1.10\) and \(dst port 443 and host 25.29.83.222\)
     \(src port 80 and host 192.168.1.10\) or \(dst port 443 and host 25.29.83.222\)

19. By Protocol, Port and Multiple IP
   Examples:
     tcp && port 8000 && \(\(src host 10.192.168.76 && dst host 10.192.168.57\) or \(src host 1:87::9:54:53:ff:f && dst host ff::62:864:1\)\)
     !icmp and port 443 and \(src host 10.192.168.7 or src host ffe:84::8\)
     !tcp && !port 8000 && \(\(src host 10.192.168.76 && dst host 10.192.168.57\) or \(src host 1:87::9:54:53:ff:f && dst host ff::62:864:1\)\)
   Comments: NOTE: "&&" and "||" are accepted as synonyms for "and" and "or", but both are also shell operators, so an expression that uses them must be quoted as a whole (single quotes), not merely backslash-escaped at the parentheses.

20. By Portrange
   Syntax:   portrange {[low]-[high]} (port numbers 0-65535)
   Examples: portrange 2123-2152 and not port 2144
   Comments: NOTE: Extracts all the packets with a port number in the range 2123-2152 but excludes the packets with port number 2144.

21. By Port, Portrange and IP
   Syntax:   portrange {[low]-[high]} and not port {[port number] limited to 2^16} [and/or] ip host {[ipv4/v6] address}
   Examples: portrange 2123-2152 and not port 2144 and ip host 10.41.33.3
   Comments: NOTE: If you omit [src/dst], for example in "ip host [IP Address]", all packets that match the [IP Address] are displayed irrespective of whether it is the src or the dst IP Address.

22. By Subnet ([IP Address range])
   Syntax:
     net [IP]/Mask(bits)
     net [IP] mask [Subnet Mask]
     dst net [IP]/Mask(bits)
     src net [IP]/Mask(bits)
     [src/dst] net [IP] mask [Subnet Mask]
   Examples:
     net 192.168.1.0/24
     net 192.168.1.0 mask 255.255.255.0
     dst net 192.168.1.0/24
     src net 192.168.1.0/24
     src net 192.168.1.0 mask 255.255.255.0
   Errors:
     1. pcap_compile: Mask syntax for networks only. Use net.
        (raised when "mask" follows anything other than "net", e.g. "host [IP] mask [Subnet Mask]")
     2. pcap_compile: non-network bits set in net 172.16.243.240 mask 255.255.255.0

   What's happening in error 2 is that the network address 172.16.243.240, i.e. 0xAC.0x10.0xF3.0xF0, has bits set that are clear in the network mask 255.255.255.0, i.e. 0xFF.0xFF.0xFF.0x00.

   Try: net 172.16.243.0 mask 255.255.255.0

   If the netmask truly is 255.255.255.0, a network of 172.16.243.0 is the same as a network of 172.16.243.1, which is the same as a network of 172.16.243.2 ... which is the same as a network of 172.16.243.239, of 172.16.243.240, of 172.16.243.241 ... i.e. the network is really 172.16.243.0.

   libpcap is warning you that the network can't possibly be 172.16.243.240 if the netmask is 255.255.255.0, as the hosts on that network could have addresses between 172.16.243.1 and 172.16.243.254.
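As an added example (not part of this list and not libpcap's code), the Python below reproduces the sanity check behind error 2 for both "net" spellings and shows how a "net" primitive decides whether an address belongs to the network. The names parse_net, check_net and net_matches are assumptions made for this example; the check itself is the same one pcap_compile performs, namely that every address bit that is clear in the mask must also be clear in the network.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def parse_net(spec: str):
    """Parse the two 'net' forms from entry 22, 'A.B.C.D/bits' and 'A.B.C.D mask M.M.M.M',
    into (network, mask) as 32-bit integers. Helper written for this example."""
    if " mask " in spec:
        net_str, mask_str = spec.split(" mask ")
        mask = int(ipaddress.IPv4Address(mask_str))
    else:
        net_str, bits = spec.split("/")
        mask = (ALL_ONES << (32 - int(bits))) & ALL_ONES
    return int(ipaddress.IPv4Address(net_str)), mask


def check_net(spec: str):
    """Same sanity check pcap_compile applies: host bits of the network must be zero.
    Returns (ok, corrected_spec) or (False, error_text_with_suggestion)."""
    net, mask = parse_net(spec)
    host_bits = net & ~mask & ALL_ONES
    corrected = f"net {ipaddress.IPv4Address(net & mask)} mask {ipaddress.IPv4Address(mask)}"
    if host_bits:
        return False, f"non-network bits set in net {spec}; try: {corrected}"
    return True, corrected


def net_matches(addr: str, spec: str) -> bool:
    """'net <spec>' test for one address: compare the masked address with the masked network."""
    net, mask = parse_net(spec)
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)


if __name__ == "__main__":
    for spec in ("172.16.243.240 mask 255.255.255.0", "192.168.1.0/24", "10.41.33.3/32"):
        print(spec, "->", check_net(spec))
    print(net_matches("172.16.243.17", "172.16.243.0/24"))   # inside the /24
    print(net_matches("172.16.244.17", "172.16.243.0/24"))   # outside it
```

The first spec in the demo reproduces the page's error text and suggests "net 172.16.243.0 mask 255.255.255.0", the corrected form given above.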

23. By Multicast Address
   Syntax:
     multicast [multicast IP addr]
     multicast [mac addr]
   Examples:
     multicast 224.0.0.0
     multicast 01:00:00:00:00:00
   Comments: In the standard pcap-filter grammar, multicast takes a protocol qualifier and no address: "ether multicast", "ip multicast", "ip6 multicast". An Ethernet multicast (group) address is one whose first octet has its low bit set, e.g. 01:00:5e:..., and an IPv4 multicast destination lies in 224.0.0.0/4.

24. By Broadcast Address
   Syntax:
     broadcast [broadcast IP addr]
     broadcast [broadcast mac addr]
   Examples:
     broadcast broadcastIPaddr
     broadcast FF:FF:FF:FF:FF:FF
   Comments: In the standard pcap-filter grammar, broadcast likewise takes a protocol qualifier and no address: "ether broadcast" (destination ff:ff:ff:ff:ff:ff) and "ip broadcast" (which needs the netmask of the capture interface and so does not work on an interface without one).

25. By IP broadcast or multicast packets
   Description: IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast (the filter jumps to specific byte offsets to verify this).
   Examples: ether[0] \& 1 = 0 and ip[16] \>= 224
   Comments: NOTE: "&" and ">" should be escaped with a backslash (or the whole expression quoted). ether[0] is the first byte of the destination MAC (low bit set means a group address); ip[16] is the first byte of the IPv4 destination address (224 and above covers the multicast range and the 255.255.255.255 limited broadcast).

26. By TCP flags
   Start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host:
     tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet
   All IPv4 HTTP packets to and from port 80, i.e. only packets that carry data (not, for example, SYN, FIN and ACK-only packets):
     "tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)"
   Comments: NOTE: the expression is quoted to prevent the shell from (mis-)interpreting the parentheses. In the second expression ip[2:2] is the IPv4 total length, (ip[0]&0xf)<<2 the IPv4 header length and (tcp[12]&0xf0)>>2 the TCP header length, so the difference is the TCP payload length.
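As an added illustration (not from the original list), the Python below builds a few Ethernet/IPv4/TCP frames and evaluates the byte-offset tests of entries 25 and 26 on them: the ether[0] & 1 / ip[16] >= 224 test, the TCP payload-length arithmetic, and the tcpflags SYN/FIN check. The frame builder, the sample frames and the function names are assumptions made for this example; the offsets follow the IPv4 and TCP header layouts (ip[n] counts from the IPv4 header, tcp[n] from the TCP header).

```python
import struct

TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10
ETH_LEN = 14   # ip[n] is frame byte 14 + n on Ethernet


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip4(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_frame(dst_mac, src_mac, src_ip, dst_ip, flags, payload=b"", sport=40000, dport=80):
    """Constructed Ethernet/IPv4/TCP frame without options; checksums are left zero."""
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                         ip4(src_ip), ip4(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


def tcp_start(frame: bytes) -> int:
    """tcp[n] counts from the TCP header, which follows the IPv4 header (IHL * 4 bytes)."""
    return ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4


def ip_bcast_or_mcast_not_ether(frame: bytes) -> bool:
    """Entry 25: ether[0] & 1 = 0 and ip[16] >= 224
    ether[0] is the first byte of the destination MAC (low bit = group address);
    ip[16] is the first byte of the IPv4 destination address."""
    return (frame[0] & 1) == 0 and frame[ETH_LEN + 16] >= 224


def tcp_payload_len(frame: bytes) -> int:
    """Entry 26: (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)"""
    i, t = ETH_LEN, tcp_start(frame)
    total = struct.unpack("!H", frame[i + 2:i + 4])[0]   # ip[2:2]  total length
    ihl_bytes = (frame[i] & 0x0F) << 2                    # (ip[0]&0xf)<<2  IPv4 header length
    doff_bytes = (frame[t + 12] & 0xF0) >> 2              # (tcp[12]&0xf0)>>2  TCP header length
    return total - ihl_bytes - doff_bytes


def http_data_packet(frame: bytes) -> bool:
    """Entry 26: tcp port 80 and (payload length != 0)"""
    t = tcp_start(frame)
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    return 80 in (sport, dport) and tcp_payload_len(frame) != 0


def syn_or_fin(frame: bytes) -> bool:
    """Entry 26: tcp[tcpflags] & (tcp-syn|tcp-fin) != 0   (tcpflags is tcp[13])"""
    return (frame[tcp_start(frame) + 13] & (TCP_SYN | TCP_FIN)) != 0


# Constructed sample frames (addresses reused from the examples in this list)
SYN = build_frame("a8:86:dd:ab:b3:f5", "ec:a9:40:e5:b7:d0", "192.168.1.10", "25.29.83.222", TCP_SYN)
DATA = build_frame("a8:86:dd:ab:b3:f5", "ec:a9:40:e5:b7:d0", "192.168.1.10", "25.29.83.222",
                   TCP_PSH | TCP_ACK, payload=b"GET / HTTP/1.1\r\n")
ACK_ONLY = build_frame("a8:86:dd:ab:b3:f5", "ec:a9:40:e5:b7:d0", "192.168.1.10", "25.29.83.222", TCP_ACK)
MCAST_IP_UNICAST_ETHER = build_frame("a8:86:dd:ab:b3:f5", "ec:a9:40:e5:b7:d0",
                                     "192.168.1.10", "224.0.0.1", TCP_ACK)

if __name__ == "__main__":
    for name, f in (("SYN", SYN), ("DATA", DATA), ("ACK_ONLY", ACK_ONLY), ("MCAST", MCAST_IP_UNICAST_ETHER)):
        print(f"{name}: syn_or_fin={syn_or_fin(f)} payload={tcp_payload_len(f)} "
              f"http_data={http_data_packet(f)} ip_mcast_not_ether={ip_bcast_or_mcast_not_ether(f)}")
```

Running the block shows why the second expression in entry 26 is needed: the SYN and ACK-only frames have a payload length of 0 and are dropped, while the 16-byte GET request is kept; the MCAST frame, an IPv4 multicast destination carried in a unicast Ethernet frame, is exactly what entry 25 is designed to surface.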

 

 

27. By Gateway
   Syntax:   gateway <hostname>
   Examples: gateway snup
   Comments: The hostname can be retrieved from the /etc/hosts file or by running the "arp" command. NOTE: However, this syntax doesn't work with an IPv6-enabled configuration, hence the search binary doesn't support it for the time being.