"tcp" will match both IPv4 TCP and IPv6 TCP.
"ip6" will match IPv6.
you can chase header chain by using "protochain" instead of "proto"
(but bpf code is not optimizable in this case)
commit to tcpdump will follow.
I've sent this fix to LBL guys to get no response. I wonder why it was.
'ip and ((icmp and dst host 1.1.1.1 and not host 2.2.2.2) or (host 1.1.1.1 and src host 3.3.3.3))'
to compile incorrectly. Details about to be mailed to LBL.
itojun