- icmptype (offset of ICMP type field)
- icmpcode (offset of ICMP code field)
- tcpflags (offset of TCP flags field)
and field values:
- icmp-echoreply, icmp-unreach, icmp-sourcequench,
icmp-redirect, icmp-echo, icmp-routeradvert,
icmp-routersolicit, icmp-timxceed, icmp-paramprob,
icmp-tstamp, icmp-tstampreply, icmp-ireq, icmp-ireqreply,
icmp-maskreq, icmp-maskreply
- tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg
This allows expressions like the following:
icmp[0] = 3
(tcp[13] & 0x02) != 0
to be written as:
icmp[icmptype] = icmp-unreach
(tcp[tcpflags] & tcp-syn) != 0
which is a bit more user-friendly, e.g. for writing packet filter rules.
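To make the equivalence concrete, here is an added example (not code from the original message or from libpcap) that resolves the symbolic names to the numbers they stand for and evaluates both forms of the two filters above against constructed IPv4 packets. The values not shown on the page (the remaining TCP flag bits and ICMP type numbers) are the standard RFC 793 / RFC 792 assignments; the packets are built inline and are not real captures.

```python
import struct

# Symbolic field offsets, relative to the start of the protocol header.
FIELD_OFFSETS = {"icmptype": 0, "icmpcode": 1, "tcpflags": 13}

# Symbolic field values: TCP flag bits (RFC 793) and ICMP type numbers (RFC 792).
FIELD_VALUES = {
    "tcp-fin": 0x01, "tcp-syn": 0x02, "tcp-rst": 0x04,
    "tcp-push": 0x08, "tcp-ack": 0x10, "tcp-urg": 0x20,
    "icmp-echoreply": 0, "icmp-unreach": 3, "icmp-sourcequench": 4,
    "icmp-redirect": 5, "icmp-echo": 8, "icmp-routeradvert": 9,
    "icmp-routersolicit": 10, "icmp-timxceed": 11, "icmp-paramprob": 12,
    "icmp-tstamp": 13, "icmp-tstampreply": 14, "icmp-ireq": 15,
    "icmp-ireqreply": 16, "icmp-maskreq": 17, "icmp-maskreply": 18,
}

def resolve(token):
    """Map a symbolic offset/value name to its number; numeric tokens pass through."""
    if token in FIELD_OFFSETS:
        return FIELD_OFFSETS[token]
    if token in FIELD_VALUES:
        return FIELD_VALUES[token]
    return int(token, 0)

def proto_byte(ipv4_packet, proto, index):
    """Return byte `index` of the tcp/icmp header carried in an IPv4 packet,
    or None when the packet carries another protocol (the filter cannot match)."""
    proto_num = {"icmp": 1, "tcp": 6}[proto]
    if ipv4_packet[9] != proto_num:
        return None
    ihl = (ipv4_packet[0] & 0x0F) * 4      # IPv4 header length in bytes
    return ipv4_packet[ihl + index]

def match_eq(packet, proto, offset, value):
    """Evaluate `proto[offset] = value`, e.g. icmp[icmptype] = icmp-unreach."""
    b = proto_byte(packet, proto, resolve(offset))
    return b is not None and b == resolve(value)

def match_flag(packet, proto, offset, mask):
    """Evaluate `(proto[offset] & mask) != 0`, e.g. (tcp[tcpflags] & tcp-syn) != 0."""
    b = proto_byte(packet, proto, resolve(offset))
    return b is not None and (b & resolve(mask)) != 0

# Constructed sample packets (minimal 20-byte IPv4 header + protocol header), not captures.
def ipv4_header(proto_num):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto_num, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

ICMP_UNREACH = ipv4_header(1) + bytes([3, 1, 0, 0, 0, 0, 0, 0])   # type 3, code 1
TCP_SYN = ipv4_header(6) + struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 0x50, 0x02, 0, 0, 0)
```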
"tcp" will match both IPv4 TCP and IPv6 TCP.
"ip6" will match IPv6.
You can chase the header chain by using "protochain" instead of "proto"
(but the BPF code is not optimizable in this case).
Commit to tcpdump will follow.
I've sent this fix to the LBL guys but got no response. I wonder why that was.