Filtering by addresses and ports.

Next: Examples Up: Time to talk about Previous: Filtering by state.

Filtering by addresses and ports.

Option list may contain address/port filter. It is boolean expression which consists of boolean operation or, and, not and predicates. Actually, all the flavors of names for boolean operations are eaten: &, &&, , , !, but do not forget about special sense given to these symbols by unix shells and escape them correctly, when used from command line.

Predicates may be of the folowing kinds:

A. Address/port match, where address is checked against mask and port is either wildcard or exact. It is one of:

$\begin{tscreen} \begin{verbatim}dst prefix:port src prefix:port src unix:STRING src link:protocol:ifindex src nl:channel:pid\end{verbatim} \end{tscreen}$

Both prefix and port may be absent or replaced with *, which means wildcard. UNIX socket use more powerful scheme matching to socket names by shell wildcards. Also, prefixes unix: and link: may be omitted, if address family is evident from context (with option -x or with -f unix or with unix keyword)
F.e.

$\begin{tscreen} \begin{verbatim}dst 10.0.0.1 dst 10.0.0.1: dst 10.0.0.1/32: dst 10.0.0.1:*\end{verbatim} \end{tscreen}$

are equivalent and mean socket connected to any port on host 10.0.0.1

$\begin{tscreen} \begin{verbatim}dst 10.0.0.0/24:22\end{verbatim} \end{tscreen}$

sockets connected to port 22 on network 10.0.0.0...255.
Note that port separated of address with colon, which creates troubles with IPv6 addresses. Generally, we interpret the last colon as splitting port. To allow to give IPv6 addresses, trick like used in IPv6 HTTP URLs may be used:

$\begin{tscreen} \begin{verbatim}dst [::1]\end{verbatim} \end{tscreen}$

are sockets connected to ::1 on any port
Another way is dst ::1128/. / helps to understand that colon is part of IPv6 address.
Now we can add another alias for dst 10.0.0.1: dst [10.0.0.1]. :-)
Address may be a DNS name. In this case all the addresses are looked up (in all the address families, if it is not limited by option -f or special address prefix inet:, inet6) and resulting expression is or over all of them.
B. Port expressions:
$\begin{tscreen} \begin{verbatim}dport >= :1024 dport != :22 sport < :32000\end{verbatim} \end{tscreen}$

etc.
All the relations: , , =, =, =, ==, !=, eq, ge, lt, ne... Use variant which you like more, but not forget to escape special characters when typing them in command line. :-)
Note that port number syntactically coincides to the case A! You may even add an IP address, but it will not participate incomparison, except for == and !=, which are equivalent to corresponding predicates of type A. F.e. dst 10.0.0.1:22 is equivalent to dport eq 10.0.0.1:22 and not dst 10.0.0.1:22 is equivalent to dport neq 10.0.0.1:22
C. Keyword autobound. It matches to sockets bound automatically on local system.

Next: Examples Up: Time to talk about Previous: Filtering by state.