2.1 Pcap Tcpdump BNF Grammar
Mark Bednarczyk edited this page Nov 12, 2024 · 1 revision
This page documents the complete Backus-Naur Form (BNF) grammar for TCP filter expressions supported by the JNetRuntime BPF compiler. This grammar is used by the PcapCompiler implementation.
📘 Note: This grammar defines the syntax for PCAP/TCPDump style filter expressions, which can be compiled into BPF bytecode for execution in either JNetRuntime BPF VM or kernel BPF.
<filter-expression> ::= <primitive>
| <primitive> <logical-op> <filter-expression>
| "(" <filter-expression> ")"
| "not" <filter-expression>
<primitive> ::= <protocol-qualifier>
| <protocol-qualifier> <direction> <type> <value>
| <protocol-qualifier> "proto" <proto-name>
| <length-expr>
| <header-expr>
<protocol-qualifier> ::= "ether" ; Ethernet layer
| "fddi" ; FDDI
| "ip" ; IPv4
| "ip6" ; IPv6
| "arp" ; ARP
| "rarp" ; Reverse ARP
| "tcp" ; TCP
| "udp" ; UDP
| "icmp" ; ICMP
| "http" ; HTTP
| "wlan" ; Wireless LAN
| "vlan" ; VLAN
| "mpls" ; MPLS
| "pppoe" ; PPPoE
| "netbeui" ; NetBEUI
| "igmp" ; IGMP
<direction> ::= "src" ; Source
| "dst" ; Destination
| "" ; Either
<type> ::= "host" ; Host address
| "port" ; Port number
| "net" ; Network address
| "portrange" ; Port range
| "protochain" ; Protocol chain
<value> ::= <host-expr> | <port-expr> | <net-expr>
<host-expr> ::= <ipv4-addr> | <ipv6-addr> | <mac-addr> | <hostname>
<ipv4-addr> ::= <octet> "." <octet> "." <octet> "." <octet>
<octet> ::= <digit> | <digit><digit> | "1"<digit><digit>
| "2" ["0"-"4"] <digit> | "25" ["0"-"5"]
<ipv6-addr> ::= <hex4> ":" <hex4> ":" <hex4> ":" <hex4> ":"
<hex4> ":" <hex4> ":" <hex4> ":" <hex4>
| <ipv6-compressed>
<hex4> ::= <hexdigit>{1,4}
<mac-addr> ::= <hexbyte> ":" <hexbyte> ":" <hexbyte> ":"
<hexbyte> ":" <hexbyte> ":" <hexbyte>
<hexbyte> ::= <hexdigit><hexdigit>
<port-expr> ::= <number>
| <service-name>
<net-expr> ::= <ipv4-addr> "/" <cidr-length>
| <ipv4-addr> "mask" <ipv4-addr>
| <ipv6-addr> "/" <cidr6-length>
<length-expr> ::= "len" <relop> <number>
| "greater" <number>
| "less" <number>
<header-expr> ::= <proto> "[" <offset> ":" <size> "]" <relop> <number>
| <proto> "[" <offset> "]" "&" <number> <relop> <number>
<proto> ::= "ip" | "ip6" | "arp" | "tcp" | "udp" | "icmp"
<offset> ::= <number>
<size> ::= <number>
<logical-op> ::= "and" | "or" | "&&" | "||"
<relop> ::= ">" | "<" | ">=" | "<=" | "=" | "==" | "!="
<proto-name> ::= "ip" | "ip6" | "arp" | "rarp" | "tcp" | "udp" | "icmp"
| "http" | "ftp" | "ssh" | "telnet" | <number>
<service-name> ::= "http" | "https" | "ftp" | "ssh" | "telnet" | "smtp"
| "pop3" | "imap" | "dns" | "dhcp" | <number>
<cidr-length> ::= "0".."32"
<cidr6-length> ::= "0".."128"
<number> ::= <digit>+
<digit> ::= "0".."9"
<hexdigit> ::= "0".."9" | "a".."f" | "A".."F"
<hostname> ::= <letter> (<letter> | <digit> | "-")*
<letter> ::= "a".."z" | "A".."Z"
<flag-expr> ::= <proto> "[" <flag-offset> "]" "&" <flag-mask> <relop> <flag-value>
<tcp-flag-expr> ::= "tcp[tcpflags]" "&" <tcp-flag-mask> <relop> <tcp-flag-value>
<tcp-flag-mask> ::= "tcp-fin" | "tcp-syn" | "tcp-rst" | "tcp-push"
| "tcp-ack" | "tcp-urg"
| <number>
<vlan-expr> ::= "vlan" <number>
| "vlan" <relop> <number>
<mpls-expr> ::= "mpls" <number>
| "mpls" <relop> <number>
<broadcast-expr> ::= <protocol-qualifier> "broadcast"
<multicast-expr> ::= <protocol-qualifier> "multicast"
<type-expr> ::= "type" <ether-type>
<ether-type> ::= "ip" | "ip6" | "arp" | "rarp" | "atalk" | "aarp"
| "decnet" | "sca" | "lat" | "mopdl" | "moprc" | "iso"
| <number>
<subtype-expr> ::= "subtype" <number>
<ip-proto-number> ::= "1" ; ICMP
| "6" ; TCP
| "17" ; UDP
| "47" ; GRE
| "50" ; ESP
| "51" ; AH
| <number>
<tcp-port-number> ::= "20" ; FTP-DATA
| "21" ; FTP
| "22" ; SSH
| "23" ; TELNET
| "25" ; SMTP
| "53" ; DNS
| "80" ; HTTP
| "443" ; HTTPS
| <number>
Here are some valid expressions that conform to this grammar:
# Basic protocol filtering
tcp
ip6 and tcp
# Port filtering
tcp port 80
tcp dst port 443
# Host filtering
ip host 192.168.1.1
ip6 host 2001:db8::1
# Combined expressions
tcp port 80 and not broadcast
ip host 192.168.1.1 and (tcp port 80 or port 443)
# Packet length
greater 64 and ip proto tcp
less 1500 and not tcp
# Header field access
tcp[tcpflags] & tcp-syn != 0
ip[2:2] > 576
# VLAN and broadcast
vlan 100 and ip multicast
vlan and broadcast
Operators are evaluated in the following order (highest to lowest):
- [ ] : Array subscript
- ( ) : Grouping
- not : Negation
- and, && : Logical AND
- or, || : Logical OR