[Winpcap-users] Filtering expression syntax
Guy Harris
guy at alum.mit.edu
Wed Oct 1 05:18:48 GMT 2008
On Sep 30, 2008, at 9:18 AM, Ziara . wrote:
> I'm using filtering expression syntax. And I was wondering why, if I
> write "ip proto icmp" in:
>
> pcap_compile(adhandle, &fcode, "ip proto icmp", 1, netmask)
>
> it is an invalid expression syntax.
Because, to quote the tcpdump man page:
     ip proto protocol
          True if the packet is an IPv4 packet (see ip(4P)) of protocol
          type protocol.  Protocol can be a number or one of the names
          icmp, icmp6, igmp, igrp, pim, ah, esp, vrrp, udp, or tcp.
          Note that the identifiers tcp, udp, and icmp are also keywords
          and must be escaped via backslash (\) ...
The last sentence is the key - you'd need
pcap_compile(adhandle, &fcode, "ip proto \\icmp", 1, netmask)
("\\" because, in C strings, "\" is an escape character, so "\icmp"
would be "\i" followed by "cmp" - you need to escape the escape
character).
> Which one is the correct form to filter icmp packets?
"icmp", as per Gianluca's mail. "icmp", "ip and icmp", and "ip proto \\icmp"
all generate the same filter, which checks for IPv4's ICMP (to check for
ICMPv6, use "icmp6").