Filter Expressions - LibtraceTeam/libtrace GitHub Wiki
Some BPF filter expressions that might be useful:
## Broadcast or multicast IP packets that did not use an Ethernet broadcast/multicast address

`'ether[0] & 1 == 0 and ip[16] >= 224'`

The `ether[0] & 1` test looks at the group bit of the destination MAC, so this matches frames sent to a unicast MAC. The `ip[16] >= 224` test keys on the first octet of the destination IP address, so it catches multicast (224.0.0.0/4) and the limited broadcast 255.255.255.255, but not subnet-directed broadcasts such as 192.168.1.255.
## Non Echo-Request/Echo-Reply ICMP packets

`'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'`
## TCP SYN packets

`'tcp[13] & 2 == 2'`

`'tcp[13] == 2'`

`'tcp[tcpflags] & tcp-syn != 0'`

The first and third forms match any segment with the SYN flag set, including SYN-ACKs. The second requires SYN to be the only flag set in `tcp[13]`, so it selects bare connection requests; note that a SYN that negotiates ECN also sets ECE and CWR and therefore fails the exact-equality test.
## DNS related

The DNS header follows the 8-byte UDP header, so `udp[10]` and `udp[11]` are the two flag bytes of the DNS header: bit 0x80 of `udp[10]` is QR (0 = query, 1 = response), bit 0x02 of `udp[10]` is TC (truncated), and the low four bits of `udp[11]` are the RCODE. These tests only see DNS over UDP; DNS over TCP also matches `port 53` but is never matched by a `udp[...]` test.

### Queries

`'port 53 and udp[10]&0x80==0x00'`

### Responses

`'port 53 and udp[10]&0x80!=0x00'`

### Successful replies (RCODE=NoError)

`'port 53 and udp[10]&0x80!=0 and udp[11]&15==0'`

### Format Error (RCODE=FormErr)

`'port 53 and udp[10]&0x80!=0 and udp[11]&15==1'`

### Server failure (RCODE=ServFail)

`'port 53 and udp[10]&0x80!=0 and udp[11]&15==2'`

### Name Error (RCODE=NXDOMAIN)

`'port 53 and udp[10]&0x80!=0 and udp[11]&15==3'`

### Not implemented (RCODE=NotImp)

`'port 53 and udp[10]&0x80!=0 and udp[11]&15==4'`

### Refused (RCODE=Refused)

`'port 53 and udp[10]&0x80!=0 and udp[11]&15==5'`

### Truncated reply (requiring a resend via TCP)

`'port 53 and udp[10]&0x02!=0'`
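All of the DNS filters above key on the same two bytes of the DNS header. The following Python is an added illustration, not part of the libtrace wiki or the libtrace code base: it builds constructed UDP datagrams carrying a bare 12-byte DNS header, then applies the same byte offsets and masks the BPF expressions use, so you can see which flag each test selects. The helper names (`build_udp_datagram`, `udp`, `classify`) are invented for this example; the RCODE names are the RFC 1035 values.

```python
import struct

# BPF's udp[N] indexes from the start of the UDP header, which is 8 bytes long,
# so udp[10] and udp[11] are bytes 2 and 3 of the DNS header (the flag bytes).
UDP_HEADER_LEN = 8

# RCODE names from RFC 1035, keyed by the low nibble of udp[11].
RCODE_NAMES = {
    0: "NoError", 1: "FormErr", 2: "ServFail",
    3: "NXDOMAIN", 4: "NotImp", 5: "Refused",
}


def build_udp_datagram(sport, dport, qr, tc, rcode, txid=0x1234):
    """Construct a UDP datagram (header + 12-byte DNS header) with the given
    QR, TC and RCODE bits. Constructed sample data, not captured traffic."""
    # DNS flags word: QR is bit 15, TC is bit 9, RCODE is the low four bits.
    flags = (qr << 15) | (tc << 9) | (rcode & 0xF)
    dns_header = struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)
    length = UDP_HEADER_LEN + len(dns_header)
    udp_header = struct.pack("!HHHH", sport, dport, length, 0)  # checksum 0
    return udp_header + dns_header


def udp(datagram, index):
    """Mirror the BPF udp[index] accessor: byte at `index` from the UDP header."""
    return datagram[index]


def is_dns_port(datagram):
    """Equivalent of the 'port 53' term: either UDP port is 53."""
    sport, dport = struct.unpack("!HH", datagram[:4])
    return 53 in (sport, dport)


def classify(datagram):
    """Apply the same tests as the DNS filters above. Returns None when the
    'port 53' term does not match, otherwise a dict of the decoded flags."""
    if not is_dns_port(datagram):
        return None
    response = udp(datagram, 10) & 0x80 != 0   # QR bit: udp[10]&0x80
    truncated = udp(datagram, 10) & 0x02 != 0  # TC bit: udp[10]&0x02
    rcode = udp(datagram, 11) & 15             # RCODE:  udp[11]&15
    return {
        "query": not response,
        "response": response,
        # RCODE is only meaningful in a response, just as the filters pair
        # udp[11]&15 with udp[10]&0x80!=0.
        "rcode": RCODE_NAMES.get(rcode, f"rcode-{rcode}") if response else None,
        "truncated": truncated,
    }


if __name__ == "__main__":
    samples = {
        "query": build_udp_datagram(40000, 53, qr=0, tc=0, rcode=0),
        "nxdomain": build_udp_datagram(53, 40000, qr=1, tc=0, rcode=3),
        "truncated": build_udp_datagram(53, 40000, qr=1, tc=1, rcode=0),
        "not-dns": build_udp_datagram(1000, 2000, qr=1, tc=0, rcode=0),
    }
    for name, dgram in samples.items():
        print(f"{name:10s} udp[10]=0x{udp(dgram, 10):02x} "
              f"udp[11]=0x{udp(dgram, 11):02x} -> {classify(dgram)}")
```

Running the script prints the two flag bytes next to the decoded result for each constructed datagram, which makes it easy to check a new filter against the header layout before running it on a real trace.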