@@ -108,73 +108,79 @@ PRIMITIVES
108108 for Ethernet-like link-layer types is equivalent to
109109 ether proto \ip and ip src host hostnameaddr
110110
111- hostnameaddr may be either an address or a name. If it is a
112- name, the name must resolve to at least one IPv4 address for arp
113- host, ip host and rarp host, at least one IPv6 address for ip6
114- host and at least one IPv4/IPv6 address for host.
115-
116- When not qualified with a protocol, this primitive matches all
111+ hostnameaddr may be either an address or a name. If it is an
112+ IPv6 address, it may use both the zero compression (::) and the
113+ IPv4-mapped (x:x:x:x:x:x:d.d.d.d) notations as discussed in
114+ inet_pton(3). If it is a name, the name must resolve to at
115+ least one IPv4 address for arp host, ip host and rarp host, at
116+ least one IPv6 address for ip6 host and at least one IPv4/IPv6
117+ address for host.
118+
119+ When not qualified with a protocol, this primitive matches all
117120 protocols that make sense for the address families of the speci-
118- fied/resolved addresses. For example, for a name that resolves
119- only to an IPv6 address arp host returns an error, but host is
121+ fied/resolved addresses. For example, for a name that resolves
122+ only to an IPv6 address arp host returns an error, but host is
120123 valid and means IPv6; likewise, for a name that resolves only to
121124 an IPv4 address ip6 host returns an error, but host is valid and
122125 means ARP/IPv4/RARP.
123126
124- Whether qualified with a protocol or not, this primitive evalu-
125- ates to true if the name resolves to more than one address and
127+ Whether qualified with a protocol or not, this primitive evalu-
128+ ates to true if the name resolves to more than one address and
126129 at least one of the addresses matches the packet.
127130
128131 ether host ethernameaddr
129- True if the source or the destination Ethernet/802.11/IPFC/ATM
130- LANE/FDDI/Token Ring address of the packet is ethernameaddr.
131- May be qualified with a different direction (src, dst, src and
132+ True if the source or the destination Ethernet/802.11/IPFC/ATM
133+ LANE/FDDI/Token Ring address of the packet is ethernameaddr.
134+ May be qualified with a different direction (src, dst, src and
132135 dst), in which case the host keyword is optional.
133136
134137 ethernameaddr may be either a name from /etc/ethers or a numeri-
135- cal MAC address of the form "xx:xx:xx:xx:xx:xx",
138+ cal MAC address of the form "xx:xx:xx:xx:xx:xx",
136139 "xx.xx.xx.xx.xx.xx", "xx-xx-xx-xx-xx-xx", "xxxx.xxxx.xxxx" or
137- "xxxxxxxxxxxx", where each "x" is a hex digit (0-9, a-f, or A-
140+ "xxxxxxxxxxxx", where each "x" is a hex digit (0-9, a-f, or A-
138141 F).
139142
140143 gateway host
141- True if the packet used host as a gateway. I.e., the source or
142- the destination Ethernet-like address is host but neither the
143- source nor the destination ARP/IPv4/RARP address is host. This
144- primitive is valid only for the same link-layer types as the
145- ether host primitive above. May be qualified with a specific
144+ True if the packet used host as a gateway. I.e., the source or
145+ the destination Ethernet-like address is host but neither the
146+ source nor the destination ARP/IPv4/RARP address is host. This
147+ primitive is valid only for the same link-layer types as the
148+ ether host primitive above. May be qualified with a specific
146149 protocol (arp, ip, rarp). For example,
147150 ip gateway host
148151 is equivalent to
149152 ether host ethernameaddr and not ip host hostnameaddr
150- which can be used with either names or numbers for hostnameaddr
153+ which can be used with either names or numbers for hostnameaddr
151154 and ethernameaddr.
152155
153- Host must be a name and must be found both by the machine's
154- host-name-to-IP-address resolution mechanisms (host name file,
155- DNS, NIS, etc.) and by the machine's host-name-to-Ethernet-ad-
156+ Host must be a name and must be found both by the machine's
157+ host-name-to-IP-address resolution mechanisms (host name file,
158+ DNS, NIS, etc.) and by the machine's host-name-to-Ethernet-ad-
156159 dress resolution mechanism (/etc/ethers, etc.).
157160
158161 net netnameaddr
159162 True if the source or the destination ARP/IPv4/IPv6/RARP address
160- of the packet belongs to the specified network. May be quali-
163+ of the packet belongs to the specified network. May be quali-
161164 fied with a specific protocol (arp, ip, ip6, rarp) and/or a dif-
162165 ferent direction (src, dst, src and dst), in the latter case the
163166 net keyword remains mandatory. netnameaddr may be either a name
164- from the networks database (/etc/networks, etc.) or a network
167+ from the networks database (/etc/networks, etc.) or a network
165168 number.
166169
167- An IPv4 network number can be written as a dotted quad (e.g.,
170+ An IPv4 network number can be written as a dotted quad (e.g.,
168171 192.168.1.0), dotted triple (e.g., 192.168.1), dotted pair (e.g,
169- 172.16), or single number (e.g., 10); the netmask is
170- 255.255.255.255 (/32) for a dotted quad (which means that it's
171- really a host match), 255.255.255.0 (/24) for a dotted triple,
172- 255.255.0.0 (/16) for a dotted pair, or 255.0.0.0 (/8) for a
173- single number. An IPv6 network number must be written out
174- fully; the netmask is ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
175- (/128), so in this primitive IPv6 "network" matches are really
176- always host matches. For an actual IPv6 network match see the
177- `net netaddr/len' primitive below.
172+ 172.16), or single number (e.g., 10); the netmask is
173+ 255.255.255.255 (/32) for a dotted quad (which means that it's
174+ really a host match), 255.255.255.0 (/24) for a dotted triple,
175+ 255.255.0.0 (/16) for a dotted pair, or 255.0.0.0 (/8) for a
176+ single number.
177+
178+ An IPv6 network number is an IPv6 address as discussed for the
179+ host primitive above; the implicit netmask is
180+ ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff (/128), so in this prim-
181+ itive IPv6 "network" matches are really always host matches.
182+ For an actual IPv6 network match see the `net netaddr/len' prim-
183+ itive below.
178184
179185 net netaddr mask netmask
180186 True if the source or the destination ARP/IPv4/RARP address of
@@ -208,13 +214,11 @@ PRIMITIVES
208214 For IPv4, len is an integer between 0 and 32 (both inclusive)
209215 and netaddr is the same as the above. For IPv6, len is an inte-
210216 ger between 0 and 128 (both inclusive) and netaddr is an IPv6
211- address. For the latter zero compression notation (::) is
212- valid, but IPv4-mapped notation (x:x:x:x:x:x:d.d.d.d) is not.
213- For both IPv4 and IPv6 the maximum value of len is equivalent to
214- a host match and the 0 value (which implies an all-zeroes value
215- of netaddr) matches any address. In the latter case this primi-
216- tive reduces to matching the specified (or implied) protocols
217- only.
217+ address as discussed for the host primitive above. For both
218+ IPv4 and IPv6 the maximum value of len is equivalent to a host
219+ match and the 0 value (which implies an all-zeroes value of ne-
220+ taddr) matches any address. In the latter case this primitive
221+ reduces to matching the specified (or implied) protocols only.
218222
219223 port portnamenum
220224 True if the source or the destination TCP/UDP/SCTP port of an
@@ -1173,4 +1177,4 @@ BUGS
11731177 and may incorrectly match packets that have a different combination of
11741178 protocol and hardware.
11751179
1176- 9 October 2025 PCAP-FILTER(7)
1180+ 18 October 2025 PCAP-FILTER(7)
0 commit comments