======
https://biot.com/capstats/bpf.html
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_forensics_bpf.html
arp,ether,fddi,icmp,ip,ip6,link,ppp,radio,rarp,slip,tcp,tr,udp,wlan
!=
{&&|and}
{|| | or}
BPF expressions can also be written in terms of their primitives (protocol qualifiers and proto[offset:size] byte tests instead of keywords). Several examples follow.
proto 1
ip[9] = 0x1
icmp[0] = 0x08
icmp[icmptype] != icmp-echo
ip host <ip-addr>
host 10.0.0.1 and host 10.0.0.2
host host1 and ( host2 or host3 )
dst net <ip-subnet-CIDR>
src host <ip-addr>
tcp[2:2] < 0x14
tcp dst port 80 or 8080
tcp port 80
ip[9] = 0x11
udp dst port not 53
src portrange 80-88
ether {src|dst} <mac-addr>
vlan 100
ip[6:2] & 0x3fff != 0x0000
ip[0] & 0xf0 != 0x40 (version nibble is the high four bits of ip[0], so IPv4 masks to 0x40, not 4; comparing with 4 matches every packet)
ip6
tcp[13] & 0x02 = 2 (SYN set; the TCP flags byte is tcp[13], whereas ip[13] is the second octet of the source address)
tcp-syn
tcp-fin
tcp[13] & 0x3f = 0x03 (SYN and FIN both set with no other flags, an illegal combination; again tcp[13], not ip[13])
tcp[13] & 16 != 0
tcp[13] & 32 != 0
tcp[13] & 8 != 0
tcp[13] & 4 != 0
tcp[13] & 2 != 0
tcp[13] & 1 != 0
tcp[13] = 24
{ip|ip6} tcp tcp-{ack|fin|syn|rst|push|urg|
ip[2:2] > 0x86
tcp[13] & 0x02 = 2 and ip[2:2] > <hex-size> and ip[0] & 0xF0 != 0x40 (SYN set, total length above <hex-size>, version nibble not 4)
ip[1] != 0
ifname <interface>
on <interface>
vpi <n> (where n is a path identifier)
llc
https://yaleman.org/2013/09/11/berkeley-packet-filter-bpf-syntax/
sudo tcpdump -A -n 'tcp[13] = 24' -r input.pcap
net 10.1.1.0/24 (host bits must be zero; tcpdump rejects 10.1.1.1/24 with "non-network bits set")
tcp port 21 (BPF form; tcp.port==21 is Wireshark display-filter syntax and is not accepted by tcpdump or other BPF consumers)
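The byte-offset primitives above (tcp[13] flag tests, ip[6:2] fragment test, ip[0] version test, ip[2:2] length test) are easy to get wrong because the offset is relative to the header named by the qualifier, not to the start of the packet. The following is an added example, not code from the linked cheat sheets, tcpdump or libpcap: a small evaluator for expressions of the form proto[offset:size] & mask OP value, run over IPv4 packets constructed inline (no Ethernet header, as in a raw-IP capture). It assumes the names eval_filter, eval_primitive, ipv4_packet and tcp_segment, which are this example's own; it supports only the comparison operators and 'and', not the named constants (tcp-syn, icmp-echo), 'or', 'not' or parentheses.

```python
"""Added example (not code from the linked cheat sheets, tcpdump or libpcap):
a small evaluator for the byte-offset form of BPF primitives,
    proto[offset:size] & mask OP value
run over hand-built IPv4 packets so the offsets in the notes can be checked
without a capture.  Offsets follow pcap-filter(7): ip[n] counts from the start
of the IPv4 header, tcp[n]/udp[n]/icmp[n] from the start of the transport
header (IHL*4 bytes in).  Sample packets are constructed, not captured."""
import re
import struct

PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}

_PRIM = re.compile(
    r"^\s*(ip|tcp|udp|icmp)\[(\d+)(?::(\d))?\]\s*"      # proto[off] or proto[off:size]
    r"(?:&\s*(0x[0-9a-fA-F]+|\d+)\s*)?"                 # optional '& mask'
    r"(!=|<=|>=|=|<|>)\s*(0x[0-9a-fA-F]+|\d+)\s*$")      # comparison and value


def _header_base(pkt, proto):
    """Byte offset where proto[0] starts, or None if the qualifier cannot match."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return None                      # not an IPv4 packet
    if proto == "ip":
        return 0
    if pkt[9] != PROTO_NUM[proto]:
        return None                      # e.g. tcp[...] on a UDP datagram
    return (pkt[0] & 0x0F) * 4           # IHL is in 32-bit words


def eval_primitive(expr, pkt):
    """Evaluate one proto[off:size] & mask OP value primitive against pkt."""
    m = _PRIM.match(expr)
    if not m:
        raise ValueError("unsupported primitive: %r" % expr)
    proto, off, size, mask, op, val = m.groups()
    off, size = int(off), int(size or 1)
    base = _header_base(pkt, proto)
    if base is None or base + off + size > len(pkt):
        return False                     # out-of-range load fails the filter, as in BPF
    field = int.from_bytes(pkt[base + off:base + off + size], "big")
    if mask:
        field &= int(mask, 0)
    rhs = int(val, 0)
    return {"=": field == rhs, "!=": field != rhs, "<": field < rhs,
            ">": field > rhs, "<=": field <= rhs, ">=": field >= rhs}[op]


def eval_filter(expr, pkt):
    """Evaluate primitives joined by 'and' (no 'or', 'not' or parentheses)."""
    return all(eval_primitive(p, pkt) for p in re.split(r"\s+and\s+", expr.strip()))


# --- constructed sample packets (not captured traffic) ---------------------
def ipv4_packet(proto, payload, src=(10, 0, 0, 1), dst=(10, 0, 0, 2),
                tos=0, flags_frag=0x4000):
    """20-byte IPv4 header (IHL=5, no options, checksum left 0) + payload.
    flags_frag is the 16-bit flags/fragment-offset word: 0x4000 = DF set."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, tos, 20 + len(payload),
                      0x1234, flags_frag, 64, proto, 0, bytes(src), bytes(dst))
    return hdr + payload


def tcp_segment(sport, dport, flags, payload=b""):
    """20-byte TCP header (data offset 5); the flags byte lands at tcp[13]."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       65535, 0, 0) + payload


SYN       = ipv4_packet(6, tcp_segment(40000, 80, 0x02))
SYN_FIN   = ipv4_packet(6, tcp_segment(40000, 80, 0x03))      # illegal flag combination
PUSH_ACK  = ipv4_packet(6, tcp_segment(80, 40000, 0x18, b"HTTP/1.1 200 OK\r\n"))
FRAG      = ipv4_packet(17, struct.pack("!HHHH", 53, 53, 8, 0),
                        flags_frag=0x2000)                     # MF set, offset 0
ICMP_ECHO = ipv4_packet(1, bytes([8, 0, 0, 0, 0, 1, 0, 1]))    # type 8 (echo request)

if __name__ == "__main__":
    for label, expr, pkt in [
        ("SYN flag via tcp[13]",        "tcp[13] & 0x02 = 2",             SYN),
        ("same test on ip[13] (wrong)", "ip[13] & 0x02 = 2",              SYN),
        ("PSH+ACK exactly",             "tcp[13] = 24",                   PUSH_ACK),
        ("SYN+FIN",                     "tcp[13] & 0x3f = 0x03",          SYN_FIN),
        ("fragment",                    "ip[6:2] & 0x3fff != 0x0000",     FRAG),
        ("DF alone is not a fragment",  "ip[6:2] & 0x3fff != 0x0000",     SYN),
        ("version != 4, buggy form",    "ip[0] & 0xf0 != 4",              SYN),
        ("version == 4, correct form",  "ip[0] & 0xf0 = 0x40",            SYN),
        ("ICMP echo request",           "ip[9] = 0x1 and icmp[0] = 0x08", ICMP_ECHO),
    ]:
        print("%-30s %-32s %s" % (label, expr, eval_filter(expr, pkt)))
```

Running it shows the two corrections made to the notes: the ip[13] form never sees the TCP flags (it reads the second octet of the source address), and `ip[0] & 0xf0 != 4` is true for every IPv4 packet because the masked value is 0x40. It also shows that a packet with only DF set is not selected by the fragment test, since 0x3fff masks DF out.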