Question

I don't understand the difference between these two filters found here:

proto[x:y] & z = z  : every bit is set to z when applying mask z to proto[x:y]
proto[x:y] = z      : p[x:y] has exactly the bits set to z

Any idea?


Solution

With that syntax you can filter the packets bitwise.

For example, consider the first two bytes of an IP frame.

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Let's say you want to filter only ip packets with version equal to 4 (indicating IPv4 packets).

You can do something like this

tcpdump -i ethX 'ip[0:1] & 0xf0 = 0x40'
  • ip[0:1] means "extract 1 byte from offset zero of the IP frame"
  • & 0xf0 filters out the IHL bits of the first byte
  • = 0x40 will match only if the version bits contain the number 4

et voilà, you built a custom filter digging deeply into the captured frames.

In the two cases you listed, I suppose there's a typo.

I think it should be:

proto[x:y] & z = n   : every bit is set to n when applying mask z to proto[x:y]
proto[x:y] = n       : p[x:y] has exactly the bits set to n
Licensed under: CC-BY-SA with attribution