-.\" @(#) $Header: /tcpdump/master/tcpdump/Attic/tcpdump.1,v 1.92 2001-01-03 17:35:34 mcr Exp $ (LBL)
+.\" @(#) $Header: /tcpdump/master/tcpdump/Attic/tcpdump.1,v 1.93 2001-01-14 05:03:42 guy Exp $ (LBL)
.\"
.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
True if the packet is of ether type \fIprotocol\fR.
\fIProtocol\fP can be a number or one of the names
\fIip\fP, \fIip6\fP, \fIarp\fP, \fIrarp\fP, \fIatalk\fP, \fIaarp\fP,
-\fIdecnet\fP, \fIsca\fP, \fIlat\fP, \fImopdl\fP, \fImoprc\fP, or
-\fIiso\fP.
+\fIdecnet\fP, \fIsca\fP, \fIlat\fP, \fImopdl\fP, \fImoprc\fP,
+\fIiso\fP, or \fIstp\fP.
Note these identifiers are also keywords
and must be escaped via backslash (\\).
-[In the case of FDDI (e.g., `\fBfddi protocol arp\fR'), the
-protocol identification comes from the 802.2 Logical Link Control
-(LLC) header, which is usually layered on top of the FDDI header.
-\fITcpdump\fP assumes, when filtering on the protocol identifier,
-that all FDDI packets include an LLC header, and that the LLC header
-is in so-called SNAP format. The same applies to Token Ring.]
+.IP
+[In the case of FDDI (e.g., `\fBfddi protocol arp\fR') and Token Ring
+(e.g., `\fBtr protocol arp\fR'), for most of those protocols, the
+protocol identification comes from the 802.2 Logical Link Control (LLC)
+header, which is usually layered on top of the FDDI or Token Ring
+header.
+.IP
+When filtering for those protocol identifiers on FDDI or Token Ring,
+\fBtcpdump\fR checks only the protocol ID field of an LLC header in
+so-called SNAP format with an Organizational Unit Identifier (OUI) of
+0x000000, for encapsulated Ethernet; it doesn't check whether the packet
+is in SNAP format with an OUI of 0x000000.
+.IP
+The exceptions are \fIiso\fP, for which it checks the DSAP (Destination
+Service Access Point) and SSAP (Source Service Access Point) fields of
+the LLC header, \fIstp\fP, where it checks the DSAP of the LLC
+header, and \fIatalk\fP, where it checks for a SNAP-format packet with
+an OUI of 0x080007 and the Appletalk etype.
+.IP
+In the case of Ethernet, \fBtcpdump\fR checks the Ethernet type field
+for most of those protocols; the exceptions are \fIiso\fP and \fIsap\fP,
+for which it checks for an 802.3 frame and then checks the LLC header as
+it does for FDDI and Token Ring, \fIatalk\fP, where it checks both for
+the Appletalk etype in an Ethernet frame and for a SNAP-format packet as
+it does for FDDI and Token Ring, and \fIaarp\fP, where it checks for the
+Appletalk ARP etype in either an Ethernet frame or an 802.2 SNAP frame
+with an OUI of 0x000000.]
.IP "\fBdecnet src \fIhost\fR"
True if the DECNET source address is
.IR host ,
.IP "\fBdecnet host \fIhost\fR"
True if either the DECNET source or destination address is
.IR host .
-.IP "\fBip\fR, \fBip6\fR, \fBarp\fR, \fBrarp\fR, \fBatalk\fR, \fBaarp\fR, \fBdecnet\fR, \fBiso\fR"
+.IP "\fBip\fR, \fBip6\fR, \fBarp\fR, \fBrarp\fR, \fBatalk\fR, \fBaarp\fR, \fBdecnet\fR, \fBiso\fR, \fBstp\fR"
Abbreviations for:
.in +.5i
.nf
projects / tcpdump / commitdiff
