I don't understand the difference between these two filters found here:
proto[x:y] & z = z : every bit is set to z when applying mask z to proto[x:y]
proto[x:y] = z : p[x:y] has exactly the bits set to z
Any idea?
With that syntax you can filter the packets bitwise.
For example, consider the first two bytes of an IP frame.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Let's say you want to filter only IP packets with version equal to 4 (indicating IPv4 packets).
You can do something like this:
tcpdump -i ethX 'ip[0:1] & 0xf0 = 0x40'
et voilà, you have built a custom filter digging deeply into the captured frames.
In the two cases you listed, I suppose there's a typo.
I think it should be:
proto[x:y] & z = n : every bit is set to n when applying mask z to proto[x:y]
proto[x:y] = n : p[x:y] has exactly the bits set to n
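As an added illustration (this is not code from the answer above, and it is not tcpdump itself), here is a small Python re-implementation of the two filter forms, run over a few constructed IPv4/IPv6 header byte strings. It shows why `ip[0] & 0xf0 = 0x40` matches every IPv4 packet while `ip[0] = 0x45` only matches IPv4 packets whose IHL is 5 (no options). The function names, the sample headers and the extra `tcp[13]` flag example are my own assumptions for the demo; tcpdump's real semantics of `proto[x:y]` (y bytes at offset x, read in network byte order, y limited to 1, 2 or 4) are what the helper reproduces.

```python
"""Toy evaluator for the tcpdump 'proto[x:y] & z = n' and 'proto[x:y] = n'
filter forms. Added example, not part of the original answer or of tcpdump."""


def field(packet: bytes, x: int, y: int = 1) -> int:
    """Return proto[x:y]: y bytes starting at byte offset x, read big-endian
    (network order), the way tcpdump/BPF does. y may only be 1, 2 or 4."""
    if y not in (1, 2, 4):
        raise ValueError("tcpdump only allows 1-, 2- or 4-byte accesses")
    if x < 0 or x + y > len(packet):
        # tcpdump simply fails to match when the access runs past the packet
        raise ValueError("access past end of packet")
    return int.from_bytes(packet[x:x + y], "big")


def masked_equals(packet: bytes, x: int, y: int, mask: int, value: int) -> bool:
    """proto[x:y] & mask = value: only the bits selected by mask are compared,
    all other bits of the field are ignored."""
    return (field(packet, x, y) & mask) == value


def equals(packet: bytes, x: int, y: int, value: int) -> bool:
    """proto[x:y] = value: every bit of the field must match value exactly."""
    return field(packet, x, y) == value


# Constructed sample data (assumption: only the leading bytes needed here).
IPV4_NO_OPTIONS = bytes([0x45, 0x00, 0x00, 0x54])    # version 4, IHL 5, len 84
IPV4_WITH_OPTIONS = bytes([0x46, 0x00, 0x00, 0x58])  # version 4, IHL 6, len 88
IPV6_HEADER = bytes([0x60, 0x00, 0x00, 0x00])        # version 6
# A constructed TCP header fragment with only byte 13 (flags) meaningful:
# 0x12 = SYN|ACK, 0x02 = SYN alone.
TCP_SYN_ACK = bytes(13) + bytes([0x12])
TCP_SYN = bytes(13) + bytes([0x02])


def classify_ip(packet: bytes) -> dict:
    """Evaluate the filters discussed in the answer against one IP header."""
    return {
        "ip[0] & 0xf0 = 0x40": masked_equals(packet, 0, 1, 0xF0, 0x40),
        "ip[0] = 0x45": equals(packet, 0, 1, 0x45),
        "ip[0] & 0x0f = 5": masked_equals(packet, 0, 1, 0x0F, 5),
        "ip[2:2] (total length)": field(packet, 2, 2),
    }


def tcp_syn_set(packet: bytes) -> bool:
    """tcp[13] & 0x02 != 0: SYN bit set, whatever the other flag bits are."""
    return (field(packet, 13, 1) & 0x02) != 0


def tcp_is_pure_syn(packet: bytes) -> bool:
    """tcp[13] = 0x02: SYN and nothing else (an exact-match filter)."""
    return equals(packet, 13, 1, 0x02)


if __name__ == "__main__":
    for name, pkt in [("IPv4, no options", IPV4_NO_OPTIONS),
                      ("IPv4, with options", IPV4_WITH_OPTIONS),
                      ("IPv6", IPV6_HEADER)]:
        print(name, classify_ip(pkt))
    print("SYN|ACK: syn_set", tcp_syn_set(TCP_SYN_ACK),
          "pure_syn", tcp_is_pure_syn(TCP_SYN_ACK))
```

The practical lesson is the one the answer hints at: use the masked form whenever the byte also carries other fields (version shares a byte with IHL, TCP flags share a byte with each other); the exact-match form silently drops packets whose other bits differ, such as IPv4 packets carrying options.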