pcaplibpcapbpf
libpcap "dir" filter: what do the options mean?
In the man page of pcap-filter https://www.tcpdump.org/manpages/pcap-filter.7.html, it mentions the "dir" primitive:
dir direction
True if the IEEE 802.11 frame direction matches the specified direction. Valid directions are: nods, tods, fromds, dstods, or a numeric value.
My question is: what do these valid directions mean respectively?
Solution
The IEEE 802.11 frame has 2 bits called "From DS" and "To DS". DS stands for Distribution System, which if understand correctly would be a wireless access point.
Directions have the following meaning:
| Direction | From DS | To DS |
|---|---|---|
| nods | 0 | 0 |
| tods | 0 | 1 |
| fromds | 1 | 0 |
| dstods | 1 | 1 |