Hi, On Sun, Mar 17, 2024 at 7:45 PM <debbug.libpcap...@sideload.33mail.com> wrote: > From the pcap-filter man page: [...] > > tcp, udp, icmp > > Abbreviations for: > > proto \protocol [...] > I was stumped. I could not work out why my usage was syntactically > incorrect. I had to get support from someone who suggested simply > removing “proto”. That worked. But according to the man page my > original attempt should have also worked.
No, the backslash character in the example is significant and you did not provide it. What you were looking for is either 'icmp', 'ip proto 1' or 'ip proto \icmp' which are equivalent. 'proto \icmp' also works but generates support code for IPv6 as well which does not really make sense for ICMP and is likely not what you wanted. -- Romain Francoise <rfranco...@debian.org> https://people.debian.org/~rfrancoise/
