Module bpf 

Pure-Rust tcpdump/libpcap-style BPF expression filter.

Grammar (supported subset)

Reference: https://biot.com/capstats/bpf.html

expr      = or_expr
or_expr   = and_expr  ('or'  and_expr)*
and_expr  = not_expr  ('and' not_expr)*
not_expr  = 'not' not_expr | '(' expr ')' | primitive
primitive = proto_kw ['host'|'net'|'port'|'portrange' …]
          | dir ('host'|'net'|'port'|'portrange') …
          | ('host'|'net'|'port'|'portrange') …
          | 'proto' number
          | 'len' cmp_op number
proto_kw  = 'tcp'|'udp'|'icmp'|'icmp6'|'ip'|'ip6'|'arp'
dir       = 'src' | 'dst' | 'src or dst' | 'src and dst'
cmp_op    = '>' | '<' | '>=' | '<=' | '==' | '!='

Sugar: tcp port 443 expands to tcp and port 443. arp matches non-IP frames (best-effort: any packet with no parsed flow key).

Structs

BpfError

Error returned when a BPF expression cannot be parsed.

Enums

BpfExpr

A compiled BPF expression tree.

CmpOp

Comparison operator used in len expressions.

Dir

Direction qualifier for host / net / port primitives.

Functions

parse

Parse a tcpdump/libpcap-style BPF filter expression into a compiled tree.