| 1 | initial version |
I tried some of the protocols in your list with both the form <protocol-name> and ip proto <protocol-name>. It seems that they are mutually exclusive. Looking at the BPF manpage, it turns out you need to escape the protocol names that also exist as a proto qualifier with a backslash:
ip proto protocol
True if the packet is an IPv4 packet of protocol type protocol. For this primitive it does not matter whether the IPv4 packet is fragmented or not. Protocol can be a number or one of the names recognized by getprotobyname(3), for example: ah, esp, eigrp (only in Linux with glibc, FreeBSD, NetBSD, DragonFly BSD, macOS, and QNX), icmp, igmp, igrp (only in Haiku and OpenBSD), pim, sctp, tcp, udp or vrrp. Note that most of these example identifiers are also keywords and must be escaped via backslash (\). Note that this primitive does not chase the protocol header chain.
So ip proto \icmp does indeed work. As does ip proto \l2tp.
When doing this in a terminal window on the CLI, the shell might also eat up the \, so you might need to escape the \ with a \ resulting in ip proto \\icmp or use single quotes (ip proto '\l2tp') to prevent the escaping by the shell.
| 2 | No.2 Revision |
I tried some of the protocols in your list with both the form <protocol-name> and ip proto <protocol-name>. It seems that they are mutually exclusive. Looking at the BPF manpage, it turns out you need to escape the protocol names that also exist as a proto qualifier with a backslash:
ip proto protocol
True if the packet is an IPv4 packet of protocol type protocol. For this primitive it does not matter whether the IPv4 packet is fragmented or not. Protocol can be a number or one of the names recognized by getprotobyname(3), for example: ah, esp, eigrp (only in Linux with glibc, FreeBSD, NetBSD, DragonFly BSD, macOS, and QNX), icmp, igmp, igrp (only in Haiku and OpenBSD), pim, sctp, tcp, udp or vrrp. Note that most of these example identifiers are also keywords and must be escaped via backslash (\). Note that this primitive does not chase the protocol header chain.
So ip proto \icmp does indeed work. As does ip proto \l2tp.
When doing this in a terminal window on the CLI, the shell might also eat up the \, so you might need to escape the \ with a \ resulting in ip proto \\icmp or use single quotes (ip proto '\l2tp') to prevent the escaping by the shell.
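The two escaping layers described in the answer (the BPF backslash for keyword/name collisions, and the shell quoting around it) as an added example; this is illustrative code, not from the answer or from tcpdump/Wireshark, and the function names and the tcpdump command line are my own choices. It always backslash-escapes names (harmless for non-keywords such as l2tp) and rejects anything that is not a plain number or identifier, which matters when filters are assembled from external input.

```python
import re
import shlex

# pcap-filter identifiers: a letter followed by letters, digits, '_' or '-'
# (covers names such as icmp, l2tp, ipv6-icmp). Constructed for this example.
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")


def is_safe_protocol_name(name):
    """True if name is a bare protocol identifier with no filter syntax in it."""
    return isinstance(name, str) and _NAME_RE.match(name) is not None


def ip_proto_primitive(proto):
    """Return an 'ip proto' primitive for a protocol number or name.

    Names are always escaped with a backslash so that those which are also
    pcap-filter keywords (icmp, tcp, udp, ...) are parsed as protocol names
    rather than as qualifiers. Numbers are passed through after a range check.
    """
    if isinstance(proto, int):
        if not 0 <= proto <= 255:
            raise ValueError("IP protocol number must be in 0..255")
        return f"ip proto {proto}"
    if not is_safe_protocol_name(proto):
        # Spaces, parentheses, 'or', etc. would change the filter's meaning.
        raise ValueError(f"invalid protocol name: {proto!r}")
    return f"ip proto \\{proto}"


def shell_argument(filter_expr):
    """Quote the filter so a POSIX shell hands it to tcpdump byte-for-byte.

    shlex.quote wraps it in single quotes because of the backslash and spaces,
    which is exactly the (ip proto '\\l2tp') form from the answer.
    """
    return shlex.quote(filter_expr)


def tcpdump_command(*protos):
    """Build a tcpdump command matching any of the given protocols."""
    expr = " or ".join(ip_proto_primitive(p) for p in protos)
    return f"tcpdump -n {shell_argument(expr)}"


if __name__ == "__main__":
    print(tcpdump_command("icmp", "l2tp", 50))
```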