author: Denis Ovsienko <denis@ovsienko.info> 2020-09-02 16:15:47 +0100
committer: Denis Ovsienko <denis@ovsienko.info> 2020-09-03 00:38:01 +0100
commit: 5bf4977df9ad36621a8959a19eb8321867947b15
tree: 2c12c4fb41697c7d57a3125c608fc08577bd324e /pcap-filter.manmisc.in
parent: d3453797df59c61435c9696d609a650c3bad5f00
Make assorted fixups in pcap-filter(7). [skip ci]
Make more man page references BSD style. Spell more protocol names within prose. Fix more letter case and a few typos. Move a period out of a quoted string. Tell equivalents for "and", "or" and "not" at the top of the page too. Spell "\protocol" instead of "\p", which was easy to misread as "lp" or "Ip" with some fonts. Mention "vlan_id", "label_num" and "vni" as optional and omit the square brackets within prose so they do not look like a part of the syntax. In a few cases keywords were called expressions, put that right. Correct some example filter expressions so the reader can try them exactly as shown: escape with backslash all identifiers that are keywords, lose backslashes before parentheses (these are specific only to command line invocation of tcpdump), lose a trailing period at the end of a filter expression.
Diffstat (limited to 'pcap-filter.manmisc.in')
-rw-r--r-- pcap-filter.manmisc.in 81
1 files changed, 41 insertions, 40 deletions
diff --git a/pcap-filter.manmisc.in b/pcap-filter.manmisc.in
index aee6b9e3..ba8dde5f 100644
--- a/pcap-filter.manmisc.in
+++ b/pcap-filter.manmisc.in
@@ -18,7 +18,7 @@
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
-.TH PCAP-FILTER @MAN_MISC_INFO@ "28 August 2020"
+.TH PCAP-FILTER @MAN_MISC_INFO@ "2 September 2020"
.SH NAME
pcap-filter \- packet filter syntax
.br
@@ -114,7 +114,7 @@ arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
.LP
[`fddi' is actually an alias for `ether'; the parser treats them
identically as meaning ``the data link level used on the specified
-network interface.'' FDDI headers contain Ethernet-like source
+network interface''. FDDI headers contain Ethernet-like source
and destination addresses, and often contain Ethernet-like packet
types, so you can filter on these FDDI fields just as with the
analogous Ethernet fields.
@@ -141,6 +141,7 @@ More complex filter expressions are built up by using the words
.B or
and
.B not
+(or equivalently: `\fB&&\fP', `\fB||\fP' and `\fB!\fP' respectively)
to combine primitives.
E.g., `host foo and not port ftp and not port ftp-data'.
To save typing, identical qualifier lists can be omitted.
@@ -170,7 +171,7 @@ which is equivalent to:
\fBether proto \fI\\ip\fB and host \fIhost\fR
.fi
.in -.5i
-If \fIhost\fR is a name with multiple IP addresses, each address will
+If \fIhost\fR is a name with multiple IPv4 addresses, each address will
be checked for a match.
.IP "\fBether dst \fIehost\fP"
True if the Ethernet destination address is \fIehost\fP.
@@ -231,9 +232,9 @@ May be qualified with \fBsrc\fR or \fBdst\fR.
True if the packet is IPv4 TCP, IPv4 UDP, IPv6 TCP or IPv6 UDP and has a
destination port value of \fIport\fP.
The \fIport\fP can be a number or a name used in /etc/services (see
-.IR tcp (4P)
+.BR tcp (4P)
and
-.IR udp (4P)).
+.BR udp (4P)).
If a name is used, both the port
number and protocol are checked.
If a number or ambiguous name is used,
@@ -274,7 +275,7 @@ True if the packet has a length less than or equal to \fIlength\fP.
This is equivalent to:
.in +.5i
.nf
-\fBlen <= \fIlength\fP.
+\fBlen <= \fIlength\fP
.fi
.in -.5i
.IP "\fBgreater \fIlength\fR"
@@ -282,12 +283,12 @@ True if the packet has a length greater than or equal to \fIlength\fP.
This is equivalent to:
.in +.5i
.nf
-\fBlen >= \fIlength\fP.
+\fBlen >= \fIlength\fP
.fi
.in -.5i
.IP "\fBip proto \fIprotocol\fR"
True if the packet is an IPv4 packet (see
-.IR ip (4P))
+.BR ip (4P))
of protocol type \fIprotocol\fP.
\fIProtocol\fP can be a number or one of the names
\fBicmp\fP, \fBicmp6\fP, \fBigmp\fP, \fBigrp\fP, \fBpim\fP, \fBah\fP,
@@ -306,10 +307,10 @@ header chain.
Abbreviations for:
.in +.5i
.nf
-\fBproto \fIp\fR\fB
+\fBproto \\\fIprotocol\fR\fB
.fi
.in -.5i
-where \fIp\fR is one of the above protocols.
+where \fIprotocol\fR is one of the above protocols.
.IP "\fBip6 protochain \fIprotocol\fR"
True if the packet is IPv6 packet,
and contains protocol header with type \fIprotocol\fR
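
Review bot: the new "\fBproto \\\fIprotocol\fR\fB" line still ends with a dangling "\fB", unlike the "ether proto" and "iso proto" versions of the same line later in this patch, which end at "\fR". Drop the trailing "\fB" so bold is not left switched on for the "where ..." text that follows the ".fi". Since this commit also fixes typos, the context line "True if the packet is IPv6 packet," just below is missing "an".
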
@@ -367,9 +368,9 @@ True if the packet is of ether type \fIprotocol\fR.
Note these identifiers (except \fBloopback\fP) are also keywords
and must be escaped via backslash (\\).
.IP
-[In the case of FDDI (e.g., `\fBfddi proto arp\fR'), Token Ring
-(e.g., `\fBtr proto arp\fR'), and IEEE 802.11 wireless LANs (e.g.,
-`\fBwlan proto arp\fR'), for most of those protocols, the
+[In the case of FDDI (e.g., `\fBfddi proto \\arp\fR'), Token Ring
+(e.g., `\fBtr proto \\arp\fR'), and IEEE 802.11 wireless LANs (e.g.,
+`\fBwlan proto \\arp\fR'), for most of those protocols, the
protocol identification comes from the 802.2 Logical Link Control (LLC)
header, which is usually layered on top of the FDDI, Token Ring, or
802.11 header.
@@ -419,18 +420,18 @@ IPX, and the IPX etype in a SNAP frame.
Abbreviations for:
.in +.5i
.nf
-\fBether proto \fIp\fR
+\fBether proto \\\fIprotocol\fR
.fi
.in -.5i
-where \fIp\fR is one of the above protocols.
+where \fIprotocol\fR is one of the above protocols.
.IP "\fBlat\fR, \fBmoprc\fR, \fBmopdl\fR"
Abbreviations for:
.in +.5i
.nf
-\fBether proto \fIp\fR
+\fBether proto \\\fIprotocol\fR
.fi
.in -.5i
-where \fIp\fR is one of the above protocols.
+where \fIprotocol\fR is one of the above protocols.
Note that not all applications using
.BR pcap (3PCAP)
currently know how to parse these protocols.
@@ -460,7 +461,7 @@ Token Ring packets (no check is done for LLC frames);
FDDI packets (no check is done for LLC frames);
.IP
LLC-encapsulated ATM packets, for SunATM on Solaris.
-.IP "\fBllc\fP \Fitype\fR"
+.IP "\fBllc\fP \fItype\fR"
True if the packet has an 802.2 LLC header and has the specified
.IR type .
.I type
@@ -668,13 +669,13 @@ Valid directions are:
or a numeric value.
.IP "\fBvlan \fI[vlan_id]\fR"
True if the packet is an IEEE 802.1Q VLAN packet.
-If \fI[vlan_id]\fR is specified, only true if the packet has the specified
+If the optional \fIvlan_id\fR is specified, only true if the packet has the specified
\fIvlan_id\fR.
Note that the first \fBvlan\fR keyword encountered in \fIexpression\fR
changes the decoding offsets for the remainder of \fIexpression\fR on
the assumption that the packet is a VLAN packet. The \fBvlan
-\fI[vlan_id]\fR expression may be used more than once, to filter on VLAN
-hierarchies. Each use of that expression increments the filter offsets
+\fI[vlan_id]\fR keyword may be used more than once, to filter on VLAN
+hierarchies. Each use of that keyword increments the filter offsets
by 4.
.IP
For example:
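
Review bot: the changed line "\fI[vlan_id]\fR keyword may be used more than once" still carries the square brackets in prose, which the commit message says should be omitted there, and it now calls "vlan [vlan_id]" a keyword when the keyword is only "vlan". Suggest "The \fBvlan\fR keyword may be used more than once", matching "the first \fBvlan\fR keyword" two lines above.
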
@@ -689,17 +690,17 @@ filters on VLAN 200 encapsulated within VLAN 100, and
\fBvlan && vlan 300 && ip\fR
.fi
.in -.5i
-filters IPv4 protocols encapsulated in VLAN 300 encapsulated within any
+filters IPv4 protocol encapsulated in VLAN 300 encapsulated within any
higher order VLAN.
.IP "\fBmpls \fI[label_num]\fR"
True if the packet is an MPLS packet.
-If \fI[label_num]\fR is specified, only true is the packet has the specified
+If the optional \fIlabel_num\fR is specified, only true if the packet has the specified
\fIlabel_num\fR.
Note that the first \fBmpls\fR keyword encountered in \fIexpression\fR
changes the decoding offsets for the remainder of \fIexpression\fR on
the assumption that the packet is a MPLS-encapsulated IP packet. The
-\fBmpls \fI[label_num]\fR expression may be used more than once, to
-filter on MPLS hierarchies. Each use of that expression increments the
+\fBmpls \fI[label_num]\fR keyword may be used more than once, to
+filter on MPLS hierarchies. Each use of that keyword increments the
filter offsets by 4.
.IP
For example:
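
Review bot: as in the vlan paragraph, "\fBmpls \fI[label_num]\fR keyword may be used more than once" keeps the brackets in prose and labels the keyword plus its argument as a keyword; "The \fBmpls\fR keyword may be used more than once" would be consistent with the first sentence of the note. The context line "the packet is a MPLS-encapsulated IP packet" also disagrees with "an MPLS packet" a few lines earlier and could be fixed in the same pass.
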
@@ -723,7 +724,7 @@ type 0x8863).
.IP "\fBpppoes \fI[session_id]\fR"
True if the packet is a PPP-over-Ethernet Session packet (Ethernet
type 0x8864).
-If \fI[session_id]\fR is specified, only true if the packet has the specified
+If the optional \fIsession_id\fR is specified, only true if the packet has the specified
\fIsession_id\fR.
Note that the first \fBpppoes\fR keyword encountered in \fIexpression\fR
changes the decoding offsets for the remainder of \fIexpression\fR on
@@ -735,9 +736,9 @@ For example:
\fBpppoes 0x27 && ip\fR
.fi
.in -.5i
-filters IPv4 protocols encapsulated in PPPoE session id 0x27.
+filters IPv4 protocol encapsulated in PPPoE session id 0x27.
.IP "\fBgeneve \fI[vni]\fR"
-True if the packet is a Geneve packet (UDP port 6081). If \fI[vni]\fR
+True if the packet is a Geneve packet (UDP port 6081). If the optional \fIvni\fR
is specified, only true if the packet has the specified \fIvni\fR.
Note that when the \fBgeneve\fR keyword is encountered in
\fIexpression\fR, it changes the decoding offsets for the remainder of
@@ -749,8 +750,8 @@ For example:
\fBgeneve 0xb && ip\fR
.fi
.in -.5i
-filters IPv4 protocols encapsulated in Geneve with VNI 0xb. This will
-match both IP directly encapsulated in Geneve as well as IP contained
+filters IPv4 protocol encapsulated in Geneve with VNI 0xb. This will
+match both IPv4 directly encapsulated in Geneve as well as IPv4 contained
inside an Ethernet frame.
.IP "\fBiso proto \fIprotocol\fR"
True if the packet is an OSI packet of protocol type \fIprotocol\fP.
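
Review bot: the rewritten sentence "match both IPv4 directly encapsulated in Geneve as well as IPv4 contained" pairs "both" with "as well as"; use "both ... and". The first changed line, "filters IPv4 protocol encapsulated in Geneve", reads as if a word is missing (the same wording is introduced in the VLAN and PPPoE examples); "filters IPv4 packets encapsulated in" would be clearer.
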
@@ -760,10 +761,10 @@ True if the packet is an OSI packet of protocol type \fIprotocol\fP.
Abbreviations for:
.in +.5i
.nf
-\fBiso proto \fIp\fR
+\fBiso proto \\\fIprotocol\fR
.fi
.in -.5i
-where \fIp\fR is one of the above protocols.
+where \fIprotocol\fR is one of the above protocols.
.IP "\fBl1\fR, \fBl2\fR, \fBiih\fR, \fBlsp\fR, \fBsnp\fR, \fBcsnp\fR, \fBpsnp\fR"
Abbreviations for IS-IS PDU types.
.IP "\fBvpi\fP \fIn\fR"
@@ -908,7 +909,7 @@ Concatenation (`\fB&&\fP' or `\fBand\fP').
.IP
Alternation (`\fB||\fP' or `\fBor\fP').
.LP
-Negation has highest precedence.
+Negation has the highest precedence.
Alternation and concatenation have equal precedence and associate
left to right.
Note that explicit \fBand\fR tokens, not juxtaposition,
@@ -946,11 +947,11 @@ To select all packets arriving at or departing from \fIsundown\fP:
To select traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR:
.RS
.nf
-\fBhost helios and \\( hot or ace \\)\fP
+\fBhost helios and (hot or ace)\fP
.fi
.RE
.LP
-To select all IP packets between \fIace\fR and any host except \fIhelios\fR:
+To select all IPv4 packets between \fIace\fR and any host except \fIhelios\fR:
.RS
.nf
\fBip host ace and not helios\fP
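
Review bot: with the backslashes removed, "host helios and (hot or ace)" is now correct as a filter expression but will no longer work when typed unquoted after tcpdump in a shell, which is the case the commit message says the backslashes were there for. If the EXAMPLES section does not already say so, add one sentence telling the reader to quote expressions that contain parentheses when passing them on a command line.
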
@@ -965,7 +966,7 @@ net ucb-ether
.fi
.RE
.LP
-To select all ftp traffic through internet gateway \fIsnup\fP:
+To select all FTP traffic through Internet gateway \fIsnup\fP:
.RS
.nf
.B
@@ -973,7 +974,7 @@ gateway snup and (port ftp or ftp-data)
.fi
.RE
.LP
-To select traffic neither sourced from nor destined for local hosts
+To select IPv4 traffic neither sourced from nor destined for local hosts
(if you gateway to one other net, this stuff should never make it
onto your local net).
.RS
@@ -1012,7 +1013,7 @@ tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)
.fi
.RE
.LP
-To select IP packets longer than 576 bytes sent through gateway \fIsnup\fP:
+To select IPv4 packets longer than 576 bytes sent through gateway \fIsnup\fP:
.RS
.nf
.B
@@ -1020,7 +1021,7 @@ gateway snup and ip[2:2] > 576
.fi
.RE
.LP
-To select IP broadcast or multicast packets that were
+To select IPv4 broadcast or multicast packets that were
.I not
sent via Ethernet broadcast or multicast:
.RS
@@ -1059,7 +1060,7 @@ correctly handle 802.11 data packets with both To DS and From DS set.
.BR "ip6 proto"
should chase header chain, but at this moment it does not.
.BR "ip6 protochain"
-is supplied for this behavior. For example, to match ipv6 fragments:
+is supplied for this behavior. For example, to match IPv6 fragments:
.B
ip6 protochain 44
.LP