difference between "host" and "Src"
To quote the pcap-filter man page (or the tcpdump man page for earlier versions of libpcap and tcpdump):
The filter expression consists of one or more primitives. Primitives
usually consist of an id (name or number) preceded by one or more qual-
ifiers. There are three different kinds of qualifier:
type qualifiers say what kind of thing the id name or number refers
to. Possible types are host, net , port and portrange. E.g.,
host foo', net 128.3', port 20', portrange 6000-6008'. If
there is no type qualifier, host is assumed.
dir qualifiers specify a particular transfer direction to and/or
from id. Possible directions are src, dst, src or dst, src and
dst, addr1, addr2, addr3, and addr4. E.g., src foo', dst net
128.3', `src or dst port ftp-data'. If there is no dir quali-
fier, src or dst is assumed. The addr1, addr2, addr3, and addr4
qualifiers are only valid for IEEE 802.11 Wireless LAN link lay-
ers. For some link layers, such as SLIP and the cooked'' Linux capture mode used for the any'' device and for some
other device types, the inbound and outbound qualifiers can be
used to specify a desired direction.
...
dst host host
True if the IPv4/v6 destination field of the packet is host,
which may be either an address or a name.
src host host
True if the IPv4/v6 source field of the packet is host.
host host
True if either the IPv4/v6 source or destination of the packet
is host.
Any of the above host expressions can be prepended with the key-
words, ip, arp, rarp, or ip6 as in:
ip host host
which is equivalent to:
ether proto \ip and host host
If host is a name with multiple IP addresses, each address will
be checked for a match.</code></pre><p>So <code>host</code> <em>xxx</em><code>.</code><em>xxx</em><code>.</code><em>xxx</em><code>.</code><em>xxx</em> means "source or destination address is <em>xxx</em>.<em>xxx</em>.<em>xxx</em>.<em>xxx</em>", and <code>src</code> <em>xxx</em><code>.</code><em>xxx</em><code>.</code><em>xxx</em><code>.</code><em>xxx</em> is the same as <code>src host</code> <em>xxx</em><code>.</code><em>xxx</em><code>.</code><em>xxx</em><code>.</code><em>xxx</em>, which means "source address is <em>xxx</em>.<em>xxx</em>.<em>xxx</em>.<em>xxx</em>".</p><p>I.e., <code>host</code> <em>xxx</em><code>.</code><em>xxx</em><code>.</code><em>xxx</em><code>.</code><em>xxx</em> will match any packets from <em>or</em> to <em>xxx</em>.<em>xxx</em>.<em>xxx</em>.<em>xxx</em>, but <code>src</code> <em>xxx</em><code>.</code><em>xxx</em><code>.</code><em>xxx</em><code>.</code><em>xxx</em> will match any packets from <em>xxx</em>.<em>xxx</em>.<em>xxx</em>.<em>xxx</em> but will only match packets <em>to</em> <em>xxx</em>.<em>xxx</em>.<em>xxx</em>.<em>xxx</em> if they are also <em>from</em> <em>xxx</em>.<em>xxx</em>.<em>xxx</em>.<em>xxx</em>.</p><p>Therefore, <code>host</code> <em>xxx</em><code>.</code><em>xxx</em><code>.</code><em>xxx</em><code>.</code><em>xxx</em> will match more packets than will <code>src</code> <em>xxx</em><code>.</code><em>xxx</em><code>.</code><em>xxx</em><code>.</code><em>xxx</em>.</p></div><div class="answer-controls post-controls"></div><div class="post-update-info-container"><div class="post-update-info post-update-info-user"><p>answered <strong>29 Sep '13, 23:20</strong></p><img src="https://secure.gravatar.com/avatar/f93de7000747ab5efb5acd3034b2ebd7?s=32&d=identicon&r=g" class="gravatar" width="32" height="32" alt="Guy%20Harris's gravatar image" /><p><span>Guy Harris ♦♦</span><br />
17.4k●3●35●196
accept rate: 19%
