Berkeley packet filters

Berkeley Packet Filters (BPF) provide a powerful tool for intrusion detection analysis. Use BPF filtering to quickly reduce large packet captures to a reduced set of results by filtering based on a specific type of traffic. Both admin and non-admin users can create BPF filters.

To use a BPF filter, on the Forensics Recovery window, select the Enable Custom BPF check box to activate the BPF input field.

Primitives

Primitives are references to fields in a network protocol header, such as host, port, or TCP port. The BPF syntax consists of one or more primitives, which usually consist of an ID, typically a name or number, which is preceded by one or more qualifiers.
Type qualifiers
Type qualifiers identify the kind of information that the ID name or number refers to. For example, the type might refer to host, net, port, or portrange. When no type qualifier exists, host is assumed.
Dir qualifiers
Dir qualifiers specify the transfer direction in relation to the ID. For example, the dir qualifier might be src, dst, or src or dst.
Proto qualifiers
The proto qualifier restricts the match to a particular protocol. Possible protocols are ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, TCP, or UDP.
Table 1. Primitive filters
Primitive filter Description
[src|dst] host <host> Matches a host as the IP source, destination, or either.
The following list shows examples of host expressions:
  • dst host 192.168.1.0
  • src host 192.168.1
  • dst host 172.16
  • src host 10
  • host 192.168.1.0
  • host 192.168.1.0/24
  • src host 192.168.1/24

The host expressions can be used with other protocols like ip, arp, rarp or ip6.

ether [src|dst] host <ehost> Matches a host as the Ethernet source, destination, or either.
The following list shows examples of host expressions:
  • ether host <MAC>
  • ether src host <MAC>
  • ether dst host <MAC>
[src|dst] net <network> Matches packets to or from the source and destination, or either.
An IPv4 network number can be specified as:
  • Dotted quad (for example, 192.168.1.0)
  • Dotted triple (for example, 192.168.1)
  • Dotted pair (for example, 172.16)
  • Single number (for example, 10)
The following list shows some examples:
  • dst net 192.168.1.0
  • src net 192.168.1
  • dst net 172.16
  • src net 10
  • net 192.168.1.0
  • net 192.168.1.0/24
  • src net 192.168.1/24
[src|dst] net <network> mask <netmask> or [src|dst] net <network>/<len> Matches packets with specific netmask.
You can also use /len to capture traffic from range of IP addresses.
  • Netmask for dotted quad (for example, 192.168.1.0) is 255.255.255.255
  • Netmask for dotted triple (for example, 192.168.1) is 255.255.255.0
  • Netmask for dotted pair (for example, 172.16) is 255.255.0.0
  • Netmask for a single number (for example, 10) is 255.0.0.0
The following list shows some examples:
  • dst net 192.168.1.0 mask 255.255.255.255 or dst net 192.168.1.0/24
  • src net 192.168.1 mask 255.255.255.0 or src net 192.168.1/24
  • dst net 172.16 mask 255.255.0.0 src net 10 mask 255.0.0.0
[src|dst] port <port> or [tcp|udp] [src|dst] port <port> Matches packets that are sent to or from a port.

Protocols, such as TCP, UDP, and IP, can be applied to a port to get specific results.

The following list shows some examples:
  • src port 443
  • dst port 20
  • port 80
[src|dst] portrange <p1>-<p2> or [tcp|udp] [src|dst] portrange <p1>-<p2> Matches packets to or from a port in a specific range.

Protocols can be applied to port range to filter specific packets within the range

The following list shows some examples:
  • src portrange 80-88
  • tcp portrange 1501-1549
less <length> Matches packets less than or equal to length, for example, len <= length.
greater <length> Matches packets greater than or equal to length, for example, len >= length.
(ether|ip|ip6) proto <protocol> Matches an Ethernet, IPv4, or IPv6 protocol.
The protocol can be a number or name, for example,
  • ether proto 0x888e
  • ip proto 50
(ip|ip6) protochain <protocol> Matches IPv4, or IPv6 packets with a protocol header in the protocol header chain, for example ip6 protochain 6.
(ether|ip) broadcast Matches Ethernet or IPv4 broadcasts
(ether|ip|ip6) multicast Matches Ethernet, IPv4, or IPv6 multicasts. For example, ether[0] & 1 != 0.
vlan [<vlan>] Matches 802.1Q frames with a VLAN ID of vlan.
Here are some examples:
  • vlan 100 && vlan 200 filters on vlan 200 encapsulated within vlan 100.
  • vlan && vlan 300 && ip filters IPv4 protocols encapsulated in vlan 300 encapsulated within any higher-order vlan.
mpls [<label>] Matches MPLS packets with a label.

The MPLS expression can be used more than once to filter on MPLS hierarchies.

This list shows some examples:
  • mpls 100000 && mpls 1024 filters packets with outer label 100000 and inner label 1024.
  • mpls && mpls 1024 && host 192.9.200.1 filters packets to and from 192.9.200.1 with an inner label of 1024 and any outer label.
 

Protocols and operators

You can build complex filter expressions by using modifiers and operators to combine protocols with primitive BPF filters.

The following list shows protocols that you can use:
  • arp
  • ether
  • fddi
  • icmp
  • ip
  • ip6
  • link
  • ppp
  • radio
  • rarp
  • slip
  • tcp
  • tr
  • udp
  • wlan
Table 2. Valid modifiers and operators
Description Syntax
Parentheses ( )
Negation !=
Concatenation '&&' or 'and'
Alteration '||' or 'or'

BPF filter examples

The following table shows examples of BPF filters that use operators and modifiers:

Table 3. BPF filter examples
BPF filter example Description
udp dst port not 53 UDP not bound for port 53.
host 10.0 .0.1 && host 10.0 .0.2 Traffic between these hosts.
tcp dst port 80 or 8080 Packets to either of the specified TCP ports.
ether[0:4] & 0xffffff0f > 25 Range based mask that is applied to bytes greater than 25.
ip[1] != 0 Captures packets for which the Types of Service (TOS) field in the IP header is not equal to 0.
ether host 11:22:33:44:55:66 Matches a specific host with that Mac address.
ether[0] & 1 = 0 and ip[16] >= 224 Captures IP broadcast or multicast broadcast that were not sent via Ethernet broadcast or multicast.
icmp[icmptype] != icmp-echo Captures all icmp packets that are not echo requests.
ip[0] & 0xf !=5 Captures all IP packets with options.
ip[6:2] & 0x1fff = 0 Captures only unfragmented IPv4 datagrams, and frag zero of fragmented IPv4 datagrams.
tcp[13] & 16 != 0 Captures TCP-ACK packets.
tcp[13] & 32 !=0 Captures TCP-URG packets.
tcp[13] & 8!=0 Captures TCP-PSH packets.
tcp[13] & 4!=0 Captures TCP-RST packets.
TCP[13] & 2!=0 Captures TCP-SYN packets.
tcp[13] & 1!=0 Captures TCP-FIN packets.
tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 Captures start and end packets (the SYN and FIN packets) of each TCP conversation.