Berkeley packet filters
Berkeley Packet Filters (BPF) provide a powerful tool for intrusion detection analysis. Use BPF filtering to quickly narrow a large packet capture down to a smaller set of results by filtering on a specific type of traffic. Both admin and non-admin users can create BPF filters.
Primitives
- Type qualifiers identify the kind of information that the ID name or number refers to. For example, the type might be host, net, port, or portrange. When no type qualifier exists, host is assumed.
- Dir qualifiers specify the transfer direction in relation to the ID. For example, the dir qualifier might be src, dst, or src or dst.
- Proto qualifiers restrict the match to a particular protocol. Possible protocols are ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp, or udp.
Primitive filter | Description |
---|---|
[src|dst] host <host> | Matches a host as the IP source, destination, or either. The following list shows examples of host expressions: The host expressions can be used with other protocols like |
ether [src|dst] host <ehost> | Matches a host as the Ethernet source, destination, or either. The following list shows examples of host expressions: |
[src|dst] net <network> | Matches packets to or from the source and destination, or either. An IPv4 network number can be specified as: The following list shows some examples: |
[src|dst] net <network> mask <netmask> or [src|dst] net <network>/<len> | Matches packets with a specific netmask. You can also use /len to capture traffic from a range of IP addresses. The following list shows some examples: |
[src|dst] port <port> or [tcp|udp] [src|dst] port <port> | Matches packets that are sent to or from a port. Protocols, such as TCP, UDP, and IP, can be applied to a port to get specific results. The following list shows some examples: |
[src|dst] portrange <p1>-<p2> or [tcp|udp] [src|dst] portrange <p1>-<p2> | Matches packets to or from a port in a specific range. Protocols can be applied to a port range to filter specific packets within the range. The following list shows some examples: |
less <length> | Matches packets with a length less than or equal to length, that is, len <= length. |
greater <length> | Matches packets with a length greater than or equal to length, that is, len >= length. |
(ether|ip|ip6) proto <protocol> | Matches an Ethernet, IPv4, or IPv6 protocol. The protocol can be a number or a name, for example, |
(ip|ip6) protochain <protocol> | Matches IPv4 or IPv6 packets with a protocol header in the protocol header chain, for example, ip6 protochain 6. |
(ether|ip) broadcast | Matches Ethernet or IPv4 broadcasts. |
(ether|ip|ip6) multicast | Matches Ethernet, IPv4, or IPv6 multicasts. For example, ether multicast is equivalent to ether[0] & 1 != 0. |
vlan [<vlan>] | Matches 802.1Q frames with a VLAN ID of vlan. Here are some examples: |
mpls [<label>] | Matches MPLS packets with a label. The MPLS expression can be used more than once to filter on MPLS hierarchies. This list shows some examples: |
Protocols and operators
You can build complex filter expressions by using modifiers and operators to combine the following protocols with primitive BPF filters:
arp
ether
fddi
icmp
ip
ip6
link
ppp
radio
rarp
slip
tcp
tr
udp
wlan
Description | Syntax |
---|---|
Parentheses | ( ) |
Negation | != |
Concatenation | '&&' or 'and' |
Alternation | '||' or 'or' |
BPF filter examples
The following table shows examples of BPF filters that use operators and modifiers:
BPF filter example | Description |
---|---|
udp dst port not 53 | UDP traffic not bound for port 53. |
host 10.0.0.1 && host 10.0.0.2 | Traffic between these two hosts. |
tcp dst port 80 or 8080 | Packets to either of the specified TCP ports. |
ether[0:4] & 0xffffff0f > 25 | Applies a bit mask to the first four bytes of the Ethernet header and matches when the masked value is greater than 25. |
ip[1] != 0 | Captures packets for which the Type of Service (TOS) field in the IP header is not equal to 0. |
ether host 11:22:33:44:55:66 | Matches a specific host with that MAC address. |
ether[0] & 1 = 0 and ip[16] >= 224 | Captures IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast. |
icmp[icmptype] != icmp-echo | Captures all ICMP packets that are not echo requests. |
ip[0] & 0xf != 5 | Captures all IPv4 packets with options (header length other than five 32-bit words). |
ip[6:2] & 0x1fff = 0 | Captures only unfragmented IPv4 datagrams, and fragment zero of fragmented IPv4 datagrams. |
tcp[13] & 16 != 0 | Captures TCP packets with the ACK flag set. |
tcp[13] & 32 != 0 | Captures TCP packets with the URG flag set. |
tcp[13] & 8 != 0 | Captures TCP packets with the PSH flag set. |
tcp[13] & 4 != 0 | Captures TCP packets with the RST flag set. |
tcp[13] & 2 != 0 | Captures TCP packets with the SYN flag set. |
tcp[13] & 1 != 0 | Captures TCP packets with the FIN flag set. |
tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 | Captures the start and end packets (the SYN and FIN packets) of each TCP conversation. |
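The byte-offset filters in the table (ip[0], ip[6:2], tcp[13], ether[0]) are easier to reason about when you see which bytes they index. The following Python script is an added example, not code from the original page or from any vendor: it builds constructed Ethernet/IPv4/TCP frames with the standard library and evaluates the table's offset expressions against them with the same proto[offset:size] indexing that BPF uses. The `Frame` class, the `evaluate` helper and the sample addresses are assumptions made for this illustration.

```python
import struct

# --- constructed sample frame builder (no real capture involved) ---
MULTICAST_MAC = bytes.fromhex("01005e000001")   # low bit of first byte set
UNICAST_MAC = bytes.fromhex("aabbccddeeff")     # low bit of first byte clear
SRC_MAC = bytes.fromhex("112233445566")


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags, tos=0, frag=0,
                   ip_options=b"", eth_dst=MULTICAST_MAC):
    """Return Ethernet + IPv4 + TCP bytes. Checksums stay 0: the offset
    filters never look at them. ip_options must be a multiple of 4 bytes."""
    ihl = 5 + len(ip_options) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                          65535, 0, 0)
    total_len = ihl * 4 + len(tcp_hdr)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, total_len,
                         0x1234, frag, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    return eth_dst + SRC_MAC + b"\x08\x00" + ip_hdr + ip_options + tcp_hdr


class Frame:
    """Locates the ether/ip/tcp headers so that field(proto, offset, size)
    reads the same bytes as BPF's proto[offset:size]."""

    def __init__(self, raw):
        self.raw = raw
        self.base = {"ether": 0, "ip": None, "tcp": None}
        if raw[12:14] == b"\x08\x00":                 # EtherType IPv4
            self.base["ip"] = 14
            ihl = (raw[14] & 0x0F) * 4                 # header length in bytes
            frag_off = int.from_bytes(raw[20:22], "big") & 0x1FFF
            # tcp[] is only meaningful in the first fragment, where the
            # TCP header actually is; BPF applies the same restriction.
            if raw[23] == 6 and frag_off == 0:
                self.base["tcp"] = 14 + ihl

    def field(self, proto, offset, size=1):
        base = self.base[proto]
        if base is None:
            raise ValueError(f"no {proto} header in this frame")
        return int.from_bytes(self.raw[base + offset:base + offset + size], "big")


# Each entry mirrors one expression from the examples table.
FILTERS = {
    "ether[0] & 1 != 0":    lambda f: f.field("ether", 0) & 1 != 0,       # Ethernet multicast/broadcast
    "ip[1] != 0":           lambda f: f.field("ip", 1) != 0,              # TOS field set
    "ip[0] & 0xf != 5":     lambda f: f.field("ip", 0) & 0xF != 5,        # IPv4 options present
    "ip[6:2] & 0x1fff = 0": lambda f: f.field("ip", 6, 2) & 0x1FFF == 0,  # unfragmented or fragment zero
    "tcp[13] & 2 != 0":     lambda f: f.field("tcp", 13) & 2 != 0,        # SYN
    "tcp[13] & 16 != 0":    lambda f: f.field("tcp", 13) & 16 != 0,       # ACK
    "tcp[13] & 3 != 0":     lambda f: f.field("tcp", 13) & 3 != 0,        # SYN or FIN (tcp-syn|tcp-fin)
}


def evaluate(raw):
    """Evaluate every example filter against one frame. A primitive whose
    header is absent (non-IPv4 frame, later fragment) does not match,
    which is also how the compiled BPF program behaves."""
    f = Frame(raw)
    results = {}
    for expr, fn in FILTERS.items():
        try:
            results[expr] = fn(f)
        except ValueError:
            results[expr] = False
    return results


if __name__ == "__main__":
    samples = [
        ("SYN to multicast MAC", build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, 0x02)),
        ("ACK with IP options, TOS set, MF flag",
         build_ipv4_tcp("10.0.0.2", "10.0.0.1", 80, 40000, 0x10, tos=0x10,
                        frag=0x2000, ip_options=b"\x01\x01\x01\x01", eth_dst=UNICAST_MAC)),
        ("later fragment (offset 5)", build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, 0x02, frag=0x0005)),
    ]
    for name, frame in samples:
        print(name)
        for expr, hit in evaluate(frame).items():
            print(f"  {expr:<22} {'match' if hit else '-'}")
```

The third sample shows why `ip[6:2] & 0x1fff = 0` matters when you combine it with `tcp[13]` tests: in a non-initial fragment the bytes at the TCP header position are payload, so the evaluator (like BPF) treats every tcp[] primitive as not matching rather than reading garbage as flags.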