Berkeley Packet Filter BPF Cheat Sheet, Cheat Sheet of Operating Systems

Filter packets with Berkeley Packet Filter syntax and examples

Typology: Cheat Sheet

2020/2021

Uploaded on 04/27/2021

ekachakra
Filter packets with Berkeley Packet Filter syntax

Search for packets with the Berkeley Packet Filter (BPF) syntax alone, or in combination with the built-in filters.

Berkeley Packet Filters are a raw interface to data link layers and are a powerful tool for intrusion detection analysis. The BPF syntax enables users to write filters that quickly drill down on specific packets to see the essential information.

The ExtraHop system constructs a synthetic packet header from the packet index data and then runs the BPF syntax queries against that synthetic header, so queries are much faster than scanning the full packet payload. Note that ExtraHop supports only a subset of the BPF syntax. See Supported BPF syntax.

The BPF syntax consists of one or more primitives preceded by one or more qualifiers. Primitives usually consist of an ID (name or number) preceded by one or more qualifiers. There are three different kinds of qualifiers:

type
  Qualifiers that indicate what type the ID name or number refers to, for example host, net, port, and portrange. If there is no type qualifier, host is assumed.

dir
  Qualifiers that specify a particular transfer direction to and/or from an ID. Possible directions are src, dst, src and dst, and src or dst. For example, dst net 128.3.

proto
  Qualifiers that restrict the match to a particular protocol. Possible protocols are ether, ip, ip6, tcp, and udp.

Add a filter with BPF syntax

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. From the top menu, click Packets.
  3. In the trifield filter section, select BPF, and then type your filter syntax. For example, type src portrange 80-443 and net 10.10.
  4. Click Download PCAP to save the packet capture with your filtered results.

Supported BPF syntax

The ExtraHop system supports the following subset of the BPF syntax for filtering packets.

Note:
  • ExtraHop only supports numeric IP address searches. Hostnames are not allowed.
  • Indexing into headers, […], is only supported for tcpflags and ip_offset. For example, tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
  • ExtraHop supports both numeric and hexadecimal values for VLAN ID, EtherType, and IP Protocol fields. Prefix hexadecimal values with 0x, such as 0x11.

Primitive / Examples / Description

Primitive: [src|dst] host <host>
Examples:
  • host 203.0.113.
  • dst host 198.51.100.
Description: Matches a host as the IP source, destination, or either. These host expressions can be specified in conjunction with other protocols like ip, arp, rarp, or ip6.

Primitive: ether [src|dst] host <host>
Examples:
  • ether host 00:00:5E:00:53:
  • ether dst host 00:00:5E:00:53:
Description: Matches a host as the Ethernet source, destination, or either.

Primitive: vlan <id>
Examples:
  • vlan 100
Description: Matches a VLAN. Valid ID numbers are 0-4095. VLAN priority bits are zero. If the original packet had more than one VLAN tag, the synthetic packet the BPF matches against will only have the innermost VLAN tag.

Primitive: [src|dst] portrange <start>-<end>
  or
  [tcp|udp] [src|dst] portrange <start>-<end>
Examples:
  • src portrange 80-
  • tcp dst portrange 1501-
Description: Matches packets to or from a port in the given range. Protocols can be applied to a port range to filter specific packets within the range.

Primitive: [ip|ip6] [src|dst] proto <protocol>
Examples:
  • proto 1
  • src 10.4.9.40 and proto ICMP
  • ip6 and src fe80::aebc:32ff:fe84:70b and proto 47
  • ip and src 10.4.9.40 and proto 0x
Description: Matches IPv4 or IPv6 protocols other than TCP and UDP. The protocol can be a number or a name.

Primitive: [ip|ip6] [tcp|udp] [src|dst] port <port>
Examples:
  • udp and src port 2005
  • ip6 and tcp and src port 80
Description: Matches IPv4 or IPv6 packets on a specific port.

Primitive: [src|dst] net <net>
Examples:
  • dst net 192.168.1.
  • src net 10
  • net 192.168.1.0/
Description: Matches packets whose source address, destination address, or either resides in the given network. An IPv4 network number can be specified as one of the following values:
  • Dotted quad (x.x.x.x)
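As an added example (not part of the original page and not ExtraHop's code), here is a small Python matcher for the qualifier grammar described above (an optional proto qualifier, an optional dir qualifier, a type qualifier, and an ID), covering the primitives in the table, tcpdump-style short net numbers such as 10.10, and the tcp[tcpflags] form from the note. It evaluates filters against a constructed synthetic-header dict; the field names in that dict, the short table of protocol names, and tcpdump's rule that and binds tighter than or are my assumptions.

```python
import ipaddress
import re
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47}  # standard IP protocol numbers (assumed table)
TCP_FLAGS = {"tcp-fin": 1, "tcp-syn": 2, "tcp-rst": 4, "tcp-push": 8, "tcp-ack": 16, "tcp-urg": 32}

def parse_net(spec):
    """tcpdump-style net ID: '10' -> 10.0.0.0/8, '10.10' -> 10.10.0.0/16, or an explicit CIDR."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    return ipaddress.ip_network(".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}")
def match_primitive(text, pkt):
    """Evaluate one primitive ([proto] [dir] [type] ID) against a synthetic header dict."""
    m = re.fullmatch(r"tcp\[tcpflags\]\s*&\s*\(([^)]+)\)\s*!=\s*0", text.strip())
    if m:  # the one header-indexing form the page lists as supported
        mask = sum(TCP_FLAGS[f.strip()] for f in m.group(1).split("|"))
        return pkt["proto"] == 6 and (pkt["tcp_flags"] & mask) != 0
    toks = text.lower().split()
    proto_q = toks.pop(0) if toks[0] in ("ether", "ip", "ip6", "tcp", "udp") else None
    if proto_q in ("ip", "ip6") and pkt["family"] != (4 if proto_q == "ip" else 6):
        return False
    if proto_q in ("tcp", "udp") and pkt["proto"] != PROTO_NAMES[proto_q]:
        return False
    if not toks:  # a bare protocol primitive such as "tcp" or "ip6"
        return True
    dirs = (toks.pop(0),) if toks[0] in ("src", "dst") else ("src", "dst")
    kind = toks.pop(0) if toks[0] in ("host", "net", "port", "portrange", "proto", "vlan") else "host"
    ident = toks.pop(0)  # no type qualifier means host, as the page states
    if kind == "host":  # "ether host" compares MAC addresses, otherwise IP addresses
        key = "_mac" if proto_q == "ether" else ""
        return any(pkt[d + key].lower() == ident for d in dirs)
    if kind == "net":
        return any(ipaddress.ip_address(pkt[d]) in parse_net(ident) for d in dirs)
    if kind == "port":
        return any(pkt[d + "_port"] == int(ident) for d in dirs)
    if kind == "portrange":
        lo, hi = (int(p) for p in ident.split("-"))
        return any(lo <= pkt[d + "_port"] <= hi for d in dirs)
    if kind == "proto":  # decimal, 0x-prefixed hex, or a protocol name
        return pkt["proto"] == (int(ident, 0) if ident[0].isdigit() else PROTO_NAMES[ident])
    return pkt["vlan"] == int(ident)
def match_filter(expr, pkt):
    """'and' binds tighter than 'or', as in tcpdump; this subset has no parentheses or 'not'."""
    return any(all(match_primitive(p, pkt) for p in clause.split(" and "))
               for clause in expr.split(" or "))

# Constructed sample header (not a real capture): a SYN/ACK from 10.10.1.5:443 on VLAN 100.
SAMPLE = {"family": 4, "proto": 6, "src": "10.10.1.5", "dst": "203.0.113.9",
          "src_port": 443, "dst_port": 51000, "tcp_flags": 0x12, "vlan": 100,
          "src_mac": "00:00:5e:00:53:01", "dst_mac": "00:00:5e:00:53:02"}
```

Running match_filter("src portrange 80-443 and net 10.10", SAMPLE) reproduces the example from step 3 above and returns True, while a real BPF compiler would also reject hostnames and unsupported header indexes, which this matcher does not check.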