Filter packets with Berkeley Packet Filter syntax and examples
Search for packets with the Berkeley Packet Filter (BPF) syntax alone, or in combination with the built-in filters. Berkeley Packet Filters are a raw interface to the data link layer and a powerful tool for intrusion detection analysis. The BPF syntax enables users to write filters that quickly drill down on specific packets to see the essential information.

The ExtraHop system constructs a synthetic packet header from the packet index data and then runs the BPF queries against that synthetic header, so queries are much faster than a scan of the full packet payload. Note that ExtraHop supports only a subset of the BPF syntax. See Supported BPF syntax.

The BPF syntax consists of one or more primitives. Primitives usually consist of an ID (name or number) preceded by one or more qualifiers. There are three different kinds of qualifiers:

type
Qualifiers that indicate what type the ID name or number refers to. For example, host, net, port, and portrange. If there is no type qualifier, host is assumed.

dir
Qualifiers that specify a particular transfer direction to and/or from an ID. Possible directions are src, dst, src and dst, and src or dst. For example, dst net 128.3.

proto
Qualifiers that restrict the match to a particular protocol. Possible protocols are ether, ip, ip6, tcp, and udp.
The ExtraHop system supports the following subset of the BPF syntax for filtering packets.
Note: ExtraHop only supports numeric IP address searches. Hostnames are not allowed.
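To make the qualifier and primitive rules concrete, here is a small evaluator that compiles expressions from the supported subset and runs them against a header dict, in the same spirit as the synthetic packet header the text describes (queries are answered from indexed header fields, never from the payload). It is an added example written for this page and is not ExtraHop's code. It assumes a header dict with the fields version, src, dst, proto, sport, dport, ether_src and ether_dst, a handful of constructed sample headers, a small protocol-name table, and expressions joined only by and/or (no parentheses or not); the restriction to numeric IP addresses from the note above is enforced by rejecting any host ID that the ipaddress module cannot parse.

```python
"""Evaluate this page's BPF subset against synthetic packet headers (added example, not ExtraHop's
code; the header field names and the sample headers are assumptions made for the demo)."""
import ipaddress

PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "icmp6": 58}
PROTO_CHECK = {  # the ether/ip/ip6/tcp/udp protocol qualifiers as header predicates
    "ether": lambda h: True, "ip": lambda h: h.get("version") == 4,
    "ip6": lambda h: h.get("version") == 6,
    "tcp": lambda h: h.get("proto") == 6, "udp": lambda h: h.get("proto") == 17}
TYPE_QUALS = ("host", "net", "port", "portrange", "proto")
KEYWORDS = set(PROTO_CHECK) | set(TYPE_QUALS) | {"src", "dst", "and", "or"}

SAMPLE_HEADERS = [  # constructed: one synthetic header per indexed packet (MACs lowercase)
    {"version": 4, "src": "10.4.9.40", "dst": "198.51.100.7", "proto": 1,
     "ether_src": "00:00:5e:00:53:01", "ether_dst": "00:00:5e:00:53:ff"},
    {"version": 4, "src": "192.168.1.20", "dst": "10.4.9.40", "proto": 6,
     "sport": 51000, "dport": 80},
    {"version": 6, "src": "fe80::aebc:32ff:fe84:70b", "dst": "2001:db8::1", "proto": 47},
    {"version": 4, "src": "10.4.9.40", "dst": "10.4.9.50", "proto": 17, "sport": 2005,
     "dport": 53, "ether_src": "00:00:5e:00:53:01", "ether_dst": "00:00:5e:00:53:04"}]


def parse_net(text):
    """CIDR such as 192.168.1.0/24, or an abbreviated dotted prefix: '10' -> 10.0.0.0/8."""
    if "/" in text or ":" in text:
        return ipaddress.ip_network(text, strict=False)
    octets = text.split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network("%s/%d" % (padded, 8 * len(octets)), strict=False)


def ends(direction, src_key, dst_key, pred):
    """Predicate over the end(s) a src/dst qualifier selects; both ends when it is absent."""
    keys = {"src": [src_key], "dst": [dst_key]}.get(direction, [src_key, dst_key])
    return lambda h: any(h.get(k) is not None and pred(h.get(k)) for k in keys)


class Filter:
    """Recursive-descent compiler from a filter expression to a predicate over a header dict."""

    def __init__(self, expr):
        self.toks = expr.lower().split()
        self.pred = self._or()
        if self.toks:
            raise ValueError("unexpected token %r" % self.toks[0])

    def _peek(self):
        return self.toks[0] if self.toks else None

    def _or(self):  # 'and' binds tighter than 'or', as in pcap-filter
        terms = [self._and()]
        while self._peek() == "or":
            self.toks.pop(0)
            terms.append(self._and())
        return lambda h: any(t(h) for t in terms)

    def _and(self):
        terms = [self._primitive()]
        while self._peek() == "and":
            self.toks.pop(0)
            terms.append(self._primitive())
        return lambda h: all(t(h) for t in terms)

    def _primitive(self):
        # Qualifier order is [proto] [dir] [type] ID; with no type qualifier, host is assumed.
        proto = self.toks.pop(0) if self._peek() in PROTO_CHECK else None
        direction = self.toks.pop(0) if self._peek() in ("src", "dst") else None
        typ = self.toks.pop(0) if self._peek() in TYPE_QUALS else None
        ident = self._peek()
        if ident is None or ident in KEYWORDS:  # bare protocol primitive such as 'ip6' or 'tcp'
            if proto is None or direction or typ:
                raise ValueError("primitive needs an ID (name or number)")
            return PROTO_CHECK[proto]
        self.toks.pop(0)
        if typ in (None, "host") and proto == "ether":
            check = ends(direction, "ether_src", "ether_dst", lambda v: v == ident)
        elif typ in (None, "host"):
            addr = ipaddress.ip_address(ident)  # a hostname raises ValueError: numeric IPs only
            check = ends(direction, "src", "dst", lambda v: ipaddress.ip_address(v) == addr)
        elif typ == "net":
            net = parse_net(ident)
            check = ends(direction, "src", "dst", lambda v: ipaddress.ip_address(v) in net)
        elif typ == "port":
            port = int(ident)
            check = ends(direction, "sport", "dport", lambda v: v == port)
        elif typ == "portrange":
            lo, hi = (int(x) for x in ident.split("-"))
            check = ends(direction, "sport", "dport", lambda v: lo <= v <= hi)
        else:  # proto ID: a name or a decimal/0x hex protocol number
            num = PROTO_NAMES[ident] if ident in PROTO_NAMES else int(ident, 0)
            check = lambda h: h.get("proto") == num
        guard = PROTO_CHECK.get(proto, lambda h: True)  # e.g. 'tcp' in 'tcp dst portrange 1-1023'
        return lambda h: guard(h) and check(h)


def search(expr, headers=SAMPLE_HEADERS):
    """Indices of the headers matched by expr; raises ValueError on unsupported syntax."""
    flt = Filter(expr)
    return [i for i, h in enumerate(headers) if flt.pred(h)]
```

search("src 10.4.9.40 and proto ICMP") returns [0], the index of the only sample header with that source and IP protocol 1, while search("ip6 and src fe80::aebc:32ff:fe84:70b and proto 47") returns [2]. search("host example.com") raises ValueError, which is the behaviour the note above calls for: a host ID must be a numeric address. Note that a protocol qualifier such as tcp acts as a guard on the whole primitive, so "tcp dst portrange 1-1023" does not match a UDP packet whose destination port is in range.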
Primitive: [src|dst] host
Examples:
  dst host 198.51.100.
Description: Matches a host as the IP source, destination, or either. These host expressions can be specified in conjunction with other protocols like ip, arp, rarp or ip6.

Primitive: ether [src|dst] host
Examples:
  ether host 00:00:5E:00:53:
  ether dst host 00:00:5E:00:53:
Description: Matches a host as the Ethernet source, destination, or either.

Primitive: vlan

Primitive: [src|dst] portrange, or [tcp|udp] [src|dst] portrange
Examples:
  src portrange 80-
  tcp dst portrange 1501-
Description: Matches packets to or from a port in the given range. A protocol qualifier can be applied to a port range to filter specific packets within the range.

Primitive: [ip|ip6] [src|dst] proto
Examples:
  proto 1
  src 10.4.9.40 and proto ICMP
  ip6 and src fe80::aebc:32ff:fe84:70b and proto 47
  ip and src 10.4.9.40 and proto 0x
Description: Matches IPv4 or IPv6 protocols other than TCP and UDP. The protocol can be a number or a name.

Primitive: [ip|ip6] [tcp|udp] [src|dst] port
Examples:
  udp and src port 2005
  ip6 and tcp and src port 80
Description: Matches IPv4 or IPv6 packets on a specific port.

Primitive: [src|dst] net
Examples:
  src net 10
  net 192.168.1.0/
Description: Matches packets to or from a source or destination, or either, that reside in a network. An IPv4 network number can be specified as one of the following values: