Berkeley Packet Filter (BPF) syntax

In this section, we'll take a look at the BPF, its syntax, and some of its history.

First, some history. Years ago, every operating system had its own packet-capture and filtering API: Sun, DEC, SGI, and Xerox each shipped their own operating systems, and each came with its own interface for capturing packets and its own filtering rules. When you needed to do network analysis, you had to use the vendor's built-in tooling and learn the filtering capabilities of that particular API, so depending on which operating systems were present in your network, you had to know several different APIs and several sets of filtering rules to get anything done. In 1993, Steven McCanne and Van Jacobson published The BSD Packet Filter: A New Architecture for User-level Packet Capture (USENIX Winter 1993), which laid out the design behind BPF and explained how it could serve as a standardized way of filtering captured traffic. It caught on and became very popular, especially once libpcap, WinPcap (since succeeded on Windows by Npcap), and other capture libraries adopted BPF as their filtering language; Wireshark and tcpdump are built on those libraries, which is why the same filter syntax works in all of them.

To write a BPF filter, you build an expression out of one or more primitives. A primitive is an ID (a name or number: a hostname, an IP address, a port, or an Ethernet address) preceded by one or more qualifiers. There are three kinds of qualifier:

  • Type
  • Direction
  • Protocol

The type says what kind of thing the ID is: host (an individual host), net (a network), port, or portrange. The direction says which side of the conversation the ID must appear on: src, dst, src or dst, or src and dst. The protocol restricts the match to one protocol layer: ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp, or udp. Qualifiers are written before the ID in the order protocol, direction, type, as in tcp dst port 80, and any qualifier you leave out takes a default: the direction defaults to src or dst, the type defaults to host, and with no protocol qualifier every protocol consistent with the type is considered (port 53 matches TCP and UDP alike, and host 192.168.1.1 matches IP, ARP, and RARP). So you decide which of these pieces you need to narrow the traffic down and supply the values, the IDs, that go with them. Here are some examples that show how a BPF expression is put together.

The first one is ip host 192.168.1.1. Here ip is the protocol, host is the type, and the ID is the IP address. This filters traffic to or from that address: because no direction qualifier is given, the default src or dst applies, so the host matches whether it is the source or the destination.

Next up is ether src AA:BB:CC:DD:EE:FF, with a made-up MAC address. It is the same idea as the ip host example: ether is the protocol, src is the direction, the type defaults to host, and the ID is the MAC address we are looking for. Because the direction is src, only frames sent from that address match; frames addressed to it do not.

If you happen to be capturing traffic that carries multiple VLANs, for example from a SPAN session mirroring a trunk port on a switch, the frames are 802.1Q tagged and you can select by VLAN: vlan 100 matches tagged frames with VLAN ID 100, and a bare vlan matches any tagged frame. One caveat: in libpcap, the first vlan keyword in an expression shifts the decoding offsets for the rest of the expression on the assumption that the frame is tagged, so write vlan 100 and tcp port 80, not tcp port 80 and vlan 100, when you want port 80 traffic on VLAN 100.

The next example is ether broadcast. Here broadcast is a keyword rather than an ID: the primitive matches every frame whose Ethernet destination is the layer-2 broadcast address ff:ff:ff:ff:ff:ff, whatever protocol is carried inside (ARP requests, for instance). Writing broadcast on its own means the same thing as ether broadcast.

My last example is tcp port 80. This matches TCP segments with 80 as either the source or the destination port, which in practice is most likely HTTP, but a port number is only a convention: the filter selects on the port, not on the protocol actually being spoken. If you only want requests heading to a web server, narrow the direction with tcp dst port 80.
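To make the qualifier grammar concrete, here is a small Python matcher added for this section; it is not code from the page, from libpcap, or from Wireshark. It parses a single primitive into its protocol, direction and type qualifiers plus the ID, applies the same defaults libpcap does (direction src or dst, type host, no protocol restriction), and evaluates the result against a few sample packets represented as plain dicts. The packet fields, MAC and IP addresses, ports and VLAN ID are all constructed for the demo. It covers every example above, plus net, portrange and the two-sided directions, and shows the difference between ip host 192.168.1.1 and a bare host 192.168.1.1, which also picks up ARP:

```python
"""Toy matcher for BPF capture-filter primitives (added example, not libpcap).

Models only the grammar from the text, [proto] [dir] [type] id, plus the
"ether broadcast" and "vlan [id]" keywords, evaluated over packets that are
plain dicts constructed for the demo rather than decoded frames.
"""
import ipaddress

PROTO_QUALIFIERS = {"ether", "ip", "ip6", "arp", "rarp", "tcp", "udp"}
TYPE_QUALIFIERS = {"host", "net", "port", "portrange"}
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def parse_primitive(text):
    """Split one primitive into proto/dir/type qualifiers and id.
    Omitted qualifiers take libpcap's defaults: "src or dst", "host", any proto."""
    toks = text.lower().split()
    prim = {"proto": None, "dir": "src or dst", "type": "host", "id": None}
    i = 0
    if toks and toks[0] in PROTO_QUALIFIERS:
        prim["proto"], i = toks[0], 1
    # Keyword primitives that take no dir/type qualifier.
    if i < len(toks) and toks[i] == "broadcast":
        if prim["proto"] not in (None, "ether"):
            raise ValueError("only 'ether broadcast' is modelled here")
        return {"proto": "ether", "dir": None, "type": "broadcast", "id": None}
    if i < len(toks) and toks[i] == "vlan":
        vid = int(toks[i + 1]) if i + 1 < len(toks) else None  # bare "vlan": any tag
        return {"proto": None, "dir": None, "type": "vlan", "id": vid}
    if i < len(toks) and toks[i] in ("src", "dst"):
        two_sided = (i + 2 < len(toks) and toks[i + 1] in ("or", "and")
                     and toks[i + 2] in ("src", "dst"))
        n = 3 if two_sided else 1
        prim["dir"], i = " ".join(toks[i:i + n]), i + n
    if i < len(toks) and toks[i] in TYPE_QUALIFIERS:
        prim["type"], i = toks[i], i + 1
    if i != len(toks) - 1:
        raise ValueError(f"expected qualifiers followed by one id: {text!r}")
    prim["id"] = toks[i]
    return prim

def _proto_ok(prim, pkt):
    p = prim["proto"]                     # None/ether: no layer-3/4 restriction
    if p in (None, "ether"):
        return True
    if p in ("tcp", "udp"):
        return pkt.get("l3") in ("ip", "ip6") and pkt.get("l4") == p
    return pkt.get("l3") == p             # ip, ip6, arp, rarp

def _by_direction(direction, src_hit, dst_hit):
    return {"src": src_hit, "dst": dst_hit, "src or dst": src_hit or dst_hit,
            "src and dst": src_hit and dst_hit}[direction]

def matches(primitive, pkt):
    """True if the constructed packet dict satisfies the filter primitive."""
    prim = parse_primitive(primitive)
    if not _proto_ok(prim, pkt):
        return False
    kind, d = prim["type"], prim["dir"]
    if kind == "broadcast":
        return pkt["eth_dst"].lower() == BROADCAST_MAC
    if kind == "vlan":
        return "vlan" in pkt and prim["id"] in (None, pkt["vlan"])
    if kind == "host" and prim["proto"] == "ether":   # id is a MAC: compare layer 2
        return _by_direction(d, pkt["eth_src"].lower() == prim["id"],
                             pkt["eth_dst"].lower() == prim["id"])
    if kind in ("host", "net"):
        if "ip_src" not in pkt:           # nothing at layer 3 to compare
            return False
        want = ipaddress.ip_network(prim["id"], strict=False)  # a host is a /32 or /128
        return _by_direction(d, ipaddress.ip_address(pkt["ip_src"]) in want,
                             ipaddress.ip_address(pkt["ip_dst"]) in want)
    if kind in ("port", "portrange"):
        if "sport" not in pkt:            # ARP and friends carry no ports
            return False
        lo, _, hi = prim["id"].partition("-")
        lo, hi = int(lo), int(hi or lo)
        return _by_direction(d, lo <= pkt["sport"] <= hi, lo <= pkt["dport"] <= hi)
    raise ValueError(f"unsupported type qualifier {kind!r}")

# Constructed sample packets: dicts standing in for decoded frames, all addresses made up.
PACKETS = {
    "http_request": {"eth_src": "00:11:22:33:44:55", "eth_dst": "aa:bb:cc:dd:ee:ff",
                     "vlan": 100, "l3": "ip", "ip_src": "192.168.1.50",
                     "ip_dst": "192.168.1.1", "l4": "tcp", "sport": 51234, "dport": 80},
    "dns_query": {"eth_src": "aa:bb:cc:dd:ee:ff", "eth_dst": "00:11:22:33:44:66", "l3": "ip",
                  "ip_src": "10.0.0.7", "ip_dst": "192.168.1.1", "l4": "udp", "sport": 40000, "dport": 53},
    "arp_who_has": {"eth_src": "00:11:22:33:44:55", "eth_dst": "ff:ff:ff:ff:ff:ff",
                    "l3": "arp", "ip_src": "192.168.1.50", "ip_dst": "192.168.1.1"},
}

def hits(primitive):
    return [name for name, pkt in PACKETS.items() if matches(primitive, pkt)]

if __name__ == "__main__":
    for expr in ("ip host 192.168.1.1", "host 192.168.1.1", "ether src AA:BB:CC:DD:EE:FF",
                 "vlan 100", "ether broadcast", "tcp port 80", "port 53",
                 "udp dst portrange 50-60", "src net 192.168.1.0/24"):
        print(f"{expr:28} -> {hits(expr)}")
```

Running it prints which of the three sample packets each expression would capture; note that ip host 192.168.1.1 drops the ARP frame while host 192.168.1.1 keeps it, and that udp dst portrange 50-60 matches the DNS query only because its destination port falls in the range. This is a model of how qualifiers and defaults combine, not a filter compiler: to check what a real expression does, let libpcap compile it, for example with tcpdump -d -r on a saved capture file, which prints the compiled BPF program.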

Up next is capture filters, where we'll take this BPF syntax and apply it to interfaces within Wireshark.
