BPF cheatsheet
Introduction

This article collects a number of BPF filters, grouped by OSI layer. These BPF filters are used throughout the ByteBlower API, both for counting traffic and for selecting the traffic to save in a PCAP capture.
IP, IPv6, ARP
TCP and UDP

This is the transport layer. ByteBlower supports the two major families, TCP and UDP, and both protocols can be used over IPv4 or IPv6. When the network layer isn't explicitly mentioned in the filter, matching traffic from both IPv4 and IPv6 is captured. In the examples below we use tcp by default, but the last 3 example filters can also be used with udp.

Both TCP and UDP use ports, and the port-based filters below are shown for both protocols.
TCP flags

The filters below are TCP specific: they filter on specific flags, which makes them very useful for capturing only the start of a connection, its end, or any abnormal behaviour. This type of filter uses the array operators of BPF. The expression tcp[13:1] fetches a single byte at offset 13, i.e. the fourteenth byte of the TCP header. This can be written more readably as tcp[tcpflags], the shorthand used most heavily in the filters below. Other shorthands select the individual bits of the TCP flags byte: tcp-fin (= 0x01),

The BPF syntax has no such definitions for the slightly newer TCP flags: ECE (0x40), CWR (0x80), and NS (0x100). These flags belong to Explicit Congestion Notification (ECN; RFC 3168, RFC 3540). The last one in particular poses a challenge; it is the final example in the list below.
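The port filters of the TCP and UDP section and the flag filters of this section share one byte-level mechanism, so a single added Python example serves both. It is not ByteBlower's code and not part of the original cheatsheet; it constructs minimal IPv4/TCP and IPv4/UDP packets, then evaluates each filter the way BPF does: source and destination ports sit at the same offsets in the TCP and UDP headers, the classic flags are bits of tcp[13] (what tcp[tcpflags] fetches), ECE and CWR are the two high bits of that same byte, and NS is the low bit of tcp[12], outside the byte that tcpflags indexes, which is why it needs its own expression. The keys of FILTERS are pcap-filter strings; the packets, port numbers and function names are assumptions made for this example.

```python
import struct

# pcap-filter names for the bits of tcp[13]; ECE, CWR and NS have no shorthand in BPF syntax.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_ECE, TCP_CWR = 0x40, 0x80   # still inside tcp[13]: tcp[13] & 0x40, tcp[13] & 0x80
TCP_NS = 0x100                  # lives in the low bit of tcp[12]: tcp[12] & 0x01
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_ipv4(proto, payload):
    """Constructed 20-byte IPv4 header (no options) followed by the transport header."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload


def build_tcp(sport, dport, flags):
    """Constructed 20-byte TCP header. `flags` is the 9-bit field, NS included."""
    byte12 = (5 << 4) | ((flags >> 8) & 0x01)   # data offset 5 words, reserved 0, NS bit
    byte13 = flags & 0xFF                        # this is the byte tcp[tcpflags] fetches
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, byte12, byte13, 65535, 0, 0)


def build_udp(sport, dport):
    """Constructed 8-byte UDP header with an empty payload."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def transport(pkt):
    """(protocol number, transport header bytes); tcp[n] and udp[n] index into the latter."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], pkt[ihl:]


def port_match(pkt, port, proto=None, direction=None):
    """`port N`, `tcp port N`, `udp dst port N`, ...: proto None means either transport."""
    p, th = transport(pkt)
    if p not in (IPPROTO_TCP, IPPROTO_UDP) or (proto is not None and p != proto):
        return False
    sport, dport = struct.unpack("!HH", th[:4])   # same offsets for TCP and UDP
    if direction == "src":
        return sport == port
    if direction == "dst":
        return dport == port
    return port in (sport, dport)


def tcp_flags9(pkt):
    """Full 9-bit flag word, or None for non-TCP. BPF's tcpflags covers only the low 8 bits."""
    p, th = transport(pkt)
    if p != IPPROTO_TCP:
        return None
    return ((th[12] & 0x01) << 8) | th[13]


def flags_match(pkt, mask, value=None):
    """`tcp[tcpflags] & mask != 0` when value is None, else `tcp[tcpflags] & mask == value`."""
    f = tcp_flags9(pkt)
    if f is None:
        return False
    return (f & mask) != 0 if value is None else (f & mask) == value


# Each entry pairs a pcap-filter expression with the byte-level test it compiles to.
FILTERS = {
    "tcp port 80": lambda p: port_match(p, 80, IPPROTO_TCP),
    "udp dst port 53": lambda p: port_match(p, 53, IPPROTO_UDP, "dst"),
    "port 53": lambda p: port_match(p, 53),
    "tcp[tcpflags] & (tcp-syn|tcp-fin) != 0": lambda p: flags_match(p, TCP_SYN | TCP_FIN),
    "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn": lambda p: flags_match(p, TCP_SYN | TCP_ACK, TCP_SYN),
    "tcp[13] & 0x40 != 0": lambda p: flags_match(p, TCP_ECE),   # ECE
    "tcp[13] & 0x80 != 0": lambda p: flags_match(p, TCP_CWR),   # CWR
    "tcp[12] & 0x01 != 0": lambda p: flags_match(p, TCP_NS),    # NS, unreachable via tcpflags
}

# Constructed sample traffic: a SYN, a SYN/ACK negotiating ECN, a FIN/ACK carrying NS, a DNS query.
SAMPLE = [
    build_ipv4(IPPROTO_TCP, build_tcp(40000, 80, TCP_SYN)),
    build_ipv4(IPPROTO_TCP, build_tcp(80, 40000, TCP_SYN | TCP_ACK | TCP_ECE)),
    build_ipv4(IPPROTO_TCP, build_tcp(40000, 80, TCP_FIN | TCP_ACK | TCP_NS)),
    build_ipv4(IPPROTO_UDP, build_udp(53001, 53)),
]


def count_matches(packets=SAMPLE):
    """Per-filter match counts, the way a counting filter reports them."""
    return {expr: sum(1 for p in packets if pred(p)) for expr, pred in FILTERS.items()}


if __name__ == "__main__":
    for expr, n in count_matches().items():
        print(f"{n}  {expr}")
```

To confirm that a filter string really compiles to the byte test shown, `tcpdump -d '<filter>'` prints the BPF program libpcap generates for it; for the NS filter the load is from TCP offset 12, not 13.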