Monday, 13 July 2009

BPF (Berkeley Packet Filter)

Berkeley Packet Filters (BPFs) allow you to create detailed, fine-grained filters in TCPDump and other libpcap-based programs. Because BPFs run at the libpcap level, they are fast: they can extract and filter data for display, or for saving to disk, far quicker than many other methods.

When a filter has many terms, the BPF expression can also be placed in a file and loaded from there. In Snort, the '-F' option loads such a file - e.g.:

snort {some options} -F filter_file.bpf
Some of the primary terms used in creating BPFs are listed below:
  • dst host [host name] - filter on the destination host address.
  • src host [host name] - filter on the source host address.
  • gateway [host name] - the packet used the selected host as a gateway.
  • dst net [network identifier] - the destination address of the packet belongs to the selected network. The identifier can be a name from /etc/networks or a network address.
  • src net [network identifier] - the source address of the packet belongs to the selected network.
  • dst port [Port Number] - the packet is IP/TCP or IP/UDP with the selected destination port.
  • src port [Port Number] - similarly, the packet has the selected source port.
  • tcp src port [Port Number] - matches only TCP packets whose source port is the given port.
  • less [length] - selects packets shorter than the given length.
These are only a small selection of the many options. In addition, we can use logical operators to combine and refine our terms:
  • Negation (`!' or `not').
  • Concatenation (`&&' or `and').
  • Alternation (`||' or `or').
The best way to get to know these is to start using them. You will discover that you can filter on IP or TCP options, and in fact that you can go right down to the individual flags and options in a packet.
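As an added example (not part of the original post), the following shell script composes filter expressions from the primitives and logical operators above, including a flag-level TCP match, writes them to a filter file, and reads a capture with it. The network, resolver address and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: building BPF expressions from the primitives described above.
# Network, host and file names below are constructed placeholders.
INTERNAL_NET="10.0.0.0/8"     # constructed: the monitored internal network
DNS_SERVER="10.0.0.53"        # constructed: the sanctioned internal resolver

# DNS queries leaving the internal network that do NOT go to the sanctioned
# resolver: src net / dst port / dst host primitives joined with 'and' and 'not'.
rogue_dns_filter() {
    printf '%s' "src net $INTERNAL_NET and udp and dst port 53 and not dst host $DNS_SERVER"
}

# TCP segments with SYN set and ACK clear (new connection attempts only).
# tcp[tcpflags] reaches the individual flag bits the post mentions.
syn_only_filter() {
    printf '%s' "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst net $INTERNAL_NET"
}

# Combine two expressions with alternation; parentheses make precedence explicit.
either_filter() {
    printf '(%s) or (%s)' "$1" "$2"
}

# Save an expression to a file usable with 'snort -F file' or 'tcpdump -F file'.
write_filter_file() {
    printf '%s\n' "$1" > "$2"
}

main() {
    filter_file="${TMPDIR:-/tmp}/filter_file.bpf"   # constructed path
    expr=$(either_filter "$(rogue_dns_filter)" "$(syn_only_filter)")
    write_filter_file "$expr" "$filter_file"
    # Read from a saved capture so no capture privileges are needed; only run
    # tcpdump when it is installed and the capture file exists.
    if command -v tcpdump >/dev/null 2>&1 && [ -r capture.pcap ]; then
        tcpdump -nn -r capture.pcap -F "$filter_file"
    else
        echo "filter written to $filter_file: $expr"
    fi
}

main
```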
