The definition can be seen here.
The candidate answer may be tcp and dst port 80, but can tcp and dst port 80 guarantee it's HTTP traffic and include all HTTP traffic?
It seems not, because some sites can be visited by specifying a different port other than 80 this way:
http://domain.name:8080
So my question is: what's the exact BPF for HTTP?
UPDATE
Is there an implementation to verify whether a packet is an HTTP one in C already?
BPF (the Berkeley Packet Filter) is a small virtual machine inside the kernel: a filter expression such as the ones below is compiled into BPF instructions, the kernel runs them against every packet, and only the packets the program accepts are copied to user space. On Linux its extended form, eBPF, generalises this to user-defined programs that run when other kernel events happen.
Wireshark uses Berkeley Packet Filter syntax for capture filters, because that is the syntax understood by the libpcap and WinPcap libraries it uses to capture packets at the NIC. Display filters use Wireshark's own syntax; BPF expressions generally cannot be used as display filters, although some simple ones happen to look alike in both.
This inspection requires that a specified subset of packets be captured, after which the relevant fields of each packet can be analyzed. This capability is invaluable for network analysis and debugging. A key benefit of Wireshark is its use of the BSD Packet Filter (BPF), which is supported by most OS kernels.
tcp and dst port 80
    The naive filter: it matches anything sent to TCP port 80, HTTP or not, and nothing sent to any other port.
tcp and (dst port 80 or dst port 8080 or dst port 443)
    Widens the port list. Still a guess: any port can carry HTTP, and port 443 normally carries TLS, so plain HTTP bytes are not visible there anyway.
tcp and tcp[20:4] = 0x47455420
    Looks at the payload instead of the port: 0x47455420 is the ASCII bytes "GET ". It assumes a 20-byte TCP header, so it misses segments that carry TCP options.
tcp and tcp[(tcp[12] >> 4) * 4 : 4] = 0x47455420
    The same check with the payload offset computed from the TCP data offset field (tcp[12] >> 4, in 32-bit words), so it works with TCP options. It still only catches requests that begin with GET: POST (0x504f5354) and responses ("HTTP" = 0x48545450) need their own comparisons.
tcp and (dst port 80 or dst port 8080 or dst port 443) and tcp[(tcp[12] >> 4) * 4 : 4] = 0x47455420
    Both conditions together: the GET must also be addressed to one of the listed ports. None of these is an exact definition of HTTP; BPF can only compare bytes at fixed offsets, so every filter here is a heuristic.
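The question's UPDATE asks for a C implementation of the same test. Below is an added example (not code from the question or from any answer on this page) that does in C what the last two filters do: walk the Ethernet/IPv4/TCP headers, compute the payload offset from the TCP data offset field, and compare the first payload bytes. It goes beyond the filters in two ways: it checks every HTTP/1.x request method and the "HTTP/" response prefix, not only "GET ", and it bounds-checks every length field so a truncated or malformed frame is rejected rather than read out of bounds. The frames it runs on are constructed by build_frame, not captured; the addresses 10.0.0.1 and 10.0.0.2 and the source port 49152 are arbitrary. Like the BPF expressions it only sees cleartext HTTP/1.x that starts at the beginning of a segment: HTTPS, HTTP/2 and a request line split across segments are invisible to it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum http_kind { HTTP_NONE = 0, HTTP_REQUEST = 1, HTTP_RESPONSE = 2 };

static const char *const kMethods[] = {
    "GET ", "POST ", "PUT ", "HEAD ", "DELETE ",
    "OPTIONS ", "PATCH ", "TRACE ", "CONNECT "
};

/* Locate the TCP payload in a raw Ethernet/IPv4/TCP frame. Every length field
 * is bounds-checked, so a truncated or malformed frame gives NULL instead of an
 * out-of-bounds read. *plen receives the payload length. */
static const uint8_t *tcp_payload(const uint8_t *frame, size_t len, size_t *plen)
{
    if (len < 14 || frame[12] != 0x08 || frame[13] != 0x00) return NULL; /* EtherType IPv4 */
    const uint8_t *ip = frame + 14;
    size_t avail = len - 14;
    if (avail < 20 || (ip[0] >> 4) != 4 || ip[9] != 6) return NULL;     /* IPv4 carrying TCP */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                              /* honours IP options */
    size_t total = ((size_t)ip[2] << 8) | ip[3];                          /* ignores Ethernet padding */
    if (ihl < 20 || total < ihl + 20 || total > avail) return NULL;
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;            /* the (tcp[12] >> 4) * 4 of the filter */
    if (doff < 20 || doff > total - ihl) return NULL;
    *plen = total - ihl - doff;
    return tcp + doff;
}

/* HTTP_REQUEST, HTTP_RESPONSE or HTTP_NONE for one frame. An empty payload
 * (SYN, pure ACK) is HTTP_NONE: nothing in such a segment says "HTTP". */
int classify_http(const uint8_t *frame, size_t len)
{
    size_t plen = 0;
    const uint8_t *p = tcp_payload(frame, len, &plen);
    if (p == NULL || plen == 0) return HTTP_NONE;
    if (plen >= 5 && memcmp(p, "HTTP/", 5) == 0) return HTTP_RESPONSE;
    for (size_t i = 0; i < sizeof kMethods / sizeof kMethods[0]; i++) {
        size_t m = strlen(kMethods[i]);
        if (plen >= m && memcmp(p, kMethods[i], m) == 0) return HTTP_REQUEST;
    }
    return HTTP_NONE;
}

/* The fixed-offset check tcp[20:4] = 0x47455420, for comparison: it assumes a
 * 20-byte TCP header and therefore misses segments that carry TCP options. */
int fixed_offset_is_get(const uint8_t *frame, size_t len)
{
    if (len < 14 + 20) return 0;
    size_t ihl = (size_t)(frame[14] & 0x0f) * 4;
    if (len < 14 + ihl + 20 + 4) return 0;
    return memcmp(frame + 14 + ihl + 20, "GET ", 4) == 0;
}

/* Build a constructed (not captured) Ethernet/IPv4/TCP frame: `opt_words`
 * 32-bit words of TCP NOP options sit between the TCP header and `payload`.
 * Checksums stay zero because neither the BPF filter nor the classifier reads them. */
size_t build_frame(uint8_t *out, size_t cap, uint16_t dport,
                   unsigned opt_words, const char *payload)
{
    size_t plen = strlen(payload);
    size_t doff = 20 + (size_t)opt_words * 4;          /* TCP header length */
    size_t total = 20 + doff + plen;                   /* IPv4 total length */
    if (opt_words > 10 || total > 0xffff || cap < 14 + total) return 0;
    memset(out, 0, 14 + total);
    out[12] = 0x08; out[13] = 0x00;                    /* EtherType IPv4 */
    uint8_t *ip = out + 14;
    ip[0] = 0x45;                                      /* version 4, IHL 5 words */
    ip[2] = (uint8_t)(total >> 8); ip[3] = (uint8_t)total;
    ip[8] = 64; ip[9] = 6;                             /* TTL, protocol TCP */
    ip[12] = 10; ip[15] = 1; ip[16] = 10; ip[19] = 2;  /* 10.0.0.1 -> 10.0.0.2 (arbitrary) */
    uint8_t *tcp = ip + 20;
    tcp[0] = 0xc0; tcp[1] = 0x00;                      /* source port 49152 (arbitrary) */
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = (uint8_t)((doff / 4) << 4);              /* data offset in 32-bit words */
    tcp[13] = 0x18;                                    /* PSH, ACK */
    memset(tcp + 20, 0x01, doff - 20);                 /* NOP options */
    memcpy(tcp + doff, payload, plen);
    return 14 + total;
}

/* Build a constructed frame and run one of the two checks on it:
 * which == 0 -> classify_http, which == 1 -> fixed_offset_is_get. */
int check_sample(int which, uint16_t dport, unsigned opt_words, const char *payload)
{
    uint8_t buf[2048];
    size_t n = build_frame(buf, sizeof buf, dport, opt_words, payload);
    return which ? fixed_offset_is_get(buf, n) : classify_http(buf, n);
}

int main(void)
{
    printf("GET to :8080                     -> %d\n",
           check_sample(0, 8080, 0, "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"));
    printf("GET with 12 bytes of TCP options -> dynamic %d, fixed offset %d\n",
           check_sample(0, 80, 3, "GET / HTTP/1.1\r\n\r\n"),
           check_sample(1, 80, 3, "GET / HTTP/1.1\r\n\r\n"));
    printf("TLS-looking bytes to :80         -> %d\n",
           check_sample(0, 80, 0, "\x16\x03\x01\x02\x2a"));
    return 0;
}
```

The second line of output is the point of the example: with 12 bytes of TCP options the data-offset-based check still sees the request, while the fixed-offset check (the tcp[20:4] filter) lands on the option bytes and reports nothing. A pcap-based tool would feed the bytes handed to its packet callback straight into classify_http.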