What's the BPF for HTTP?

Question

The definition can be seen here.

The candidate answer may be tcp and dst port 80,but can tcp and dst port 80 guarantee it's HTTP traffic and includes all HTTP traffic?

It seems not,because some site can be visited by specifying a different port other than 80 this way:

http://domain.name:8080

So my question is: what's the exact BPF for HTTP?

UPDATE

Is there an implementation to verify whether a packet is a HTTP one in c already?

Answer 1

• Simplest filter: tcp and dst port 80
• Many ports (including SSL): tcp and (dst port 80 or dst port 8080 or dst port 443)
• If you want only HTTP GET packets for example, and don't mind that you will only get the first packet of every GET and you assume there are no TCP options in the GET packets, you can filter TCP and the fact that the TCP payload (HTTP) starts with "GET " without the quotes: tcp and tcp[20:4] = 0x47455420
• If you think there can be TCP options (I'm pretty sure it's not that common for non SYN packets), you can do a more complex filter, which actually uses the TCP header and checks for the TCP header length (instead of assuming it's 20): tcp and tcp[(tcp[12] >> 4) * 4 : 4] = 0x47455420
• A combination of all these filters would look like that (though SSL won't really work here since the GET is encrypted): tcp and (dst port 80 or dst port 8080 or dst port 443) and tcp[(tcp[12] >> 4) * 4 : 4] = 0x47455420
• In a similar manner, you can filter any HTTP request method by filtering the bytes that this method starts with. If you want also the SYN and SYN-ACK packets, you add them by filtering the TCP flags using bitwise operations.
• Unfortunately, filtering all HTTP traffic is pretty hard since a packet that isn't in the first in the request or response is pretty hard to filter - any TCP payload can be part of an HTTP request or response. If you want all HTTP traffic, you should probably rely on ports alone.