 

What's the BPF for HTTP?

The definition can be seen here.

The candidate answer may be tcp and dst port 80, but can tcp and dst port 80 guarantee it's HTTP traffic and include all HTTP traffic?

It seems not, because some sites can be visited by specifying a port other than 80, this way:

http://domain.name:8080

So my question is: what's the exact BPF for HTTP?

UPDATE

Is there already an implementation in C to verify whether a packet is an HTTP one?

Gtker asked May 05 '10 16:05




1 Answer

  • Simplest filter: tcp and dst port 80
  • Many ports (including SSL): tcp and (dst port 80 or dst port 8080 or dst port 443)
  • If you want only HTTP GET packets, for example, and don't mind that you will only get the first packet of every GET, and you assume there are no TCP options in the GET packets, you can filter on TCP and on the fact that the TCP payload (HTTP) starts with "GET " (without the quotes): tcp and tcp[20:4] = 0x47455420
  • If you think there can be TCP options (I'm pretty sure it's not that common for non SYN packets), you can do a more complex filter, which actually uses the TCP header and checks for the TCP header length (instead of assuming it's 20): tcp and tcp[(tcp[12] >> 4) * 4 : 4] = 0x47455420
  • A combination of all these filters would look like this (though SSL won't really work here, since the GET is encrypted): tcp and (dst port 80 or dst port 8080 or dst port 443) and tcp[(tcp[12] >> 4) * 4 : 4] = 0x47455420
  • In a similar manner, you can filter any HTTP request method by filtering the bytes that this method starts with. If you want also the SYN and SYN-ACK packets, you add them by filtering the TCP flags using bitwise operations.
  • Unfortunately, filtering all HTTP traffic is pretty hard, since a packet that isn't the first in the request or response is pretty hard to filter: any TCP payload can be part of an HTTP request or response. If you want all HTTP traffic, you should probably rely on ports alone.
brickner answered Sep 21 '22 05:09
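The offset arithmetic in the answer above, re-implemented in C as an added example (it is not code from the question, the answer, or libpcap; with libpcap you would normally just hand the filter string to pcap_compile() and let the kernel do this). It walks a raw Ethernet/IPv4/TCP frame the way tcp[(tcp[12] >> 4) * 4 : 4] does (IHL nibble for the IP header length, data-offset nibble for the TCP header length), shows why the fixed tcp[20:4] form misses a GET that carries TCP options, generalises the check to any HTTP/1.x request method, and demonstrates that a TLS record on 443 never matches. The three sample frames are constructed inline (made-up MACs, RFC 5737 addresses, zero checksums); every function and variable name here is my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14

/* Offset of the TCP header, or -1 if the frame is not IPv4/TCP or is truncated.
 * Using the IHL nibble covers IP options, as libpcap's tcp[] does. */
static int tcp_header_offset(const uint8_t *pkt, size_t len)
{
    if (len < ETH_HLEN + 20 || pkt[12] != 0x08 || pkt[13] != 0x00) return -1;
    const uint8_t *ip = pkt + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6 || len < ETH_HLEN + ihl + 20) return -1;
    return (int)(ETH_HLEN + ihl);
}

/* Offset of the TCP payload: header offset + (tcp[12] >> 4) * 4, or -1 if truncated. */
static int tcp_payload_offset(const uint8_t *pkt, size_t len)
{
    int t = tcp_header_offset(pkt, len);
    if (t < 0) return -1;
    size_t doff = (size_t)(pkt[t + 12] >> 4) * 4;
    return (doff < 20 || len < (size_t)t + doff) ? -1 : t + (int)doff;
}

static uint32_t be32(const uint8_t *p)
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* "tcp and tcp[20:4] = 0x47455420": assumes a 20-byte TCP header, so it misses options. */
int get_match_fixed20(const uint8_t *pkt, size_t len)
{
    int t = tcp_header_offset(pkt, len);
    return t >= 0 && len >= (size_t)t + 24 && be32(pkt + t + 20) == 0x47455420u;
}

/* "tcp and tcp[(tcp[12] >> 4) * 4 : 4] = 0x47455420": honours the TCP data offset. */
int get_match_doff(const uint8_t *pkt, size_t len)
{
    int off = tcp_payload_offset(pkt, len);
    return off >= 0 && len >= (size_t)off + 4 && be32(pkt + off) == 0x47455420u;
}

/* The same check for every HTTP/1.x request method ("<METHOD> " at the start of
 * the payload).  Returns the method name, or NULL if none matches. */
static const char *const kMethods[] = { "GET", "HEAD", "POST", "PUT", "DELETE",
                                        "CONNECT", "OPTIONS", "TRACE", "PATCH" };
const char *http_request_method(const uint8_t *pkt, size_t len)
{
    int off = tcp_payload_offset(pkt, len);
    if (off < 0) return NULL;
    for (size_t i = 0; i < sizeof kMethods / sizeof kMethods[0]; i++) {
        size_t n = strlen(kMethods[i]);
        if (len - (size_t)off > n && memcmp(pkt + off, kMethods[i], n) == 0 && pkt[off + n] == ' ')
            return kMethods[i];
    }
    return NULL;
}

/* Constructed Ethernet/IPv4/TCP frame: made-up MACs, RFC 5737 addresses, zero
 * checksums (no filter here reads them).  optlen must be a multiple of 4. */
static size_t build_frame(uint8_t *buf, size_t cap, uint16_t dport, const uint8_t *opts,
                          size_t optlen, const void *payload, size_t plen)
{
    size_t tcplen = 20 + optlen, iplen = 20 + tcplen + plen, total = ETH_HLEN + iplen;
    if (optlen % 4 || tcplen > 60 || total > cap) return 0;
    memset(buf, 0, total);
    memcpy(buf, "\x02\x00\x00\x00\x00\x01\x02\x00\x00\x00\x00\x02\x08\x00", ETH_HLEN);
    uint8_t *ip = buf + ETH_HLEN, *tcp = ip + 20;
    ip[0] = 0x45; ip[2] = (uint8_t)(iplen >> 8); ip[3] = (uint8_t)iplen;  /* IPv4, IHL 5, length */
    ip[8] = 64; ip[9] = 6;                                                  /* TTL, protocol TCP */
    memcpy(ip + 12, "\xc0\x00\x02\x0a", 4);                                 /* src 192.0.2.10 */
    memcpy(ip + 16, "\xc6\x33\x64\x50", 4);                                 /* dst 198.51.100.80 */
    tcp[0] = 0xc3; tcp[1] = 0x50;                                           /* sport 50000 */
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = (uint8_t)((tcplen / 4) << 4);                                 /* data offset, in words */
    tcp[13] = 0x18;                                                         /* PSH|ACK */
    if (optlen) memcpy(tcp + 20, opts, optlen);
    memcpy(tcp + tcplen, payload, plen);
    return total;
}

uint8_t frame_get[128], frame_post[128], frame_tls[128];
size_t frame_get_len, frame_post_len, frame_tls_len;

/* Three samples: a GET on port 80 carrying NOP,NOP,Timestamp options; a POST on
 * 8080 without options; the start of a TLS ClientHello record on 443. */
int build_samples(void)
{
    static const uint8_t ts_opts[12] = { 1, 1, 8, 10, 0, 0, 0, 1, 0, 0, 0, 0 };
    static const uint8_t tls[] = { 0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00 };
    const char *get_req = "GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n";
    const char *post_req = "POST /login HTTP/1.1\r\nHost: example.invalid\r\n\r\n";
    frame_get_len  = build_frame(frame_get,  128, 80,   ts_opts, 12, get_req,  strlen(get_req));
    frame_post_len = build_frame(frame_post, 128, 8080, NULL,    0,  post_req, strlen(post_req));
    frame_tls_len  = build_frame(frame_tls,  128, 443,  NULL,    0,  tls,      sizeof tls);
    return frame_get_len && frame_post_len && frame_tls_len;
}

int main(void)
{
    if (!build_samples()) return 1;
    const char *m = http_request_method(frame_get, frame_get_len);
    printf("GET with options: fixed20=%d doff=%d method=%s\n", get_match_fixed20(frame_get, frame_get_len),
           get_match_doff(frame_get, frame_get_len), m ? m : "-");
    return 0;
}
```

On the GET frame the fixed-offset check reads the option bytes instead of the payload and returns 0 while the data-offset check returns 1, which is the difference between the answer's third and fourth filters; a truncated capture (pass a shorter len than the frame) makes every check return 0 or NULL rather than reading past the buffer, a bound a kernel BPF program enforces for you but hand-written C must enforce itself.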