HomeworkGT

Reputation: 91

how to use BPF filter to filter packet payload?

I need to do a homework about analysis some packets.
I found that BPF filtering is a good thing for my homework, I want to filter all packet that have a payload that start with a specific string like "Test it". The packets are combination of TCP,UDP,ICMP and some may not even have a payload.
How can I set the filter?

Upvotes: 3

Views: 9746

Answers (2)

caltuntas

Reputation: 10852

A classic example of how you can filter out HTTP GET requests with tcpdump and BPF filters:

tcp[((tcp[12:1] & 0xf0) >> 2):4]

There is a good explanation of the above filter in detail at https://security.stackexchange.com/questions/121011/wireshark-tcp-filter-tcptcp121-0xf0-24 and https://wiki.wireshark.org/CaptureFilters

Upvotes: 0

HomeworkGT

Reputation: 91

I found the answer:
http://www.foo.be/cours/dess-20112012/bpf/bpf.pdf

In this PDF, there is a section about the BPF syntax for filtering the payload. The following is from the PDF; in this way, we can use BPF to skip the header.
An example: you want to match the "GE" string in a TCP payload:
echo -n "GE" | hexdump -C
00000000 47 45 |GE|
sudo tcpdump -s0 -n -i ath0 "tcp[20:2] = 0x4745"

Upvotes: 0
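Both answers rely on the same idea: index into the transport header with `proto[offset:size]` and compare the bytes at the start of the payload. The first answer computes the TCP payload offset from the data-offset nibble in `tcp[12]`, while the `tcp[20:2]` form in the second answer assumes a 20-byte TCP header and reads TCP option bytes instead of payload whenever options are present. The added example below (not code from the question, the answers, or the linked PDF) generates filters of that shape for TCP, UDP and ICMP for any prefix such as "Test it", splitting it into the 4-, 2- and 1-byte reads BPF allows, and models the same offset arithmetic in Python against constructed packets so the difference between the two TCP forms can be checked offline. The 8-byte ICMP offset is an assumption that holds for echo request/reply; other ICMP types lay out their payload differently.

```python
"""
Build tcpdump capture filters (BPF syntax) that match a payload prefix for
TCP, UDP and ICMP, and model the same offset arithmetic in Python so the
filters can be checked against constructed packets offline.
Added example; not code from the original question, answers or linked PDF.
"""
import struct


def _chunks(data: bytes):
    """Split data into (offset, piece) tuples of 4, 2 or 1 bytes: the only
    read sizes BPF index syntax supports, so longer prefixes become an
    "and"-chain of comparisons."""
    out, i = [], 0
    while i < len(data):
        remaining = len(data) - i
        size = 4 if remaining >= 4 else 2 if remaining >= 2 else 1
        out.append((i, data[i:i + size]))
        i += size
    return out


def payload_filter(proto: str, prefix: bytes) -> str:
    """Return a tcpdump filter matching packets whose L4 payload starts with prefix.

    tcp : payload begins at the data offset stored in the high nibble of
          tcp[12] (in 32-bit words); (tcp[12] & 0xf0) >> 2 yields bytes.
    udp : fixed 8-byte header.
    icmp: assumes an 8-byte header, as in echo request/reply (assumption).
    """
    if proto not in ("tcp", "udp", "icmp"):
        raise ValueError("proto must be tcp, udp or icmp")
    terms = []
    for off, piece in _chunks(prefix):
        if proto == "tcp":
            idx = "((tcp[12:1] & 0xf0) >> 2)" + (f" + {off}" if off else "")
        else:
            idx = str(8 + off)
        terms.append(f"{proto}[{idx}:{len(piece)}] = 0x{piece.hex()}")
    return " and ".join(terms)


# --- Python model of what the kernel-side filter computes on a raw IPv4 packet ---

def l4_segment(ip_packet: bytes):
    """Return (protocol number, bytes after the IPv4 header)."""
    ihl = (ip_packet[0] & 0x0F) * 4
    return ip_packet[9], ip_packet[ihl:]


def payload(ip_packet: bytes) -> bytes:
    """Payload located the same way the generated filters locate it."""
    proto, l4 = l4_segment(ip_packet)
    if proto == 6:                             # TCP
        data_offset = (l4[12] & 0xF0) >> 2     # (N << 4) >> 2 == N * 4 bytes
        return l4[data_offset:]
    if proto in (17, 1):                       # UDP / ICMP echo: 8-byte header
        return l4[8:]
    return b""


def matches(ip_packet: bytes, prefix: bytes) -> bool:
    return payload(ip_packet).startswith(prefix)


def tcp_bytes_at(ip_packet: bytes, offset: int, size: int) -> bytes:
    """Model of a fixed-offset read such as tcp[20:2]."""
    _, l4 = l4_segment(ip_packet)
    return l4[offset:offset + size]


# --- Constructed test packets (checksums left zero; never put on the wire) ---

def ipv4(proto: int, l4: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + l4


def tcp_segment(data: bytes, options: bytes = b"") -> bytes:
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    words = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, words << 4, 0x18, 65535, 0, 0)
    return hdr + options + data


def udp_datagram(data: bytes) -> bytes:
    return struct.pack("!HHHH", 40000, 53, 8 + len(data), 0) + data


def icmp_echo(data: bytes) -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data   # type 8 = echo request


if __name__ == "__main__":
    for p in ("tcp", "udp", "icmp"):
        print(p, "->", payload_filter(p, b"Test it"))
    mss = b"\x02\x04\x05\xb4"                   # constructed 4-byte MSS option
    pkt = ipv4(6, tcp_segment(b"Test it!", mss))
    print("data-offset read:", payload(pkt)[:2], "fixed tcp[20:2]:", tcp_bytes_at(pkt, 20, 2))
```

Running the script prints one filter per protocol, each of which can be passed verbatim to `tcpdump` (quote the whole expression), and shows that on a segment carrying a 4-byte option the fixed `tcp[20:2]` read returns the option bytes `02 04` while the data-offset form still reaches the payload. To cover the mixed traffic in the question, join the three generated expressions with `or`.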
