Libpcap supports a very powerful filtering language, the "Berkeley Packet Filter" (BPF) syntax. With BPF filter rules you decide which traffic to capture and examine, and which traffic to ignore. BPF lets you filter traffic by comparing the values of fields in the layer 2, 3 and 4 protocol headers. A number of "primitives" are built into BPF to refer to commonly used protocol fields, so you can write very concise filter rules with primitives such as "host" and "port", or you can test the value of a field (or even a single bit) at a given offset. BPF filters can also be composed into detailed conditional chains with nested logical "and" and "or" operations.
BPF Primitives
The simplest way to build a BPF filter is to use BPF "primitives" that name protocols, protocol elements, or other packet-capture criteria. A primitive usually consists of one ID (a name or a number) plus one or more qualifiers.
- Type qualifier: specifies what kind of thing the ID name or number refers to. Possible types are host, net, port and portrange.
- Dir qualifier: specifies whether the traffic flows to or from the ID (or both). Possible directions are src, dst, src or dst, src and dst, addr1, addr2, addr3 and addr4 (the addr1 to addr4 forms apply to 802.11 wireless frames).
- Proto qualifier: restricts the match to a particular protocol. Possible protocols are ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp.
The most commonly used BPF primitive is "host ID", which filters the traffic associated with one host; the ID field holds that host's IP address or hostname. On this basis,
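As an added illustration (not part of the original article, and not libpcap's own code), the following Python implements the matching rules of these qualifiers for a small subset of the syntax, including the "host" primitive: a bare "host X" or "port N" means "src or dst", and "src and dst" requires both ends to match. The `Packet` record, the address values and the tcp/udp-only protocol set are constructed assumptions; libpcap compiles real filters to BPF bytecode, and this only mirrors the matching semantics.

```python
import re
from typing import Callable, NamedTuple
class Packet(NamedTuple):  # constructed, already-decoded packet summary fed to the filter
    proto: str             # "tcp" or "udp" (assumption: only these two protocols)
    src: str
    dst: str
    sport: int
    dport: int
# Field accessor per (type qualifier, direction). A bare "host"/"port" means "src or dst".
FIELDS = {"host": {"src": lambda p: p.src, "dst": lambda p: p.dst},
          "port": {"src": lambda p: str(p.sport), "dst": lambda p: str(p.dport)}}
def _primitive(tokens, i):  # parse "[dir] type ID" or a bare proto at tokens[i] -> (matcher, next i)
    if tokens[i] in ("tcp", "udp"):
        return (lambda p, proto=tokens[i]: p.proto == proto), i + 1
    dirs, combine = ("src", "dst"), any                    # default direction: "src or dst"
    if tokens[i] in ("src", "dst"):
        if tokens[i + 1] in ("or", "and") and tokens[i + 2] in ("src", "dst"):
            combine, i = (any if tokens[i + 1] == "or" else all), i + 3   # "src or/and dst"
        else:
            dirs, i = (tokens[i],), i + 1                  # a single direction
    fields, ident = FIELDS[tokens[i]], tokens[i + 1]       # type qualifier, then the ID
    return (lambda p: combine(fields[d](p) == ident for d in dirs)), i + 2

def compile_filter(expr: str) -> Callable[[Packet], bool]:
    """Compile primitives joined by and/or/not and parentheses into a predicate on Packet."""
    tokens, pos = re.findall(r"\(|\)|[^\s()]+", expr.lower()), 0
    def binary(op, sub, fn):  # left-associative chain of `sub` operands joined by `op`
        nonlocal pos
        left = sub()
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            left = (lambda l, r: lambda p: fn(l(p), r(p)))(left, sub())
        return left
    def parse_or():  return binary("or", parse_and, lambda a, b: a or b)
    def parse_and(): return binary("and", parse_not, lambda a, b: a and b)
    def parse_not():
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return (lambda inner: lambda p: not inner(p))(parse_not())
        if tokens[pos] == "(":
            pos += 1
            inner = parse_or()
            pos += 1                                       # consume the closing ")"
            return inner
        matcher, pos = _primitive(tokens, pos)
        return matcher
    matcher = parse_or()
    if pos != len(tokens): raise ValueError(f"unexpected token {tokens[pos]!r}")
    return matcher
```

Note that `src and dst host X` matches only packets whose source and destination are both X, which is almost never what a rule author means by "traffic involving X"; the plain `host X` (that is, `src or dst host X`) is the form for that.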
Berkeley Packet Filter (BPF) language