Byte Offset
| # | Description | Comments | Examples | Notes |
|---|---|---|---|---|
| 1 | By IP broadcast or multicast packets | IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast. Note: jump to the specific byte offset to verify. | | `(`, `)`, `>`, `<` and `&` must be escaped with a backslash when the filter is given on the command line. |
| 2 | By packet size | IPv4 packets longer than X bytes; IPv6 packets longer than X bytes | | |
| 3 | Extract TCP packets by flags: SYN or SYN-ACK or ACK or ACK-FIN | | `(((tcp[8:4] & 0xffffffff == 0) and (tcp[tcpflags] & tcp-syn != 0)) or (tcp[13]&0x12 == 18) or (tcp[13]&0x10 == 16) or (tcp[13]&0x11 == 17))` | `tcp[13]` is the flags byte; `tcp[8:4]` is the acknowledgement number, which is zero in an initial SYN. |
| 3 | Extract TCP packets by flags: SYN or SYN-ACK | | `(((tcp[8:4] & 0xffffffff == 0) and (tcp[tcpflags] & tcp-syn != 0)) or (tcp[13]&0x12 == 18))` | |
| 3 | Extract TCP packets by flags: SYN | | `((tcp[8:4] & 0xffffffff == 0) and (tcp[tcpflags] & tcp-syn != 0))` | |
| 3 | Extract TCP packets by flags: SYN or ACK or FIN or ACK-FIN | | `(((tcp[8:4] & 0xffffffff == 0) and (tcp[tcpflags] & tcp-syn != 0)) or (tcp[13]&0x12 == 18) or (tcp[13]&0x11 == 17) or (tcp[13]&0x01 == 1))` | |
| 4 | By partial MAC address | Match the first three bytes of the source or destination MAC address, e.g. `a0:4f:c6:01:f5:21` | `ether[0:4] & 0xffffff00 == 0xa04fc600` | `[0:4] & 0xffffff00`: the destination MAC starts at offset 0; read 4 bytes and mask off the 4th so only the first three bytes are compared. The source MAC starts at offset 6. |
| 5 | Extract ICMP packets embedded in VXLAN | BPF keywords recognise the outer layers only, here up to the transport layer. To match a protocol embedded inside the VXLAN header, index from the transport layer (whose payload carries the VXLAN header and everything after it) to the specific byte(s) to compare. | `((((udp[0:2]==4789) or (udp[0:2]==8472)) or ((udp[2:2]==4789) or (udp[2:2]==8472))) and ((udp[28:2]==0x0800) and (udp[39:1]==0x01)))` | `udp[28:2]` is the inner EtherType (8 bytes UDP + 8 bytes VXLAN + 12 bytes of inner MAC addresses); the inner IPv4 header starts at `udp[30]`, so `udp[39:1]` is its protocol field (1 = ICMP). |
| 6 | Extract ARP packets embedded in VXLAN | | `((((udp[0:2]==4789) or (udp[0:2]==8472)) or ((udp[2:2]==4789) or (udp[2:2]==8472))) and ((udp[28:2]==0x0806) and (udp[44:4]==0x0a000001)))` | `udp[44:4]` is the ARP sender protocol address (the ARP header starts at `udp[30]`, sender IP at ARP offset 14); 0x0a000001 is 10.0.0.1. |
| 7 | Extract GTP-tagged packets | Matches UDP source or destination port 2152 (GTP-U), 2123 (GTP-C) or 3386. | `(((udp[0:2]==2152) or (udp[0:2]==2123)) or ((udp[2:2]==2152) or (udp[2:2]==2123)) or ((udp[0:2]==3386) or (udp[2:2]==3386)))` | |
| 8 | ICMP packets embedded in VXLAN, or plain/VLAN-tagged ICMP | | `((((udp[0:2]==4789) or (udp[0:2]==8472)) or ((udp[2:2]==4789) or (udp[2:2]==8472))) and ((udp[28:2]==0x0800) and (udp[39:1]==0x01))) or ((ip[9:1]==0x01) or (vlan and (ip[9:1]==0x01)))` | The outer IPv4 protocol field is `ip[9]` (`ip[8]` is the TTL); the `icmp` keyword is equivalent to `ip[9:1]==0x01`. |
| 9 | Extract packets with matching source IP address 1 and destination IP address 2 from VLAN-tagged VXLAN packets | The first form is for 10.0.0.1 -> 10.0.0.2. The second is a template with outer hosts 10.192.168.176 -> 19.187.16.27 and `srcip`/`dstip` placeholders for the inner addresses. | `(src host 10.0.0.1 and dst host 10.0.0.2) or (((udp[0:2]==4789) or (udp[0:2]==8472) or (udp[2:2]==4789) or (udp[2:2]==8472)) and (((udp[28:2]==0x0800) and ((udp[42:4]==0x0a000001) and (udp[46:4]==0x0a000002))) or (((udp[28:2]==0x8100) and (udp[32:2]==0x0800)) and ((udp[46:4]==0x0a000001) and (udp[50:4]==0x0a000002)))))`<br>`(src host 10.192.168.176 and dst host 19.187.16.27) or (((udp[0:2]==4789) or (udp[0:2]==8472) or (udp[2:2]==4789) or (udp[2:2]==8472)) and ((udp[28:2]==0x0800) and ((udp[42:4]==srcip) and (udp[46:4]==dstip)))) or (((udp[0:2]==4789) or (udp[0:2]==8472) or (udp[2:2]==4789) or (udp[2:2]==8472)) and (((udp[28:2]==0x8100) and (udp[32:2]==0x0800)) and ((udp[46:4]==srcip) and (udp[50:4]==dstip))))` | Inner addresses must be written as 32-bit integers (e.g. 0x0a000001 for 10.0.0.1); dotted notation is not accepted inside a `udp[...]` comparison. An 802.1Q tag (`udp[28:2]==0x8100`) shifts the inner EtherType to `udp[32:2]` and the inner addresses to `udp[46:4]`/`udp[50:4]`. |
| 10 | Traffic between 10.0.0.2 and 10.0.0.1 on port 48139 (or ICMP), plain or embedded in VXLAN | First form: VXLAN carrying an inner IPv4 packet on port 48139 or ICMP, or an inner IPv6 packet with next header 1 or port 48139. Second form: plain port 48139 traffic, or VXLAN carrying inner IPv4 ICMP whose first L4 bytes equal 0xBC0B. | `(icmp and port 48139 and (src host 10.0.0.2 and dst host 10.0.0.1)) or (((udp[0:2]==0x12b5) or (udp[2:2]==0x12b5) or (udp[0:2]==0x2118) or (udp[2:2]==0x2118)) and (((udp[28:2]==0x0800) and (((udp[30+((udp[30:1]&0x0f)*4):2]==0xBC0B) or (udp[30+((udp[30:1]&0x0f)*4)+2:2]==0xBC0B)) or (udp[39:1]==0x01))) or ((udp[28:2]==0x86dd) and ((udp[36:1]==0x01) or ((udp[70:2]==0xBC0B) or (udp[72:2]==0xBC0B))))))`<br>`(port 48139 and (src host 10.0.0.2 and dst host 10.0.0.1)) or ((((udp[0:2]==0x12b5) or (udp[2:2]==0x12b5) or (udp[0:2]==0x2118) or (udp[2:2]==0x2118)) and ((udp[28:2]==0x0800) and ((udp[39:1]==0x01) and ((udp[30+((udp[30:1]&0x0f)*4):2]==0xBC0B) or (udp[30+((udp[30:1]&0x0f)*4)+2:2]==0xBC0B))))))` | 0x12b5 = 4789, 0x2118 = 8472, 0xBC0B = 48139. `udp[30+((udp[30:1]&0x0f)*4):2]` skips the inner IPv4 header (IHL × 4 bytes) to reach the inner source port; the `+2` variant reads the destination port. For an inner IPv6 packet (EtherType 0x86dd) the next-header byte is `udp[36:1]` and the fixed 40-byte header puts the ports at `udp[70:2]`/`udp[72:2]`. `port` applies only to TCP/UDP/SCTP, so the outer clause `icmp and port 48139` cannot match. |
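The offsets the VXLAN rows rely on (`udp[28:2]`, `udp[39:1]`, `udp[42:4]`/`udp[46:4]` and their VLAN-shifted forms) can be checked against a constructed frame. The following Python is an added example, not part of the original table: the frame layout, MACs, VNI and addresses are constructed sample values.

```python
# Added example, not from the original table: build a constructed VXLAN-encapsulated
# IPv4 frame and evaluate the table's udp[offset:len] checks against it. Offsets count
# from the first byte of the outer UDP header, exactly like BPF's udp[...] accessor.
import struct

VXLAN_PORTS = (4789, 8472)  # IANA VXLAN port and the older Linux default, as in the table

def udp_field(udp: bytes, offset: int, length: int) -> int:
    """udp[offset:length] as an unsigned big-endian integer."""
    return int.from_bytes(udp[offset:offset + length], "big")

def build_vxlan_frame(inner_proto: int, vlan: bool = False, vni: int = 100) -> bytes:
    """Constructed sample (not a capture): outer UDP header + VXLAN header + inner
    Ethernet (optionally 802.1Q-tagged) + inner IPv4 10.0.0.1 -> 10.0.0.2 + 8 L4 bytes."""
    eth = bytes.fromhex("a04fc601f521") + bytes.fromhex("a04fc6aabbcc")  # dst MAC, src MAC
    if vlan:
        eth += struct.pack("!HH", 0x8100, 0x0064)  # TPID + TCI (VLAN 100): inner offsets move by 4
    eth += struct.pack("!H", 0x0800)  # inner EtherType IPv4
    l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # ICMP echo-request shaped bytes
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, inner_proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # checksum left at 0
    vxlan = struct.pack("!B3xI", 0x08, vni << 8)  # I flag set, 24-bit VNI, reserved byte
    payload = vxlan + eth + ip + l4
    return struct.pack("!HHHH", 49152, 4789, 8 + len(payload), 0) + payload

def is_vxlan(udp: bytes) -> bool:
    """The source/destination port test every VXLAN row in the table begins with."""
    return udp_field(udp, 0, 2) in VXLAN_PORTS or udp_field(udp, 2, 2) in VXLAN_PORTS

def matches_vxlan_icmp(udp: bytes) -> bool:
    """Row 5: udp[28:2] is the inner EtherType (8 UDP + 8 VXLAN + 12 MAC bytes),
    udp[39:1] the protocol byte of the inner IPv4 header that starts at udp[30]."""
    return is_vxlan(udp) and udp_field(udp, 28, 2) == 0x0800 and udp_field(udp, 39, 1) == 0x01

def inner_src_dst(udp: bytes):
    """Row 9: inner IPv4 source/destination; an 802.1Q tag moves every inner offset by 4."""
    if not is_vxlan(udp):
        return None
    if udp_field(udp, 28, 2) == 0x0800:
        return udp_field(udp, 42, 4), udp_field(udp, 46, 4)
    if udp_field(udp, 28, 2) == 0x8100 and udp_field(udp, 32, 2) == 0x0800:
        return udp_field(udp, 46, 4), udp_field(udp, 50, 4)
    return None

if __name__ == "__main__":
    for tagged in (False, True):
        frame = build_vxlan_frame(inner_proto=1, vlan=tagged)
        print(tagged, matches_vxlan_icmp(frame), [hex(a) for a in inner_src_dst(frame)])
```

Row 5's check deliberately fails on the tagged frame, which is why row 9 carries a separate `0x8100` branch.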