Filter packets with Berkeley Packet Filter syntax

With an ExtraHop Trace appliance connected to Discover and Command appliances, you have the ability to search for packets with the Berkeley Packet Filter (BPF) syntax alone, or in combination with the built-in filters.

Berkeley Packet Filters are a raw interface to data link layers and are a powerful tool for intrusion detection analysis. The BPF syntax enables users to write filters that quickly drill down on specific packets to see the essential information.

The ExtraHop system constructs a synthetic packet header from the packet index data and then runs the BPF syntax queries against the packet header to ensure that queries are much faster than scanning the full packet payload. Note that ExtraHop supports only a subset of the BPF syntax. See Supported BPF syntax.

The BPF syntax consists of one or more primitives preceded by one or more qualifiers. Primitives usually consist of an ID (name or number) preceded by one or more qualifiers. There are three different kinds of qualifiers:

Qualifiers that indicate what type the ID name or number refers to. For example, host, net, port, and portrange. If there is no qualifier, host is assumed.
Qualifiers that specify a particular transfer direction to and or from an ID. Possible directions are src, dst, src and dst, and src or dst. For example, dst net 128.3.
Qualifiers that restrict the match to the particular protocol. Possible protocols are ether, ip, ip6, tcp, and udp.

Add a filter with BPF syntax

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. From the top menu, click Packets.
  3. In the trifield filter section, select BPF, and then type your filter syntax. For example, type src portrange 80-443 and net 10.10.
  4. Click Download PCAP to save the packet capture with your filtered results.

Supported BPF syntax

The ExtraHop system supports the following subset of the BPF syntax for filtering packets with the Trace appliance.

  • ExtraHop only supports numeric IP address searches. Hostnames are not allowed.
  • Indexing into headers, […], is only supported for tcpflags. For example, tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
Primitive Examples Description
[src|dst] host <host ip> host

dst host

Matches a host as the IP source, destination, or either. These host expressions can be specified in conjunction with other protocols like ip, arp, rarp or ip6.
ether [src|dst] host <MAC> ether host 00:00:5E:00:53:00

ether dst host 00:00:5E:00:53:00

Matches a host as the Ethernet source, destination, or either.
vlan <ID> vlan 100 Matches a VLAN. Valid ID numbers are 0-4095. VLAN priority bits are zero.

If the original packet had more than one VLAN tag, the synthetic packet the BPF matches against will only have the innermost VLAN tag.

[src|dst] portrange <p1>-<p2>


[tcp|udp] [src|dst] portrange <p1>-<p2>

src portrange 80-88

tcp dst portrange 1501-1549

Matches packets to or from a port in the given range. Protocols can be applied to a port range to filter specific packets within the range.
[ip|ip6][src|dst] proto <protocol> proto 1

src and proto ICMP

ip6 and src fe80::aebc:32ff:fe84:70b7 and proto 47

Matches IPv4 or IPv6 protocols other than TCP and UDP. The protocol can be a number or name.
[ip|ip6][tcp|udp] [src|dst] port <port> udp and src port 2005

ip6 and tcp and src port 80

Matches IPv4 or IPv6 packets on a specific port.
[src|dst] net <network> dst net

src net 10


Matches packets to or from a source or destination or either, that reside in a network. An IPv4 network number can be specified as one of the following values:
  • Dotted quad (x.x.x.x)
  • Dotted triple (x.x.x)
  • Dotted pair (x.x)
  • Single number (x)
[ip|ip6] tcp tcpflags & (tcp-[ack|fin|syn|rst|push|urg|) tcp[tcpflags] & (tcp-ack) !=0

tcp[13] & 16 !=0

ip6 and (ip6[40+13] & (tcp-syn) != 0)

Matches all packets with the specified TCP flag
Fragmented IPv4 packets (ip_offset != 0) ip[6:2] & 0x3fff != 0x0000 Matches all packets with fragments.
Published 2018-07-12 18:11