
Tshark capture filter examples

5 min | Ross Jacobs | Ma

Quicklinks: Linux Kernel Docs: Berkeley Packet Filter

At first glance, capture filters might seem like the ugly twin of display filters. If you are used to working with display filters, the syntax can feel less expressive: you cannot filter on most protocols or on expert information. The reason we use capture filters is that they are fast. They compile to code that the Linux kernel understands and applies to every packet, telling the kernel whether to allow or drop it. This code is called BPF, or "Berkeley Packet Filter", and is based on the BSD version. Some people refer to "capture filter syntax" as "BPF syntax", and this is why. In this article, we will explore how to generate BPF code from a capture filter.

Read the compiled program as a chain of checks: each one loads a header field, jumps to one instruction if the value matches, and jumps to another if it does not. Three of those checks, written out in plain English, look like this:

IPv6 Next Header: If TCP, goto #4, else #19
TCP Source Port: If 443, goto #18, else #6
TCP Source Port: If 443, goto #18, else #19

If this looks like Greek to you, BPF is documented and the kernel docs have a section dedicated to explaining the instructions.
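To see the whole program behind a capture filter, run `tcpdump -d 'tcp port 443'`: libpcap compiles the filter and prints the BPF instructions without capturing anything, and the same filter string works with `tshark -f`. The script below is an added example, not code from the original post or from Wireshark; it parses a listing in the format `tcpdump -d` prints and turns every jump into the "If X, goto #N, else #M" reading used above. The field offsets, the value names and the sample listing are assumptions: the offsets assume an Ethernet link with a 40-byte IPv6 header, and the sample is a constructed copy of what `tcpdump -d 'tcp port 443'` prints on one libpcap build, so the instruction numbers may differ on yours.

```python
"""Annotate a `tcpdump -d` BPF listing in the "If X, goto #N, else #M" style.

Added example. The field table, value names and sample listing are assumptions
for an Ethernet-framed IPv4/IPv6 capture, not an exhaustive BPF decoder.
"""
import re

# Which header field each load reads (assumed layout: 14-byte Ethernet header,
# 40-byte IPv6 header; on the IPv4 path the header length is loaded into x first).
FIELDS = {
    ("ldh", "[12]"): "Ethertype",
    ("ldb", "[20]"): "IPv6 Next Header",
    ("ldh", "[54]"): "TCP Source Port",             # 14 + 40
    ("ldh", "[56]"): "TCP Destination Port",        # 14 + 40 + 2
    ("ldb", "[23]"): "IPv4 Protocol",
    ("ldh", "[20]"): "IPv4 Flags/Fragment Offset",
    ("ldh", "[x + 14]"): "TCP Source Port",         # 14 + IHL*4
    ("ldh", "[x + 16]"): "TCP Destination Port",    # 14 + IHL*4 + 2
}

# Names for the constants `jeq` compares against, per field (ports stay numeric)
VALUES = {
    "Ethertype": {0x0800: "IPv4", 0x86DD: "IPv6"},
    "IPv6 Next Header": {0x06: "TCP", 0x11: "UDP"},
    "IPv4 Protocol": {0x06: "TCP", 0x11: "UDP"},
}

INSN = re.compile(r"^\((\d+)\)\s+(\w+)\s*(.*?)\s*$")
JUMP = re.compile(r"#(0x[0-9a-fA-F]+|\d+)\s+jt\s+(\d+)\s+jf\s+(\d+)")

# Constructed sample: the output of `tcpdump -d 'tcp port 443'` for an Ethernet
# link on one libpcap build. Regenerate it locally; numbering may differ.
SAMPLE = """\
(000) ldh      [12]
(001) jeq      #0x86dd          jt 2    jf 8
(002) ldb      [20]
(003) jeq      #0x6             jt 4    jf 19
(004) ldh      [54]
(005) jeq      #0x1bb           jt 18   jf 6
(006) ldh      [56]
(007) jeq      #0x1bb           jt 18   jf 19
(008) jeq      #0x800           jt 9    jf 19
(009) ldb      [23]
(010) jeq      #0x6             jt 11   jf 19
(011) ldh      [20]
(012) jset     #0x1fff          jt 19   jf 13
(013) ldxb     4*([14]&0xf)
(014) ldh      [x + 14]
(015) jeq      #0x1bb           jt 18   jf 16
(016) ldh      [x + 16]
(017) jeq      #0x1bb           jt 18   jf 19
(018) ret      #262144
(019) ret      #0
"""


def annotate(listing):
    """Return {instruction index: description} for every jump and return.

    BPF jumps only go forward and leave the accumulator untouched, so the field
    a jump compares is whatever was loaded on the path that reached it. We
    record the accumulator contents on entry to each instruction and walk the
    program once in order, which is enough because every target lies ahead.
    """
    insns = []
    for line in listing.splitlines():
        m = INSN.match(line.strip())
        if m:
            insns.append((int(m.group(1)), m.group(2), m.group(3)))
    entry = {}   # accumulator contents on entry to each instruction index
    out = {}
    for idx, op, arg in insns:
        field = entry.get(idx, "?")
        if op in ("ldh", "ldb"):                       # load into accumulator
            entry.setdefault(idx + 1, FIELDS.get((op, arg), f"{op} {arg}"))
        elif op in ("jeq", "jset"):                    # conditional jump
            value, jt, jf = JUMP.match(arg).groups()
            value, jt, jf = int(value, 0), int(jt), int(jf)
            if op == "jeq":
                name = VALUES.get(field, {}).get(value, str(value))
                out[idx] = f"{field}: If {name}, goto #{jt}, else #{jf}"
            else:
                out[idx] = f"{field}: If any bit of {value:#x} set, goto #{jt}, else #{jf}"
            entry.setdefault(jt, field)
            entry.setdefault(jf, field)
        elif op == "ret":                              # verdict: 0 bytes = drop
            n = int(arg.lstrip("#"), 0)
            out[idx] = f"Accept (keep {n} bytes)" if n else "Drop"
        else:                                          # ldxb etc. change x only
            entry.setdefault(idx + 1, field)
    return out


if __name__ == "__main__":
    for idx, text in sorted(annotate(SAMPLE).items()):
        print(f"({idx:03d}) {text}")
```

Two things worth noticing in the output: the source-port check on the IPv6 path falls through to the destination-port check rather than to the reject instruction, which is how `port` (source or destination) compiles, and the IPv4 path carries an extra `jset` on the fragment-offset field so that non-first fragments, which have no TCP header, are dropped before a port is ever compared. Both are decisions the kernel makes per packet before anything is copied to user space, which is why a capture filter is cheaper than the equivalent display filter.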