My key takeaways
- one lib (libpcap) to capture all packets on all OSes
- BPF is for filtering packets
- better signal-to-noise ratio (SNR) when filtering packets
- a BPF filter affects only the program you call it with
- no change to the packet itself
- Process:
  - human creates the filter
  - the filter goes at the end of the line invoking the program: in single quotes for tcpdump, in double quotes for windump
  - the program passes it to libpcap
  - libpcap passes it to the kernel <- fast!
- works fine with ngrep too
- you can stack multiple filters by putting one after the other at the end of the line, each separated by a space
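Added example (my own, not from the webcast): a small POSIX shell script that stacks several filter fragments into one BPF expression, shows the single-quoted tcpdump line the notes describe, and asks tcpdump to compile the expression with `-d` (dump the compiled program, no capture). Joining fragments with `and`, the `EN10MB` link type and the sample fragments are this script's own choices.

```shell
#!/bin/sh
# bpf_stack FRAGMENT... -> one expression; each fragment is parenthesised and
# joined with "and" so precedence between fragments is explicit (my choice).
bpf_stack() {
    out=""
    for frag in "$@"; do
        if [ -z "$out" ]; then
            out="($frag)"
        else
            out="$out and ($frag)"
        fi
    done
    printf '%s' "$out"
}

# bpf_check EXPRESSION -> 0 if tcpdump compiles it, 1 if tcpdump reports a
# syntax error, 2 if tcpdump is missing or cannot run here.
# -y fixes the link type so no interface is opened; -d prints the compiled
# BPF program and stops, so nothing is captured.
bpf_check() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    err=$(tcpdump -y EN10MB -d "$1" 2>&1 >/dev/null) && return 0
    case "$err" in
        *"syntax error"*) return 1 ;;
    esac
    return 2
}

# Constructed sample: DNS over UDP, excluding one resolver, packets >= 512 bytes.
filter=$(bpf_stack 'udp port 53' 'not host 10.0.0.1' 'greater 512')

# Single quotes around the expression keep the shell from interpreting
# parentheses, "!" and "&&" in it; that is the tcpdump case from the notes.
printf "tcpdump -nn -r capture.pcap '%s'\n" "$filter"

rc=0
bpf_check "$filter" || rc=$?
echo "compile check returned $rc (0 = ok, 1 = syntax error, 2 = not checked)"
```

A deliberately broken fragment such as `'udp prot 53'` makes `bpf_check` return 1 on a host that has tcpdump, which is a cheap way to validate a filter before putting it on a long-running capture.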
Env
- Provided by Active Countermeasures
- Speaker:
Additional links
- https://wiki.wireshark.org/DisplayFilters
- https://corelight.com/blog/2020/08/27/mixed-vlan-tags-and-bpf-syntax
- https://www.activecountermeasures.com/alternative-dns-techniques/
- https://github.com/activecm/pcap-stats
- https://en.wikipedia.org/wiki/Berkeley_Packet_Filter
- https://www.activecountermeasures.com/filtering-out-high-volume-traffic/
- https://www.freebsd.org/cgi/man.cgi?query=bpf&sektion=4
- https://ebpf.io/
- https://www.activecountermeasures.com/?s=BPF
- https://blog.cloudflare.com/bpf-the-forgotten-bytecode/
- http://www.stearns.org/doc/pcap-apps.html
- http://www.stearns.org/doc/ngrep-intro.current.html