2017-06-22 09:45 PM
Hi All,
I have three separate communications between hosts that I want to be able to filter out from our packet decoder.
I cannot for the life of me figure out the correct BPF syntax to make that happen.
I end up usually filtering nothing, or everything.
I've been trying to filter the following out.
---
anything on vlan300
192.168.30.12 > 10.21.32.90:902
172.14.9.9 > 192.168.30.20:10566
----
I don't want to filter out the whole host traffic, just the specific communication on a specific port (e.g. backup traffic).
Does anyone have experience in writing BPF?
thanks.
2017-06-22 10:41 PM
How about this? Should be a single long line in the filter field:
not ((vlan 300) or (src host 192.168.30.12 and dst host 10.21.32.90 and dst port 902) or (src host 172.14.9.9 and dst host 192.168.30.20 and dst port 10566))
You can also specify tcp dst port if you want; otherwise the above just ignores the protocol and is port focused:
not ((vlan 300) or (src host 192.168.30.12 and dst host 10.21.32.90 and tcp dst port 902) or (src host 172.14.9.9 and dst host 192.168.30.20 and tcp dst port 10566))
Naushad A Kasu | Senior Practice Consultant, Professional Services | RSA | m: 612.772.5843 | e: naushad.kasu@rsa.com | www.rsa.com
2017-06-22 11:03 PM
If all your traffic is VLAN tagged then you need to specify that as well like so:
not ((vlan 300) or (vlan and src host 192.168.30.12 and dst host 10.21.32.90 and dst port 902) or (vlan and src host 172.14.9.9 and dst host 192.168.30.20 and dst port 10566))
2017-06-22 11:45 PM
Thanks for that, I'll give it a try.
So even if you're not filtering by VLAN you still need to specify the vlan option?
2017-06-22 11:56 PM
Yes, if you're filtering traffic that is VLAN tagged, you have to tell the BPF that in the filter; otherwise it will assume it's not VLAN tagged, and the header offset it reads info from will be off, so it never matches the IP, port, etc.
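As an added illustration of the offset point made in the reply above (example code written for this thread, not RSA's, NetWitness's or libpcap's own code): a small Python model of how a fixed-offset filter such as "src host A and dst host B and tcp dst port P" behaves on untagged and 802.1Q-tagged frames, and how the thread's exclusion filter behaves with and without the vlan keyword. The frames are constructed inline; the MAC addresses, the VLAN ID 20 used for the "tagged network" case, and the helper names are assumptions. The matcher is a simplified model of what the compiled BPF does, not libpcap's compiler.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID, sits where the EtherType would be
IPPROTO_TCP = 6

# The two flows the original post wants excluded (taken from the thread).
BACKUP_FLOWS = [
    ("192.168.30.12", "10.21.32.90", 902),
    ("172.14.9.9", "192.168.30.20", 10566),
]


def build_frame(src_ip, dst_ip, dst_port, vlan_id=None):
    """Constructed Ethernet/IPv4/TCP frame for the demo; MACs are made up."""
    dst_mac = bytes.fromhex("020000000002")
    src_mac = bytes.fromhex("020000000001")
    if vlan_id is None:
        eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    else:
        # 802.1Q tag between the MACs and the real EtherType: 4 extra bytes,
        # so everything after it (IP header, ports) moves 4 bytes further in.
        eth = dst_mac + src_mac + struct.pack("!HHH", ETHERTYPE_VLAN,
                                              vlan_id & 0x0FFF, ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02,
                          8192, 0, 0)
    return eth + ip_hdr + tcp_hdr


def vlan_id_of(frame):
    """VLAN ID if the frame carries an 802.1Q tag, else None (what 'vlan' tests)."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_VLAN:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


def match_flow(frame, src_ip, dst_ip, dst_port, expect_vlan):
    """Model of 'src host S and dst host D and tcp dst port P'.

    Like BPF, every field is read at a fixed offset from the start of the
    frame. expect_vlan=True models the 'vlan' keyword: it requires a tag and
    shifts every later offset by 4 bytes. Without it the tag's TPID (0x8100)
    is read where the EtherType is expected, so the 'ip' part never matches.
    """
    if expect_vlan and vlan_id_of(frame) is None:
        return False
    shift = 4 if expect_vlan else 0
    if struct.unpack_from("!H", frame, 12 + shift)[0] != ETHERTYPE_IPV4:
        return False
    ip = 14 + shift
    ihl = (frame[ip] & 0x0F) * 4
    if frame[ip + 9] != IPPROTO_TCP:
        return False
    src = socket.inet_ntoa(frame[ip + 12:ip + 16])
    dst = socket.inet_ntoa(frame[ip + 16:ip + 20])
    dport = struct.unpack_from("!H", frame, ip + ihl + 2)[0]
    return (src, dst, dport) == (src_ip, dst_ip, dst_port)


def keep_frame(frame, tagged_network):
    """Model of the thread's filter: not ((vlan 300) or (flow 1) or (flow 2)).
    tagged_network=True selects the variant with 'vlan and ...' in front of
    each flow. Returns True when the packet would be kept (not filtered)."""
    if vlan_id_of(frame) == 300:
        return False
    for src, dst, port in BACKUP_FLOWS:
        if match_flow(frame, src, dst, port, expect_vlan=tagged_network):
            return False
    return True


def demo():
    """For one VLAN-tagged backup packet, returns (kept without the vlan
    keyword, kept with it). The first is the 'I end up filtering nothing'
    symptom from the original post; the second is the filter working."""
    backup = build_frame("192.168.30.12", "10.21.32.90", 902, vlan_id=20)
    return (keep_frame(backup, tagged_network=False),
            keep_frame(backup, tagged_network=True))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

One caveat when carrying this over to a real filter: in libpcap, the first vlan keyword in an expression changes the decoding offsets for the remainder of that expression, so mixing a "vlan 300" term with un-prefixed host/port terms can behave differently from what the parentheses suggest. Checking the compiled program with tcpdump -d and the filter string shows exactly which offsets each load uses.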
2017-06-23 08:32 AM
Jeremy,
I assume you have already configured your Decoder/Concentrator/Broker to support VLAN
https://community.rsa.com/docs/DOC-74080
Decoder Service - Explore > decoder > config > capture.device.params > vlan-fix=true
<key description="VLAN ID" level="IndexValues" name="vlan" format="UInt16" valueMax="4096"/>
2017-06-25 07:49 AM
I'll need to check, but thanks for the tip.
2017-06-26 09:04 PM
Checked our decoders and we're not supporting VLAN. So my guess is that the VLAN in the BPF doesn't matter.
2017-06-27 08:14 AM
capture.device.params = vlan-fix=true is not enabled by default, which is why you need to add it manually if you are using VLAN. If you are not, then adding a BPF filter for VLAN will have no effect. If you want to check to see if there are any VLANs in your network, you can go directly to the decoder and execute:
tcpdump -ni INF vlan -c 1000
If your network has any VLAN, it will show the first 1000 packets and then stop.