What is BPF for HTTP?

The definition can be seen here.

The candidate response may be tcp and dst port 80, but can tcp and dst port 80 guarantee HTTP traffic and include all HTTP traffic?

It seems not, because one site can be visited by specifying a different port other than 80, for example:

http://domain.name:8080

So my question is: what is the exact BPF for HTTP?

UPDATE

Is there already an implementation, in C, to check whether a packet is HTTP?

+4
4 answers

There is no exact BPF for HTTP because HTTP is not a link layer protocol. The best way to do this is to select any traffic that is likely to be HTTP, and then check what is in your application. To do this, you will have to stitch together the TCP segments, since the data in a specific TCP segment from the middle of the stream does not indicate the application layer protocol.

+3
  • The easiest filter: tcp and dst port 80
  • Many ports (including SSL): tcp and (dst port 80 or dst port 8080 or dst port 443)
  • If you want, for example, only HTTP GET packets, do not mind that you will receive only the first packet of each GET, and assume that there are no TCP options in the GET packets, you can filter on TCP and on the TCP payload (HTTP) starting with GET (without quotes): tcp and tcp[20:4] = 0x47455420
  • If you think that there may be TCP options (I'm sure this is not so easy for non-SYN packets), you can make a more complex filter that actually reads the TCP header and uses the length of the TCP header instead of assuming it is 20: tcp and tcp[(tcp[12] >> 4) * 4 : 4] = 0x47455420
  • The combination of all these filters will look like this (although SSL will not work here, since the GET is encrypted): tcp and (dst port 80 or dst port 8080 or dst port 443) and tcp[(tcp[12] >> 4) * 4 : 4] = 0x47455420
  • Similarly, you can filter any HTTP request method by filtering on the bytes with which that method begins. If you also want SYN and SYN-ACK packets, you add them by filtering the TCP flags using bitwise operations.
  • Unfortunately, filtering all HTTP traffic is rather complicated, since a packet that is not the first in a request or response is quite difficult to filter: any TCP payload can be part of an HTTP request or response. If you want all the HTTP traffic, you should probably rely on ports only.
+3
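To make the header-length arithmetic in the answer above concrete, here is an added Python example (not from the original thread) that applies the same two checks to constructed TCP segments: one with a bare 20-byte header and one carrying a 12-byte timestamp option, which is exactly the case where the fixed tcp[20:4] check silently misses. It also generalises the GET check to the other request methods, as the answer suggests; all segments, ports and payloads are constructed test data.

```python
import struct

# First four bytes of the HTTP/1.x request methods; the answer shows only GET (0x47455420).
HTTP_METHODS = (b"GET ", b"POST", b"HEAD", b"PUT ", b"DELE",
                b"OPTI", b"PATC", b"CONN", b"TRAC")

def tcp_header(dst_port, options=b""):
    """Build a minimal 20-byte TCP header plus optional options (padded to 4 bytes)."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(options) // 4            # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH",
                      40000, dst_port, 1, 1,
                      data_offset << 4,            # byte 12: data offset nibble + reserved bits
                      0x18,                        # flags: PSH|ACK (not a SYN)
                      65535, 0, 0)
    return hdr + options

def fixed_offset_check(seg):
    """Equivalent of: tcp and tcp[20:4] = 0x47455420 (assumes no TCP options)."""
    return seg[20:24] == b"GET "

def offset_aware_check(seg, methods=HTTP_METHODS):
    """Equivalent of: tcp[(tcp[12] >> 4) * 4 : 4] = <method bytes>, for any method."""
    hlen = (seg[12] >> 4) * 4                      # same arithmetic as the BPF expression
    if hlen < 20 or hlen > len(seg):
        return False                               # malformed or header-only segment
    return seg[hlen:hlen + 4] in methods

def matches_combined_filter(seg, ports=(80, 8080, 443)):
    """Equivalent of the combined filter: dst port in the list AND method bytes at the payload."""
    dst_port = struct.unpack("!H", seg[2:4])[0]
    return dst_port in ports and offset_aware_check(seg)

# Constructed sample segments (TCP header + payload, no IP header).
PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SEG_PLAIN = tcp_header(80) + PAYLOAD
# Same request with NOP, NOP and a timestamp option (12 bytes) -> data offset 8, header 32 bytes.
TS_OPTION = b"\x01\x01\x08\x0a" + b"\x00" * 8
SEG_WITH_OPTIONS = tcp_header(8080, TS_OPTION) + PAYLOAD
# A mid-stream segment: HTTP bytes, but not the start of a request, so no filter can catch it.
SEG_MID_STREAM = tcp_header(80) + b"\r\nContent-Type: text/html\r\n"

if __name__ == "__main__":
    for name, seg in (("plain", SEG_PLAIN), ("with options", SEG_WITH_OPTIONS),
                      ("mid-stream", SEG_MID_STREAM)):
        print(name, fixed_offset_check(seg), offset_aware_check(seg), matches_combined_filter(seg))
```

Run it and the "with options" row shows the fixed-offset check returning False while the offset-aware check returns True; the mid-stream row is False for both, which is the limitation the last bullet describes.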

BPF is not a stateful packet filter, so any traffic that resides on non-standard HTTP ports will not be detected using BPF. BPF filters at the transport level, not the application level, so it only deals with TCP/IP, not the application data encapsulated in TCP/IP packets. It is best to filter on the common HTTP ports 80, 8000 and 8080. Also 443 if you want to also consider HTTPS.

+2

Wireshark does a decent job of decoding the packets and, where appropriate, labels them as HTTP.

0

Source: https://habr.com/ru/post/1308912/
