Saturday, September 15, 2007

BPF - Bidirectional Filter

Imagine you run a server farm, and one of your web servers is suspected to be under attack or is in an uncertain state. You would like to examine the traffic flowing to that web server and the sessions exchanged between remote nodes and it (port 80 by default). How can you do it with a BPF filter?

The network conversation is illustrated below -

Host A - Web Client
Host B - Web Server

Host A (any port) -> Host B (port 80)
Host B (port 80) -> Host A (any port)
Host A (any port) -> Host B (port 80)
Blablablabla .....

Given that the web server IP address is 192.168.0.55, here's a quick tip for assessing the network traffic flowing in and out of your web server that was initiated by a remote node. Since port 80 resides on the web server, the filter below should work -

(src host 192.168.0.55 and src port 80) or (dst host 192.168.0.55 and dst port 80)

There you go, the bidirectional filter!!!!!

Happy packetysis (;])

4 comments:

Anonymous said...

Could you just do:

host 192.168.0.55 and port 80

I think that would include both source and destination port 80 traffic involving 192.168.0.55, which would do the same thing, but then again I could be wrong...

C.S.Lee said...

anonymous,

Yes, you can just do that, but you will also catch all the traffic where 192.168.0.55 connects to destination port 80, instead of only the conversations where the traffic flows to and from 192.168.0.55 port 80 (the web server condition).

Simply put, if you use that filter, you will capture the traffic when 192.168.0.55 acts as either web client or web server, which is not what I want here.

Cheers ;]
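To make the difference between the post's bidirectional filter and the simpler "host and port 80" expression from the comments concrete, here is an added example (not from the original post) that models both BPF expressions as Python predicates and runs them over constructed 5-tuples; the sample addresses other than 192.168.0.55 are made up.

```python
# Added example: models the two BPF expressions from the post and comments
# over constructed packets, to show where they agree and where they differ.
from dataclasses import dataclass

WEB_SERVER = "192.168.0.55"  # the web server address from the post


@dataclass(frozen=True)
class Packet:
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int


def bidirectional_filter(p: Packet, host: str = WEB_SERVER, port: int = 80) -> bool:
    """(src host H and src port P) or (dst host H and dst port P):
    matches only when H is the server end, i.e. the port-P socket is on H."""
    return (p.src_host == host and p.src_port == port) or \
           (p.dst_host == host and p.dst_port == port)


def host_and_port_filter(p: Packet, host: str = WEB_SERVER, port: int = 80) -> bool:
    """host H and port P: H on either end AND port P on either end.
    This also matches H acting as a *client* to a remote port P."""
    return (p.src_host == host or p.dst_host == host) and \
           (p.src_port == port or p.dst_port == port)


# Constructed sample traffic (hosts other than the web server are made up).
CLIENT_REQUEST = Packet("10.0.0.7", 51234, WEB_SERVER, 80)        # client -> server
SERVER_REPLY = Packet(WEB_SERVER, 80, "10.0.0.7", 51234)          # server -> client
SERVER_AS_CLIENT = Packet(WEB_SERVER, 40001, "203.0.113.9", 80)   # server browsing out
UNRELATED = Packet("10.0.0.7", 51235, "10.0.0.8", 22)             # not web traffic
SAMPLE = [CLIENT_REQUEST, SERVER_REPLY, SERVER_AS_CLIENT, UNRELATED]


def disagreements(packets):
    """Return the packets on which the two expressions give different answers."""
    return [p for p in packets if bidirectional_filter(p) != host_and_port_filter(p)]


if __name__ == "__main__":
    for p in SAMPLE:
        print(p, "bidir:", bidirectional_filter(p), "host+port:", host_and_port_filter(p))
    print("only host+port matches:", disagreements(SAMPLE))
```

The only packet the two filters disagree on is the one where 192.168.0.55 is itself the web client, which is exactly the case the post's filter is written to exclude.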

Anonymous said...

Okay, I understand now. Thanks for setting me straight. :)

C.S.Lee said...

anonymous,

np ;]