BPF Settings for Port Mirroring

Specifying BPF filters for port mirroring will filter the traffic that is mirrored to your Mirror Destination Airwall Gateway. If you do not specify any filters, it will mirror all traffic.

Here are some sample BPF filters:

Filter Mirrored Traffic to Include/Exclude BPF Filter Format Description and Examples
Traffic using a specific IP protocol

ip proto <protocol_to_include>

ip proto not <protocol_to_exclude> 

Mirror only traffic using IP protocol of IPv6. Examples:

Only include IPv6 traffic: 
ip proto 41
do not include IPv4 traffic:
ip proto not 4
All traffic on the specified host host <host_ip> 
host 192.0.2.10
All traffic where the specified host is the source src host <host_ip> 
src host 192.0.2.10
Exclude IP traffic no ip 
no ip
All traffic on the specified port port <port_#> 
port 443
All traffic on the ports in the specified range portrange <port1_#>-<port2_#> 
portrange port 443-450
Specific data
You can combine conditions to narrowly match specific protocols like: 
udp port 10500 and udp[8:4] == 0
This filter matches UDP traffic with a source or destination port of 10500 and the first 32 bits of the UDP payload is zero. This matches HIP (control) protocol traffic excluding tunneled overlay traffic.

Spreadsheet showing the bytes filtered

Match HTTP packets where the payload starts with GET:
tcp port 80 and tcp[20:4] == 1195725856
1195725856 is GET represented as a 32-bit network byte order integer.
Specific devices and protocols Mirror traffic for devices on specific hosts and ports:
ip host 192.0.2.10 and (tcp port 80 or tcp port 443)
ip host 192.0.2.11 and udp port 53
Exclude high bandwidth service or known traffic not (ip net <high_bandwidth_IP address> and tcp port <port_number> Exclude all HTTPS traffic to/from 192.0.2.0/24:
not (ip net 192.0.2.0/24 and tcp port 443)
Note: This filter can also work well with rate limiting. By excluding the known traffic (legitimate), you can mirror all of the other traffic and capture a greater portion of the anomalies with a small throughput and processing overhead.

Port Mirroring BPF Reference

To create your own variations, here are the most useful BPF filter choices:

What to Filter

  • IP host / network
  • IPv6 host / network
  • TCP / UDP port

Logical Operators

  • and
  • or
  • not
Note: Identifiers that are also a keyword must be escaped using a backslash (\). For example: ip proto \icmp. You can also refer to protocols by number. See https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml as a reference. In this case, the above would be ip proto 1.

For more information on BPF filters, refer to one of the BPF references available online, such as https://biot.com/capstats/bpf.html.