The definition can be seen here.
The candidate answer may be tcp and dst port 80, but can tcp and dst port 80 guarantee it's HTTP traffic and include all HTTP traffic?
It seems not, because some sites can be visited by specifying a different port other than 80, this way:
http://domain.name:8080
So my question is: what's the exact BPF for HTTP?
UPDATE
Is there an implementation to verify whether a packet is an HTTP one in C already?
Destination port only:
tcp and dst port 80
Several common destination ports:
tcp and (dst port 80 or dst port 8080 or dst port 443)
Payload begins with "GET " (0x47 0x45 0x54 0x20), assuming a 20-byte TCP header with no options:
tcp and tcp[20:4] = 0x47455420
Same check, with the payload offset taken from the TCP data offset field (tcp[12] >> 4, in 32-bit words) so TCP options are handled:
tcp and tcp[(tcp[12] >> 4) * 4 : 4] = 0x47455420
Port check and payload check combined:
tcp and (dst port 80 or dst port 8080 or dst port 443) and tcp[(tcp[12] >> 4) * 4 : 4] = 0x47455420
BPF is not a stateful packet filter and so any traffic that is on non-standard HTTP ports won't be detectable with BPF. BPF filters at the transport layer and not the application layer, so it just cares about TCP/IP, not the application data encapsulated within TCP/IP packets. Your best bet is to filter on common HTTP ports, 80, 8000, and 8080. Also 443 if you want to account for HTTPS as well.
Wireshark does a decent job of decoding packets and labeling them HTTP where appropriate.
There's no exact BPF for HTTP, because HTTP is not a link-layer protocol. The best way to do this is to choose any traffic that appears likely to be HTTP, and then verify that in your application. You will have to stitch together TCP segments to do so, as data in a particular TCP segment from the middle of a stream does not indicate the application-layer protocol.
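An added example in C (the language the question asks about; not code from any answer above) that does in plain code what the tcpdump expressions tcp[20:4] = 0x47455420 and tcp[(tcp[12] >> 4) * 4 : 4] = 0x47455420 do, and shows two of the limits discussed here: the fixed-offset form misses a request whose segment carries TCP options, and no per-packet check can recognise a segment from the middle of a stream. The frames are constructed inline, and all function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Offset of the TCP payload in an Ethernet/IPv4/TCP frame, or -1 if the frame is
   too short or not IPv4/TCP. IHL is always read from the IP header, as tcpdump's
   tcp[...] indexing does. honor_doff=1 reads the TCP header length from the data
   offset field (tcp[(tcp[12] >> 4) * 4]); honor_doff=0 assumes 20 bytes (tcp[20:4]). */
int tcp_payload_offset(const uint8_t *pkt, size_t len, int honor_doff)
{
    if (len < 34 || pkt[12] != 0x08 || pkt[13] != 0x00) return -1;   /* not IPv4 */
    size_t ihl = (pkt[14] & 0x0f) * 4, tcp = 14 + ihl;
    if (ihl < 20 || pkt[14 + 9] != 6 || len < tcp + 20) return -1;   /* not TCP */
    size_t doff = honor_doff ? (pkt[tcp + 12] >> 4) * 4 : 20;
    if (doff < 20 || tcp + doff > len) return -1;
    return (int)(tcp + doff);
}

/* 1 if the payload begins with a token an HTTP/1.x request or response can begin with.
   Only the first segment of a message carries such a marker; a mid-stream segment gives 0. */
int looks_like_http(const uint8_t *pkt, size_t len, int honor_doff)
{
    static const char *tok[] = { "GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ", "HTTP/1." };
    int off = tcp_payload_offset(pkt, len, honor_doff);
    if (off < 0) return 0;
    for (size_t i = 0; i < sizeof tok / sizeof *tok; i++)
        if (len >= (size_t)off + strlen(tok[i]) && memcmp(pkt + off, tok[i], strlen(tok[i])) == 0) return 1;
    return 0;
}

/* Constructed frame (not a real capture): Ethernet + IPv4 (IHL 5) + TCP with optlen NOP option bytes (multiple of 4, <= 40) + payload. */
size_t build_frame(uint8_t *buf, size_t optlen, const char *payload)
{
    size_t plen = strlen(payload), tcp_len = 20 + optlen, total = 34 + tcp_len + plen;
    memset(buf, 0, total);
    buf[12] = 0x08; buf[13] = 0x00;                 /* EtherType IPv4 */
    buf[14] = 0x45; buf[14 + 9] = 6;                /* IPv4, IHL 5, protocol TCP */
    buf[34 + 12] = (uint8_t)((tcp_len / 4) << 4);   /* TCP data offset, in 32-bit words */
    memset(buf + 34 + 20, 0x01, optlen);            /* NOP option bytes */
    memcpy(buf + 34 + tcp_len, payload, plen);
    return total;
}

/* Build a constructed frame (payload under 200 bytes) and classify it. */
int classify_constructed(size_t optlen, const char *payload, int honor_doff)
{
    uint8_t buf[256]; size_t n = build_frame(buf, optlen, payload);
    return looks_like_http(buf, n, honor_doff);
}
```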