Traffic Insight: quick reference of commonly used filter expressions
<h1>EVE Pro Network Filter - Complete BPF Filter Expression Reference</h1><p><strong>Document version</strong>: v1.0</p>
<p><strong>Created</strong>: 2026-06-15</p>
<p><strong>Applies to</strong>: EVE-NG Pro 6.4+ / 7.0+</p>
<hr />
<h2>1. Preset protocol list (18 protocols)</h2>
<table>
<thead>
<tr>
<th>Category</th>
<th>Protocol</th>
<th>EVE Pro BPF expression</th>
<th>IPv4/IPv6</th>
<th>Subtypes</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>L2 control plane</strong></td>
<td>STP/BPDU</td>
<td><code>ether dst 01:80:c2:00:00:00 or ether dst 01:00:0c:cc:cc:cd</code></td>
<td>❌ L2</td>
<td>✅ Config/TCN/RSTP</td>
</tr>
<tr>
<td></td>
<td>CDP</td>
<td><code>ether dst 01:00:0c:cc:cc:cc and ether = 0x2000</code></td>
<td>❌ L2</td>
<td>❌</td>
</tr>
<tr>
<td></td>
<td>LLDP</td>
<td><code>ether proto 0x88cc</code></td>
<td>❌ L2</td>
<td>❌</td>
</tr>
<tr>
<td></td>
<td>IS-IS</td>
<td><code>isis</code></td>
<td>❌ L2</td>
<td>✅ Hello/LSP/CSNP/PSNP</td>
</tr>
<tr>
<td></td>
<td>802.1Q</td>
<td><code>vlan</code></td>
<td>❌ L2</td>
<td>❌</td>
</tr>
<tr>
<td><strong>IGP</strong></td>
<td>OSPF</td>
<td><code>ip proto 89</code></td>
<td>✅ v4 + v6</td>
<td>✅ Hello/DBD/LSR/LSU/LSAck</td>
</tr>
<tr>
<td></td>
<td>EIGRP</td>
<td><code>ip proto 88</code></td>
<td>✅ v4 + v6</td>
<td>✅ Update/Query/Reply/Hello</td>
</tr>
<tr>
<td></td>
<td>RIP</td>
<td><code>udp port 520</code></td>
<td>✅ v4 + v6</td>
<td>✅ Request/Response</td>
</tr>
<tr>
<td><strong>ICMP</strong></td>
<td>ICMP</td>
<td><code>icmp</code></td>
<td>✅ v4 + v6</td>
<td>✅ Echo/Dest Unreach/TTL-Exceeded</td>
</tr>
<tr>
<td></td>
<td>Ping</td>
<td><code>icmp = 8 or icmp = 0</code></td>
<td>✅ v4 + v6</td>
<td>✅ Echo Request/Reply</td>
</tr>
<tr>
<td><strong>EGP</strong></td>
<td>BGP</td>
<td><code>tcp port 179</code></td>
<td>✅ v4 + v6</td>
<td>✅ OPEN/UPDATE/NOTIFICATION/KEEPALIVE</td>
</tr>
<tr>
<td><strong>Overlay</strong></td>
<td>VXLAN</td>
<td><code>udp port 4789</code></td>
<td>✅ v4 + v6</td>
<td>✅ VNI match</td>
</tr>
<tr>
<td></td>
<td>LISP</td>
<td><code>udp port 4341 or udp port 4342</code></td>
<td>✅ v4 + v6</td>
<td>✅ Map-Req/Reply/Register</td>
</tr>
<tr>
<td><strong>Tunnel</strong></td>
<td>GRE</td>
<td><code>ip proto 47</code></td>
<td>✅ v4 + v6</td>
<td>❌</td>
</tr>
<tr>
<td><strong>Security</strong></td>
<td>IPsec</td>
<td><code>ip proto 50 or ip proto 51 or (udp and (port 500 or port 4500))</code></td>
<td>✅ v4 + v6</td>
<td>✅ ESP/AH/ISAKMP</td>
</tr>
<tr>
<td><strong>AAA</strong></td>
<td>RADIUS</td>
<td><code>udp and (port 1812 or port 1813 or port 1645 or port 1646)</code></td>
<td>✅ v4 + v6</td>
<td>✅ Auth/Acct</td>
</tr>
<tr>
<td></td>
<td>TACACS+</td>
<td><code>tcp port 49</code></td>
<td>✅ v4 + v6</td>
<td>❌</td>
</tr>
<tr>
<td><strong>Custom</strong></td>
<td>Custom</td>
<td>User-defined BPF</td>
<td>✅</td>
<td>❌</td>
</tr>
</tbody>
</table>
<hr />
<h2>2. BPF filter expressions in detail</h2>
<h3>2.1 L2 control-plane protocols</h3>
<h4><strong>STP / BPDU</strong></h4>
<pre><code class="language-text"># IEEE 802.1D STP + Cisco PVST+/RSTP
ether dst 01:80:c2:00:00:00 or ether dst 01:00:0c:cc:cc:cd
</code></pre>
<p><strong>Subtypes</strong>:</p>
<table>
<thead>
<tr>
<th>Subtype</th>
<th>BPF expression</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Config (0x00)</strong></td>
<td><code>(ether dst 01:80:c2:00:00:00 and ether=0x00) or (ether dst 01:00:0c:cc:cc:cd and ether=0x00) or (vlan and ether dst 01:00:0c:cc:cc:cd and ether=0x00)</code></td>
</tr>
<tr>
<td><strong>TCN (0x80)</strong></td>
<td><code>(ether dst 01:80:c2:00:00:00 and ether=0x80) or (ether dst 01:00:0c:cc:cc:cd and ether=0x80) or (vlan and ether dst 01:00:0c:cc:cc:cd and ether=0x80)</code></td>
</tr>
<tr>
<td><strong>RSTP (0x02)</strong></td>
<td><code>(ether dst 01:80:c2:00:00:00 and ether=0x02) or (ether dst 01:00:0c:cc:cc:cd and ether=0x02) or (vlan and ether dst 01:00:0c:cc:cc:cd and ether=0x02)</code></td>
</tr>
</tbody>
</table>
<hr />
<h4><strong>CDP</strong> (Cisco Discovery Protocol)</h4>
<pre><code class="language-text">ether dst 01:00:0c:cc:cc:cc and ether = 0x2000
</code></pre>
<hr />
<h4><strong>LLDP</strong> (Link Layer Discovery Protocol)</h4>
<pre><code class="language-text">ether proto 0x88cc
</code></pre>
<hr />
<h4><strong>IS-IS</strong></h4>
<pre><code class="language-text">isis
</code></pre>
<p><strong>Subtypes</strong>:</p>
<table>
<thead>
<tr>
<th>Subtype</th>
<th>PDU type</th>
<th>BPF expression</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Hello</strong></td>
<td>15/16/17</td>
<td><code>isis and ((ether & 0x1f) = 15 or (ether & 0x1f) = 16 or (ether & 0x1f) = 17)</code></td>
</tr>
<tr>
<td><strong>LSP</strong></td>
<td>18/20</td>
<td><code>isis and ((ether & 0x1f) = 18 or (ether & 0x1f) = 20)</code></td>
</tr>
<tr>
<td><strong>CSNP</strong></td>
<td>24/25</td>
<td><code>isis and ((ether & 0x1f) = 24 or (ether & 0x1f) = 25)</code></td>
</tr>
<tr>
<td><strong>PSNP</strong></td>
<td>26/27</td>
<td><code>isis and ((ether & 0x1f) = 26 or (ether & 0x1f) = 27)</code></td>
</tr>
</tbody>
</table>
<hr />
<h4><strong>802.1Q</strong> (VLAN)</h4>
<pre><code class="language-text">vlan
</code></pre>
<hr />
<h3>2.2 IGP protocols</h3>
<h4><strong>OSPF</strong></h4>
<pre><code class="language-text"># IPv4
ip proto 89
# IPv6
ip6 proto 89
</code></pre>
<p><strong>Subtypes</strong>:</p>
<table>
<thead>
<tr>
<th>Subtype</th>
<th>Type byte</th>
<th>IPv4 BPF</th>
<th>IPv6 BPF</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Hello</strong></td>
<td>1</td>
<td><code>ip proto 89 and ip[((ip&0xf)<<2)+1]=1</code></td>
<td><code>ip6 proto 89 and ip6=1</code></td>
</tr>
<tr>
<td><strong>DBD</strong></td>
<td>2</td>
<td><code>ip proto 89 and ip[((ip&0xf)<<2)+1]=2</code></td>
<td><code>ip6 proto 89 and ip6=2</code></td>
</tr>
<tr>
<td><strong>LSR</strong></td>
<td>3</td>
<td><code>ip proto 89 and ip[((ip&0xf)<<2)+1]=3</code></td>
<td><code>ip6 proto 89 and ip6=3</code></td>
</tr>
<tr>
<td><strong>LSU</strong></td>
<td>4</td>
<td><code>ip proto 89 and ip[((ip&0xf)<<2)+1]=4</code></td>
<td><code>ip6 proto 89 and ip6=4</code></td>
</tr>
<tr>
<td><strong>LSAck</strong></td>
<td>5</td>
<td><code>ip proto 89 and ip[((ip&0xf)<<2)+1]=5</code></td>
<td><code>ip6 proto 89 and ip6=5</code></td>
</tr>
</tbody>
</table>
<p><strong>Offset calculation</strong>:</p>
<ul>
<li><code>ip&0xf</code> = IHL (IP header length, low 4 bits, in units of 4 bytes)</li>
<li><code>((ip&0xf)<<2)</code> = IP header length in bytes</li>
<li><code>+1</code> = offset of the OSPF Type field</li>
</ul>
<hr />
<h4><strong>EIGRP</strong></h4>
<pre><code class="language-text"># IPv4
ip proto 88
# IPv6
ip6 proto 88
</code></pre>
<p><strong>Subtypes</strong> (⚠️ IPv4 only):</p>
<table>
<thead>
<tr>
<th>Subtype</th>
<th>OpCode</th>
<th>BPF expression</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Update</strong></td>
<td>1</td>
<td><code>ip proto 88 and ip[((ip&0xf)<<2)+1]=1</code></td>
</tr>
<tr>
<td><strong>Query</strong></td>
<td>3</td>
<td><code>ip proto 88 and ip[((ip&0xf)<<2)+1]=3</code></td>
</tr>
<tr>
<td><strong>Reply</strong></td>
<td>4</td>
<td><code>ip proto 88 and ip[((ip&0xf)<<2)+1]=4</code></td>
</tr>
<tr>
<td><strong>Hello/Ack</strong></td>
<td>5</td>
<td><code>ip proto 88 and ip[((ip&0xf)<<2)+1]=5</code></td>
</tr>
<tr>
<td><strong>SIA-Query</strong></td>
<td>10</td>
<td><code>ip proto 88 and ip[((ip&0xf)<<2)+1]=10</code></td>
</tr>
<tr>
<td><strong>SIA-Reply</strong></td>
<td>11</td>
<td><code>ip proto 88 and ip[((ip&0xf)<<2)+1]=11</code></td>
</tr>
</tbody>
</table>
<hr />
<h4><strong>RIP</strong></h4>
<pre><code class="language-text"># IPv4
udp port 520
# IPv6 (RIPng)
udp port 521
</code></pre>
<p><strong>Subtypes</strong> (⚠️ IPv4 only):</p>
<table>
<thead>
<tr>
<th>Subtype</th>
<th>Command</th>
<th>BPF expression</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Request</strong></td>
<td>1</td>
<td><code>udp port 520 and udp=1</code></td>
</tr>
<tr>
<td><strong>Response</strong></td>
<td>2</td>
<td><code>udp port 520 and udp=2</code></td>
</tr>
</tbody>
</table>
<hr />
<h3>2.3 ICMP protocols</h3>
<h4><strong>ICMP</strong></h4>
<pre><code class="language-text"># IPv4
icmp
# IPv6
icmp6
</code></pre>
<p><strong>Subtypes</strong>:</p>
<table>
<thead>
<tr>
<th>Subtype</th>
<th>IPv4 Type</th>
<th>IPv6 Type</th>
<th>IPv4 BPF</th>
<th>IPv6 BPF</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Echo Request</strong></td>
<td>8</td>
<td>128</td>
<td><code>icmp=8</code></td>
<td><code>icmp6 and ip6=128</code></td>
</tr>
<tr>
<td><strong>Echo Reply</strong></td>
<td>0</td>
<td>129</td>
<td><code>icmp=0</code></td>
<td><code>icmp6 and ip6=129</code></td>
</tr>
<tr>
<td><strong>Dest Unreachable</strong></td>
<td>3</td>
<td>1</td>
<td><code>icmp=3</code></td>
<td><code>icmp6 and ip6=1</code></td>
</tr>
<tr>
<td><strong>TTL Exceeded</strong></td>
<td>11</td>
<td>3</td>
<td><code>icmp=11</code></td>
<td><code>icmp6 and ip6=3</code></td>
</tr>
<tr>
<td><strong>Redirect</strong></td>
<td>5</td>
<td>-</td>
<td><code>icmp=5</code></td>
<td>❌</td>
</tr>
</tbody>
</table>
<hr />
<h4><strong>Ping (Echo)</strong></h4>
<pre><code class="language-text"># IPv4
icmp = 8 or icmp = 0
# IPv6
icmp6 and (ip6 = 128 or ip6 = 129)
</code></pre>
<hr />
<h3>2.4 EGP protocols</h3>
<h4><strong>BGP</strong></h4>
<pre><code class="language-text">tcp port 179
</code></pre>
<p><strong>Subtypes</strong> (⚠️ IPv4 only):</p>
<table>
<thead>
<tr>
<th>Subtype</th>
<th>Message type</th>
<th>BPF expression</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>OPEN</strong></td>
<td>1</td>
<td><code>tcp port 179 and tcp[((tcp&0xf0)>>2)+18]=1</code></td>
</tr>
<tr>
<td><strong>UPDATE</strong></td>
<td>2</td>
<td><code>tcp port 179 and tcp[((tcp&0xf0)>>2)+18]=2</code></td>
</tr>
<tr>
<td><strong>NOTIFICATION</strong></td>
<td>3</td>
<td><code>tcp port 179 and tcp[((tcp&0xf0)>>2)+18]=3</code></td>
</tr>
<tr>
<td><strong>KEEPALIVE</strong></td>
<td>4</td>
<td><code>tcp port 179 and tcp[((tcp&0xf0)>>2)+18]=4</code></td>
</tr>
</tbody>
</table>
<p><strong>Offset calculation</strong>:</p>
<ul>
<li><code>tcp&0xf0</code> = TCP Data Offset (high 4 bits, in units of 4 bytes)</li>
<li><code>((tcp&0xf0)>>2)</code> = TCP header length in bytes</li>
<li><code>+18</code> = offset of the Type field in the BGP message header</li>
</ul>
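<p>Worked illustration of the two offset calculations above (the OSPF Type byte reached through IHL, and the BGP Type byte reached through the TCP Data Offset), evaluated in Python on constructed packets; this is an added example, not part of the original reference. The option contents, port numbers and the fixed-offset comparisons (<code>ip[21]</code>, <code>tcp[38]</code>) are this example's own assumptions, chosen to show why the header-length arithmetic is needed.</p>

```python
import struct

# Constructed sample headers (not taken from the reference). BPF's ip[...] and tcp[...]
# index from the start of the IPv4 / TCP header, so the Ethernet header is left out.
ROUTER_ALERT_OPT = b"\x94\x04\x00\x00"           # one 4-byte IPv4 option block (Router Alert)
TCP_TS_OPT = b"\x01\x01\x08\x0a" + b"\x00" * 8   # NOP, NOP, Timestamps: 12 bytes of TCP options


def ipv4_header(proto: int, options: bytes = b"") -> bytes:
    """Minimal IPv4 header; IHL (low nibble of byte 0) grows with the options."""
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options


def tcp_header(options: bytes = b"") -> bytes:
    """Minimal TCP header to port 179; Data Offset (high nibble of byte 12) grows with options."""
    doff = 5 + len(options) // 4
    return struct.pack("!HHIIBBHHH", 40000, 179, 0, 0, doff << 4, 0x18, 0xFFFF, 0, 0) + options


def ospf_packet(ospf_type: int) -> bytes:
    """24-byte OSPFv2 header: version 2, Type, length, router ID, area ID, checksum, auth."""
    return struct.pack("!BBH4s4sHHQ", 2, ospf_type, 24, b"\x01\x01\x01\x01", b"\x00" * 4, 0, 0, 0)


def bgp_message(bgp_type: int) -> bytes:
    """19-byte BGP header: 16-byte all-ones marker, 2-byte length, 1-byte Type."""
    return b"\xff" * 16 + struct.pack("!HB", 19, bgp_type)


def ospf_type_via_bpf(ip_pkt: bytes) -> int:
    """Evaluates ip[((ip[0]&0xf)<<2)+1]: IHL*4 skips the variable-length IP header."""
    return ip_pkt[((ip_pkt[0] & 0xF) << 2) + 1]


def bgp_type_via_bpf(tcp_seg: bytes) -> int:
    """Evaluates tcp[((tcp[12]&0xf0)>>2)+18]: TCP header length, then marker (16) + length (2)."""
    return tcp_seg[((tcp_seg[12] & 0xF0) >> 2) + 18]


def compare_ospf(options: bytes = b"") -> tuple:
    """(IHL-aware read, fixed-offset ip[21] read) of an OSPF Hello (Type 1)."""
    pkt = ipv4_header(89, options) + ospf_packet(1)
    return ospf_type_via_bpf(pkt), pkt[21]


def compare_bgp(options: bytes = b"") -> tuple:
    """(Data-Offset-aware read, fixed-offset tcp[38] read) of a BGP UPDATE (Type 2)."""
    seg = tcp_header(options) + bgp_message(2)
    return bgp_type_via_bpf(seg), seg[38]


if __name__ == "__main__":
    print("OSPF, no IP options:  ", compare_ospf())                  # (1, 1)
    print("OSPF, with IP option: ", compare_ospf(ROUTER_ALERT_OPT))  # (1, 4): fixed offset misreads
    print("BGP, no TCP options:  ", compare_bgp())                   # (2, 2)
    print("BGP, with TCP options:", compare_bgp(TCP_TS_OPT))         # (2, 255): fixed offset misreads
```

The fixed-offset column is only right while the headers have no options; the IHL / Data Offset arithmetic from the tables is what keeps the Type match correct in both cases.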
<hr />
<h3>2.5 Overlay protocols</h3>
<h4><strong>VXLAN</strong></h4>
<pre><code class="language-text"># Basic match
udp port 4789
</code></pre>
<p><strong>VNI match</strong>:</p>
<table>
<thead>
<tr>
<th>Form</th>
<th>Expression</th>
<th>Notes</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>3-byte comparison</strong> (Pro 7.8+)</td>
<td><code>ether == 0xVVVVVV</code></td>
<td>Concise; supported on EVE-NG Pro 7.8</td>
</tr>
<tr>
<td><strong>2+1-byte split</strong> (universal)</td>
<td><code>ether == 0xXXXX and ether == 0xXX</code></td>
<td>Best compatibility</td>
</tr>
</tbody>
</table>
<p><strong>VNI quick lookup</strong>:</p>
<table>
<thead>
<tr>
<th>VNI</th>
<th>Hex</th>
<th>3-byte form</th>
<th>2+1-byte form</th>
</tr>
</thead>
<tbody>
<tr>
<td>10000</td>
<td>0x002710</td>
<td><code>ether == 0x002710</code></td>
<td><code>ether == 0x0027 and ether == 0x10</code></td>
</tr>
<tr>
<td>20000</td>
<td>0x004E20</td>
<td><code>ether == 0x004E20</code></td>
<td><code>ether == 0x004E and ether == 0x20</code></td>
</tr>
<tr>
<td>5001</td>
<td>0x001389</td>
<td><code>ether == 0x001389</code></td>
<td><code>ether == 0x0013 and ether == 0x89</code></td>
</tr>
<tr>
<td>90000</td>
<td>0x015F90</td>
<td><code>ether == 0x015F90</code></td>
<td><code>ether == 0x015F and ether == 0x90</code></td>
</tr>
<tr>
<td>91000</td>
<td>0x016378</td>
<td><code>ether == 0x016378</code></td>
<td><code>ether == 0x0163 and ether == 0x78</code></td>
</tr>
</tbody>
</table>
<p><strong>Complete example</strong> (VXLAN + VLAN + source network):</p>
<pre><code class="language-text"># VXLAN VNI 90000, Tenant-A network 172.16.0.0/16
(src net 172.16.0.0/16 and icmp) or
(udp port 4789 and ether == 0x015F90 and ether == 1) or
(vlan and src net 172.16.0.0/16 and icmp)
</code></pre>
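<p>The VNI conversions of the quick-lookup table above, together with the 2+1-byte split that rule 1 in section 7 requires, as an added Python example that is not part of the original reference. It assumes an untagged Ethernet + IPv4-without-options + UDP outer header, which puts the VNI at frame bytes 46..48; those offsets and the constructed frame are the example's own assumptions.</p>

```python
import struct

# Assumed layout (this example's assumption, not something the reference states):
# untagged Ethernet (14) + IPv4 without options (20) + UDP (8) + VXLAN flags/reserved (4)
# puts the 3-byte VNI at frame bytes 46..48: ether[46:2] = high 16 bits, ether[48] = low 8 bits.
VNI_OFFSET = 46


def vni_bpf_forms(vni: int) -> dict:
    """Hex forms from the VNI table: 3-byte value, plus the 2+1-byte split of rule 1."""
    if not 0 <= vni < (1 << 24):
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return {"hex24": f"0x{vni:06X}", "high16": f"0x{vni >> 8:04X}", "low8": f"0x{vni & 0xFF:02X}"}


def split_expression(vni: int) -> str:
    """The 2+1-byte BPF expression with the assumed byte offsets filled in."""
    f = vni_bpf_forms(vni)
    return (f"udp port 4789 and ether[{VNI_OFFSET}:2] == {f['high16']}"
            f" and ether[{VNI_OFFSET + 2}] == {f['low8']}")


def vxlan_frame(vni: int) -> bytes:
    """Constructed outer frame carrying only a VXLAN header with the given VNI (no inner packet)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"                  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0, 0, 64, 17, 0,
                     b"\xac\x10\x00\x01", b"\xac\x10\x00\x02")       # 172.16.0.1 -> 172.16.0.2, UDP
    udp = struct.pack("!HHHH", 50000, 4789, 16, 0)                   # length = 8 UDP + 8 VXLAN
    vxlan = struct.pack("!II", 0x08000000, vni << 8)                 # I flag set; VNI << 8 | reserved
    return eth + ip + udp + vxlan


def split_matches(frame: bytes, vni: int) -> bool:
    """Emulate the 2+1-byte comparison byte-for-byte on a raw frame."""
    f = vni_bpf_forms(vni)
    high16 = int.from_bytes(frame[VNI_OFFSET:VNI_OFFSET + 2], "big")
    low8 = frame[VNI_OFFSET + 2]
    return high16 == int(f["high16"], 16) and low8 == int(f["low8"], 16)


if __name__ == "__main__":
    for vni in (10000, 20000, 5001, 90000, 91000):                    # the VNIs from the table above
        print(vni, vni_bpf_forms(vni), split_matches(vxlan_frame(vni), vni))
    print(split_expression(90000))
```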
<hr />
<h4><strong>LISP</strong></h4>
<pre><code class="language-text">udp port 4341 or udp port 4342
</code></pre>
<p><strong>Subtypes</strong> (⚠️ IPv4 only):</p>
<table>
<thead>
<tr>
<th>Subtype</th>
<th>Message type</th>
<th>BPF expression</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Map-Request</strong></td>
<td>0x10</td>
<td><code>udp dst port 4342 and (udp&0xf0)=0x10</code></td>
</tr>
<tr>
<td><strong>Map-Reply</strong></td>
<td>0x20</td>
<td><code>udp dst port 4342 and (udp&0xf0)=0x20</code></td>
</tr>
<tr>
<td><strong>Map-Register</strong></td>
<td>0x30</td>
<td><code>udp dst port 4342 and (udp&0xf0)=0x30</code></td>
</tr>
<tr>
<td><strong>Map-Notify</strong></td>
<td>0x40</td>
<td><code>udp dst port 4342 and (udp&0xf0)=0x40</code></td>
</tr>
</tbody>
</table>
<hr />
<h3>2.6 Tunnel protocols</h3>
<h4><strong>GRE</strong></h4>
<pre><code class="language-text"># IPv4
ip proto 47
# IPv6
ip6 proto 47
</code></pre>
<hr />
<h3>2.7 Security protocols</h3>
<h4><strong>IPsec</strong></h4>
<pre><code class="language-text"># IPv4
ip proto 50 or ip proto 51 or (ip and udp and (port 500 or port 4500))
# IPv6
ip6 proto 50 or ip6 proto 51 or (ip6 and udp and (port 500 or port 4500))
</code></pre>
<p><strong>Subtypes</strong>:</p>
<table>
<thead>
<tr>
<th>Subtype</th>
<th>Protocol</th>
<th>IPv4 BPF</th>
<th>IPv6 BPF</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>ESP</strong></td>
<td>50</td>
<td><code>ip proto 50</code></td>
<td><code>ip6 proto 50</code></td>
</tr>
<tr>
<td><strong>AH</strong></td>
<td>51</td>
<td><code>ip proto 51</code></td>
<td><code>ip6 proto 51</code></td>
</tr>
<tr>
<td><strong>ISAKMP/IKE</strong></td>
<td>UDP 500/4500</td>
<td><code>udp and (port 500 or port 4500)</code></td>
<td><code>ip6 and udp and (port 500 or port 4500)</code></td>
</tr>
</tbody>
</table>
<hr />
<h4><strong>RADIUS</strong></h4>
<pre><code class="language-text">udp and (port 1812 or port 1813 or port 1645 or port 1646)
</code></pre>
<p><strong>Subtypes</strong>:</p>
<table>
<thead>
<tr>
<th>Subtype</th>
<th>Port</th>
<th>BPF expression</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Auth</strong></td>
<td>1812/1645</td>
<td><code>udp and (port 1812 or port 1645)</code></td>
</tr>
<tr>
<td><strong>Acct</strong></td>
<td>1813/1646</td>
<td><code>udp and (port 1813 or port 1646)</code></td>
</tr>
</tbody>
</table>
<hr />
<h4><strong>TACACS+</strong></h4>
<pre><code class="language-text">tcp port 49
</code></pre>
<hr />
<h2>3. BPF expression construction guide</h2>
<h3>3.1 Core construction template</h3>
<pre><code class="language-text">(core expression) and (optional condition 1) and (optional condition 2) ...
</code></pre>
<p><strong>Optional conditions</strong>:</p>
<ul>
<li><code>src host <IP></code> - source IP</li>
<li><code>dst host <IP></code> - destination IP</li>
<li><code>src net <CIDR></code> - source network</li>
<li><code>dst net <CIDR></code> - destination network</li>
<li><code>port <N></code> - port</li>
<li><code>tcp</code> / <code>udp</code> / <code>icmp</code> - L4 protocol</li>
</ul>
<h3>3.2 VLAN support (must be added manually)</h3>
<p>If a protocol may be carried inside a VLAN tag, add a VLAN branch manually:</p>
<pre><code class="language-text"># Basic (no VLAN)
udp port 4789 and ether == 0x015F90
# Complete (VLAN supported)
(udp port 4789 and ether == 0x015F90) or (vlan and udp port 4789 and ether == 0x015F90)
</code></pre>
<h3>3.3 In an OR expression, vlan must come last</h3>
<pre><code class="language-text"># ✅ Correct: vlan last
icmp == 8 or (udp port 4789 and ether == 8) or (vlan and icmp == 8)
# ❌ Wrong: vlan in the middle
icmp == 8 or (vlan and icmp == 8) or (udp port 4789 and ether == 8)
</code></pre>
<p><strong>Reason</strong>: the <code>vlan</code> keyword permanently changes the BPF offset register, so every later branch computes its offsets from the wrong base.</p>
<hr />
<h2>4. Practical examples</h2>
<h3>4.1 Example 1: OSPF Hello (IPv4, source IP 10.0.0.1)</h3>
<pre><code class="language-text">(ip proto 89 and ip[((ip&0xf)<<2)+1]=1) and src host 10.0.0.1
</code></pre>
<h3>4.2 Example 2: BGP UPDATE message (IPv4)</h3>
<pre><code class="language-text">tcp port 179 and tcp[((tcp&0xf0)>>2)+18]=2
</code></pre>
<h3>4.3 Example 3: VXLAN VNI 5001</h3>
<pre><code class="language-text"># Basic (no VLAN)
udp port 4789 and ether == 0x001389
# Complete (VLAN supported)
(udp port 4789 and ether == 0x001389) or (vlan and udp port 4789 and ether == 0x001389)
</code></pre>
<h3>4.4 Example 4: Tenant-A ICMP traffic (VXLAN + VLAN + bare packets)</h3>
<pre><code class="language-text"># Tenant-A: VNI 90000, network 172.16.0.0/16
(src net 172.16.0.0/16 and icmp) or
(udp port 4789 and ether == 0x015F90 and ether == 1) or
(vlan and src net 172.16.0.0/16 and icmp)
</code></pre>
<h3>4.5 Example 5: RADIUS Auth + Acct</h3>
<pre><code class="language-text">udp and (port 1812 or port 1813 or port 1645 or port 1646)
</code></pre>
<hr />
<h2>5. Additional protocols not in the presets</h2>
<p>The following protocols are not in the preset list; use a custom BPF expression for them:</p>
<table>
<thead>
<tr>
<th>Protocol</th>
<th>Purpose</th>
<th>BPF expression</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>ARP</strong></td>
<td>Address resolution</td>
<td><code>arp</code> or <code>ether proto 0x0806</code></td>
</tr>
<tr>
<td><strong>NDP</strong></td>
<td>IPv6 address resolution</td>
<td><code>icmp6 and (ip6=135 or ip6=136)</code></td>
</tr>
<tr>
<td><strong>LDP</strong></td>
<td>MPLS label distribution</td>
<td><code>udp port 646</code></td>
</tr>
<tr>
<td><strong>RSVP</strong></td>
<td>MPLS TE</td>
<td><code>ip proto 46</code></td>
</tr>
<tr>
<td><strong>BFD</strong></td>
<td>Bidirectional forwarding detection</td>
<td><code>udp port 3784 or udp port 3785</code></td>
</tr>
<tr>
<td><strong>VRRP</strong></td>
<td>Virtual router redundancy</td>
<td><code>ip proto 112</code></td>
</tr>
<tr>
<td><strong>HSRP</strong></td>
<td>Cisco hot standby</td>
<td><code>udp port 1985</code></td>
</tr>
</tbody>
</table>
<hr />
<h2>6. BPF syntax quick reference</h2>
<h3>6.1 Basic syntax</h3>
<table>
<thead>
<tr>
<th>Syntax</th>
<th>Description</th>
<th>Example</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>host <IP></code></td>
<td>Source or destination IP</td>
<td><code>host 10.0.0.1</code></td>
</tr>
<tr>
<td><code>src host <IP></code></td>
<td>Source IP</td>
<td><code>src host 10.0.0.1</code></td>
</tr>
<tr>
<td><code>dst host <IP></code></td>
<td>Destination IP</td>
<td><code>dst host 10.0.0.2</code></td>
</tr>
<tr>
<td><code>net <CIDR></code></td>
<td>Network</td>
<td><code>net 172.16.0.0/16</code></td>
</tr>
<tr>
<td><code>port <N></code></td>
<td>Port</td>
<td><code>port 179</code></td>
</tr>
<tr>
<td><code>proto <N></code></td>
<td>IP protocol number</td>
<td><code>proto 89</code> (OSPF)</td>
</tr>
<tr>
<td><code>vlan</code></td>
<td>802.1Q tag</td>
<td><code>vlan and ip</code></td>
</tr>
<tr>
<td><code>and</code>/<code>or</code>/<code>not</code></td>
<td>Logical operators</td>
<td><code>ip and tcp and not port 22</code></td>
</tr>
</tbody>
</table>
<h3>6.2 Byte matching</h3>
<table>
<thead>
<tr>
<th>Syntax</th>
<th>Description</th>
<th>Example</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>ip</code></td>
<td>Byte n of the IPv4 header</td>
<td><code>ip</code> = Version + IHL</td>
</tr>
<tr>
<td><code>ip6</code></td>
<td>Byte n of the IPv6 header</td>
<td><code>ip6</code> = first byte after Next Header</td>
</tr>
<tr>
<td><code>tcp</code></td>
<td>Byte n of the TCP header</td>
<td><code>tcp</code> = Data Offset + Flags</td>
</tr>
<tr>
<td><code>udp</code></td>
<td>Byte n of the UDP header</td>
<td><code>udp</code> = LISP Type</td>
</tr>
<tr>
<td><code>ether</code></td>
<td>Byte n of the Ethernet header</td>
<td><code>ether</code> = VXLAN VNI high byte</td>
</tr>
<tr>
<td><code>ip</code></td>
<td>m bytes starting at byte n</td>
<td><code>ip</code> = Source Address</td>
</tr>
<tr>
<td><code>udp</code></td>
<td>m bytes starting at byte n</td>
<td><code>udp</code> = VXLAN header</td>
</tr>
</tbody>
</table>
<h3>6.3 Bitwise operations</h3>
<table>
<thead>
<tr>
<th>Syntax</th>
<th>Description</th>
<th>Example</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>&</code></td>
<td>Bitwise AND</td>
<td><code>ip&0xf</code> = IHL</td>
</tr>
<tr>
<td><code><<</code></td>
<td>Left shift</td>
<td><code>(ip&0xf)<<2</code> = IP header length in bytes</td>
</tr>
<tr>
<td><code>>></code></td>
<td>Right shift</td>
<td><code>(udp>>8)</code> = VNI high 24 bits</td>
</tr>
</tbody>
</table>
<hr />
<h2>7. BPF golden rules</h2>
<h3>Rule 1️⃣: The VNI must be split</h3>
<pre><code class="language-text"># ❌ Wrong: 3-byte comparison
ether == 0x002710
# ✅ Correct: split into 2+1 bytes
ether == 0x0027 and ether == 0x10
</code></pre>
<h3>Rule 2️⃣: In an OR expression, vlan must come last</h3>
<pre><code class="language-text"># ✅ Correct
icmp == 8 or (udp ...) or (vlan and icmp == 8)
# ❌ Wrong
vlan and icmp == 8 or icmp == 8 or (udp ...)
</code></pre>
<h3>Rule 3️⃣: Parentheses isolate scope</h3>
<pre><code class="language-text"># ✅ Recursive nesting: each vlan pointer is independent
arp or (vlan and (arp or (vlan and arp)))
# ❌ Flat expansion: multiple vlan terms side by side scramble the offsets
arp or (vlan and arp) or (vlan and vlan and arp)
</code></pre>
<hr />
<p><strong>Document status</strong>: ✅ Complete</p>