BPF Tools

Introductory blog posts:

Here you can find a set of tools for analyzing and processing pcap traffic dumps. The aim of these tools is to help create BPF rules that will match (and drop) malicious traffic.

To run these scripts you will need:

  • Kernel headers (ideally from a 3.10+ kernel):

     $ sudo apt-get install linux-headers-generic
  • Installed dependencies:

     $ sudo apt-get install python-setuptools libpcap-dev \
                            libreadline-dev binutils-dev bison flex
     $ sudo easy_install pcappy
  • Build the binary tools in linux_tools directory:

     $ make

The BPF Tools repository contains a number of simple Python scripts; some of them focus on analyzing pcap files, others focus more on BPF itself:

  • pcap2hex, hex2pcap
  • parsedns
  • bpfgen
  • filter
  • iptables_bpf, iptables_bpf_chain


The core script is bpfgen which generates the BPF bytecode. For more information please read:

$ ./bpfgen --help
$ ./bpfgen dns -- --help
$ ./bpfgen dns_validate -- --help
$ ./bpfgen suffix -- --help


The iptables_bpf script generates a simple bash script containing iptables rules that drop traffic based on the selected parameters.

For example, to generate a script that drops packets for exactly the domain "", you can run:

$ ./iptables_bpf dns --
Generated file ''

If you want commands for IPv6 use -6 flag:

$ ./iptables_bpf -6 dns --
Generated file ''

The rule can match any of a number of listed domains:

$ ./iptables_bpf dns --
Generated file ''

If you want to match any subdomain you can use a star '*'. This will only work if the star is the only character in a domain label. Valid examples:

$ ./iptables_bpf dns -- *
Generated file ''

$ ./iptables_bpf dns -- *.example.*
Generated file ''
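As an added illustration (not code from the bpftools repository), the following Python emulates the per-label comparison that an iptables_bpf dns rule applies to the query name in DNS wire format, including the whole-label '*' wildcard; the sample query, the domain www.example.com and the helper names are constructed here and are not part of the tool.

```python
# Added illustration, not bpftools code: emulate in Python the label-by-label
# QNAME match that an iptables_bpf "dns" rule performs, so the whole-label
# '*' restriction from the README can be seen on a concrete packet.
import struct

def encode_qname(domain):
    """Encode a dotted name into DNS wire format: length-prefixed labels."""
    out = b""
    for label in domain.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def parse_qname(payload, offset=12):
    """Return the QNAME labels of a DNS message (offset 12 skips the header).
    Labels are lower-cased here for illustration."""
    labels = []
    while True:
        length = payload[offset]
        if length == 0:
            return labels
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii").lower())
        offset += length

def matches(pattern, labels):
    """Compare pattern and QNAME label by label. A '*' stands for exactly one
    whole label (as the README requires): a length-prefixed label can then be
    skipped as a unit instead of being scanned character by character."""
    plabels = pattern.strip(".").lower().split(".")
    if len(plabels) != len(labels):
        return False
    return all(p == "*" or p == l for p, l in zip(plabels, labels))

def build_query(domain, qid=0x1234):
    """Constructed sample: a minimal DNS query (one question, type A, class IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(domain) + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(matches("*.example.*", parse_qname(q)))  # True
    print(matches("*.example.*", parse_qname(build_query("example.com"))))  # False
```

Note that "example.com" does not match "*.example.*": each star consumes exactly one label, so the pattern needs three labels.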

You can run the generated script to apply the rule and match it against one or more flooded IP addresses:

$ sudo ./

To remove the iptables rule, simply specify --delete:

$ sudo ./ --delete


BPF Tools - packet analyst toolkit
