BPF stands for Berkeley Packet Filter. From https://en.wikipedia.org/wiki/Berkeley_Packet_Filter:

BPF supports filtering packets, allowing a userspace process to supply a filter program that specifies which packets it wants to receive. For example, a tcpdump process may want to receive only packets that initiate a TCP connection. BPF returns only packets that pass the filter that the process supplies. This avoids copying unwanted packets from the operating system kernel to the process, greatly improving performance.


You can modify your BPF configuration by going to Administration –> Configuration –> bpf. You can apply BPF configuration to Stenographer, Suricata, or Zeek.


Multiple Conditions

If your BPF contains multiple conditions you can join them with a logical and or logical or.

Here’s an example of joining conditions with a logical and:

not host and not host

Here’s an example of joining conditions with a logical or:

host or host


If you have traffic that has VLAN tags, you can craft a BPF as follows:

<your filter> or (vlan and <your filter>)

Notice that you must include your filter on both sides of the vlan tag.

For example:

(not (host or host or host or (vlan and (not (host or host or host


Please note that Stenographer should correctly record traffic on a VLAN but won’t log the actual VLAN tags due to the way that AF-PACKET works:

Adding Comments

Starting in Security Onion 2.4.30, comments can be added to the filters via the SOC UI. For example:

# lab-east
not host and not host &&
# lab-west
not host or not host &&
# lab-central
not host or not host

Troubleshooting BPF using tcpdump

More Information