Filtering TLS 1.2 Request using BPF

BPF (Berkeley Packet Filter) is a very powerful packet-matching tool for quickly identifying particular payload patterns. For example, a BPF filter can be written to let only TLS 1.2 requests pass while blocking all traffic that uses a lower protocol version. It took several tries to arrive at a filter that works in most scenarios; here it is:

    tcp[tcp[12]/16*4+5]==0x01 and tcp[tcp[12]/16*4+9:2]!=0x0303

Explanations:

1. Since the TCP header size can vary between 20 and 60 bytes (although 20 and 32 are by far the most common), the exact offset at which the TLS version sits differs from packet to packet and has to be located from the TCP header size.
2. tcp[12] holds the TCP header size (its upper nibble is the data offset, expressed in 32-bit words).
3. tcp[12]/16*4 converts that value into the header length in bytes: dividing by 16 isolates the upper nibble and multiplying by 4 turns 32-bit words into bytes. For example, 0x50 gives 20 bytes while 0x80 gives 32 bytes.
4. offset + 5 matches the Client Hello (1) handshake type byte; we need this to avoid accidentally matching other handshake message types, such as Client Key Exchange.
5. offset + 9...
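To show exactly where the two offsets land, here is an added Python example (not code from the original post) that builds constructed TCP segments with 20-byte and 32-byte headers, each carrying a minimal TLS handshake record, and evaluates the same test the BPF expression performs. The segment builder, the NOP-padded options and the handshake bodies are all assumptions made for the illustration; real Client Hellos carry far more data after the version field, but the filter only ever inspects the first 11 bytes of the payload.

```python
"""Evaluate  tcp[tcp[12]/16*4+5]==0x01 and tcp[tcp[12]/16*4+9:2]!=0x0303
in Python against hand-built TCP segments (constructed sample data)."""
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type matched at offset + 5
TLS_1_2 = 0x0303       # client_version compared at offset + 9 (2 bytes)


def tcp_header_len(tcp):
    """Upper nibble of byte 12 is the data offset in 32-bit words.
    BPF's tcp[12]/16*4 is the same computation: 0x50 -> 20, 0x80 -> 32."""
    return (tcp[12] >> 4) * 4


def build_segment(header_len, handshake_type, client_version):
    """Constructed segment: a TCP header of header_len bytes (20 fixed bytes
    plus NOP options) followed by one TLS record holding a minimal handshake
    message of the given type whose first field is the client version."""
    assert 20 <= header_len <= 60 and header_len % 4 == 0
    hdr = bytearray(struct.pack(
        '!HHIIBBHHH',
        40000, 443,                 # source / destination port
        1, 0,                       # sequence / acknowledgement numbers
        (header_len // 4) << 4,     # byte 12: data offset (words) in upper nibble
        0x18,                       # flags: PSH|ACK
        65535, 0, 0))               # window, checksum, urgent pointer
    hdr += b'\x01' * (header_len - 20)   # TCP NOP options pad to header_len
    # handshake: type (1) + length (3) + client_version (2); nothing else
    body = struct.pack('!B', handshake_type) + b'\x00\x00\x02' \
        + struct.pack('!H', client_version)
    # record header: content type (1) + record version (2) + length (2)
    record = struct.pack('!BHH', TLS_HANDSHAKE, 0x0301, len(body)) + body
    return bytes(hdr + record)


def matches_filter(tcp):
    """True when the segment is a Client Hello whose client_version is not
    TLS 1.2, i.e. the traffic the BPF expression is meant to single out."""
    off = tcp_header_len(tcp)
    if len(tcp) < off + 11:          # BPF would not match a short packet
        return False
    hs_type = tcp[off + 5]           # tcp[off+5]
    version = struct.unpack('!H', tcp[off + 9:off + 11])[0]   # tcp[off+9:2]
    return hs_type == CLIENT_HELLO and version != TLS_1_2


if __name__ == '__main__':
    cases = [
        ('20-byte header, TLS 1.0 Client Hello', build_segment(20, CLIENT_HELLO, 0x0301)),
        ('32-byte header, TLS 1.0 Client Hello', build_segment(32, CLIENT_HELLO, 0x0301)),
        ('32-byte header, TLS 1.2 Client Hello', build_segment(32, CLIENT_HELLO, 0x0303)),
        ('20-byte header, Client Key Exchange', build_segment(20, 0x10, 0x0301)),
    ]
    for label, seg in cases:
        print(f'{label:40s} header={tcp_header_len(seg):2d} matched={matches_filter(seg)}')
```

The same expression can be handed unchanged to tcpdump or any other libpcap-based tool as its filter string. Two caveats worth keeping in mind when deploying it: the filter only sees a Client Hello that starts at the beginning of a TCP segment's payload, and the field it compares is the handshake's client_version, which a TLS 1.3 client sets to 0x0303 as well (TLS 1.3 signals its real version in the supported_versions extension), so the expression treats 1.2 and 1.3 alike.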