Bug #2289: af-packet bpf filtering failed to select multiple vlan - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #2289

closed

af-packet bpf filtering failed to select multiple vlan

Added by Julien Bachmann almost 7 years ago. Updated over 5 years ago.

Status:

Closed

Priority:

Low

Assignee:

Eric Leblond

Target version:

TBD

Affected Versions:

Effort:

Difficulty:

Label:

Description

Hello,

intro
This issue is not related to Suricata but common to all tools using BPF (ex: tcpdump).

problem
- we are receiving 8021q traffic on the interface on which suricata is listening
- we only want to inspect traffic on specific vlan
- using bpf (af-packet), we tried filtering on 'vlan X or vlan Y' and '(vlan X) or (vlan Y)' but neither worked

We are aware that the problem is due to the bpf code generation which writes it so that Y is supposed to be encapsulated in X. This is documented in several places, including [1]

Still writing this issue after discussing it w/ Eric Leblond @suricon, in case some (e)BPF-fu can solve this :)

[1] https://taosecurity.blogspot.ch/2008/12/bpf-for-ip-or-vlan-traffic.html

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #2289

af-packet bpf filtering failed to select multiple vlan

Updated by Andreas Herz almost 7 years ago

Updated by Eric Leblond almost 7 years ago

Updated by Julien Bachmann over 6 years ago

Updated by Eric Leblond about 6 years ago

Updated by Victor Julien about 6 years ago

Updated by Eric Leblond almost 6 years ago

Updated by Andreas Herz over 5 years ago