Bug #5955

closed

af-packet: duplicate packets when sniffing on loopback interface

Added by Arne Welzel over 1 year ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I've recently come across this snippet in libpcap:

https://github.com/the-tcpdump-group/libpcap/blob/244080f5f9d4f17340041d1f5a3efd278ff08d7b/pcap-linux.c#L1173-L1181

    if (sll->sll_pkttype == PACKET_OUTGOING) {
        /*
         * Outgoing packet.
         * If this is from the loopback device, reject it;
         * we'll see the packet as an incoming packet as well,
         * and we don't want to see it twice.
         */
        if (sll->sll_ifindex == handlep->lo_ifindex)
            return 0;

Zeek's AF_PACKET is being adapted to contain the same logic, discarding packets from loopback.

I think the same would make sense for Suricata. Currently, if you monitor a "single" HTTP request from `curl http://127.0.0.1`, the stats entries show two syns, two synacks and overlap data.
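To make the duplicate-SYN symptom concrete, here is an added example (not from the report, libpcap, Zeek or Suricata) that reproduces the libpcap decision rule against constructed AF_PACKET frame metadata: one loopback SYN that the kernel delivers twice (as PACKET_OUTGOING and again as PACKET_HOST) next to an outgoing SYN on a non-loopback interface that must survive. The ifindex values 1 (lo) and 2 (eth0) are constructed; a real capture would obtain the loopback index with `if_nametoindex("lo")`.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/socket.h>        /* AF_PACKET */
#include <linux/if_packet.h>   /* struct sockaddr_ll, PACKET_OUTGOING, PACKET_HOST */

/* Decision mirroring the libpcap snippet quoted in the report: the outgoing
 * copy of a frame sent on the loopback device is discarded, because the
 * kernel hands the same frame to the socket again as an incoming packet.
 * Returns 1 if the frame should be kept, 0 if it should be dropped.
 * A negative lo_ifindex means "loopback index unknown" and disables the rule. */
int keep_af_packet_frame(const struct sockaddr_ll *sll, int lo_ifindex)
{
    if (sll->sll_pkttype == PACKET_OUTGOING && sll->sll_ifindex == lo_ifindex)
        return 0;
    return 1;
}

/* Constructed ifindex values for this example (not taken from a live system). */
#define LO_IFINDEX   1
#define ETH0_IFINDEX 2

/* Constructed frame metadata in kernel delivery order: one SYN from
 * `curl http://127.0.0.1` seen twice on lo, then one outgoing SYN on eth0. */
static const struct sockaddr_ll sample_frames[] = {
    { .sll_family = AF_PACKET, .sll_ifindex = LO_IFINDEX,   .sll_pkttype = PACKET_OUTGOING },
    { .sll_family = AF_PACKET, .sll_ifindex = LO_IFINDEX,   .sll_pkttype = PACKET_HOST },
    { .sll_family = AF_PACKET, .sll_ifindex = ETH0_IFINDEX, .sll_pkttype = PACKET_OUTGOING },
};
#define SAMPLE_FRAME_COUNT (sizeof(sample_frames) / sizeof(sample_frames[0]))

/* Count the frames that survive the loopback de-duplication rule. */
int count_kept(const struct sockaddr_ll *frames, size_t n, int lo_ifindex)
{
    int kept = 0;
    for (size_t i = 0; i < n; i++)
        kept += keep_af_packet_frame(&frames[i], lo_ifindex);
    return kept;
}

int main(void)
{
    /* Without the rule all three frames reach the engine: the loopback SYN
     * is counted twice. With the rule the duplicate is gone and the
     * eth0 outgoing frame is still kept. */
    printf("without loopback rule: %d frames\n", count_kept(sample_frames, SAMPLE_FRAME_COUNT, -1));
    printf("with loopback rule:    %d frames\n", count_kept(sample_frames, SAMPLE_FRAME_COUNT, LO_IFINDEX));
    return 0;
}
```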
