Feature #6832: Support BPFs for filtering pcap output
Status: open
Description
Some users want to use Suricata's full PCAP capture on their network but leverage BPFs to keep DPI enabled while not writing PCAP for a specific filter.
Example:
Server 1 does a nightly backup of 1TB worth of data to Server 2. Using a separate tool for PCAP, we can easily use the BPF `not ((host server1 and host server2) and port 445)` to not write that traffic to disk. Even though we are not writing PCAP, Suricata is still inspecting the traffic and alerting on things between those hosts.
If we were using Suricata for PCAP and used that same BPF, we would no longer be inspecting that traffic.
Basic BPFs using something similar to the metadata filtering rule lingo would be sufficient.
There is also a use case for filtering VXLAN traffic. Those BPFs are a little more complex:
Source IP example:
not ether[76:4] = 0x0a000001 (10.0.0.1)
Destination IP example:
not ether[80:4] = 0x0a000001 (10.0.0.1)
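The `ether[76:4]` / `ether[80:4]` offsets in the request only hold for one specific encapsulation layout: untagged outer Ethernet, outer IPv4 without options, UDP to 4789, an 8-byte VXLAN header and an untagged inner Ethernet frame. The following is an added example, not code from this ticket or from Suricata, that derives those fixed-offset BPF expressions from an inner IPv4 address, checks them against a constructed VXLAN frame, and shows where a fixed offset silently stops matching (an 802.1Q tag or IP options on the outer frame). The frame builder, MAC/IP values and function names are all assumptions made for the example.

```python
"""Added example (not from the ticket or Suricata): fixed-offset VXLAN BPFs.

Layout assumed by the ticket's offsets:
  outer Ethernet (14) + outer IPv4 (20) + UDP (8) + VXLAN (8) + inner Ethernet (14)
  = 64 bytes, so the inner IPv4 source is at 64 + 12 = 76 and destination at 64 + 16 = 80.
"""
import ipaddress
import struct

ETH_LEN, IPV4_MIN_LEN, UDP_LEN, VXLAN_LEN = 14, 20, 8, 8
VXLAN_PORT = 4789
IPV4_FIELD_OFFSET = {"src": 12, "dst": 16}  # offsets inside an IPv4 header


def inner_ipv4_field_offset(field: str) -> int:
    """Fixed offset of the inner IPv4 src/dst field under the assumed layout (76 / 80)."""
    inner_ip_start = ETH_LEN + IPV4_MIN_LEN + UDP_LEN + VXLAN_LEN + ETH_LEN  # 64
    return inner_ip_start + IPV4_FIELD_OFFSET[field]


def bpf_exclude_inner_ipv4(addr: str, field: str) -> str:
    """Build the 'not ether[off:4] = 0x...' expression from the ticket for one address."""
    val = int(ipaddress.IPv4Address(addr))
    return f"not ether[{inner_ipv4_field_offset(field)}:4] = 0x{val:08x}"


def build_vxlan_frame(inner_src: str, inner_dst: str, outer_vlan: bool = False,
                      outer_ip_options: bytes = b"") -> bytes:
    """Constructed sample frame (hypothetical addresses): outer Eth / [802.1Q] / IPv4
    [+options] / UDP 4789 / VXLAN / inner Eth / inner IPv4 (no payload)."""
    assert len(outer_ip_options) % 4 == 0, "IPv4 options must be padded to 32-bit words"

    def ipv4(src, dst, proto, payload, options=b""):
        ihl = 5 + len(options) // 4
        hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                          0, 0x4000, 64, proto, 0,
                          ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
        return hdr + options + payload  # checksum left zero; irrelevant for offsets

    def ethernet(payload, vlan=False):
        macs = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
        tag = struct.pack("!HH", 0x8100, 100) if vlan else b""  # 802.1Q, VLAN 100
        return macs + tag + struct.pack("!H", 0x0800) + payload

    inner = ethernet(ipv4(inner_src, inner_dst, 6, b""))
    vxlan = bytes([0x08, 0, 0, 0, 0x00, 0x00, 0x10, 0x00])  # I flag set, VNI 16
    udp = struct.pack("!HHHH", 40000, VXLAN_PORT, UDP_LEN + len(vxlan) + len(inner), 0)
    outer_payload = udp + vxlan + inner
    return ethernet(ipv4("192.0.2.1", "192.0.2.2", 17, outer_payload, outer_ip_options),
                    vlan=outer_vlan)


def _skip_vlan_tags(frame: bytes, off: int):
    """Read the EtherType at `off`, skipping any 802.1Q/802.1ad tags; return (type, next)."""
    ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    while ethertype in (0x8100, 0x88A8):
        ethertype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    return ethertype, off


def locate_inner_ipv4_header(frame: bytes):
    """Parse the outer headers properly and return the real offset of the inner IPv4
    header, or None if the frame is not IPv4/UDP/VXLAN with an inner IPv4 frame."""
    ethertype, off = _skip_vlan_tags(frame, 12)
    if ethertype != 0x0800:
        return None
    ihl = frame[off] & 0x0F
    if frame[off + 9] != 17:  # not UDP
        return None
    off += ihl * 4
    if struct.unpack_from("!H", frame, off + 2)[0] != VXLAN_PORT:
        return None
    off += UDP_LEN + VXLAN_LEN
    ethertype, off = _skip_vlan_tags(frame, off + 12)
    return off if ethertype == 0x0800 else None


def bpf_fixed_offset_hits(frame: bytes, field: str, addr: str) -> bool:
    """Evaluate 'ether[off:4] = value' exactly as the fixed-offset BPF would."""
    off = inner_ipv4_field_offset(field)
    return struct.unpack_from("!I", frame, off)[0] == int(ipaddress.IPv4Address(addr))


def parsed_inner_hits(frame: bytes, field: str, addr: str) -> bool:
    """Same check, but against the parsed inner header rather than a fixed offset."""
    start = locate_inner_ipv4_header(frame)
    if start is None:
        return False
    off = start + IPV4_FIELD_OFFSET[field]
    return struct.unpack_from("!I", frame, off)[0] == int(ipaddress.IPv4Address(addr))


if __name__ == "__main__":
    print(bpf_exclude_inner_ipv4("10.0.0.1", "src"))
    plain = build_vxlan_frame("10.0.0.1", "10.0.0.2")
    tagged = build_vxlan_frame("10.0.0.1", "10.0.0.2", outer_vlan=True)
    print("plain frame, fixed offset:", bpf_fixed_offset_hits(plain, "src", "10.0.0.1"))
    print("VLAN-tagged frame, fixed offset:", bpf_fixed_offset_hits(tagged, "src", "10.0.0.1"))
    print("VLAN-tagged frame, parsed:", parsed_inner_hits(tagged, "src", "10.0.0.1"))
```

The practical consequence for a capture filter: a `not ether[76:4] = ...` exclusion works only on the exact layout it was computed for, so any 802.1Q tag, outer IPv4 options, or a non-4789 VXLAN port on the capture link means the backup traffic is written to disk anyway, without any error. If the link carries such variants, either compute a second offset set per variant or verify the offsets against a sample of real packets before relying on the filter.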