Bug #2289

closed

af-packet bpf filtering failed to select multiple vlan

Added by Julien Bachmann over 6 years ago. Updated almost 5 years ago.

Status: Closed
Priority: Low

Description

Hello,

  1. Intro
    This issue is not related to Suricata but common to all tools using BPF (e.g. tcpdump).
  2. Problem
    - we are receiving 802.1Q traffic on the interface on which Suricata is listening
    - we only want to inspect traffic on specific VLANs
    - using BPF (af-packet), we tried filtering on 'vlan X or vlan Y' and '(vlan X) or (vlan Y)' but neither worked

We are aware that the problem is due to the BPF code generation, which writes it so that Y is supposed to be encapsulated in X. This is documented in several places, including [1].

Still writing this issue after discussing it w/ Eric Leblond @suricon, in case some (e)BPF-fu can solve this :)

[1] https://taosecurity.blogspot.ch/2008/12/bpf-for-ip-or-vlan-traffic.html
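
The behaviour described in the report, as an added example that is not part of the original issue and is not Suricata or libpcap code: a simplified Python model of how each `vlan` keyword moves the decoding offsets 4 bytes deeper, compared with the outer-tag match the reporter wanted. The frames are constructed, the function names are hypothetical, and the model only inspects on-wire bytes with TPIDs 0x8100 and 0x88a8.

```python
import struct

VLAN_TPIDS = {0x8100, 0x88A8}  # tag ethertypes recognised by this simplified model


def frame(*vlan_ids):
    """Build a constructed Ethernet frame with the given VLAN tags, outermost first."""
    hdr = bytes(12)  # zeroed destination and source MAC
    for vid in vlan_ids:
        hdr += struct.pack("!HH", 0x8100, vid)
    return hdr + struct.pack("!H", 0x0800) + bytes(20)  # IPv4 ethertype, dummy payload


def vlan_at(pkt, offset):
    """Return the VLAN id of a tag starting at `offset`, or None if no tag is there."""
    if offset + 4 > len(pkt):
        return None
    tpid, tci = struct.unpack_from("!HH", pkt, offset)
    return tci & 0x0FFF if tpid in VLAN_TPIDS else None


def keyword_or(pkt, ids):
    """Model of 'vlan A or vlan B ...': the Nth keyword is decoded 4*N bytes deeper,
    so the second id is only ever compared against an inner (encapsulated) tag."""
    return any(vlan_at(pkt, 12 + 4 * depth) == vid for depth, vid in enumerate(ids))


def outer_in(pkt, ids):
    """Intended semantics: the outermost tag is any one of the listed ids."""
    return vlan_at(pkt, 12) in ids


if __name__ == "__main__":
    wanted = [10, 20]
    samples = {"vlan 10": frame(10), "vlan 20": frame(20),
               "10 over 20": frame(10, 20), "99 over 20": frame(99, 20),
               "untagged": frame()}
    for name, pkt in samples.items():
        print(f"{name:12} keyword_or={keyword_or(pkt, wanted)!s:5} "
              f"outer_in={outer_in(pkt, wanted)}")
```

Running it shows the single-tagged VLAN 20 frame being missed by the keyword model while a frame with an unrelated outer tag and inner tag 20 is accepted, which is the mismatch the report describes.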
