Project

General

Profile

Actions
Copy link

Bug #5955

closed

af-packet: duplicate packets when sniffing on loopback interface

Added by Arne Welzel about 1 year ago. Updated 10 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Arne Welzel
Target version:
7.0.0-rc2
Affected Versions:
Effort:
Difficulty:
Label:

Description

I've recently come across this snippet in libpcap:

https://github.com/the-tcpdump-group/libpcap/blob/244080f5f9d4f17340041d1f5a3efd278ff08d7b/pcap-linux.c#L1173-L1181

    if (sll->sll_pkttype == PACKET_OUTGOING) {
        /*
         * Outgoing packet.
         * If this is from the loopback device, reject it;
         * we'll see the packet as an incoming packet as well,
         * and we don't want to see it twice.
         */
        if (sll->sll_ifindex == handlep->lo_ifindex)
            return 0;

Zeek's AF_PACKET is being adapted to contain the same logic, discarding packets from loopback.

I think the same would make sense for Suricata. Currently, if you monitor a "single" HTTP request from `curl http://127.0.0.1`, the stats entries show two syns, two synacks and overlap data.

Actions
Copy link
 #1

Updated by Victor Julien about 1 year ago

  • Subject changed from Duplicated packets when sniffing on loopback interface to af-packet: duplicate packets when sniffing on loopback interface
Actions
Copy link
 #2

Updated by Shivani Bhardwaj 10 months ago

  • Status changed from New to Closed
  • Target version changed from TBD to 7.0.0-rc2
Actions
Copy link

Also available in: Atom PDF