Bug #5955
Status: closed
af-packet: duplicate packets when sniffing on loopback interface
Description
I've recently come across this snippet in libpcap:
```c
if (sll->sll_pkttype == PACKET_OUTGOING) {
	/*
	 * Outgoing packet.
	 * If this is from the loopback device, reject it;
	 * we'll see the packet as an incoming packet as well,
	 * and we don't want to see it twice.
	 */
	if (sll->sll_ifindex == handlep->lo_ifindex)
		return 0;
```
Zeek's AF_PACKET is being adapted to contain the same logic, discarding packets from loopback.
I think the same would make sense for Suricata. Currently, if you monitor a "single" HTTP request from `curl http://127.0.0.1`, the stats entries show two syns, two synacks and overlap data.
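
The duplicate delivery described in this report, as an added example that is not part of the original report and is neither libpcap's nor Suricata's code: it applies the same outgoing-on-loopback check to constructed AF_PACKET metadata and counts what reaches the decoder with and without it. The helper names, the interface indexes and the sample records are assumptions, as is the model that each loopback frame is delivered once as `PACKET_OUTGOING` and once as `PACKET_HOST`.

```c
#include <linux/if_packet.h> /* struct sockaddr_ll, PACKET_HOST, PACKET_OUTGOING */
#include <stddef.h>
#include <stdio.h>

/* Constructed interface indexes; a real capture would resolve the loopback
 * index at startup, for example with if_nametoindex("lo"). */
#define LO_IFINDEX  1
#define ETH_IFINDEX 2

/* Hypothetical helper: returns 1 to hand the packet to the decoder, 0 to drop
 * it as the outgoing copy of a loopback frame that also arrives as incoming. */
static int keep_packet(const struct sockaddr_ll *sll, int lo_ifindex)
{
    if (sll->sll_pkttype == PACKET_OUTGOING && sll->sll_ifindex == lo_ifindex)
        return 0;
    return 1; /* incoming on lo, or any direction on another interface */
}

/* Constructed AF_PACKET metadata: a TCP handshake on lo with every frame seen
 * twice, plus one outgoing and one incoming frame on a normal interface. */
static const struct sockaddr_ll sample_meta[] = {
    { .sll_ifindex = LO_IFINDEX,  .sll_pkttype = PACKET_OUTGOING }, /* SYN     */
    { .sll_ifindex = LO_IFINDEX,  .sll_pkttype = PACKET_HOST     }, /* SYN     */
    { .sll_ifindex = LO_IFINDEX,  .sll_pkttype = PACKET_OUTGOING }, /* SYN/ACK */
    { .sll_ifindex = LO_IFINDEX,  .sll_pkttype = PACKET_HOST     }, /* SYN/ACK */
    { .sll_ifindex = LO_IFINDEX,  .sll_pkttype = PACKET_OUTGOING }, /* ACK     */
    { .sll_ifindex = LO_IFINDEX,  .sll_pkttype = PACKET_HOST     }, /* ACK     */
    { .sll_ifindex = ETH_IFINDEX, .sll_pkttype = PACKET_OUTGOING }, /* must stay */
    { .sll_ifindex = ETH_IFINDEX, .sll_pkttype = PACKET_HOST     }, /* must stay */
};
#define SAMPLE_COUNT (sizeof(sample_meta) / sizeof(sample_meta[0]))

/* Counts how many records are delivered, with the loopback check on or off. */
static size_t count_delivered(const struct sockaddr_ll *meta, size_t n,
                              int lo_ifindex, int filter_enabled)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (!filter_enabled || keep_packet(&meta[i], lo_ifindex))
            kept++;
    return kept;
}

int main(void)
{
    printf("without check: %zu\n", count_delivered(sample_meta, SAMPLE_COUNT, LO_IFINDEX, 0));
    printf("with check:    %zu\n", count_delivered(sample_meta, SAMPLE_COUNT, LO_IFINDEX, 1));
    return 0;
}
```

The check is keyed on both packet type and interface index, so outgoing traffic on other interfaces is still inspected.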