[Oisf-users] AF_Packet + Multiple interfaces + BPF oddities
Andrew Thrift
andrew at networklabs.co.nz
Mon Aug 29 03:13:36 UTC 2016
Hi List,
I have Suricata 3.1.1 on Ubuntu Xenial. I have successfully
configured Suricata to use AF_Packet and to listen on multiple
interfaces; however, when I enable BPF filtering on multiple
interfaces, it seems to stop reception of packets on enp2s0, enp3s0
and enp4s0.
e.g. with the following configuration:
  #10Gigabit port1
  - interface: enp1s0
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    bpf-filter: vlan 12
  #10Gigabit port2
  - interface: enp2s0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    bpf-filter: vlan 12
  #1Gbit port1
  - interface: enp3s0
    cluster-id: 100
    cluster-type: cluster_flow
    defrag: yes
    bpf-filter: vlan 11
  #1Gbit port2
  - interface: enp4s0
    cluster-id: 101
    cluster-type: cluster_flow
    defrag: yes
    bpf-filter: vlan 11
Suricata will receive traffic on vlan 12 on enp1s0, but all later
interfaces will NOT "see" packets.
If I remove the BPF filter from enp3s0 and enp4s0 they will start to
receive all packets (including on vlan11), but enp2s0 will NOT see
packets on vlan12.
Is this expected behaviour?
Thank you,
Andrew Thrift