[Oisf-devel] pfring bpf-filter not working, bug?

[Zhou Li]

suricata 4.0.4 + (pfring 6.4.1 or pfring 7.0.0)

#suricata ... --pfring-int eth0 -F /root/bpf

#cat /root/bpf

udp

#cat /proc/net/pf_ring/22481-eth0.115

Bound Device(s)    : eth0
Active             : 1
Breed              : Standard
Appl. Name         : mdg
Socket Mode        : RX+TX
Capture Direction  : RX+TX
Sampling Rate      : 1
IP Defragment      : No
BPF Filtering      : Enabled
Sw Filt Hash Rules : 0
Sw Filt WC Rules   : 0
Hw Filt Rules      : 0
Sw Filt Hash Match : 0
Sw Filt Hash Miss  : 0
Poll Pkt Watermark : 128
Num Poll Calls     : 46041
Channel Id Mask    : 0xFFFFFFFFFFFFFFFF
Cluster Id         : 10
Slot Version       : 16 [6.4.1]
Min Num Slots      : 65538
Bucket Len         : 1548
Slot Len           : 1600 [bucket+header]
Tot Memory         : 104869888
Tot Packets        : 3087154
Tot Pkt Lost       : 0
Tot Insert         : 3087154
Tot Read           : 3087097
Insert Offset      : 9215496
Remove Offset      : 9199056
Num Free Slots     : 65481
TX: Send Ok        : 0
TX: Send Errors    : 0
Reflect: Fwd Ok    : 0
Reflect: Fwd Errors: 0

   with the bpf-filter rule, I wish suricata watching udp data only, but 
it didn't work, the tcp data is copy into suricata and trigger http log.

tail -f .../http.log

02/22/2018-15:43:27.291247 
47.97.226.148[**]/heartbeat/device/3C06309PBQGDCB9[**]<useragent 
unknown>[**]218.241.86.18:45455 -> 47.97.226.148:8682
02/22/2018-15:43:27.312451 
luyin.porient.com[**]/Heartbeat/default/index/sn/A9618151115A400862[**]<useragent 
unknown>[**]39.85.142.204:58921 -> 218.241.82.83:80
02/22/2018-15:43:27.320363 tip.f.360.cn[**]/pagetip/req=0[**]Mozilla/5.0 
(Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/55.0.2883.87 Safari/537.36 QIHU 360SE[**]218.241.86.90:30790 -> 
1.192.137.255:80

bug or wrong config?