[Oisf-users] BPF filter for a mid/high traffic throughput
Carlos Lopez
clopmz at outlook.com
Wed Dec 19 06:43:26 UTC 2018
Hi all,
I need to monitor a network with 4-5 GiB of traffic throughput per media with one Suricata 4.1.0 (under CentOS 7.6) sensor installed in a host with 64GB RAM and 16 physical cores. To avoid losing packets and/or wasting CPU power analyzing large packets, I am thinking of capturing all client traffic, SYN/FIN packets and the first packet of server responses (for all protocols). For example, for http requests a BPF filter that seems to work is:
(tcp dst port 80 or (tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)))
Is this approach correct? And if I wanted to do the same for all tcp and udp ports, is this bpf filter ok:
(tcp and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)) or udp ?
Regards,
C. L. Martinez
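As an added illustration (not part of the original post), the following Python models the predicate of the port-80 filter above over constructed IPv4/TCP packets: it shows that tcp[((tcp[12:1] & 0xf0) >> 2):4] reads the first four payload bytes after the TCP header, options included, and compares them to 0x48545450 ("HTTP"). The packet builder and all sample packets are constructed here; checksums are left zero.

```python
import struct

HTTP_MAGIC = b"HTTP"  # 0x48545450 in the BPF expression
TH_FIN = 0x01
TH_SYN = 0x02


def parse_ipv4_tcp(frame: bytes):
    """Return (src_port, dst_port, flags, payload) for an IPv4/TCP packet, else None."""
    ihl = (frame[0] & 0x0F) * 4          # IPv4 header length, like libpcap's tcp[] base
    if frame[9] != 6:                     # protocol field: 6 == TCP
        return None
    tcp = frame[ihl:]
    src, dst = struct.unpack("!HH", tcp[:4])
    # Same arithmetic as the filter: (byte 12 & 0xf0) >> 2 == data offset in bytes,
    # so it lands after any TCP options, not just after a fixed 20-byte header.
    doff = (tcp[12] & 0xF0) >> 2
    flags = tcp[13]
    return src, dst, flags, tcp[doff:]


def http_filter(frame: bytes) -> bool:
    """Port-80 filter from the post: all client traffic, server SYN/FIN,
    and server packets whose payload starts with 'HTTP' (first response packet)."""
    parsed = parse_ipv4_tcp(frame)
    if parsed is None:
        return False
    src, dst, flags, payload = parsed
    if dst == 80:
        return True
    if src == 80:
        return bool(flags & (TH_SYN | TH_FIN)) or payload[:4] == HTTP_MAGIC
    return False


def build_packet(src: int, dst: int, flags: int, payload: bytes = b"", options: bytes = b"") -> bytes:
    """Constructed minimal IPv4+TCP packet (no checksums); options must be a multiple of 4 bytes."""
    tcp_len = 20 + len(options)
    tcp_hdr = struct.pack("!HHIIBBHHH", src, dst, 0, 0, (tcp_len // 4) << 4, flags, 65535, 0, 0)
    total = 20 + tcp_len + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip_hdr + tcp_hdr + options + payload
```

A server data packet that is not the first response (payload not starting with "HTTP") is dropped by the filter, which is the intended saving; the version with TCP options shows the offset calculation still finds the payload.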