[Oisf-users] BPF filter for a mid/high traffic throughput

Carlos Lopez clopmz at outlook.com
Wed Dec 19 06:43:26 UTC 2018

Hi all,

I need to monitor a network with a 4-5GiB traffic throughout per media with one Suricata 4.1.0 (under CentOS 7.6) sensor installed in a host with 64GB RAM and 16 phys cores. To avoid losing packets and/or CPU power analyzing large packets, I am thinking to capture  all client traffic, SYN/FIN packets and the first packet of server responses (for all protocols). For example, for http requests a BPF filter that seems to work is:

(tcp dst port 80 or (tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450))))

Is this approach correct? But If I would do the same for all tcp and udp ports, is this bpf filter ok:
(tcp and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)) or udp) ?

C. L. Martinez

More information about the Oisf-users mailing list