[Oisf-users] pfring bpf-filter not working, bug?

Victor Julien lists at inliniac.net
Fri Feb 23 07:29:54 UTC 2018 

On 22-02-18 08:54, Zhou Li wrote:
> suricata 4.0.4 + pfring 6.4.1
> 
> #suricata ... --pfring-int eth0 -F /root/bpf
> 
> #cat /root/bpf
> 
> udp
> 
> #cat /proc/net/pf_ring/22481-eth0.115
> 
> Bound Device(s)    : eth0
> Active             : 1
> Breed              : Standard
> Appl. Name         : mdg
> Socket Mode        : RX+TX
> Capture Direction  : RX+TX
> Sampling Rate      : 1
> IP Defragment      : No
> BPF Filtering      : Enabled
> Sw Filt Hash Rules : 0
> Sw Filt WC Rules   : 0
> Hw Filt Rules      : 0
> Sw Filt Hash Match : 0
> Sw Filt Hash Miss  : 0
> Poll Pkt Watermark : 128
> Num Poll Calls     : 46041
> Channel Id Mask    : 0xFFFFFFFFFFFFFFFF
> Cluster Id         : 10
> Slot Version       : 16 [6.4.1]
> Min Num Slots      : 65538
> Bucket Len         : 1548
> Slot Len           : 1600 [bucket+header]
> Tot Memory         : 104869888
> Tot Packets        : 3087154
> Tot Pkt Lost       : 0
> Tot Insert         : 3087154
> Tot Read           : 3087097
> Insert Offset      : 9215496
> Remove Offset      : 9199056
> Num Free Slots     : 65481
> TX: Send Ok        : 0
> TX: Send Errors    : 0
> Reflect: Fwd Ok    : 0
> Reflect: Fwd Errors: 0
> 
>   I wish suricata watching udp data only, but it didn't work, the tcp
> data is copy into suricata and trigger http log.
> 
> tail -f .../http.log
> 
> 02/22/2018-15:43:27.291247
> 47.97.226.148[**]/heartbeat/device/3C06309PBQGDCB9[**]<useragent
> unknown>[**]218.241.86.18:45455 -> 47.97.226.148:8682
> 02/22/2018-15:43:27.312451
> luyin.porient.com[**]/Heartbeat/default/index/sn/A9618151115A400862[**]<useragent
> unknown>[**]39.85.142.204:58921 -> 218.241.82.83:80
> 02/22/2018-15:43:27.320363 tip.f.360.cn[**]/pagetip/req=0[**]Mozilla/5.0
> (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/55.0.2883.87 Safari/537.36 QIHU 360SE[**]218.241.86.90:30790 ->
> 1.192.137.255:80

Are you monitoring a network with vlans? If so, that might be the issue.
See
https://taosecurity.blogspot.nl/2008/12/bpf-for-ip-or-vlan-traffic.html
on how to use bpf with vlans.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

More information about the Oisf-users mailing list