Bpf not working with erspan with af_packet or pfring


I’m working with a few erspan flows to various sensors. I recently needed to use a bpf filter to exclude traffic (in addition to a few pass rules, which work to bypass rules just fine with erspan).

I noticed that no bpf rules would not apply (include, exlcude, etc). Upon further investigating, if I strip the erspan header off with rcdcap to a virtual interface suricata monitors, the traffic is filtered correctly through bpf and works. Once erspan header is back, it no longer works.

I sense that bpf is applied before erspan decoder which is why pass rules work but bpf does not. Perhaps a ticket should be entered to have this addressed?

I looked at setting up an erspan decoder interface in Linux, however I haven’t had much success (it won’t pick up packets). I’ll keep trying, however, long term, I’d prefer to keep the header since processing of erspan downstream in suricata decodes just fine.

While great, rcpdcap is not an option for most of the environment I’m using.

Details on what environment I tested in:

  • suricata 5.0.3, 6.03
  • linux 4.19, linux 5.15.2
  • af_packet, pfring
  • type II erspan

Any suggestions or if others have this problem, please post here.

DId you try to create a bpf filter that matches ERSPAN and the traffic within it that you want to exclude? For example this would work for GRE as well like “proto GRE & host”.

1 Like

I will give this a shot and report back. Running tcpdump, I only see GRE and the IP is from Cisco device to target interface IP on the scanner appliance.

No luck with added GRE proto to the bpf unfortantely.

I’ve tried the virtual interface option here: http://vger.kernel.org/lpc_net2018_talks/erspan-linux-presentation.pdf

It will mirror the traffic, however it remains encapsulated on the erspan interface unfortunately. Running Debian kernel 4.19. I’ll see if I can get the ebpf going at some point and post an update.

Seems like this problem has come up before: https://www.reddit.com/r/networking/comments/i2h03w/erspan_decapsulation_on_linux/

Do you see a chance to craft an example pcap to share? Maybe there are some differences in implementations but loading it up in wireshark might help to get an idea how a bpf filter might work

This sounds like the traffic might be ERSPAN Type I – is that possible?

In Suricata 5.0.3, ERSPAN Type II is enabled (by default); Type I is disabled (by default).

Enable with --set decoder.erspan.typeI.enabled = true (command line) or in the Suricata configuration file.

If it is Type 1, are there any stats showing ERSPAN events? See the event.ipv4 node in the stats (eve.json).

Thanks Andreas.

I will work on getting a sample from our lab later this week for a pcap. Unfortunately this traffic is not an option to share, even if I obfuscate it :unamused:

Thank you Jeff, I believe it is type II (will confirm of course), it appears that suricata itself decodes it fine (from Cisco Nexus and Catalyst sources), I believe the bpf magic happens before the decoding in suricata. I will check tomorrow though and get back to you with what I see.

Also, I will do some more exploring with this, testing with latest stable version of suricata in our lab (will also be running 5.15 linux kernel); may be able to pull a pcap for @Andreas_Herz this way too, we’ll see what that gets us.

Thank you both for your help on this! :clap:t2:

Do you have a change to look into the traffic with wireshark/termshark to dig into that?
I have seen setups with traffic coming from those devices, so I would argue it should be possible. I had sucess with bpf filters on some specific lower layer protocols.

Another idea would be to check what NIC you use and what settings are set.

1 Like

My apologies for the lateness, something came up early last week, and then the fun Friday Java stuff :upside_down_face:

I believe it is Type II:

I’m hopefully for some testing tomorrow with latest version of suricata - newer kernel, will keep you posted.

It’s a vnic, emulated Intel in esxi.

I did some more poking today in my test lab, it’s not ignoring the traffic to a test DNS server (by IP in BPF). This is in suricata 6.0.4, and 5.15.11 kernel.

So, to confirm @Andreas_Herz, you are able to get bpf (not eBPF) filters to work with erspan traffic, correct?

I don’t have the system available anymore that had this traffic, so I can’t confirm it 100%
But if you don’t get the ERSPAN traffc if you run tcpdump with proto 0x2f or proto gre it doesn’t seem to work or something else is off.