Bpf not working with erspan with af_packet or pfring


I’m working with a few erspan flows to various sensors. I recently needed to use a bpf filter to exclude traffic (in addition to a few pass rules, which work to bypass rules just fine with erspan).

I noticed that no bpf rules would apply (include, exclude, etc). Upon further investigating, if I strip the erspan header off with rcdcap to a virtual interface suricata monitors, the traffic is filtered correctly through bpf and works. Once erspan header is back, it no longer works.

I sense that bpf is applied before erspan decoder which is why pass rules work but bpf does not. Perhaps a ticket should be entered to have this addressed?

I looked at setting up an erspan decoder interface in Linux, however I haven’t had much success (it won’t pick up packets). I’ll keep trying, however, long term, I’d prefer to keep the header since processing of erspan downstream in suricata decodes just fine.

While great, rcdcap is not an option for most of the environment I’m using.

Details on what environment I tested in:

  • suricata 5.0.3, 6.03
  • linux 4.19, linux 5.15.2
  • af_packet, pfring
  • type II erspan

Any suggestions or if others have this problem, please post here.

Did you try to create a bpf filter that matches ERSPAN and the traffic within it that you want to exclude? For example this would work for GRE as well like “proto GRE & host”.

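An added example (not part of any post in this thread, and not Suricata code) of the kind of filter suggested above: pcap primitives such as `host` only look at the outer IP header, so matching the mirrored traffic inside ERSPAN Type II means comparing bytes at fixed offsets. It assumes an outer IPv4 header without options, GRE with a sequence number, and an untagged inner Ethernet/IPv4 frame; all function names and addresses are constructed for illustration.

```python
import ipaddress
import struct

ETH_LEN = 14              # untagged Ethernet header (assumption: no 802.1Q tag)
GRE_SEQ_LEN = 8           # GRE base header (4) + sequence number (4), as ERSPAN Type II uses
ERSPAN2_LEN = 8           # ERSPAN Type II header
GRE_PROTO_ERSPAN2 = 0x88BE

def inner_ip_offsets(outer_ihl=5):
    """Offsets of the inner IPv4 src/dst, counted from the start of the outer IPv4 header."""
    inner_ip = outer_ihl * 4 + GRE_SEQ_LEN + ERSPAN2_LEN + ETH_LEN
    return inner_ip + 12, inner_ip + 16

def erspan2_host_filter(host, outer_ihl=5):
    """pcap filter text matching ERSPAN Type II packets whose inner src or dst is `host`."""
    addr = int(ipaddress.IPv4Address(host))
    src, dst = inner_ip_offsets(outer_ihl)
    return (f"ip proto 47 and ip[{outer_ihl * 4 + 2}:2] = 0x{GRE_PROTO_ERSPAN2:04x} and "
            f"(ip[{src}:4] = 0x{addr:08x} or ip[{dst}:4] = 0x{addr:08x})")

def _ipv4(src, dst, proto, payload):
    # Minimal IPv4 header, checksum left at 0 (constructed test data only).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def build_sample_frame(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed frame: Ethernet / IPv4 / GRE+seq / ERSPAN II / Ethernet / IPv4."""
    eth = bytes.fromhex("020000000001" "020000000002" "0800")
    inner = eth + _ipv4(inner_src, inner_dst, 17, b"\x00" * 8)
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN2, 1)   # S bit set, sequence 1
    erspan = struct.pack("!HHI", 0x1000 | 100, 1, 0)          # version 1, VLAN 100, session 1
    return eth + _ipv4(outer_src, outer_dst, 47, gre + erspan + inner)

def inner_hosts(frame):
    """Read the inner addresses at the same offsets the generated filter compares."""
    ip = frame[ETH_LEN:]
    src, dst = inner_ip_offsets(ip[0] & 0x0F)
    return tuple(str(ipaddress.IPv4Address(ip[o:o + 4])) for o in (src, dst))

if __name__ == "__main__":
    frame = build_sample_frame("198.51.100.1", "198.51.100.2", "192.0.2.10", "192.0.2.20")
    print(inner_hosts(frame))
    print("not (" + erspan2_host_filter("192.0.2.10") + ")")
```

Wrapping the expression in `not (...)` gives the exclude form. The offsets shift if the outer IP header carries options or the mirrored frame is VLAN-tagged, so check them against a capture before relying on the filter.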

I will give this a shot and report back. Running tcpdump, I only see GRE and the IP is from Cisco device to target interface IP on the scanner appliance.

No luck with added GRE proto to the bpf unfortunately.

I’ve tried the virtual interface option here: http://vger.kernel.org/lpc_net2018_talks/erspan-linux-presentation.pdf

It will mirror the traffic, however it remains encapsulated on the erspan interface unfortunately. Running Debian kernel 4.19. I’ll see if I can get the ebpf going at some point and post an update.

Seems like this problem has come up before: https://www.reddit.com/r/networking/comments/i2h03w/erspan_decapsulation_on_linux/

Do you see a chance to craft an example pcap to share? Maybe there are some differences in implementations but loading it up in wireshark might help to get an idea how a bpf filter might work

This sounds like the traffic might be ERSPAN Type I – is that possible?

In Suricata 5.0.3, ERSPAN Type II is enabled (by default); Type I is disabled (by default).

Enable with --set decoder.erspan.typeI.enabled = true (command line) or in the Suricata configuration file.

If it is Type 1, are there any stats showing ERSPAN events? See the event.ipv4 node in the stats (eve.json).

Thanks Andreas.

I will work on getting a sample from our lab later this week for a pcap. Unfortunately this traffic is not an option to share, even if I obfuscate it :unamused:

Thank you Jeff, I believe it is type II (will confirm of course), it appears that suricata itself decodes it fine (from Cisco Nexus and Catalyst sources), I believe the bpf magic happens before the decoding in suricata. I will check tomorrow though and get back to you with what I see.

Also, I will do some more exploring with this, testing with latest stable version of suricata in our lab (will also be running 5.15 linux kernel); may be able to pull a pcap for @Andreas_Herz this way too, we’ll see what that gets us.

Thank you both for your help on this! :clap:t2: