Bpf_filter not working?

Elastic Stack Beats
1

hello ,

Lately I upgrade to use packetbeat version 5.x, I found bpf_filter option not working as previously in packetbeat version 2.x, basically if I set this option in configuration file, I can still see packetbeat which is not qualified with this filter syntax coming in .

the configuration I 'm using is as below,
packetbeat.interfaces.bpf_filter: "host 32.3.1.1 and 32.3.18.101 and port 18001"
then I can still receive packetbeat from another IP address like 32.3.1.4 with port 18001

Any ideas ? or did I miss something ?
thanks for your help in advance.

2

Can you enable the sniffer debug log with -d "sniffer"? This should print the BPF filter to be installed with the sniffer during setup.

3

Thanks for the reply I'll make a test and get back here.

4

which exact packetbeat version are you using? It might be early 5.x releases actually having a bug not correctly applying the filter.

5

the version I'm using is 5.2.3, should I update to the latest version ?

6

not sure. maybe you want to try with both version.

7

I made the test and here is the result,

by applying -d "sniffer", I found the bpf_filter config did not take effect, even if I upgrade to packetbeat 5.4.

and also I found memcache's port 11211 was always on no matter if I annotate the 11211 port in configuration file.

8

Thanks for testing. This is clearly a bug. Can you report this on github?

9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.