Bpf_filter not working?

billzy · May 9, 2017, 2:33am

hello ,

Lately I upgrade to use packetbeat version 5.x, I found bpf_filter option not working as previously in packetbeat version 2.x, basically if I set this option in configuration file, I can still see packetbeat which is not qualified with this filter syntax coming in .

the configuration I 'm using is as below,
packetbeat.interfaces.bpf_filter: "host 32.3.1.1 and 32.3.18.101 and port 18001"
then I can still receive packetbeat from another IP address like 32.3.1.4 with port 18001

Any ideas ? or did I miss something ?
thanks for your help in advance.

steffens · May 9, 2017, 1:17pm

Can you enable the sniffer debug log with -d "sniffer"? This should print the BPF filter to be installed with the sniffer during setup.

billzy · May 11, 2017, 7:57am

Thanks for the reply I'll make a test and get back here.

steffens · May 11, 2017, 10:29am

which exact packetbeat version are you using? It might be early 5.x releases actually having a bug not correctly applying the filter.

billzy · May 11, 2017, 12:13pm

the version I'm using is 5.2.3, should I update to the latest version ?

steffens · May 11, 2017, 10:08pm

not sure. maybe you want to try with both version.

billzy · May 17, 2017, 3:34am

I made the test and here is the result,

by applying -d "sniffer", I found the bpf_filter config did not take effect, even if I upgrade to packetbeat 5.4.

and also I found memcache's port 11211 was always on no matter if I annotate the 11211 port in configuration file.

steffens · May 17, 2017, 12:35pm

Thanks for testing. This is clearly a bug. Can you report this on github?

system · June 14, 2017, 12:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.