[Packetbeat] bpf_filter setting does not work in packetbeat 8.x.

I am using packetbeat (v8.7.0) in my home network and find that the packetbeat.interfaces.bpf_filter setting in packetbeat.yml does not work.

I read the source code and found that the bpf_filter value is not addressed correctly in packetbeat/sniffer/sniffer.go (even in the latest commit).

The bpf_filter value in packetbeat.yml is loaded into an InterfaceConfig instance in sniffer.go, and a sniffer instance uses its 'filter' attribute when executing the openPcap/openAFPacket functions. However, the InterfaceConfig.BpfFilter value is not copied to sniffer.filter, so the 'filter' value passed to the openPcap/openAFPacket functions is always an empty string, and that's why the bpf_filter setting does not work.

Maybe just adding one line is enough to fix this bug (I've not run make testsuite, but the fixed packetbeat executable works in my home as I expected).

diff --git a/packetbeat/sniffer/sniffer.go b/packetbeat/sniffer/sniffer.go
index efb12d045a..73b50771b5 100644
--- a/packetbeat/sniffer/sniffer.go
+++ b/packetbeat/sniffer/sniffer.go
@@ -141,6 +141,7 @@ func New(testMode bool, _ string, decoders Decoders, interfaces []config.Interfa
                }
 
                child.config = iface
+               child.filter = iface.BpfFilter
                s.sniffers[i] = child
        }
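
Review bot: the added `child.filter = iface.BpfFilter` line comes with no regression test, and the post notes the test suite was not run; a unit test that calls New with a non-empty BpfFilter on each interface and checks every child's filter field would keep the setting from silently going unapplied again, which matters because an ignored capture filter means the sniffer captures all traffic on the interface. Since `child.config = iface` on the line above already carries the same value, consider having the open functions read the filter from child.config instead of a second field, so the two cannot drift apart. The hunk header also shows New discarding its second argument as `_ string`; confirm in the PR whether that unused parameter should be removed.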

Could someone fix this?

Hi @md-irohas,

Welcome to the community! Thank you so much for investigating this issue and proposing a fix. We appreciate the details and the effort taken.

We are always happy to accept contributions from the community to make our solutions better in line with our Contribution guidelines on GitHub! Would you be happy to raise an issue and PR with this fix on the @elastic/beats GitHub repo?

Hi Carly,

Thank you for the reply.
OK, I will 🙂
