AF_Packet: Discard OUTGOING packets on loopback

...we'll see them as incoming again and only pass them up to Zeek once this way. libpcap is doing it similarly, though supporting V2 and V3. Fixes #53
zeek · Mar 29, 2023 · 588d4aa · 588d4aa
1 parent bad9d89
commit 588d4aa
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/src/AF_Packet.cc b/src/AF_Packet.cc
@@ -292,6 +292,24 @@ bool AF_PacketSource::ExtractNextPacket(zeek::Packet* pkt)
 		if ( ! rx_ring->GetNextPacket(&packet) )
 			return false;
 
+		// If this is a loopback interface and we're seeing an outgoing
+		// packet, drop it as it'll show up as incoming as well. Previously
+		// this would've caused Zeek to see all packets twice on loopback
+		// interfaces when compared to the normal libpcap based souce.
+		//
+		// The tpacket3_hdr is directly followed by a sockaddr_ll structure
+		// from where we can get the OUTGOING information about the packet.
+		//
+		// https://github.com/the-tcpdump-group/libpcap/blob/244080f5f9d4f17340041d1f5a3efd278ff08d7b/pcap-linux.c#L1173-L1181
+		if ( is_loopback )
+			{
+			const struct sockaddr_ll *sll = (struct sockaddr_ll*)
+				((uint8_t *)packet + TPACKET_ALIGN(sizeof(struct tpacket3_hdr)));
+
+			if ( sll->sll_pkttype == PACKET_OUTGOING )
+				continue;
+			}
+
 		current_hdr.ts.tv_sec = packet->tp_sec;
 		current_hdr.ts.tv_usec = packet->tp_nsec / 1000;
 		current_hdr.caplen = packet->tp_snaplen;