
Duplicated packets when listening on loopback interface #53

Open
awelzel opened this issue Mar 28, 2023 · 0 comments
awelzel commented Mar 28, 2023

When monitoring lo using AF_PACKET, apparently all packets are seen twice: once as incoming and once as outgoing packets.

I ran into this monitoring local HTTP traffic using curl/nginx just now and was a bit surprised by the history field.

$ docker run -d --name nginx --network=host nginx
$ curl http://localhost:80

The zeek -Ci lo LogAscii::use_json=T invocation produces the following conn.log:

{
  "ts": 1680017486.109133,
  "uid": "CEZrEO3CIBpBDh3IQc",
  "id.orig_h": "::1",
  "id.orig_p": 58810,
  "id.resp_h": "::1",
  "id.resp_p": 80,
  "proto": "tcp",
  "service": "http",
  "duration": 0.0011889934539794922,
  "orig_bytes": 73,
  "resp_bytes": 853,
  "conn_state": "SF",
  "local_orig": true,
  "local_resp": true,
  "missed_bytes": 0,
  "history": "ShADadFf",
  "orig_pkts": 7,
  "orig_ip_bytes": 585,
  "resp_pkts": 5,
  "resp_ip_bytes": 1221
}

The zeek -Ci af_packet::lo LogAscii::use_json=T invocation instead shows twice as many packets and bytes, and retransmissions in the history:

{
  "ts": 1680017535.588589,
  "uid": "CQ4XZJ3ISHNAL7p2oe",
  "id.orig_h": "::1",
  "id.orig_p": 58824,
  "id.resp_h": "::1",
  "id.resp_p": 80,
  "proto": "tcp",
  "service": "http",
  "duration": 0.0012431144714355469,
  "orig_bytes": 73,
  "resp_bytes": 853,
  "conn_state": "SF",
  "local_orig": true,
  "local_resp": true,
  "missed_bytes": 0,
  "history": "ShADTadtFf",
  "orig_pkts": 14,
  "orig_ip_bytes": 1170,
  "resp_pkts": 10,
  "resp_ip_bytes": 2442
}

The libpcap code has the following tweak to remove one direction of loopback interface packets:

https://github.com/the-tcpdump-group/libpcap/blob/244080f5f9d4f17340041d1f5a3efd278ff08d7b/pcap-linux.c#L1173-L1181

Found through here.

It would be nice if the packet source would do the same. Monitoring lo might not be a common case, but not overly exotic either.
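As an added example (not code from the plugin or from libpcap), the following C program models what the report above describes and what the libpcap tweak does about it: on the loopback interface AF_PACKET hands every packet up twice, first tagged PACKET_OUTGOING and then PACKET_HOST, so a capture that keeps both copies doubles orig_pkts and resp_pkts (14/10 instead of 7/5 for the curl/nginx connection shown). The filter drops the outgoing copy only when the frame's ifindex is the loopback's, leaving other interfaces untouched. The frame metadata, the loopback ifindex of 1 and the 7+5 packet shape are constructed for the example; on a real TPACKET_V2/V3 ring the pkttype and ifindex would come from the struct sockaddr_ll that follows the tpacket header, and the loopback index from if_nametoindex("lo").

```c
/* Added example, not the plugin's or libpcap's code: shows how a loopback
 * packet is delivered twice by AF_PACKET and how dropping the
 * PACKET_OUTGOING copy on lo makes the per-direction packet counts correct. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#ifdef __linux__
#include <linux/if_packet.h>   /* PACKET_HOST, PACKET_OUTGOING */
#else
/* Kernel values from <linux/if_packet.h>, repeated so the example also
 * builds on non-Linux hosts. */
#define PACKET_HOST     0
#define PACKET_OUTGOING 4
#endif

/* Constructed metadata for one captured frame. On a TPACKET_V2/V3 ring the
 * pkttype and ifindex are read from the struct sockaddr_ll that follows the
 * tpacket header (sll_pkttype, sll_ifindex). */
struct frame {
    int pkttype;      /* PACKET_HOST or PACKET_OUTGOING */
    int ifindex;      /* interface the frame was captured on */
    bool from_orig;   /* true: originator -> responder, false: reply */
};

/* libpcap-style check: an outgoing packet on the loopback interface will be
 * delivered again as incoming, so the outgoing copy is dropped. On any other
 * interface both directions are kept. */
bool drop_loopback_duplicate(const struct frame *f, int lo_ifindex)
{
    return f->pkttype == PACKET_OUTGOING && f->ifindex == lo_ifindex;
}

struct counts { int orig_pkts; int resp_pkts; };

/* Run frames through the optional filter and tally packets per direction,
 * the way conn.log's orig_pkts/resp_pkts would be accumulated. */
struct counts count_packets(const struct frame *frames, size_t n,
                            int lo_ifindex, bool filter)
{
    struct counts c = {0, 0};
    for (size_t i = 0; i < n; i++) {
        if (filter && drop_loopback_duplicate(&frames[i], lo_ifindex))
            continue;
        if (frames[i].from_orig)
            c.orig_pkts++;
        else
            c.resp_pkts++;
    }
    return c;
}

/* Build a constructed loopback capture: every packet shows up first as
 * PACKET_OUTGOING and then as PACKET_HOST. n_orig/n_resp are the true packet
 * counts; the result holds 2 * (n_orig + n_resp) frames. Ordering between the
 * two directions is simplified; it does not affect the counts. */
size_t make_loopback_capture(struct frame *out, size_t cap, int lo_ifindex,
                             int n_orig, int n_resp)
{
    size_t n = 0;
    for (int i = 0; i < n_orig + n_resp && n + 2 <= cap; i++) {
        bool from_orig = i < n_orig;
        out[n++] = (struct frame){PACKET_OUTGOING, lo_ifindex, from_orig};
        out[n++] = (struct frame){PACKET_HOST, lo_ifindex, from_orig};
    }
    return n;
}

int main(void)
{
    const int LO = 1;  /* assumed ifindex of lo; usually 1 on Linux */
    struct frame frames[64];
    /* Same shape as the connection in the report: 7 originator, 5 responder packets. */
    size_t n = make_loopback_capture(frames, 64, LO, 7, 5);
    struct counts raw = count_packets(frames, n, LO, false);
    struct counts dedup = count_packets(frames, n, LO, true);
    printf("without filter: orig_pkts=%d resp_pkts=%d\n", raw.orig_pkts, raw.resp_pkts);
    printf("with filter:    orig_pkts=%d resp_pkts=%d\n", dedup.orig_pkts, dedup.resp_pkts);
    return 0;
}
```

Checking the ifindex rather than filtering every PACKET_OUTGOING frame matters: on a physical interface an outgoing frame is only seen once, so dropping all outgoing traffic there would lose the whole responder direction of locally originated connections.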

@awelzel awelzel self-assigned this Mar 29, 2023
awelzel added a commit that referenced this issue Mar 29, 2023
...we'll see them as incoming again and only pass them up to
Zeek once this way. libpcap is doing it similarly, though
supporting V2 and V3.

Fixes #53
@awelzel awelzel linked a pull request Mar 29, 2023 that will close this issue