Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BPF Filtering fails for certain link types #2132

Closed
timwoj opened this issue May 25, 2022 · 1 comment · Fixed by #2396
Closed

BPF Filtering fails for certain link types #2132

timwoj opened this issue May 25, 2022 · 1 comment · Fixed by #2396
Assignees
@timwoj
Labels
Area: Packet Capture Type: Enhancement
Milestone
5.1.0

Comments

@timwoj
Copy link
Contributor

timwoj commented May 25, 2022

This is a follow-up to #1995. When loading a pcap with certain link types, libpcap will return an error that looks like this:

fatal error in /Users/tim/Desktop/projects/zeek/scripts/base/frameworks/packet-filter/./main.zeek, line 292: cannot compile BPF filter "ip or not ip": pcap_compile(ip or not ip): IEEE 802.15.4 link-layer type filtering not implemented

This isn't necessarily an error though, it's just that libpcap only implements link-layer filtering for certain link types. See the gen_linktype() method in libpcap at https://github.com/the-tcpdump-group/libpcap/blob/64ed5bbd93520ff63ac735d07ef3514ca0dcdd68/gencode.c#L3190 for a list of what is supported and what isn't. Libpcap doesn't return any sort of error codes or anything about why a filter failed to compile, only an error string. Thankfully that string seems to be fairly stable as of the last 20 years or so (I looked), so we can use the presence of "filtering not implemented" in the error string.

Unfortunately, that's the easy part. We still need to propagate that "failed but not failed" state upwards through the call stack to the original call to Pcap::precompile_pcap_filter in PacketFilter::install in script-land so it can exit cleanly instead of just assuming that every return value of false means a hard failure. On top of that, we need to investigate whether this is something that happens on live traffic as well.
@timwoj timwoj added this to the 5.1.0 milestone May 25, 2022
@timwoj
Copy link
Contributor Author

timwoj commented Aug 11, 2022
edited

For the second part of this, I'm going to opt not to break the existing API for PktSrc::PrecompileBPFFilter. Instead I'm planning to add a method that returns either an enum value or a string for the reason for the failure (I haven't decided which yet). I'm leaning towards a string since that would let third-party packet source plugins implement their own error strings. It'll probably actually need to be a pair<bool,string> that indicates whether the error is catastrophic and the reason. Callers of PrecompileBPFFilter and friends can check for the bool result, and then call that new method if the result is false and handle it appropriately.

The above will require similar changes in BPF_Program but all of that code is in the zeek::iosource::detail namespace so it's not beholden to deprecation rules.

@timwoj timwoj self-assigned this Aug 11, 2022
@timwoj timwoj mentioned this issue Aug 23, 2022
Merged
@timwoj timwoj linked a pull request Sep 2, 2022 that will close this issue
Allow BPF filter compiler to determine severity of errors #2396
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@timwoj timwoj

Labels
Area: Packet Capture Type: Enhancement
Projects
No open projects
Release 5.1
Status: Done
Milestone
5.1.0
Development

Successfully merging a pull request may close this issue.

Allow BPF filter compiler to determine severity of errors zeek/zeek
1 participant
@timwoj