From 03c71cf5889bbb536e01e988ebb0d53a8fdf6820 Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Mon, 18 Jan 2016 14:25:09 -0500
Subject: [PATCH] Create a proper ICMP only BPF filter
---
 CHANGELOG.asciidoc | 1 +
 packetbeat/protos/protos.go | 5 +++--
 packetbeat/protos/protos_test.go | 10 ++++++++++
 3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index dc1d4a196bb..957bf12552d 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -37,6 +37,7 @@ https://github.com/elastic/beats/compare/1.0.0...master[Check the HEAD diff]
 *Packetbeat*
 - Fix setting direction to out and use its value to decide when dropping events if ignore_outgoing is enabled {pull}557[557]
 - Allow PF_RING sniffer type to be configured using pf_ring or pfring {pull}671[671]
+- Create a proper BPF filter when ICMP is the only enabled protocol {issue}757[757]
 *Topbeat*
diff --git a/packetbeat/protos/protos.go b/packetbeat/protos/protos.go
index f3530f8e38b..b122e4eb0e9 100644
--- a/packetbeat/protos/protos.go
+++ b/packetbeat/protos/protos.go
@@ -219,10 +219,11 @@ func (protocols ProtocolsStruct) BpfFilter(with_vlans bool, with_icmp bool) stri
 }
 }
- filter := strings.Join(expressions, " or ")
 if with_icmp {
- filter = fmt.Sprintf("%s or icmp or icmp6", filter)
+ expressions = append(expressions, "icmp", "icmp6")
 }
+
+ filter := strings.Join(expressions, " or ")
 if with_vlans {
 filter = fmt.Sprintf("%s or (vlan and (%s))", filter, filter)
 }
diff --git a/packetbeat/protos/protos_test.go b/packetbeat/protos/protos_test.go
index 19b250339f7..b95926eec78 100644
--- a/packetbeat/protos/protos_test.go
+++ b/packetbeat/protos/protos_test.go
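Review bot: In the `BpfFilter` hunk of `packetbeat/protos/protos.go`, the join can still yield a malformed filter: when `expressions` is empty and `with_icmp` is false, `strings.Join` returns `""` and the `with_vlans` branch formats it into ` or (vlan and ())`. With `with_vlans` false the result is the empty string, and an empty BPF expression normally matches every packet, so a sniffer with nothing enabled would capture all traffic rather than none. A guard before the join, `if len(expressions) == 0 { return "" }`, avoids the malformed VLAN form, and a comment there should state that callers must treat an empty result as "no filter" and decide whether to refuse to start. The code that fills `expressions` and the end of `BpfFilter` lie outside the hunk, so whether a caller already rejects this case cannot be confirmed from here.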
@@ -114,6 +114,16 @@ func newProtocols() Protocols {
 return p
 }
+func TestBpfFilterWithoutVlanOnlyIcmp(t *testing.T) {
+ p := ProtocolsStruct{}
+ p.all = make(map[Protocol]ProtocolPlugin)
+ p.tcp = make(map[Protocol]TcpProtocolPlugin)
+ p.udp = make(map[Protocol]UdpProtocolPlugin)
+
+ filter := p.BpfFilter(false, true)
+ assert.Equal(t, "icmp or icmp6", filter)
+}
+
 func TestBpfFilterWithoutVlanWithoutIcmp(t *testing.T) {
 p := newProtocols()
 filter := p.BpfFilter(false, false)
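Review bot: The new `TestBpfFilterWithoutVlanOnlyIcmp` exercises only `BpfFilter(false, true)`, so the VLAN wrapping of an ICMP-only filter, which passes through the same reordered join, is left unpinned. Adding `assert.Equal(t, "icmp or icmp6 or (vlan and (icmp or icmp6))", p.BpfFilter(true, true))` would cover it; the expected string follows from the `fmt.Sprintf` format shown in the `protos.go` hunk. A one-line comment above the three `make` calls, such as `// no TCP/UDP plugins registered: ICMP is the only source of expressions`, would explain why the fixture bypasses `newProtocols()`. The trailing context function `TestBpfFilterWithoutVlanWithoutIcmp` continues outside the hunk.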