Network Sensor Berkeley Packet Filter (BPF) syntax

Hello,

I’m looking for some advice on how to use the Berkeley Packet Filter (BPF) configuration option for a Network Sensor to stop certain network traffic being processed by the sensor and appearing in Log Search.

The sensor is a virtual machine in VMware (let’s say its IP address is 192.168.1.10, which it uses to communicate with the Rapid7 Platform) and is configured for the ERSPAN traffic type. The ERSPAN session is configured on a switch in a different building and is monitoring traffic for the subnet 192.168.128.0/24, with the ERSPAN destination set to 192.168.1.10.

What I’d like is for Log Search for this sensor to only show the network traffic for the subnet 192.168.128.0/24, but I’m also seeing network traffic for the subnet 192.168.1.0/24, including things like the traffic between the sensor and the Rapid7 Platform. Is it possible to use the BPF setting to filter out this “local” traffic and if so, does anyone have any examples of how to do this?

Thanks,
Graeme

Hi Graeme, Sensor engineering are going to check this. Will get back to you shortly.

Hi @graeme_hamilton

Sensor team looked at this and it would appear the management interface on the sensor is used for both management and ERSPAN capture. Could you bring up the second interface on this system and assign it an IP address. Change your ERSPAN session to send to this and then change the capture interface in sensor management.

If you still have an issue you could then add “proto gre” in the BPF filter field

Hi @darragh_delaney2, thanks for that - I must admit I was trying to be a bit too minimalist and efficient by trying to do both things on a single interface. I’ve now done as you’ve suggested and moved the management interface to the other NIC and this almost completely eliminated the unexpected traffic appearing in Log Search, although I still saw broadcast traffic to 192.168.1.255.

However, your comment about the BPF filter was enough to confirm for me how to use that feature, so I added a filter and this has now stopped the broadcast traffic from appearing in Log Search. The Network Sensor configuration page gave me a syntax error when I tried “proto gre”, but it accepted “proto 47” instead.

Thanks again for your help,
Graeme

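To make the filter choices in this thread concrete, here is an added example that is not part of the thread and not Rapid7's sensor code: a small Python model of a few pcap-filter (BPF) primitives (`proto`, `ip proto`, `host`, `net`, `src`/`dst`, `and`/`or`/`not`, parentheses) applied to constructed IPv4 packets for the scenario above. The ERSPAN source switch address (192.168.200.1) and the platform address (203.0.113.5) are placeholders, since the thread does not give them, and the rule that `proto` only accepts a number is an assumption that mirrors the behaviour Graeme reported (`proto gre` rejected, `proto 47` accepted), not a statement about libpcap's own name table. It also shows a caveat worth knowing: a filter of `not net 192.168.1.0/24` would drop the ERSPAN tunnel itself, because the GRE packets are addressed to the sensor at 192.168.1.10, whereas `proto 47` keeps only the encapsulated mirror traffic.

```python
"""Offline model of a few pcap-filter (BPF) primitives over constructed IPv4 packets.
Added example: a toy parser, not libpcap and not the Network Sensor's own code."""
import ipaddress
import struct

GRE = 47   # IANA protocol number for GRE; ERSPAN is carried inside GRE
TCP = 6
UDP = 17


def build_ipv4(src, dst, proto, payload=b""):
    """Minimal IPv4 packet: 20-byte header, checksum left at 0 (constructed test input only)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(pkt):
    """Fields the filter primitives need, or None if this is not an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    return {"proto": pkt[9],
            "src": ipaddress.IPv4Address(pkt[12:16]),
            "dst": ipaddress.IPv4Address(pkt[16:20])}


def _dir_match(direction, test):
    """Apply an address test to src, dst, or either side, as the src/dst qualifier asks."""
    if direction == "src":
        return lambda h: test(h["src"])
    if direction == "dst":
        return lambda h: test(h["dst"])
    return lambda h: test(h["src"]) or test(h["dst"])


class FilterParser:
    """expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | primitive"""

    def __init__(self, expr):
        self.toks = expr.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise SyntaxError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = (lambda l, r: lambda h: l(h) or r(h))(node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = (lambda l, r: lambda h: l(h) and r(h))(node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            inner = self.parse_not()
            return lambda h: not inner(h)
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return node
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok == "ip":                   # optional qualifier, as in 'ip proto 47'
            tok = self.take()
        if tok == "proto":
            value = self.take()
            if not value.isdigit():       # assumption mirroring the thread: names rejected, numbers accepted
                raise SyntaxError(f"unknown protocol name {value!r}; use the IANA number (GRE is 47)")
            num = int(value)
            return lambda h: h["proto"] == num
        if tok == "host":
            addr = ipaddress.IPv4Address(self.take())
            return _dir_match(direction, lambda a: a == addr)
        if tok == "net":
            net = ipaddress.IPv4Network(self.take(), strict=False)
            return _dir_match(direction, lambda a: a in net)
        raise SyntaxError(f"unexpected token {tok!r}")


def compile_filter(expr):
    """Turn a filter string into a predicate over raw packets; non-IPv4 packets never match."""
    pred = FilterParser(expr).parse()

    def keep(pkt):
        hdr = parse_ipv4(pkt)
        return hdr is not None and pred(hdr)
    return keep


# Constructed sample traffic for the thread's scenario; switch and platform addresses are placeholders.
SENSOR = "192.168.1.10"
PACKETS = {
    "erspan_from_switch": build_ipv4("192.168.200.1", SENSOR, GRE, b"\x10\x00\x88\xbe"),  # GRE carrying ERSPAN
    "mgmt_to_platform": build_ipv4(SENSOR, "203.0.113.5", TCP),
    "local_broadcast": build_ipv4("192.168.1.20", "192.168.1.255", UDP),
}


def apply_filter(expr, packets=PACKETS):
    """Names of the packets a sensor configured with this BPF filter would keep."""
    keep = compile_filter(expr)
    return sorted(name for name, pkt in packets.items() if keep(pkt))


if __name__ == "__main__":
    for expr in ("proto 47", "ip proto 47 and dst host 192.168.1.10", "not net 192.168.1.0/24"):
        print(f"{expr!r:45} -> {apply_filter(expr)}")
```

Running it shows `proto 47` keeping only the GRE/ERSPAN packet while the platform session and the 192.168.1.255 broadcast are dropped, and `not net 192.168.1.0/24` keeping nothing at all, which is why filtering on the tunnel protocol is the better choice when the sensor's own address sits inside the subnet you want to hide.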