|Applies To||RSA NetWitness NextGen|
RSA NetWitness Decoder
RSA NetWitness Investigator
|Issue||BPF is not filtering the expected traffic on RSA NetWitness decoders due to VLAN tagging.|
A tcpdump or windump filter is not producing the expected output while testing a potential Libpcap filter or BPF.
A Libpcap filter or BPF has been implemented in a decoder's capture configuration but you're still seeing the sessions in RSA NetWitness Investigator.
|Cause||Per System-level (BPF) packet filtering best practices and examples for RSA NetWitness decoders, BPF filters should be tested using tcpdump or windump prior to implementation to ensure they provide the expected behavior. In certain instances and on some networks, you might encounter issues where the variables supplied to tcpdump are not presenting the expected output. This might be due to instances where the network being sniffed is segmented into several VLAN's and the packets are being tagged with a VLAN ID. We'll use the Libpcap filter entered into Image 1-1 in the below examples:|
Using the below tcpdump variables, you would expect to see traffic to or from the host 10.20.10.12. When the packets being sniffed are tagged with VLAN ID's, the below tcpdump statement will yield ZERO results despite traffic originating from or destined to 10.20.10.12:
tcpdump host 10.20.10.12
Therefore, in an adverse query, you would expect to see no results containing 10.20.10.12 with the below tcpdump statement. As previously mentioned, if the packets being sniffed are tagged with VLAN ID's, the above statement will NOT filter out the traffic and you will see activity to and from 10.20.10.12
tcpdump not (host 10.20.10.12)
In these instances, you should try combining the current tcpdump variables with the vlan variable to correctly identify this traffic. Modifying the above queries to the below syntax, tcpdump will filter the traffic and ouput the expected results:
For example, if you want to block 18.104.22.168/16 traffic which is VLAN 710 tagged, you can use the following bpf rule to achieve this:
!((vlan 710) && (src net 22.214.171.124/16 && dst net 126.96.36.199/16))
|Legacy Article ID||a58789|