Zeek reporting VLAN id's above 4095, bug found?

0x4A6F686E · April 21, 2023, 12:17pm

Hi guys,

we were puzzled by VLAN id’s in the conn.log with values > 4095 (it’s a 12-bit value so 4095 is the maximum). One of the most reported values (in our case) was 16413. After some packet capturing and analysis with Wireshark I found this:
afbeelding

Usually the Priority field is 0, meaning ‘best effort’ but occasionally is it set to a value of 2.
If you now convert the entire 16 bit value (instead of only the last 12 bits) and convert it to decimal, you get this:
$ bc -q
ibase=2
0100000000011101
16413

Zeek version running on that particular system is 5.1.1.

Did I run into a bug?

Friendly regards, John

awelzel · April 21, 2023, 2:53pm

Hello @0x4A6F686E / John,

Did I run into a bug?

are you using AF_PACKET by any chance? If yes, yes, you’ve found a bug. Thanks reporting.

The af-packet source uses the full tp_vlan_tci field instead of just the 12bits that represent the vlan id as you explained.

github.com

zeek/zeek-af_packet-plugin/blob/master/src/AF_Packet.cc#L299


      
          		if ( !ApplyBPFFilter(current_filter, &current_hdr, data) )
          			{
          			++num_discarded;
          			DoneWithPacket();
          			continue;
          			}
          
          		pkt->Init(props.link_type, &current_hdr.ts, current_hdr.caplen, current_hdr.len, data);
          
          		if ( packet->tp_status & TP_STATUS_VLAN_VALID )
          			pkt->vlan = packet->hv1.tp_vlan_tci & 0x0fff;
          
          #if ZEEK_VERSION_NUMBER >= 50100
          		switch ( checksum_mode )
          			{
          			case BifEnum::AF_Packet::CHECKSUM_OFF:
          				{
          				// If set to off, just accept whatever checksum in the packet is correct and
          				// skip checking it here and in Zeek.
          				pkt->l4_checksummed = true;
          				break;

The VLAN parser within Zeek does the right thing and other packet sources have the &FFF also when consuming the AF_PACKET header.

We’ll fix it.

Thanks again,
Arne

0x4A6F686E · April 21, 2023, 3:07pm

Hi Arne,

yes, we are indeed using AF_PACKET. Thanks for your quick response.
Now we are sure we do not have to look for any misconfigurations elsewhere.

Cheers, John

Topic		Replies	Views
zeek and tcpdump packet mismatch Zeek development	5	546	December 25, 2023
Introducing Zeek 5.2 Announcements blog	0	760	March 6, 2023
Capture packet loss discrepancy Zeek	5	240	May 6, 2022
Need some best practices about event tcp_options Zeek development	1	26	December 25, 2024
Help to detect CVE-2019-11479 Zeek	4	92	May 6, 2022

Zeek reporting VLAN id's above 4095, bug found?

Related topics