Zeek reporting VLAN IDs above 4095, bug found?

Hi guys,

we were puzzled by VLAN IDs in the conn.log with values > 4095 (it’s a 12-bit value so 4095 is the maximum). One of the most reported values (in our case) was 16413. After some packet capturing and analysis with Wireshark I found this:

Usually the Priority field is 0, meaning ‘best effort’, but occasionally it is set to a value of 2.
If you now take the entire 16-bit value (instead of only the last 12 bits) and convert it to decimal, you get this:
$ bc -q

Zeek version running on that particular system is 5.1.1.

Did I run into a bug?

Friendly regards, John

Hello @0x4A6F686E / John,

Did I run into a bug?

are you using AF_PACKET by any chance? If yes, yes, you’ve found a bug. Thanks for reporting.

The af-packet source uses the full tp_vlan_tci field instead of just the 12 bits that represent the VLAN id, as you explained.

The VLAN parser within Zeek does the right thing and other packet sources have the &FFF also when consuming the AF_PACKET header.

We’ll fix it.

Thanks again,
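The TCI decoding John walked through and the masking Arne describes, as an added example that is not code from the thread or from Zeek. The conn.log records are constructed; the layout assumed is Zeek's default tab-separated ASCII format with a `#fields` header and `-` for unset values.

```python
"""Added example (not from the thread or from Zeek): decode the 16-bit 802.1Q
TCI word and flag the symptom described above (vlan > 4095) in a conn.log."""
from typing import Iterable, NamedTuple

VID_MASK = 0x0FFF      # low 12 bits are the VLAN id, so 4095 is the largest legal id


class Tci(NamedTuple):
    pcp: int           # Priority Code Point, bits 15..13
    dei: int           # Drop Eligible Indicator (formerly CFI), bit 12
    vid: int           # VLAN Identifier, bits 11..0


def decode_tci(tci: int) -> Tci:
    """Split a raw TCI word (e.g. AF_PACKET's tp_vlan_tci) into its fields."""
    if not 0 <= tci <= 0xFFFF:
        raise ValueError("TCI is a 16-bit field")
    return Tci(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & VID_MASK)


def vlan_id(tci: int, mask: bool = True) -> int:
    """mask=True is the correct '& 0xFFF'; mask=False reproduces the reported
    behaviour of taking the whole tp_vlan_tci word as the VLAN id."""
    return tci & VID_MASK if mask else tci


def impossible_vlan_ids(conn_log: Iterable[str], column: str = "vlan") -> list[int]:
    """Distinct vlan values above 4095 in a tab-separated conn.log (Zeek's
    default ASCII writer, '#fields' header, '-' for unset)."""
    idx, seen = None, set()
    for line in conn_log:
        fields = line.rstrip("\n").split("\t")
        if fields[0] == "#fields":
            idx = fields[1:].index(column)
        elif not line.startswith("#") and idx is not None and fields[idx] != "-":
            if int(fields[idx]) > VID_MASK:
                seen.add(int(fields[idx]))
    return sorted(seen)


# Constructed sample records; 16413 is the value from the thread.
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tvlan\tproto",
    "1700000000.1\tC1\t10.0.0.1\t16413\ttcp",
    "1700000000.2\tC2\t10.0.0.2\t29\ttcp",
    "1700000000.3\tC3\t10.0.0.3\t-\tudp",
]

if __name__ == "__main__":
    for bad in impossible_vlan_ids(SAMPLE_CONN_LOG):
        t = decode_tci(bad)
        print(f"vlan={bad}: PCP={t.pcp} DEI={t.dei} real VID={t.vid}")
```

Any value the scan returns is a full TCI word rather than a VLAN id; decoding it recovers the real id (16413 is PCP 2 on VLAN 29), which is the check worth running before hunting for switch misconfigurations.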

Hi Arne,

yes, we are indeed using AF_PACKET. Thanks for your quick response.
Now we are sure we do not have to look for any misconfigurations elsewhere.

Cheers, John
