This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by NetWitness experts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Berkeley Packet Filter (BPF) is not filtering the expected traffic on RSA NetWitness Platform decoders due to VLAN tagging

Article Number

000001797

Applies To

RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: EL6, EL7

Issue

Berkeley Packet Filter or BPF is not filtering the expected traffic on RSA Security Analytics or NetWitness decoders due to VLAN tagging.
A tcpdump or windump filter is not producing the expected output while testing a potential BPF.

BPF has been implemented in Decoder Configuration from ADMIN (for NW11) or Administration (for SA10)->Services-Config for the decoder->General but you're still seeing the sessions in RSA Security Analytics or NetWitness Investigation.

Cause

Per System-level (BPF) packet filtering best practices and examples for RSA NetWitness decoders or the User Guide, BPF filters should be tested using tcpdump or windump prior to implementation to ensure they provide the expected behavior.  In certain instances and on some networks, you might encounter issues where the variables supplied to tcpdump are not presenting the expected output.  This might be due to instances where the network being sniffed is segmented into several VLAN's and the packets are being tagged with a VLAN ID. 

Using the below tcpdump variables, you would expect to see traffic to or from the host 10.20.10.12.  When the packets being sniffed are tagged with VLAN ID's, the below tcpdump statement will yield ZERO results despite traffic originating from or destined to 10.20.10.12:

tcpdump host 10.20.10.12

Therefore, in an adverse query, you would expect to see no results containing 10.20.10.12 with the below tcpdump statement.  As previously mentioned, if the packets being sniffed are tagged with VLAN ID's, the above statement will NOT filter out the traffic and you will see activity to and from 10.20.10.12

tcpdump not (host 10.20.10.12)

 

Resolution

In these instances, you should try combining the current tcpdump variables with the vlan variable to correctly identify this traffic. Modifying the above queries to the below syntax, tcpdump will filter the traffic and output the expected results:

tcpdump (vlan and host 10.20.10.12)
or
tcpdump not (vlan and host 10.20.10.12) 

For example, if you want to block 150.175.0.0/16 traffic which is VLAN 710 tagged, you can use the following bpf rule to achieve this:

!((vlan 710) && (src net 150.175.0.0/16 && dst net 150.175.0.0/16))


Please reference the aforementioned System-level (BPF) packet filtering best practices and examples for RSA NetWitness decoders or the User Guide when creating Berkeley Packet Filters. Should you have any questions or need additional assistance, please contact RSA Support and reference this article ID.

0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2022-02-10 01:12 PM
Updated by:
Administrator Administrator

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.