BPF filter seems not working

Question

BPF filter seems not working

githubee opened this issue 7 years ago · 1 comments

Hi,

I have some issues using the BPF filter. My main issue is that I see client and server lookup in the logs mixed (sometimes the packet from resolver is added in log, sometimes the answer to client - which mixes up log format, so I want to use BPF to use only src IP of my host).

I tried -b "src host (my eth0 IP)>" and passivedns started, but I see nothing in passivedns.log. tcpdump shows traffic passing by properly.
I even tried -b "src hosasat foobar" and passivedns started without complaining.
"port 53" works as expected.

Using Debian 9 here.

Edit: By enabling verbose output I was able to see the invalid syntax error on "src hosasat". But still, using "port 53 and src host 1.2.3.4" passivedns doesnt log the DNS traffic. It seems like the packets show up in DNS packets over UDP failed.

Answer 1 · 2017-11-21T16:59:57.000Z

You will have to use BPF that will include both query and response you want to have in the passivedns log, e.g.:
-b "(dst port 53 and dst host 1.2.3.4) or (src port 53 and src host 1.2.3.4)"

Where 1.2.3.4 is IP address of your resolver. Such filter will cover both request and response between the resolver and client but will ignore the communication to upstream nameservers.