Use Zeek BPF Filter IPv6 Addresses

Zeek provides the packet-filter framework, which filters network packets using BPF expressions.

There are quite a few examples online, for example 1 and 2, that demonstrate the capability. However, most of them show only IPv4 addresses.

What happens if one tries to filter IPv6 addresses?

To figure it out, I did some tests and found that the framework is also able to filter IPv6 addresses.

Test Setup

Use a traffic generator to produce mixed network traffic as follows:

  • http
    • v4 (src): 10.1.1.0/24, 10.1.2.0/24
    • v6 (src): 10:1:1::0/112, 10:1:2::0/112
  • dns
    • v4 (src): 10.1.3.0/24
    • v6 (src): 10:1:3::0/112

Try to use BPF expressions to filter out both the v4 10.1.2.0/24 and the v6 10:1:2::0/112 addresses. After testing, I found two methods that fulfill the same purpose.

Method 1

By redefining restrict_filters as:

@load base/frameworks/packet-filter

redef restrict_filters += [["ignore-traffic"] = "not (ip6 net 10:1:2::/48 or net 10.1.2.0/24)"];

Since we only need to distinguish 10:1:1:: from 10:1:2::, a 48-bit prefix will do.

Method 2

By calling the exclude function in the zeek_init event:

@load base/frameworks/packet-filter

event zeek_init()
    {
    PacketFilter::exclude("ignore traffic", "ip6 net 10:1:2::/48 or net 10.1.2.0/24");
    }

In this case, there is no need for the not prefix.

Both methods filter out the targeted traffic without affecting the rest of the network packets, which are analyzed and logged correctly.

The conn, http and dns logs are generated with source addresses from 10.1.1.0/24, 10:1:1::0/112, 10.1.3.0/24 and 10:1:3::0/112.
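As an added offline check (my own code, not from the post or the Zeek project): a small evaluator for just the subset of BPF syntax the two filters use (not, or, parentheses, ip/ip6 net CIDR), applied to constructed sample sources from the test setup. It models only the source address, so it ignores that a BPF net qualifier also matches destinations, and it does not compile real BPF.

```python
import ipaddress
import re
# Constructed sample sources, one host per range from the test setup above.
SOURCES = ["10.1.1.7", "10.1.2.7", "10.1.3.7",      # v4 http, http, dns
           "10:1:1::7", "10:1:2::7", "10:1:3::7"]   # v6 http, http, dns

_TOKEN = re.compile(r"\(|\)|[^\s()]+")

def _parse_or(tokens, pos):
    """expr := term ('or' term)*; returns (predicate, next position)."""
    term, pos = _parse_term(tokens, pos)
    terms = [term]
    while pos < len(tokens) and tokens[pos] == "or":
        term, pos = _parse_term(tokens, pos + 1)
        terms.append(term)
    return (lambda ip: any(t(ip) for t in terms)), pos

def _parse_term(tokens, pos):
    """term := 'not' term | '(' expr ')' | ['ip'|'ip6'] 'net' CIDR"""
    tok = tokens[pos]
    if tok == "not":
        inner, pos = _parse_term(tokens, pos + 1)
        return (lambda ip: not inner(ip)), pos
    if tok == "(":
        inner, pos = _parse_or(tokens, pos + 1)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("missing ')'")
        return inner, pos + 1
    if tok in ("ip", "ip6"):  # protocol qualifier, as in the page's 'ip6 net'
        pos, tok = pos + 1, tokens[pos + 1]
    if tok != "net":
        raise ValueError(f"unsupported token {tok!r}")
    net = ipaddress.ip_network(tokens[pos + 1], strict=False)
    # Version check mirrors BPF: an IPv6 'net' never matches an IPv4 packet.
    return (lambda ip: ip.version == net.version and ip in net), pos + 2

def compile_filter(expr):
    """Turn a BPF-style expression into a predicate over one address string."""
    tokens = _TOKEN.findall(expr)
    pred, pos = _parse_or(tokens, 0)
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return lambda addr: pred(ipaddress.ip_address(addr))

def analysed_sources(addrs, restrict=None, exclude=None):
    """Method 1 (restrict_filters) keeps what matches; method 2
    (PacketFilter::exclude) drops what matches. Source address only."""
    keep = compile_filter(restrict) if restrict else (lambda a: True)
    drop = compile_filter(exclude) if exclude else (lambda a: False)
    return [a for a in addrs if keep(a) and not drop(a)]
```

Feeding the two expressions from the methods above into analysed_sources yields the same four surviving sources, and widening the v6 prefix to /32 shows why 48 bits is the shortest prefix that still spares 10:1:1:: and 10:1:3::.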
