arp packet found in pcap file on tls -m pcap mode #673

Closed
chilli13 opened this issue Nov 25, 2024 · 7 comments · Fixed by #680
Labels
help wanted (Extra attention is needed), question (Further information is requested)

Comments

@chilli13

Describe the bug
When using tls -m pcap mode, ARP packets are found in the resulting pcap file. The problem occurs whether or not capture filter parameters are specified. Is this a bug?

To Reproduce
./ecapture tls -m pcap -i ens1f0 --pcapfile=all.pcap

# tcpdump -nn -r all.pcap  'arp'
reading from file all.pcap, link-type EN10MB (Ethernet)
dropped privs to tcpdump
15:52:03.990048 ARP, Request who-has 192.168.10.108 tell 192.168.10.1, length 46
15:52:05.003197 ARP, Request who-has 192.168.10.108 tell 192.168.10.1, length 46
15:52:07.003957 ARP, Request who-has 192.168.10.108 tell 192.168.10.1, length 46
15:52:07.324029 ARP, Request who-has 192.168.10.108 tell 192.168.10.1, length 46

os info

# cat /etc/os-release 
NAME="openEuler"
VERSION="22.03 (LTS-SP4)"
ID="openEuler"
VERSION_ID="22.03"
PRETTY_NAME="openEuler 22.03 (LTS-SP4)"
ANSI_COLOR="0;31"

# uname -a
Linux zhm-cd-vm 5.10.0-216.0.0.115.oe2203sp4.x86_64 #1 SMP Thu Jun 27 15:13:44 CST 2024 x86_64 x86_64 x86_64 GNU/Linux

# ecapture -v
eCapture version:	linux_amd64:v0.8.9:6.5.0-1025-azure
@cfc4n cfc4n added help wanted Extra attention is needed question Further information is requested labels Nov 26, 2024
@cfc4n
Member

cfc4n commented Nov 26, 2024

Sorry, I don't understand. What problem are you referring to?

@chilli13
Author

ARP has nothing to do with TLS, so why are ARP packets found in pcap files under tls -m pcap? I think this is abnormal.

@cfc4n
Member

cfc4n commented Nov 27, 2024

eCapture supports pcapfilter syntax, and by default will capture traffic on all ports of the target network interface. If you only need to capture TLS traffic, please use pcapfilter syntax and set the port to be captured. see ecapture tls --help for more detail.

@chilli13
Author

Even when pcapfilter syntax is used, ARP packets are still captured, which should not be the expected behavior. This behavior is easy to reproduce. Looking forward to your reply. Thank you.

# ecapture tls -m pcap -i ens224np1 tcp and port 443 --pcapfile=tcp-443.pcap
2024-11-27T10:53:17+08:00 INF AppName="eCapture(旁观者)"
2024-11-27T10:53:17+08:00 INF HomePage=https://ecapture.cc
2024-11-27T10:53:17+08:00 INF Repository=https://github.com/gojue/ecapture
2024-11-27T10:53:17+08:00 INF Author="CFC4N <[email protected]>"
2024-11-27T10:53:17+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-11-27T10:53:17+08:00 INF Version=linux_amd64:v0.8.9:6.5.0-1025-azure
2024-11-27T10:53:17+08:00 INF Listen=localhost:28256
2024-11-27T10:53:17+08:00 INF eCapture running logs logger=
2024-11-27T10:53:17+08:00 INF the file handler that receives the captured event eventCollector=
2024-11-27T10:53:17+08:00 WRN ========== module starting. ==========
2024-11-27T10:53:17+08:00 INF Kernel Info=5.10.0 Pid=507814
2024-11-27T10:53:17+08:00 INF listen=localhost:28256
2024-11-27T10:53:17+08:00 INF BTF bytecode mode: CORE. btfMode=0
2024-11-27T10:53:17+08:00 INF https server starting...You can update the configuration file via the HTTP interface.
2024-11-27T10:53:17+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-11-27T10:53:17+08:00 INF Module.Run()
2024-11-27T10:53:17+08:00 INF OpenSSL/BoringSSL version found origin versionKey="OpenSSL 1.1.1wa" versionKeyLower="openssl 1.1.1wa"
2024-11-27T10:53:17+08:00 WRN OpenSSL/BoringSSL version not found from shared library file, used default version OpenSSL Version=linux_default_1_1_1
2024-11-27T10:53:17+08:00 INF HOOK type:Openssl elf ElfType=2 IFindex=3 IFname=ens224np1 PcapFilter="tcp and port 443" binrayPath=/lib64/libssl.so.1.1
2024-11-27T10:53:17+08:00 INF Hook masterKey function Functions=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"]
2024-11-27T10:53:17+08:00 INF target all process.
2024-11-27T10:53:17+08:00 INF target all users.
2024-11-27T10:53:17+08:00 INF setupManagers eBPFProgramType=PcapNG
2024-11-27T10:53:17+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_1_1_1j_kern_core.o
2024-11-27T10:53:17+08:00 INF packets saved into pcapng file. pcapng path=/home/zhm/ecapture/compile/ecapture/tcp-443.pcap
2024-11-27T10:53:17+08:00 INF perfEventReader created mapSize(MB)=4
2024-11-27T10:53:17+08:00 INF perfEventReader created mapSize(MB)=4
2024-11-27T10:53:17+08:00 INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
... ...
2024-11-27T10:53:51+08:00 INF packets saved into pcapng file. count=1
^C2024-11-27T10:53:51+08:00 INF module close.
2024-11-27T10:53:51+08:00 INF packets saved into pcapng file. count=7
2024-11-27T10:53:51+08:00 INF Module closed,message recived from Context
2024-11-27T10:53:51+08:00 INF iModule module close
2024-11-27T10:53:51+08:00 INF bye bye.



# tcpdump -nn -r tcp-443.pcap 
reading from file tcp-443.pcap, link-type EN10MB (Ethernet), snapshot length 65535
dropped privs to tcpdump
10:53:43.309295 ARP, Request who-has 1.1.1.5 tell 1.1.1.1, length 46
10:53:44.311450 ARP, Request who-has 1.1.1.5 tell 1.1.1.1, length 46
10:53:45.313377 ARP, Request who-has 1.1.1.5 tell 1.1.1.1, length 46
10:53:47.309863 ARP, Request who-has 1.1.1.5 tell 1.1.1.1, length 46
10:53:48.311396 ARP, Request who-has 1.1.1.5 tell 1.1.1.1, length 46
10:53:49.313379 ARP, Request who-has 1.1.1.5 tell 1.1.1.1, length 46
10:53:51.310647 ARP, Request who-has 1.1.1.5 tell 1.1.1.1, length 46

@blaisewang
Contributor

Is this a bug?

This is not a bug; it's expected behavior. By default, all traffic on the specified network interface is captured, including ARP traffic. If you don't want to capture ARP traffic, simply add not arp to your pcap filter.
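Whichever side of the "bug or expected behavior" question applies to a given eCapture version, the practical check is the same: audit the capture and list every frame that the filter you passed should have rejected. The following script is an added example, not code from eCapture or from anyone in this thread. It constructs a small classic pcap in memory (eCapture itself writes pcapng, which tcpdump reads just as well; the classic format is used here only because it is simpler to build and parse by hand), containing one ARP request like the ones shown above, two TCP segments on port 443 and one TCP segment on port 53, then reports the ethertype breakdown and the indices of frames that "tcp and port 443" should have dropped. The frame builders, addresses and the IPv4-only, no-fragmentation assumptions are all mine; checksums are left zero because nothing here validates them.

```python
import struct
from collections import Counter

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ETH_P_8021Q = 0x8100
IPPROTO_TCP = 6
IPPROTO_UDP = 17

# ---- constructed sample data (not a real capture) ----------------------------

def build_pcap(frames):
    """Classic little-endian libpcap file, link type 1 (EN10MB), microsecond timestamps."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)

def _ip4(addr):
    return bytes(int(o) for o in addr.split("."))

def arp_request(sender_ip, target_ip):
    """Broadcast ARP 'who-has target tell sender', padded to the 60-byte Ethernet minimum."""
    sender_mac = bytes.fromhex("0050569a0001")
    eth = b"\xff" * 6 + sender_mac + struct.pack(">H", ETH_P_ARP)
    arp = struct.pack(">HHBBH", 1, ETH_P_IP, 6, 4, 1)          # Ethernet/IPv4, opcode 1 = request
    arp += sender_mac + _ip4(sender_ip) + b"\x00" * 6 + _ip4(target_ip)
    return (eth + arp).ljust(60, b"\x00")

def tcp_segment(src_ip, dst_ip, sport, dport, payload=b""):
    """Minimal Ethernet/IPv4/TCP SYN-like segment; checksums are zero (assumption: not validated)."""
    eth = bytes.fromhex("0050569a0002") + bytes.fromhex("0050569a0001") + struct.pack(">H", ETH_P_IP)
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, IPPROTO_TCP, 0,
                     _ip4(src_ip), _ip4(dst_ip))
    return eth + ip + tcp + payload

SAMPLE_PCAP = build_pcap([
    arp_request("1.1.1.1", "1.1.1.5"),                                   # should be filtered out
    tcp_segment("192.168.10.108", "93.184.216.34", 51234, 443),          # matches
    tcp_segment("93.184.216.34", "192.168.10.108", 443, 51234, b"\x16\x03\x01"),  # matches
    tcp_segment("192.168.10.108", "192.168.10.1", 40000, 53),            # should be filtered out
])

# ---- audit logic --------------------------------------------------------------

def iter_frames(pcap):
    """Yield (ts_sec, frame_bytes) from a classic little-endian pcap with EN10MB link type."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap (pcapng is not handled by this example)")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != 1:
        raise ValueError("expected EN10MB link type")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield ts_sec, pcap[off:off + incl_len]
        off += incl_len

def classify(frame):
    """Return (ethertype, ipproto, sport, dport); fields are None when the layer is absent."""
    if len(frame) < 14:
        return (None, None, None, None)
    ethertype, = struct.unpack_from(">H", frame, 12)
    l3 = frame[14:]
    if ethertype == ETH_P_8021Q and len(frame) >= 18:   # skip a single 802.1Q tag
        ethertype, = struct.unpack_from(">H", frame, 16)
        l3 = frame[18:]
    if ethertype != ETH_P_IP or len(l3) < 20:
        return (ethertype, None, None, None)
    ihl = (l3[0] & 0x0F) * 4
    proto = l3[9]
    l4 = l3[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack_from(">HH", l4, 0)
        return (ethertype, proto, sport, dport)
    return (ethertype, proto, None, None)

def matches_tcp_port(frame, port):
    """User-space equivalent of the BPF expression 'tcp and port <port>' for IPv4 frames."""
    ethertype, proto, sport, dport = classify(frame)
    return ethertype == ETH_P_IP and proto == IPPROTO_TCP and port in (sport, dport)

def audit(pcap, port=443):
    """Count frames per ethertype and list indices of frames 'tcp and port <port>' should have dropped."""
    by_ethertype = Counter()
    leaked = []
    for idx, (_, frame) in enumerate(iter_frames(pcap)):
        by_ethertype[classify(frame)[0]] += 1
        if not matches_tcp_port(frame, port):
            leaked.append(idx)
    return by_ethertype, leaked

if __name__ == "__main__":
    counts, leaked = audit(SAMPLE_PCAP)
    for et, n in sorted(counts.items()):
        print(f"ethertype 0x{et:04x}: {n} frame(s)")
    print("frames the filter should have dropped:", leaked)
```

To run it against a real eCapture capture, convert the pcapng to classic pcap first (for example with `tcpdump -r tcp-443.pcap -w classic.pcap`) and feed the file bytes to `audit()`; any non-empty `leaked` list means the filter was not honoured on the capture path, which is exactly what the tcpdump output in this thread shows for the ARP requests.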

@yuweizzz
Contributor

yuweizzz commented Dec 4, 2024

It does have a bug here. See #680

@yuweizzz
Contributor

yuweizzz commented Dec 4, 2024

If you didn't specify a pcap filter, refer to this comment.

Is this a bug?

This is not a bug; it's expected behavior. By default, all traffic on the specified network interface is captured, including ARP traffic. If you don't want to capture ARP traffic, simply add not arp to your pcap filter.

@cfc4n cfc4n closed this as completed in #680 Dec 4, 2024
4 participants