jpsnyder
commented
2 years ago From my understanding plugins further down the chain only receive packets that the earlier plugins have not filtered out. This is by design. They are layered.
That's why only the initial bpf filter gets set on the pcapy.Reader. All other bpf filters are manually applied to the packets passed down the chain: https://github.com/USArmyResearchLab/Dshell/blob/master/dshell/core.py#L385
To get what your describing, dshell would need to able to support parallel plugin chains. Although, it would probably be simpler to just do multiple runs of dshell if you are just processing pcap files.
dev195
The only invocation of
setfilter()on the capture device (pcapy.Readerclass) is based on theinitial_bpffrom the first plugin on the chain.Because of this, any efforts to expand the filter are moot. Narrowing of the filter seems effective through manipulating compiled bpf filters on the plugin objects, but only the packets pulled from the wire or file (governed by the
pcapy.Readerfilter) are ever passed to thefeed_plugin_chainfunction.It seems we may need a mechanism to update the Reader filter when bpf filters are changed in the plugin chain. But this is not trivial, because recompiling bpf happens in the plugin object and the instantiated Reader appears only in
decode.py.I initially noticed this because the automatic vlan wrapper wasn't working with any plugin on vlan tagged PCAP files, but it has potential effects also in chained plugins and plugins that dynamically alter their bpf filters.