From aefa52821c3e11cca4d46bdbf096d4bd0a83475b Mon Sep 17 00:00:00 2001
From: Arne Welzel <arne.welzel@corelight.com>
Date: Sat, 22 Apr 2023 12:08:32 +0200
Subject: [PATCH] af_packet: AF_Packet: Fix wrong vlan when PCP or DEI bits are
 set in tp_vlan_tci

A user reported vlan ids > 4095 being logged by Zeek [1]. For populating
packet->vlan, mask away Priority Code Point (PCP) and Drop Eligible
Indicator (DEI) bits from the tp_vlan_tci field, else we're not setting
the correct value on the packet.

Fixes #60

[1] https://community.zeek.org/t/zeek-reporting-vlan-ids-above-4095-bug-found/7000
---
 src/iosource/af_packet/src/AF_Packet.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/iosource/af_packet/src/AF_Packet.cc b/src/iosource/af_packet/src/AF_Packet.cc
index 1813600f78..1d4155b949 100644
--- a/src/iosource/af_packet/src/AF_Packet.cc
+++ b/src/iosource/af_packet/src/AF_Packet.cc
@@ -295,7 +295,7 @@ bool AF_PacketSource::ExtractNextPacket(zeek::Packet* pkt)
         pkt->Init(props.link_type, &current_hdr.ts, current_hdr.caplen, current_hdr.len, data);
 
 		if ( packet->tp_status & TP_STATUS_VLAN_VALID )
-			pkt->vlan = packet->hv1.tp_vlan_tci;
+			pkt->vlan = packet->hv1.tp_vlan_tci & 0x0fff;
 
 #if ZEEK_VERSION_NUMBER >= 50100
 		switch ( checksum_mode )