<div dir="ltr">What message are you getting? I just tried this now and it appeared to work:<div><br></div><div>redef capture_filters += {<br> ["inside_ip"] = "proto gre and (ip[36:4]=0xac1c0203 or ip[40:4]=0xac1c0203)"<br>};<br></div><div><br></div><div>it may matter if you are using a different packet source plugin though like pf_ring or af_packet.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Aug 1, 2019 at 5:15 PM Dk Jack <<a href="mailto:dnj0496@gmail.com">dnj0496@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Thanks Justin,<div>Your suggestion works for tcpdump. However, bro is still complaining when I put in the filter.</div><div>Any idea on how to get around that? </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Aug 1, 2019 at 7:35 AM Justin Azoff <<a href="mailto:justin@corelight.com" target="_blank">justin@corelight.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Looks like offsets 50 and 54 are from the ethernet layer, not ip<div><br></div><div>tcpdump -r gre-sample2.pcap 'proto gre and (ether[50:4]=0xac1c0203 or ether[54:4]=0xac1c0203)'<br></div><div><br></div><div>works, as does</div><div><br></div><div>tcpdump -r gre-sample2.pcap "proto gre and (ip[36:4]=0xac1c0203 or ip[40:4]=0xac1c0203)"<br></div><div><br></div><div>I started working this out, but then just brute forced it:</div><div><br></div><div>for x in `seq 1 80`;do echo offset: $x $(tcpdump -r gre-sample2.pcap "(ip[$x:4]=0xac1c0203)" 2> /dev/null|wc -l) pkts ;done|grep -v '0 pkts'<br></div><div>outputs</div><div>offset: 36 16 pkts<br>offset: 40 18 pkts<br>offset: 68 2 pkts<br></div><div><br></div><div>in theory newer bpf supports 'protochain gre and host 172.28.2.3' but while that 
generates a huge bpf program it doesn't actually work.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jul 31, 2019 at 9:51 PM Dk Jack <<a href="mailto:dnj0496@gmail.com" target="_blank">dnj0496@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi,<div>I am trying to write a capture filter to filter GRE traffic based on the inside IP of a GRE packet. Based on the advice given in the link below:</div><div><br></div><div><a href="http://novalidhostsfound.blogspot.com/2015/03/how-to-filter-ip-addresses-inside-gre.html" target="_blank">http://novalidhostsfound.blogspot.com/2015/03/how-to-filter-ip-addresses-inside-gre.html</a><br></div><div><br></div><div>I wrote my capture filter (see at end of the email). With the capture filter, I am getting the following error:</div><div><br></div><div>"<span style="color:rgb(0,0,0)">Invalid capture_filter named 'inside_ip' - 'proto gre and (ip[50:4]=0xac1c0203 or ip[54:4]=0xac1c0203)'"</span> </div><div><br></div><div>when I use the same filter with tcpdump i.e. 'tcpdump -r <pcap-file> <filter', it doesn't produce any output. However, it doesn't complain about the filter being incorrect either. I've attached the pcap I am using. 
Any help is appreciated.</div><div><br></div><div>Thanks.</div><div>Dk.</div><div><div><br></div><div><font face="courier new, monospace">redef capture_filters += {</font></div><div><font face="courier new, monospace"> ["inside_ip"] = "proto gre and (ip[50:4]=0xac1c0203 or ip[54:4]=0xac1c0203)"</font></div><div><font face="courier new, monospace">};</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">event bro_init()</font></div><div><font face="courier new, monospace">{</font></div><div><font face="courier new, monospace"> print "Hello, World!";</font></div><div><font face="courier new, monospace">}</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">event bro_done()</font></div><div><font face="courier new, monospace">{</font></div><div><font face="courier new, monospace"><span class="gmail-m_1861473973340435131gmail-m_2740488358253406308gmail-m_-5651080639956176686gmail-Apple-tab-span" style="white-space:pre-wrap">        </span>print "Goodbye, World!";</font></div><div><font face="courier new, monospace">}</font></div></div><div><br></div></div></div></div></div>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail-m_1861473973340435131gmail-m_2740488358253406308gmail_signature"><div dir="ltr">Justin</div></div>
</blockquote></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Justin</div></div>
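Justin's offset arithmetic above (ether[50:4]/ether[54:4] versus ip[36:4]/ip[40:4]) worked through in code, as an added example that is not part of the thread. It assumes the usual Ethernet II (14 bytes) + outer IPv4 without options (20 bytes) + GRE (4 bytes, plus 4 for each of the C/K/S option flags) layout, builds a constructed frame, and evaluates the filter the way BPF does; the inner addresses other than 172.28.2.3 are made up.

```python
import socket
import struct

ETH_LEN = 14                     # Ethernet II header, no VLAN tag (assumption)
GRE_BASE_LEN = 4                 # GRE flags/version + protocol type
IP_SRC_OFF, IP_DST_OFF = 12, 16  # src/dst address fields inside an IPv4 header

def gre_hdr_len(gre_flags):
    """GRE header is 4 bytes, plus 4 each for the C (0x8000), K (0x2000), S (0x1000) flags."""
    return GRE_BASE_LEN + 4 * sum(bool(gre_flags & bit) for bit in (0x8000, 0x2000, 0x1000))

def inner_ip_offsets(gre_flags=0, outer_ihl=5):
    """BPF offsets of the inner src/dst IPv4 address, relative to 'ip' and to 'ether'."""
    base = outer_ihl * 4 + gre_hdr_len(gre_flags)      # where the inner IPv4 header starts
    ip_src, ip_dst = base + IP_SRC_OFF, base + IP_DST_OFF
    return {"ip": (ip_src, ip_dst), "ether": (ip_src + ETH_LEN, ip_dst + ETH_LEN)}

def capture_filter(addr, gre_flags=0):
    """Filter string in the form used in the thread, for the given inner address."""
    s, d = inner_ip_offsets(gre_flags)["ip"]
    a = struct.unpack("!I", socket.inet_aton(addr))[0]
    return f"proto gre and (ip[{s}:4]=0x{a:08x} or ip[{d}:4]=0x{a:08x})"

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (IHL=5, checksum left 0; BPF does not check it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def gre_frame(outer_src, outer_dst, inner_src, inner_dst, gre_flags=0):
    """Constructed Ethernet/IPv4/GRE/IPv4 frame with an empty inner payload."""
    inner = ipv4_header(inner_src, inner_dst, 6, 0)
    gre = struct.pack("!HH", gre_flags, 0x0800) + b"\x00" * (gre_hdr_len(gre_flags) - 4)
    outer = ipv4_header(outer_src, outer_dst, 47, len(gre) + len(inner))  # proto 47 = GRE
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", 0x0800)  # constructed MACs
    return eth + outer + gre + inner

def filter_matches(frame, addr, gre_flags=0):
    """Evaluate the thread's filter like BPF: 'proto gre' plus two ip-relative 4-byte loads."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4 at all
        return False
    ip = frame[ETH_LEN:]                                  # 'ip[...]' indexes from here
    if ip[9] != 47:                                       # 'proto gre'
        return False
    s, d = inner_ip_offsets(gre_flags)["ip"]
    want = socket.inet_aton(addr)
    return ip[s:s + 4] == want or ip[d:d + 4] == want
```

If the GRE header carries a key, every offset shifts by 4, which is why a filter written for plain GRE silently misses (or mis-hits) keyed tunnels.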