[Bro] help for adding new packet filter

Vern Paxson vern at icir.org
Mon Feb 19 10:38:00 PST 2007

> line 1: run-time error: precompile_pcap_filter: pcap_compile((((gre) or (udp)) or (tcp)) or (icmp)): parse error
>  can't compile filter (((gre) or (udp)) or (tcp)) or (icmp)

The problem is that tcpdump (at least my version) doesn't have a "gre"
keyword.  So, to specify that you want to capture GRE traffic, you'll need
to describe it directly in terms of the IP "protocol" field (e.g., "tcp"
is the same as "ip proto 6").
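
The rewrite suggested above, as an added example (not part of the original post and not Bro's code): a small Python helper that replaces bare protocol keywords the local filter compiler lacks with the equivalent "ip proto N" primitive. The `NATIVE` set and the function name are assumptions for illustration; the protocol table is a constructed subset of the IANA protocol numbers.

```python
import re

# Constructed subset of IANA IP protocol numbers (tcp = 6, as in the post).
IP_PROTO = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17,
            "gre": 47, "esp": 50, "ah": 51, "ospf": 89}

# Assumption: keywords the local pcap compiler accepts as-is.
# The tcpdump discussed in the post did not accept "gre".
NATIVE = {"icmp", "tcp", "udp"}

# A token is a parenthesis or a run of non-space, non-parenthesis characters.
TOKEN = re.compile(r"\(|\)|[^\s()]+")

# A protocol name is a stand-alone primitive only at the start of the
# expression or directly after one of these tokens.
BEFORE_PRIMITIVE = {None, "(", "and", "or", "not", "&&", "||", "!"}


def rewrite_filter(expr, native=NATIVE):
    """Return expr with unsupported bare protocol names as 'ip proto N'."""
    out = []
    prev = None
    for tok in TOKEN.findall(expr):
        low = tok.lower()
        # Leave arguments alone, e.g. the "gre" in "ip proto gre".
        if prev in BEFORE_PRIMITIVE and low in IP_PROTO and low not in native:
            out.append("ip proto %d" % IP_PROTO[low])
        else:
            out.append(tok)
        prev = low
    joined = " ".join(out)
    # Restore the tight parenthesis style of the input.
    joined = re.sub(r"\(\s+", "(", joined)
    return re.sub(r"\s+\)", ")", joined)


if __name__ == "__main__":
    # The filter from the error message quoted above.
    print(rewrite_filter("(((gre) or (udp)) or (tcp)) or (icmp)"))
```

Note that "ip proto N" matches IPv4 packets only; IPv6 traffic needs the corresponding "ip6 proto N" primitive.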


