[Zeek] gre capture filter

Justin Azoff justin at corelight.com
Thu Aug 1 07:35:13 PDT 2019


Looks like offsets 50 and 54 are from the Ethernet layer, not IP:

tcpdump -r gre-sample2.pcap 'proto gre and (ether[50:4]=0xac1c0203 or ether[54:4]=0xac1c0203)'

works, as does

tcpdump -r gre-sample2.pcap 'proto gre and (ip[36:4]=0xac1c0203 or ip[40:4]=0xac1c0203)'

I started working this out, but then just brute forced it:

for x in $(seq 1 80); do
  echo "offset: $x $(tcpdump -r gre-sample2.pcap "(ip[$x:4]=0xac1c0203)" 2>/dev/null | wc -l) pkts"
done | grep -v ' 0 pkts'

outputs:
offset: 36 16 pkts
offset: 40 18 pkts
offset: 68 2 pkts

In theory, newer BPF supports 'protochain gre and host 172.28.2.3', but
while that generates a huge BPF program it doesn't actually work.

On Wed, Jul 31, 2019 at 9:51 PM Dk Jack <dnj0496 at gmail.com> wrote:

> Hi,
> I am trying to write a capture filter to filter GRE traffic based on the
> inside IP of a GRE packet. Based on the advice given in the link below:
>
>
> http://novalidhostsfound.blogspot.com/2015/03/how-to-filter-ip-addresses-inside-gre.html
>
> I wrote my capture filter (see at end of the email). With the capture
> filter, I am getting the following error:
>
> "Invalid capture_filter named 'inside_ip' - 'proto gre and
> (ip[50:4]=0xac1c0203 or ip[54:4]=0xac1c0203)'"
>
> when I use the same filter with tcpdump, i.e. 'tcpdump -r <pcap-file>
> <filter>', it doesn't produce any output. However, it doesn't complain about
> the filter being incorrect either. I've attached the pcap I am using. Any
> help is appreciated.
>
> Thanks.
> Dk.
>
> redef capture_filters += {
>     ["inside_ip"] = "proto gre and (ip[50:4]=0xac1c0203 or ip[54:4]=0xac1c0203)"
> };
>
> event bro_init()
> {
>     print "Hello, World!";
> }
>
> event bro_done()
> {
>     print "Goodbye, World!";
> }
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 
Justin
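The offsets in the thread can be derived instead of brute-forced. The following is an added Python example (not code from the thread or from Zeek) that builds a constructed Ethernet/IPv4/GRE/IPv4 frame, computes where the inner source and destination addresses sit relative to the outer IP header (what BPF's ip[N:4] indexes; ether[N:4] is 14 bytes further), accounts for the optional GRE checksum, key and sequence fields that shift the inner header, and emits the matching tcpdump filter. The 10.x addresses and the GRE options are constructed; 172.28.2.3 is the address from the thread.

```python
import socket
import struct

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # RFC 2784/2890 flag bits
ETH_LEN = 14                                   # untagged Ethernet header

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; only IHL, protocol and addresses matter here.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def gre_header(checksum=False, key=None, seq=None):
    # 4-byte base header, plus 4 bytes for each of the C, K and S fields present.
    flags = (GRE_C if checksum else 0) | (GRE_K if key is not None else 0) \
        | (GRE_S if seq is not None else 0)
    hdr = struct.pack("!HH", flags, 0x0800)    # protocol type 0x0800 = IPv4 inside
    if checksum:
        hdr += struct.pack("!HH", 0, 0)        # checksum + reserved1
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr

def build_frame(inner_src, inner_dst, **gre_opts):
    # Constructed sample frame: Ethernet / outer IPv4 (proto 47) / GRE / inner IPv4.
    inner = ipv4_header(inner_src, inner_dst, 6, 0)
    gre = gre_header(**gre_opts)
    outer = ipv4_header("10.0.0.1", "10.0.0.2", 47, len(gre) + len(inner))
    return bytes(12) + b"\x08\x00" + outer + gre + inner

def inner_ip_offsets(frame):
    """(src_off, dst_off) of the inner addresses relative to the outer IP header, i.e. BPF ip[N:4]."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    if frame[ETH_LEN + 9] != 47:
        raise ValueError("outer protocol is not GRE")
    gre_start = ETH_LEN + ihl
    flags = struct.unpack("!H", frame[gre_start:gre_start + 2])[0]
    gre_len = 4 + sum(4 for bit in (GRE_C, GRE_K, GRE_S) if flags & bit)
    inner_start = gre_start + gre_len
    src_off = inner_start + 12 - ETH_LEN      # source address is 12 bytes into the inner header
    return src_off, src_off + 4

def tcpdump_filter(frame, addr):
    src_off, dst_off = inner_ip_offsets(frame)
    hexaddr = "0x" + socket.inet_aton(addr).hex()
    return f"proto gre and (ip[{src_off}:4]={hexaddr} or ip[{dst_off}:4]={hexaddr})"

if __name__ == "__main__":
    print(inner_ip_offsets(build_frame("172.28.2.3", "10.1.1.1")))  # (36, 40), as in the thread
```

A GRE key on the capture (as with some tunnel setups) moves the inner header by 4 bytes, which is why a single fixed offset pair can miss packets; the brute-force loop above shows the same effect as hits at more than one offset.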