[Zeek] gre capture filter

Dk Jack dnj0496 at gmail.com
Thu Aug 1 14:14:54 PDT 2019


Thanks Justin,
Your suggestion works for tcpdump. However, bro is still complaining when I
put in the filter.
Any idea on how to get around that?

On Thu, Aug 1, 2019 at 7:35 AM Justin Azoff <justin at corelight.com> wrote:

> Looks like offsets 50 and 54 are from the ethernet layer, not ip
>
> tcpdump -r gre-sample2.pcap 'proto gre and (ether[50:4]=0xac1c0203 or ether[54:4]=0xac1c0203)'
>
> works, as does
>
> tcpdump -r gre-sample2.pcap "proto gre and (ip[36:4]=0xac1c0203 or ip[40:4]=0xac1c0203)"
>
> I started working this out, but then just brute forced it:
>
> for x in `seq 1 80`; do echo offset: $x $(tcpdump -r gre-sample2.pcap "(ip[$x:4]=0xac1c0203)" 2> /dev/null | wc -l) pkts; done | grep -v '0 pkts'
> outputs
> offset: 36 16 pkts
> offset: 40 18 pkts
> offset: 68 2 pkts
>
> in theory newer  bpf supports 'protochain gre and host 172.28.2.3' but
> while that generates a huge bpf program it doesn't actually work.
>
> On Wed, Jul 31, 2019 at 9:51 PM Dk Jack <dnj0496 at gmail.com> wrote:
>
>> Hi,
>> I am trying to write a capture filter to filter GRE traffic based on the
>> inside IP of a GRE packet. Based on the advice given in the link below:
>>
>>
>> http://novalidhostsfound.blogspot.com/2015/03/how-to-filter-ip-addresses-inside-gre.html
>>
>> I wrote my capture filter (see at end of the email). With the capture
>> filter, I am getting the following error:
>>
>> "Invalid capture_filter named 'inside_ip' - 'proto gre and
>> (ip[50:4]=0xac1c0203 or ip[54:4]=0xac1c0203)'"
>>
>> when I use the same filter with tcpdump i.e. 'tcpdump -r <pcap-file>
>> <filter', it doesn't produce any output. However, it doesn't complain about
>> the filter being incorrect either. I've attached the pcap I am using. Any
>> help is appreciated.
>>
>> Thanks.
>> Dk.
>>
>> redef capture_filters += {
>>         ["inside_ip"] = "proto gre and (ip[50:4]=0xac1c0203 or ip[54:4]=0xac1c0203)"
>> };
>>
>> event bro_init()
>> {
>>         print "Hello, World!";
>> }
>>
>> event bro_done()
>> {
>>         print "Goodbye, World!";
>> }
>>
> --
> Justin
>
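Worked illustration of why the offsets in the thread come out as ip[36]/ip[40] (and ether[50]/ether[54]) for a 20-byte outer IPv4 header plus a 4-byte GRE header, and why they shift when GRE carries its optional checksum, key or sequence fields. This is an added example with a constructed frame, not code from the thread or from Zeek; the addresses, GRE key and UDP stub are made up.

```python
import ipaddress
import struct

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # GRE flag bits (RFC 2890)

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header (IHL=5, no options, checksum left 0)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def gre_header(flags=0, key=0):
    # Base GRE header: flags/version + protocol type (0x0800 = IPv4 inside)
    hdr = struct.pack("!HH", flags, 0x0800)
    if flags & GRE_C:
        hdr += struct.pack("!HH", 0, 0)   # checksum + reserved1
    if flags & GRE_K:
        hdr += struct.pack("!I", key)     # key
    if flags & GRE_S:
        hdr += struct.pack("!I", 0)       # sequence number
    return hdr

def inner_ip_offsets(flags=0, outer_ihl=5):
    """Offsets of the inner src/dst IPv4 address relative to the start of the
    OUTER IP header, i.e. what tcpdump's ip[offset:4] indexes."""
    gre_len = 4 + 4 * sum(bool(flags & f) for f in (GRE_C, GRE_K, GRE_S))
    base = outer_ihl * 4 + gre_len        # start of the inner IPv4 header
    return base + 12, base + 16           # src at +12, dst at +16 in IPv4

def build_frame(inner_src, inner_dst, flags=0):
    # Constructed frame: Ethernet(14) | outer IPv4(20) | GRE | inner IPv4(20) | 8-byte stub
    inner = ipv4_header(inner_src, inner_dst, 17, 8) + b"\x00" * 8
    gre = gre_header(flags, key=0x1234)                     # made-up key
    outer = ipv4_header("10.0.0.1", "10.0.0.2", 47, len(gre) + len(inner))
    eth = b"\x00" * 12 + b"\x08\x00"
    return eth + outer + gre + inner

def bpf_ip_slice(frame, offset, n=4):
    # Emulates ip[offset:n]: counts from the IP header, which follows the 14-byte Ethernet header
    return int.from_bytes(frame[14 + offset:14 + offset + n], "big")

def matches_inner_host(frame, host, flags=0):
    # Equivalent of "(ip[S:4]=host or ip[D:4]=host)" with S,D derived for the given GRE flags
    target = int(ipaddress.IPv4Address(host))
    s, d = inner_ip_offsets(flags)
    return bpf_ip_slice(frame, s) == target or bpf_ip_slice(frame, d) == target
```

Running it shows that with a keyed GRE header the plain ip[36]/ip[40] filter silently misses the same inner address, which is the kind of packet the brute-force offset search in the thread would surface at a different offset.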