[Zeek] gre capture filter

Justin Azoff justin at corelight.com
Thu Aug 1 14:23:21 PDT 2019


What message are you getting?  I just tried this now and it appeared to
work:

redef capture_filters += {
       ["inside_ip"] = "proto gre and (ip[36:4]=0xac1c0203 or ip[40:4]=0xac1c0203)"
};

It may matter if you are using a different packet source plugin, though, like
pf_ring or af_packet.


On Thu, Aug 1, 2019 at 5:15 PM Dk Jack <dnj0496 at gmail.com> wrote:

> Thanks Justin,
> Your suggestion works for tcpdump. However, bro is still complaining when
> I put in the filter.
> Any idea on how to get around that?
>
> On Thu, Aug 1, 2019 at 7:35 AM Justin Azoff <justin at corelight.com> wrote:
>
>> Looks like offsets 50 and 54 are from the ethernet layer, not ip
>>
>> tcpdump  -r  gre-sample2.pcap  'proto gre and (ether[50:4]=0xac1c0203 or
>> ether[54:4]=0xac1c0203)'
>>
>> works, as does
>>
>> tcpdump  -r  gre-sample2.pcap  "proto gre and (ip[36:4]=0xac1c0203 or
>> ip[40:4]=0xac1c0203)"
>>
>> I started working this out, but then just brute forced it:
>>
>> for x in `seq 1 80`;do echo offset: $x $(tcpdump  -r  gre-sample2.pcap
>>  "(ip[$x:4]=0xac1c0203)" 2> /dev/null|wc -l) pkts  ;done|grep -v '0 pkts'
>> outputs
>> offset: 36 16 pkts
>> offset: 40 18 pkts
>> offset: 68 2 pkts
>>
>> In theory newer BPF supports 'protochain gre and host 172.28.2.3', but
>> while that generates a huge BPF program it doesn't actually work.
>>
>> On Wed, Jul 31, 2019 at 9:51 PM Dk Jack <dnj0496 at gmail.com> wrote:
>>
>>> Hi,
>>> I am trying to write a capture filter to filter GRE traffic based on the
>>> inside IP of a GRE packet. Based on the advice given in the link below:
>>>
>>>
>>> http://novalidhostsfound.blogspot.com/2015/03/how-to-filter-ip-addresses-inside-gre.html
>>>
>>> I wrote my capture filter (see at end of the email). With the capture
>>> filter, I am getting the following error:
>>>
>>> "Invalid capture_filter named 'inside_ip' - 'proto gre and
>>> (ip[50:4]=0xac1c0203 or ip[54:4]=0xac1c0203)'"
>>>
>>> When I use the same filter with tcpdump, i.e. 'tcpdump -r <pcap-file>
>>> <filter>', it doesn't produce any output. However, it doesn't complain about
>>> the filter being incorrect either. I've attached the pcap I am using. Any
>>> help is appreciated.
>>>
>>> Thanks.
>>> Dk.
>>>
>>> redef capture_filters += {
>>>        ["inside_ip"] = "proto gre and (ip[50:4]=0xac1c0203 or ip[54:4]=0xac1c0203)"
>>> };
>>>
>>> event bro_init()
>>> {
>>>         print "Hello, World!";
>>> }
>>>
>>> event bro_done()
>>> {
>>>         print "Goodbye, World!";
>>> }
>>>
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>
>>
>>
>> --
>> Justin
>>
>

-- 
Justin
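The offset arithmetic behind the working filter, as an added Python example that is not part of the thread (it builds its own constructed frame rather than reading the attached pcap): the outer IPv4 header (20 bytes) plus the base GRE header (4 bytes) puts the inner source address at ip[36:4] and the inner destination at ip[40:4], and ether[] offsets add the 14-byte Ethernet header, which is why 50/54 work for ether[] but not for ip[]. The example also goes one step beyond the thread by accounting for GRE's optional checksum, key and sequence fields, which shift the inner header and make the plain-GRE offsets miss.

```python
import struct
import ipaddress

ETH_HDR_LEN = 14
GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000  # C, K, S bits

def gre_header_len(flags):
    """Base GRE header is 4 bytes; C, K and S each add a 4-byte field (RFC 2784/2890)."""
    extra = sum(4 for bit in (GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ) if flags & bit)
    return 4 + extra

def inner_ip_offsets(outer_ihl_bytes=20, gre_flags=0):
    """Byte offsets, relative to the outer IP header, of the inner src and dst addresses."""
    inner_ip_start = outer_ihl_bytes + gre_header_len(gre_flags)
    return inner_ip_start + 12, inner_ip_start + 16

def build_filter(inner_addr, outer_ihl_bytes=20, gre_flags=0):
    """Emit a tcpdump/Zeek capture filter that matches inner_addr as inner src or dst."""
    src_off, dst_off = inner_ip_offsets(outer_ihl_bytes, gre_flags)
    hexaddr = "0x%08x" % int(ipaddress.IPv4Address(inner_addr))
    return "proto gre and (ip[%d:4]=%s or ip[%d:4]=%s)" % (src_off, hexaddr, dst_off, hexaddr)

def build_gre_frame(outer_src, outer_dst, inner_src, inner_dst, gre_flags=0, key=0):
    """Constructed Ethernet/IPv4/GRE/IPv4 sample frame (checksums left zero; not the thread's pcap)."""
    def ipv4(src, dst, proto, payload):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed) + payload
    gre = struct.pack("!HH", gre_flags, 0x0800)          # flags/version, protocol type = IPv4
    if gre_flags & GRE_FLAG_CSUM:
        gre += b"\x00" * 4                                # checksum + reserved1
    if gre_flags & GRE_FLAG_KEY:
        gre += struct.pack("!I", key)
    if gre_flags & GRE_FLAG_SEQ:
        gre += b"\x00" * 4
    inner = ipv4(inner_src, inner_dst, 1, b"\x08\x00" + b"\x00" * 6)   # ICMP echo stub
    outer = ipv4(outer_src, outer_dst, 47, gre + inner)                # proto 47 = GRE
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + outer

def matches(frame, inner_addr, gre_flags=0):
    """Emulate the filter on one frame: ip[n:4] reads frame[ETH_HDR_LEN + n : +4]."""
    ip = frame[ETH_HDR_LEN:]
    if ip[9] != 47:
        return False
    want = ipaddress.IPv4Address(inner_addr).packed
    src_off, dst_off = inner_ip_offsets((ip[0] & 0x0F) * 4, gre_flags)
    return ip[src_off:src_off + 4] == want or ip[dst_off:dst_off + 4] == want
```

Because a BPF filter cannot branch on the GRE flag bits per packet, a deployment that sees keyed or sequenced GRE needs a second `capture_filters` entry built with the matching flags.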