[Zeek] gre capture filter

Dk Jack dnj0496 at gmail.com
Thu Aug 1 16:36:10 PDT 2019


Looks like I may have had a typo. It seems to work now. Thanks for the help.

On Thu, Aug 1, 2019 at 2:23 PM Justin Azoff <justin at corelight.com> wrote:

> What message are you getting?  I just tried this now and it appeared to
> work:
>
> redef capture_filters += {
>        ["inside_ip"] = "proto gre and (ip[36:4]=0xac1c0203 or ip[40:4]=0xac1c0203)"
> };
>
> it may matter if you are using a different packet source plugin though
> like pf_ring or af_packet.
>
>
> On Thu, Aug 1, 2019 at 5:15 PM Dk Jack <dnj0496 at gmail.com> wrote:
>
>> Thanks Justin,
>> Your suggestion works for tcpdump. However, bro is still complaining when
>> I put in the filter.
>> Any idea on how to get around that?
>>
>> On Thu, Aug 1, 2019 at 7:35 AM Justin Azoff <justin at corelight.com> wrote:
>>
>>> Looks like offsets 50 and 54 are from the ethernet layer, not ip
>>>
>>> tcpdump -r gre-sample2.pcap 'proto gre and (ether[50:4]=0xac1c0203 or ether[54:4]=0xac1c0203)'
>>>
>>> works, as does
>>>
>>> tcpdump -r gre-sample2.pcap "proto gre and (ip[36:4]=0xac1c0203 or ip[40:4]=0xac1c0203)"
>>>
>>> I started working this out, but then just brute forced it:
>>>
>>> for x in `seq 1 80`; do echo offset: $x $(tcpdump -r gre-sample2.pcap "(ip[$x:4]=0xac1c0203)" 2> /dev/null | wc -l) pkts; done | grep -v ' 0 pkts'
>>> outputs
>>> offset: 36 16 pkts
>>> offset: 40 18 pkts
>>> offset: 68 2 pkts
>>>
>>> in theory newer  bpf supports 'protochain gre and host 172.28.2.3' but
>>> while that generates a huge bpf program it doesn't actually work.
>>>
>>> On Wed, Jul 31, 2019 at 9:51 PM Dk Jack <dnj0496 at gmail.com> wrote:
>>>
>>>> Hi,
>>>> I am trying to write a capture filter to filter GRE traffic based on
>>>> the inside IP of a GRE packet. Based on the advice given in the link below:
>>>>
>>>>
>>>> http://novalidhostsfound.blogspot.com/2015/03/how-to-filter-ip-addresses-inside-gre.html
>>>>
>>>> I wrote my capture filter (see at end of the email). With the capture
>>>> filter, I am getting the following error:
>>>>
>>>> "Invalid capture_filter named 'inside_ip' - 'proto gre and (ip[50:4]=0xac1c0203 or ip[54:4]=0xac1c0203)'"
>>>>
>>>> when I use the same filter with tcpdump i.e. 'tcpdump -r <pcap-file>
>>>> <filter', it doesn't produce any output. However, it doesn't complain about
>>>> the filter being incorrect either. I've attached the pcap I am using. Any
>>>> help is appreciated.
>>>>
>>>> Thanks.
>>>> Dk.
>>>>
>>>> redef capture_filters += {
>>>>        ["inside_ip"] = "proto gre and (ip[50:4]=0xac1c0203 or ip[54:4]=0xac1c0203)"
>>>> };
>>>>
>>>> event bro_init()
>>>> {
>>>>         print "Hello, World!";
>>>> }
>>>>
>>>> event bro_done()
>>>> {
>>>>         print "Goodbye, World!";
>>>> }
>>>>
>>>> _______________________________________________
>>>> Zeek mailing list
>>>> zeek at zeek.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>>
>>>
>>>
>>> --
>>> Justin
>>>
>>
>
> --
> Justin
>
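Why the offsets from the blog post failed as ip[] offsets but worked as ether[] offsets, and why the brute force landed on 36 and 40: with a 20-byte outer IPv4 header (no options) followed by a 4-byte GRE header (no C/K/S flags), the inner IPv4 header starts 24 bytes into the outer IP header, so its source address sits at ip[36:4] and its destination at ip[40:4]; adding the 14-byte Ethernet header gives ether[50:4] and ether[54:4]. The script below is an added illustration, not code from the thread or from Zeek: it derives those offsets, generates the filter string, and checks the filter logic against a constructed Ethernet/IPv4/GRE/IPv4 frame. It also shows the caveat a practitioner will hit in practice: a GRE key, sequence number or checksum field (each 4 bytes) shifts the inner header, and a fixed-offset filter written for a plain GRE header silently misses keyed tunnels. The packet contents and the 172.28.2.3 target are sample data; the outer addresses 10.0.0.1/10.0.0.2 are invented.

```python
"""Offset arithmetic for matching inner IPv4 addresses of GRE-encapsulated
traffic with a BPF capture filter, plus a constructed frame to verify it.

Added example (not from the Zeek thread).  Assumes Ethernet II framing
without VLAN tags, IPv4 outer and inner headers, and GRE version 0
(RFC 2784 base header, RFC 2890 key/sequence extensions)."""
import struct

ETH_LEN = 14            # Ethernet II header, no 802.1Q tag
IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800

GRE_C = 0x8000          # checksum present: adds checksum + reserved1 (4 bytes)
GRE_K = 0x2000          # key present (4 bytes)
GRE_S = 0x1000          # sequence number present (4 bytes)


def gre_header_len(flags):
    """GRE v0 header length for a 16-bit flags/version field: 4 bytes base,
    plus 4 for each of the C, K and S bits that is set."""
    return 4 + 4 * sum(1 for bit in (GRE_C, GRE_K, GRE_S) if flags & bit)


def inner_addr_offsets(outer_ihl=5, gre_flags=0):
    """Offsets of the inner IPv4 source and destination addresses counted
    from the start of the OUTER IPv4 header, i.e. what ip[off:4] indexes in
    BPF.  outer_ihl is the outer header length in 32-bit words (5 = none)."""
    inner_ip = outer_ihl * 4 + gre_header_len(gre_flags)
    return inner_ip + 12, inner_ip + 16      # IPv4 src at +12, dst at +16


def bpf_filter(addr, outer_ihl=5, gre_flags=0, base="ip"):
    """Build the capture filter.  base="ether" adds the Ethernet header so
    the same match can be written as ether[off:4]."""
    src, dst = inner_addr_offsets(outer_ihl, gre_flags)
    if base == "ether":
        src, dst = src + ETH_LEN, dst + ETH_LEN
    val = "0x" + bytes(int(o) for o in addr.split(".")).hex()
    return f"proto gre and ({base}[{src}:4]={val} or {base}[{dst}:4]={val})"


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left 0 (irrelevant here)."""
    def ip(a):
        return bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, ip(src), ip(dst))


def build_packet(inner_src, inner_dst, gre_flags=0, gre_key=0):
    """Constructed Ethernet/IPv4/GRE/IPv4/UDP frame used as sample input."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    inner = ipv4_header(inner_src, inner_dst, proto=17, payload_len=8) + b"\x00" * 8
    gre = struct.pack("!HH", gre_flags, ETHERTYPE_IPV4)
    if gre_flags & GRE_C:
        gre += struct.pack("!HH", 0, 0)      # checksum, reserved1
    if gre_flags & GRE_K:
        gre += struct.pack("!I", gre_key)
    if gre_flags & GRE_S:
        gre += struct.pack("!I", 0)          # sequence number
    outer = ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_GRE, len(gre) + len(inner))
    return eth + outer + gre + inner


def filter_matches(frame, addr, outer_ihl=5, gre_flags=0):
    """Evaluate the generated filter the way BPF would: require IPv4 with
    protocol 47, then compare the 4 bytes at each ip[off:4] offset."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return False
    ip_start = ETH_LEN
    if frame[ip_start + 9] != IPPROTO_GRE:
        return False
    want = bytes(int(o) for o in addr.split("."))
    return any(frame[ip_start + off:ip_start + off + 4] == want
               for off in inner_addr_offsets(outer_ihl, gre_flags))


if __name__ == "__main__":
    print(bpf_filter("172.28.2.3"))                 # the ip[36:4]/ip[40:4] form
    print(bpf_filter("172.28.2.3", base="ether"))   # the ether[50:4]/ether[54:4] form
    plain = build_packet("172.28.2.3", "10.1.1.1")
    keyed = build_packet("10.1.1.1", "172.28.2.3", gre_flags=GRE_K, gre_key=1)
    print("plain GRE, default offsets:", filter_matches(plain, "172.28.2.3"))
    print("keyed GRE, default offsets:", filter_matches(keyed, "172.28.2.3"))
    print("keyed GRE, key-aware offsets:",
          filter_matches(keyed, "172.28.2.3", gre_flags=GRE_K))
```

The keyed case is the one to keep in mind when a fixed-offset filter matches tcpdump's output on one pcap but not on live traffic: a 4-byte GRE key moves the inner addresses to ip[40:4] and ip[44:4], and an outer IP header with options or a VLAN-tagged frame shifts them again. When the tunnel flags vary, either OR together the offset variants for each header layout you expect, or drop the capture filter and let Zeek decapsulate GRE and filter on the inner connection in script.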