[Zeek] gre capture filter
Dk Jack
dnj0496 at gmail.com
Wed Jul 31 18:43:01 PDT 2019
Hi,
I am trying to write a capture filter to filter GRE traffic based on the
inside IP of a GRE packet. Based on the advice given in the link below:
http://novalidhostsfound.blogspot.com/2015/03/how-to-filter-ip-addresses-inside-gre.html
I wrote my capture filter (see at end of the email). With the capture
filter, I am getting the following error:
"Invalid capture_filter named 'inside_ip' - 'proto gre and
(ip[50:4]=0xac1c0203 or ip[54:4]=0xac1c0203)'"
When I use the same filter with tcpdump, i.e. 'tcpdump -r <pcap-file>
<filter>', it doesn't produce any output. However, it doesn't complain about
the filter being incorrect either. I've attached the pcap I am using. Any
help is appreciated.
Thanks.
Dk.
redef capture_filters += {
    ["inside_ip"] = "proto gre and (ip[50:4]=0xac1c0203 or ip[54:4]=0xac1c0203)"
};

event bro_init()
    {
    print "Hello, World!";
    }

event bro_done()
    {
    print "Goodbye, World!";
    }
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gre-sample2.pcap
Type: application/octet-stream
Size: 7395 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190731/d48f7e76/attachment.obj
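
Added example, not part of the original message or of Zeek: the byte offsets in an `ip[N:4]` filter like the one above depend on the outer IP header length, the optional GRE fields, and whether GRE carries IPv4 directly or a bridged Ethernet frame. The Python sketch below derives the offsets from a packet's own headers and builds the matching expression; the function names and the sample packets are constructed for illustration, and it assumes GRE version 0, no routing bit, and no VLAN tag on a bridged frame.

```python
import socket
import struct

GRE_C, GRE_R, GRE_K, GRE_S = 0x8000, 0x4000, 0x2000, 0x1000  # GRE flag bits

def inner_ip_offset(outer_ip: bytes) -> int:
    """Offset of the inner IPv4 header, counted from the outer IPv4 header."""
    if len(outer_ip) < 24 or outer_ip[0] >> 4 != 4 or outer_ip[9] != 47:
        raise ValueError("not IPv4 carrying GRE (IP protocol 47)")
    off = (outer_ip[0] & 0x0F) * 4                 # outer header length (IHL)
    flags, proto = struct.unpack_from("!HH", outer_ip, off)
    if flags & GRE_R or flags & 0x0007:
        raise ValueError("routing bit or GRE version != 0 not handled")
    # 4 base bytes plus 4 for each optional field: checksum, key, sequence
    off += 4 + 4 * sum(bool(flags & b) for b in (GRE_C, GRE_K, GRE_S))
    if proto == 0x6558:                            # bridged Ethernet frame
        (ethertype,) = struct.unpack_from("!H", outer_ip, off + 12)
        if ethertype != 0x0800:
            raise ValueError("inner frame is not untagged IPv4")
        off += 14
    elif proto != 0x0800:
        raise ValueError("GRE payload is not IPv4")
    return off

def inner_ip_filter(outer_ip: bytes, addr: str) -> str:
    """BPF expression matching addr as inner source or destination."""
    base = inner_ip_offset(outer_ip)
    val = int.from_bytes(socket.inet_aton(addr), "big")
    return (f"ip proto 47 and (ip[{base + 12}:4]=0x{val:08x} "
            f"or ip[{base + 16}:4]=0x{val:08x})")

def _ipv4(proto: int, src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (length and checksum left as dummies)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

# Constructed sample packets, starting at the outer IPv4 header.
OUTER = _ipv4(47, "10.0.0.1", "10.0.0.2")
INNER = _ipv4(6, "172.28.2.3", "192.0.2.9")
PLAIN = OUTER + struct.pack("!HH", 0, 0x0800) + INNER
KEYED = OUTER + struct.pack("!HHI", GRE_K, 0x0800, 7) + INNER
BRIDGED = OUTER + struct.pack("!HH", 0, 0x6558) + bytes(12) + b"\x08\x00" + INNER

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("keyed", KEYED), ("bridged", BRIDGED)):
        print(f"{name:8}", inner_ip_filter(pkt, "172.28.2.3"))
```

Offsets 50 and 54 come out only for the bridged-Ethernet sample with a 20-byte outer header and no optional GRE fields; IPv4 carried directly in GRE puts the inner addresses at 36 and 40.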