gre capture filter

I am trying to write a capture filter to filter GRE traffic based on the inside IP of a GRE packet. Based on the advice given in the link below:

I wrote my capture filter (see at end of the email). With the capture filter, I am getting the following error:

“Invalid capture_filter named ‘inside_ip’ - ‘proto gre and (ip[50:4]=0xac1c0203 or ip[54:4]=0xac1c0203)’”

when I use the same filter with tcpdump i.e. ‘tcpdump -r <filter’, it doesn’t produce any output. However, it doesn’t complain about the filter being incorrect either. I’ve attached the pcap I am using. Any help is appreciated.


redef capture_filters += {
[“inside_ip”] = “proto gre and (ip[50:4]=0xac1c0203 or ip[54:4]=0xac1c0203)”

event bro_init()
print “Hello, World!”;

event bro_done()
print “Goodbye, World!”;

gre-sample2.pcap (7.22 KB)

Looks like offsets 50 and 54 are from the ethernet layer, not ip

tcpdump -r gre-sample2.pcap ‘proto gre and (ether[50:4]=0xac1c0203 or ether[54:4]=0xac1c0203)’

works, as does

tcpdump -r gre-sample2.pcap “proto gre and (ip[36:4]=0xac1c0203 or ip[40:4]=0xac1c0203)”

I started working this out, but then just brute forced it:

for x in seq 1 80;do echo offset: $x $(tcpdump -r gre-sample2.pcap “(ip[$x:4]=0xac1c0203)” 2> /dev/null|wc -l) pkts ;done|grep -v ‘0 pkts’

offset: 36 16 pkts
offset: 40 18 pkts
offset: 68 2 pkts

in theory newer bpf supports ‘protochain gre and host’ but while that generates a huge bpf program it doesn’t actually work.

Thanks Justin,
Your suggestion works for tcpdump. However, bro is still complaining when I put in the filter.
Any idea on how to get around that?

What message are you getting? I just tried this now and it appeared to work:

redef capture_filters += {
[“inside_ip”] = “proto gre and (ip[36:4]=0xac1c0203 or ip[40:4]=0xac1c0203)”

it may matter if you are using a different packet source plugin though like pf_ring or af_packet.

Looks like I may have had a typo. It seems to work now. Thanks for the help.