gre capture filter

Hi,
I am trying to write a capture filter to filter GRE traffic based on the inside IP of a GRE packet. Based on the advice given in the link below:

http://novalidhostsfound.blogspot.com/2015/03/how-to-filter-ip-addresses-inside-gre.html

I wrote my capture filter (see at end of the email). With the capture filter, I am getting the following error:

"Invalid capture_filter named 'inside_ip' - 'proto gre and (ip[50:4]=0xac1c0203 or ip[54:4]=0xac1c0203)'"

When I use the same filter with tcpdump, i.e. 'tcpdump -r <filter', it doesn't produce any output. However, it doesn't complain about the filter being incorrect either. I've attached the pcap I am using. Any help is appreciated.

Thanks.
Dk.

redef capture_filters += {
    ["inside_ip"] = "proto gre and (ip[50:4]=0xac1c0203 or ip[54:4]=0xac1c0203)"
};

event bro_init()
{
    print "Hello, World!";
}

event bro_done()
{
    print "Goodbye, World!";
}

gre-sample2.pcap (7.22 KB)

Looks like offsets 50 and 54 are from the Ethernet layer, not IP.

tcpdump -r gre-sample2.pcap 'proto gre and (ether[50:4]=0xac1c0203 or ether[54:4]=0xac1c0203)'

works, as does

tcpdump -r gre-sample2.pcap "proto gre and (ip[36:4]=0xac1c0203 or ip[40:4]=0xac1c0203)"

I started working this out, but then just brute forced it:

for x in $(seq 1 80); do echo offset: $x $(tcpdump -r gre-sample2.pcap "(ip[$x:4]=0xac1c0203)" 2> /dev/null | wc -l) pkts; done | grep -v '0 pkts'

outputs
offset: 36 16 pkts
offset: 40 18 pkts
offset: 68 2 pkts

In theory newer BPF supports 'protochain gre and host 172.28.2.3', but while that generates a huge BPF program it doesn't actually work.
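As an added illustration of the offset arithmetic (not code from the thread): a constructed Ethernet/IPv4/GRE/IPv4 frame shows why the inner source address lands at ip[36] (20-byte outer IPv4 header + 4-byte GRE header + 12-byte offset of the source field inside the inner IPv4 header) and at ether[50] (14 bytes more for the Ethernet header), and why ip[50] points past it. The outer addresses and MACs are made-up sample values; 172.28.2.3 is the inner host the thread filters on.

```python
import struct

ETH_LEN, OUTER_IP_LEN, GRE_LEN = 14, 20, 4   # GRE is 4 bytes only when no C/K/S flag bits are set
INNER_SRC_OFF, INNER_DST_OFF = 12, 16       # src/dst address offsets inside an IPv4 header

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left as 0 since nothing here validates it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)

def build_gre_frame(inner_src, inner_dst):
    """Constructed sample frame: Ethernet + outer IPv4 (proto 47) + GRE + inner IPv4 + 4 payload bytes."""
    inner = ipv4_header(inner_src, inner_dst, 6, 4) + b"\x00" * 4
    gre = struct.pack("!HH", 0, 0x0800)                     # flags/version = 0, protocol type = IPv4
    outer = ipv4_header(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 47, len(gre) + len(inner))
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"           # dummy MACs, EtherType IPv4
    return eth + outer + gre + inner

def inner_addr_offsets():
    """Offsets of the inner src/dst address, as BPF 'ip[...]' (from outer IP header) and 'ether[...]'."""
    ip_src = OUTER_IP_LEN + GRE_LEN + INNER_SRC_OFF         # 36
    ip_dst = OUTER_IP_LEN + GRE_LEN + INNER_DST_OFF         # 40
    return {"ip": (ip_src, ip_dst), "ether": (ETH_LEN + ip_src, ETH_LEN + ip_dst)}

def bpf_filter(host):
    """Build the tcpdump/Bro capture filter for an inner IPv4 host using the 'ip[...]' form."""
    s, d = inner_addr_offsets()["ip"]
    val = "0x" + bytes(int(o) for o in host.split(".")).hex()
    return f"proto gre and (ip[{s}:4]={val} or ip[{d}:4]={val})"

def ether(frame, off, n):
    """Emulate BPF ether[off:n]: n bytes from the start of the Ethernet frame, big-endian."""
    return int.from_bytes(frame[off:off + n], "big")

def ip(frame, off, n):
    """Emulate BPF ip[off:n]: offset is relative to the start of the (outer) IP header."""
    return ether(frame, ETH_LEN + off, n)

if __name__ == "__main__":
    f = build_gre_frame(bytes([172, 28, 2, 3]), bytes([10, 1, 1, 1]))
    print(hex(ip(f, 36, 4)), hex(ether(f, 50, 4)), hex(ip(f, 50, 4)))
    print(bpf_filter("172.28.2.3"))
```

If the tunnel sets GRE key or sequence-number flags the GRE header grows by 4 bytes per option and every inner offset shifts accordingly, which is one reason a brute-force scan like the one above can find matches at more than one offset.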

Thanks Justin,
Your suggestion works for tcpdump. However, Bro is still complaining when I put in the filter.
Any idea on how to get around that?

What message are you getting? I just tried this now and it appeared to work:

redef capture_filters += {
    ["inside_ip"] = "proto gre and (ip[36:4]=0xac1c0203 or ip[40:4]=0xac1c0203)"
};

It may matter if you are using a different packet source plugin, though, like pf_ring or af_packet.

Looks like I may have had a typo. It seems to work now. Thanks for the help.