help for adding new packet filter

Bindiya_V_S · February 19, 2007, 10:22am

Hi guys,

I am trying to integrate GRE protocol in BRO. When I tried
adding pcap filter for the protocol - by adding the following
lines in the bro file in site directory
redef capture_filters = { ["tcp"]= "tcp", ["udp"] = "udp", ["icmp"] = "icmp", ["gre"] = "gre" };

it is giving the following run-time error.

line 1: run-time error: precompile_pcap_filter: pcap_compile((((gre) or (udp)) or (tcp)) or (icmp)): parse error
can't compile filter (((gre) or (udp)) or (tcp)) or (icmp)

When using 1.1, I was able to use empty capture filter - by adding the following line in the hostname.bro file -
redef capture_filters = { };
and get all the packets captured. The same is not working for
1.2 version.

Somebody please help me out.

Thanks,
Bindiya V S

Vern · February 19, 2007, 6:38pm

line 1: run-time error: precompile_pcap_filter: pcap_compile((((gre) or (udp)) or (tcp)) or (icmp)): parse error
can't compile filter (((gre) or (udp)) or (tcp)) or (icmp)

The problem is that tcpdump (at least my version) doesn't have a "gre"
keyword. So, to specify that you want to capture GRE traffic, you'll need
to describe it dirctly in terms of the IP "protocol" field (e.g., "tcp"
is the same as "ip proto 6").

Vern

Bindiya_V_S · February 20, 2007, 3:22am

Thanks
That fixed it

Topic		Replies	Views
gre capture filter Zeek	5	118	May 6, 2022
giving IPv6 capture filter support Zeek	2	114	May 6, 2022
Adding options to bro managed by broctl Zeek	4	81	May 6, 2022
Bro 0.8 and vlans Zeek	1	67	May 6, 2022
Bro restrict filters question Zeek	4	114	May 6, 2022

help for adding new packet filter

Related topics