Hi,
I am trying to write a capture filter to filter GRE traffic based on the
inside IP of a GRE packet. Based on the advice given in the link below:
http://novalidhostsfound.blogspot.com/2015/03/how-to-filter-ip-addresses-in…
I wrote my capture filter (see at end of the email). With the capture
filter, I am getting the following error:
"Invalid capture_filter named 'inside_ip' - 'proto gre and
(ip[50:4]=0xac1c0203 or ip[54:4]=0xac1c0203)'"
When I use the same filter with tcpdump, i.e. 'tcpdump -r <pcap-file>
<filter>', it doesn't produce any output. However, it doesn't complain about
the filter being incorrect either. I've attached the pcap I am using. Any
help is appreciated.
Thanks.
Dk.
redef capture_filters += {
    ["inside_ip"] = "proto gre and (ip[50:4]=0xac1c0203 or ip[54:4]=0xac1c0203)"
};

event bro_init()
    {
    print "Hello, World!";
    }

event bro_done()
    {
    print "Goodbye, World!";
    }
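The offsets 50 and 54 in the filter above are fixed byte positions counted from the start of the outer IP header, so they only match one particular encapsulation layout. The following is an added example, not part of the original email or of Bro/Zeek: it measures those offsets on a sample packet and builds the matching filter string. It assumes an IPv4 outer header, a GRE header per RFC 2784/2890, and an untagged inner Ethernet header when the GRE protocol type is 0x6558; the function names and sample packets are constructed for illustration.

```python
import socket
import struct

GRE_IPV4, GRE_TEB = 0x0800, 0x6558  # GRE protocol types: IPv4, transparent Ethernet bridging

def inner_ip_offsets(pkt: bytes) -> tuple[int, int]:
    """Offsets of the inner IPv4 src/dst, counted from the outer IP header (what ip[n:4] indexes)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("outer header is not IPv4")
    ihl = (pkt[0] & 0x0F) * 4              # outer header length, 20 unless IP options are present
    if pkt[9] != 47 or len(pkt) < ihl + 4:
        raise ValueError("not a GRE packet")
    flags, proto = struct.unpack_from("!HH", pkt, ihl)
    if flags & 0x4000:
        raise ValueError("RFC 1701 routing field present, not handled here")
    gre_len = 4                            # base GRE header (RFC 2784)
    for bit in (0x8000, 0x2000, 0x1000):   # checksum, key, sequence: 4 more bytes each
        if flags & bit:
            gre_len += 4
    inner = ihl + gre_len
    if proto == GRE_TEB:
        inner += 14                        # assumption: untagged inner Ethernet header
    elif proto != GRE_IPV4:
        raise ValueError(f"unhandled GRE protocol type 0x{proto:04x}")
    return inner + 12, inner + 16          # src and dst fields of the inner IPv4 header

def bpf_for_inner_ip(pkt: bytes, addr: str) -> str:
    """Build the capture filter for `addr` using offsets measured on a sample packet."""
    src, dst = inner_ip_offsets(pkt)
    val = int.from_bytes(socket.inet_aton(addr), "big")
    return f"proto gre and (ip[{src}:4]=0x{val:08x} or ip[{dst}:4]=0x{val:08x})"

def sample_packet(flags: int, proto: int) -> bytes:
    """Constructed test packet (not from the attached pcap): outer IP + GRE + inner IP."""
    def ipv4(p, s, d):
        return bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, p, 0, 0]) + socket.inet_aton(s) + socket.inet_aton(d)
    gre = struct.pack("!HH", flags, proto) + b"\0" * (4 * bin(flags & 0xB000).count("1"))
    eth = b"\0" * 12 + b"\x08\x00" if proto == GRE_TEB else b""
    return ipv4(47, "192.0.2.1", "198.51.100.1") + gre + eth + ipv4(6, "172.28.2.3", "203.0.113.9")

if __name__ == "__main__":
    for flags, proto in ((0, GRE_TEB), (0, GRE_IPV4), (0x2000, GRE_IPV4)):
        print(hex(flags), hex(proto), bpf_for_inner_ip(sample_packet(flags, proto), "172.28.2.3"))
```

Feeding it the first GRE packet's bytes from a capture, starting at the outer IP header, shows whether 50 and 54 are the right positions for that traffic.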
Hi Zeke,
Are you coming to Ohio for the Off-Site?
Thanks,
~Amber
--
*Amber Graner*
Director of Community
Corelight, Inc
828.582.9469
* Ask me about how you can participate in the Zeek (formerly Bro)
community.
* Remember - ZEEK AND YOU SHALL FIND!!