capture filter of GRE

CaptureFilter
retag add tags

Hi,

How can I set capture filter for the GRE?

I've tried proto GRE but I receive an error unkonwn ip proto 'GRE'.

Following previous question: If I need to filter some udp packet (on port 1234) which is inside the GRE, how can I do that?

BMWE

asked 2021-07-27 13:07:55 +0000, updated 2021-07-31 10:14:27 +0000

edit flag offensive 0 remove flag close merge delete

Comments

As this is a Q&A forum, you should really post that as a separate question. Now we have one question and two answers which will possibly confuse others with the same issue.

grahamb (2021-08-01 08:03:36 +0000) edit

add a comment see more comments

2 Answers

Sort by

Try ip proto 47.

grahamb

answered 2021-07-27 13:16:09 +0000

edit flag offensive 0 remove flag delete link

Comments

Thanks, this one seems to be OK. I've appended followup question (filter UDP inside GRE)

BMWE (2021-07-31 10:15:45 +0000) edit

add a comment see more comments

Because the BPF capture filter does not support GRE as a filter, anything on top of that can only be filtered by checking the data at known positions.

So with the layers IP (20) / GRE (4) / IP (20) / UDP, the UDP source port is at position 20+4+20 = 44 bytes. Then the filter you can use is:

ip proto 47 and (ip[44:2] == 1234 or ip[46:2] == 1234)

Assuming no IP options used here. It is possible to make a filter that uses the IP-lengths, but is probably not necessary (options rarely used).

176

André

answered 2021-07-31 12:52:42 +0000

edit flag offensive 0 remove flag delete link

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer

capture filter of GRE edit

Comments

2 Answers

Comments

Comments