Because the BPF capture filter does not support GRE as a filter, anything on top of that can only be filtered by checking the data at known positions.
So with the layers IP (20) / GRE (4) / IP (20) / UDP, the UDP source port is at position 20+4+20 = 44 bytes. Then the filter you can use is:
    ip proto 47 and (ip[44:2] == 1234 or ip[46:2] == 1234)
This assumes no IP options are used here. It is possible to make a filter that uses the IP header lengths, but that is probably not necessary (options are rarely used).
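
To check when the fixed offset 44 holds, the following added example (not part of the original answer) builds constructed IP/GRE/IP/UDP packets and compares the fixed-offset test with a walk that uses the header length fields. It goes slightly beyond the text by also handling the optional GRE checksum, key and sequence fields; all function names and addresses are hypothetical.

```python
import struct

ADDR_A, ADDR_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses

def ipv4_header(proto, payload_len, options=b""):
    # Constructed IPv4 header; options must be a multiple of 4 bytes, checksum left 0.
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + payload_len,
                       0, 0, 64, proto, 0, ADDR_A, ADDR_B) + options

def build(outer_opts=b"", gre_key=None, sport=1234, dport=53):
    # Constructed IP / GRE / IP / UDP packet with an empty UDP payload.
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    inner = ipv4_header(17, len(udp)) + udp
    gre = struct.pack("!HH", 0x2000 if gre_key is not None else 0, 0x0800)
    if gre_key is not None:
        gre += struct.pack("!I", gre_key)
    return ipv4_header(47, len(gre) + len(inner), outer_opts) + gre + inner

def fixed_filter_matches(pkt, port):
    # Emulates: ip proto 47 and (ip[44:2] == port or ip[46:2] == port)
    return pkt[9] == 47 and len(pkt) >= 48 and port in struct.unpack_from("!HH", pkt, 44)

def inner_udp_ports(pkt):
    # Walks the headers by their length fields; returns (offset, sport, dport) or None.
    outer_len = (pkt[0] & 0x0F) * 4
    if pkt[9] != 47:
        return None
    flags, ethertype = struct.unpack_from("!HH", pkt, outer_len)
    if ethertype != 0x0800:
        return None
    # Checksum (0x8000), key (0x2000) and sequence (0x1000) fields add 4 bytes each.
    gre_len = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    inner = outer_len + gre_len
    if pkt[inner + 9] != 17:
        return None
    off = inner + (pkt[inner] & 0x0F) * 4
    return (off,) + struct.unpack_from("!HH", pkt, off)
```

With a plain 4-byte GRE header and no IP options the two agree at offset 44; an outer IP option or a GRE key moves the UDP header to offset 48, and the fixed-offset filter then compares against inner IP address bytes instead of the ports.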