capture filter of GRE

How can I set capture filter for the GRE?

I've tried proto GRE but I receive an error: unknown ip proto 'GRE'.

Following on from the previous question: if I need to filter some UDP packets (on port 1234) that are inside the GRE, how can I do that?

As this is a Q&A forum, you should really post that as a separate question. Now we have one question and two answers which will possibly confuse others with the same issue.

grahamb ( 2021-08-01 08:03:36 +0000 )

answered 2021-07-27 13:16:09 +0000

grahamb

Try ip proto 47.

Thanks, this one seems to be OK. I've appended a follow-up question (filter UDP inside GRE).

BMWE ( 2021-07-31 10:15:45 +0000 )

answered 2021-07-31 12:52:42 +0000

André

Because the BPF capture filter does not support GRE as a filter, anything on top of that can only be filtered by checking the data at known positions.

So with the layers IP (20) / GRE (4) / IP (20) / UDP, the UDP source port is at position 20+4+20 = 44 bytes. Then the filter you can use is:

ip proto 47 and (ip[44:2] == 1234 or ip[46:2] == 1234)

Assuming no IP options are used here. It is possible to make a filter that uses the IP-lengths, but that is probably not necessary (options are rarely used).
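An added example (not part of either answer) that checks the offset arithmetic above against constructed packets: it mirrors the fixed-offset filter in Python and compares it with a version that takes its offsets from the two IP header-length fields and the GRE flag bits. The helper names and the sample packets are assumptions made for this illustration.

```python
import struct

def ipv4(proto, payload, options=b""):
    """Minimal IPv4 header (checksum 0); options length must be a multiple of 4."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + options + payload

def gre(payload, key=None):
    """GRE carrying IPv4 (0x0800); the optional Key field adds 4 bytes."""
    if key is None:
        return struct.pack("!HH", 0, 0x0800) + payload
    return struct.pack("!HHI", 0x2000, 0x0800, key) + payload

def l4(sport, dport):
    """First 8 bytes of a UDP header; TCP keeps its ports at the same two offsets."""
    return struct.pack("!HHHH", sport, dport, 8, 0)

def u16(buf, off):
    return int.from_bytes(buf[off:off + 2], "big")

def fixed_filter(ip, port=1234):
    """ip proto 47 and (ip[44:2] == port or ip[46:2] == port)"""
    return ip[9] == 47 and port in (u16(ip, 44), u16(ip, 46))

def length_aware_filter(ip, port=1234):
    """Same test with offsets taken from the IHL fields and the GRE C/K/S flags."""
    if ip[9] != 47:
        return False
    g = (ip[0] & 0x0F) * 4                   # GRE starts after the outer IP header
    flags = u16(ip, g)
    if flags & 0x4000 or u16(ip, g + 2) != 0x0800:
        return False                         # RFC 1701 routing or non-IPv4 payload: not handled
    inner = g + 4 + 4 * sum(bool(flags & f) for f in (0x8000, 0x2000, 0x1000))
    if ip[inner + 9] != 17:                  # inner protocol must be UDP
        return False
    ports = inner + (ip[inner] & 0x0F) * 4   # UDP starts after the inner IP header
    return port in (u16(ip, ports), u16(ip, ports + 2))

# Constructed sample packets, each starting at the outer IP header (as ip[] does).
SAMPLES = {
    "plain":         ipv4(47, gre(ipv4(17, l4(5000, 1234)))),
    "outer_options": ipv4(47, gre(ipv4(17, l4(5000, 1234))), options=b"\x94\x04\x00\x00"),
    "gre_key":       ipv4(47, gre(ipv4(17, l4(5000, 1234)), key=7)),
    "inner_tcp":     ipv4(47, gre(ipv4(6, l4(1234, 80)))),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14} fixed={fixed_filter(pkt)!s:5} length_aware={length_aware_filter(pkt)}")
```

On these samples the fixed-offset filter misses the packet with outer IP options and the one with a GRE Key field, and it matches the inner TCP packet on port 1234 because it never tests the inner protocol byte.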

