0

I'm using libjpcap to capture packets from the network and handle them in my application. Currently, we can use filters so that we capture only from a certain destination. For example, src host 10.159.2.3 will only capture traffic from that endpoint.

Recently we've added GRE packet support, but filters are not working as the user expected. In our case, the GRE packet's payload is an IPv4 packet.

Is there a way to enter a filter that will filter packets based on the src and/or dst of the contained IPv4 packet? I'm aware that Wireshark will handle the case, so I'm trying to include it here.

Community
Tom

1 Answer

0

I found a way to do this. Using pcap filter expressions we can filter by an offset and length. By using Wireshark we inspected the .pcap capture and determined that the src address on the payload IP packet (the one inside GRE) has a byte offset of 54 from the header of the outer IP packet. The dst address of the payload IP packet has a byte offset of 58.

So we included this expression as a filter

(ip[54:4] = 0X0ac004ef) or (ip[58:4] = 0X0ac004ef)

where the hex number represents the concatenated octets, converted to hex, of the IP we want to filter by.

Tom
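Added example, not part of the original answer: a Python sketch that derives the `ip[offset:4]` positions from a packet instead of reading them off one capture, since they shift with the outer IP header length and the optional GRE fields (checksum, key, sequence), and then builds the filter string. The function names and the sample packet are constructed for illustration, and the `ip proto 47` guard is an addition that restricts the byte comparison to GRE packets.

```python
import ipaddress
import struct

def inner_ipv4_offsets(outer_ip: bytes):
    """Return (src_off, dst_off) of the inner IPv4 addresses, counted from the
    first byte of the outer IPv4 header, which is the base ip[off:len] uses."""
    ihl = (outer_ip[0] & 0x0F) * 4            # outer header length incl. options
    if outer_ip[9] != 47:                     # IP protocol 47 = GRE
        raise ValueError("outer packet does not carry GRE")
    flags, proto = struct.unpack_from("!HH", outer_ip, ihl)
    if flags & 0x4007:                        # RFC 1701 routing bit or version != 0
        raise ValueError("unsupported GRE header variant")
    if proto != 0x0800:                       # GRE protocol type for IPv4
        raise ValueError("GRE payload is not IPv4")
    gre_len = 4
    for bit in (0x8000, 0x2000, 0x1000):      # C (checksum), K (key), S (sequence)
        if flags & bit:
            gre_len += 4                      # each present field adds 4 bytes
    inner = ihl + gre_len
    return inner + 12, inner + 16             # src/dst sit at 12 and 16 in IPv4

def gre_inner_filter(addr: str, src_off: int, dst_off: int) -> str:
    """Build the pcap filter; 'ip proto 47' keeps non-GRE packets from matching."""
    value = int(ipaddress.IPv4Address(addr))  # four octets as one 32-bit number
    return (f"ip proto 47 and ((ip[{src_off}:4] = 0x{value:08x}) "
            f"or (ip[{dst_off}:4] = 0x{value:08x}))")

def sample_packet(gre_flags: int = 0) -> bytes:
    """Constructed GRE-in-IPv4 packet (zeroed checksums), not a real capture."""
    def ipv4(proto, src, dst):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    optional = b"\x00" * 4 * bin(gre_flags & 0xB000).count("1")
    return (ipv4(47, "192.0.2.1", "192.0.2.2")
            + struct.pack("!HH", gre_flags, 0x0800) + optional
            + ipv4(6, "10.192.4.239", "10.159.2.3"))

if __name__ == "__main__":
    for flags in (0x0000, 0x2000, 0x3000):    # plain, key, key + sequence
        src_off, dst_off = inner_ipv4_offsets(sample_packet(flags))
        print(hex(flags), gre_inner_filter("10.192.4.239", src_off, dst_off))
```

A single filter string only matches one header layout, so traffic that mixes GRE variants needs one clause per layout.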