
GAIA: tcpdump filtering with GRE ?

Hello,

I'm trying to come up with the proper syntax to filter a specific IP which is encapsulated within a GRE tunnel. Googling around this seems to be a unique topic, and this the closest I could find:

No valid hosts found - the blog about openstack: How to filter IP addresses inside GRE in tcpdump 

...but I'm having trouble on GAIA: the command is being accepted, but it's filtering zero packets even though I know the traffic is there and passing through the gateway. I suppose the syntax for the target IP may need to be expressed differently, but it's just a theory at this time. Also thought of using fw monitor for this purpose, but the syntax is even more complicated, at least for my limited scripting abilities.

Any help will be much appreciated!

Thanks,

JG

8 Replies

Re: GAIA: tcpdump filtering with GRE ?

tcpdump -ni any proto gre

fw monitor -e "accept ip_p(GRE);" -m iO

But sometimes to get information out of any of the 2 you need to disable fwaccel first by using:

fwaccel off

Regards, Maarten

Re: GAIA: tcpdump filtering with GRE ?

Thanks, but how do I go deeper by 1 layer?

The scenario is: the "outside" IPs of the GRE tunnel are Public Internet and always fixed (of course). The tunnel is transporting a huge amount of data from A to B. That huge amount is comprised of traffic from different Private sources and destinations (e.g. 10.x.x.x) seen on the "inside" of the tunnel.

How can I filter a specific IP from the "inside" of the GRE tunnel, so I can capture only the private IPs I'm looking for?

Thank you

JG


Re: GAIA: tcpdump filtering with GRE ?

Let's say your traffic is towards hosts in the 10.10.10/24 range; then you would use:

fw monitor -e "accept net(10.10.10.0,24);" -m iO

For finding all traffic to/from 10.10.10.10:

fw monitor -e "accept host(10.10.10.10);" -m iO

If you need further info look at this site for more examples and how to use fw monitor.

Regards, Maarten

Re: GAIA: tcpdump filtering with GRE ?

I used those commands with some variations before, trouble is they only apply to filtering straight packets (in other words, the "outside" of the GRE tunnel in my particular scenario). What I'm looking for here is how to filter the IPs in the "inside" or payload of the GRE tunnel, which happens to contain another set of source and destination IPs (this is the very nature of GRE).

At the end of the day these are encapsulated packets. The difficult bit is filtering based on what's in the payload of the GRE tunnel. Even that link you provided suggests it might not be possible. It says: "You will only see a second line if the transport protocol used is known to fw monitor. Known protocols are for example TCP, UDP and ICMP. If the transport protocol is unknown or can not be analyzed because it is encrypted (e.g. ESP) or encapsulated (e.g. GRE), the second line is missing."

I'm thinking it could be done by counting offset bytes or something like that? Thoughts?

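The "counting offset bytes" idea above, worked through as an added example that is not from this thread, from Check Point, or from the linked blog: a small Python script builds a constructed IPv4-in-GRE packet, locates the inner source and destination addresses by computing the GRE header length from its flag bits (RFC 2784/2890: base 4 bytes, plus 4 each for the C, K and S flags), and emits the equivalent tcpdump byte-offset expression. The packet builder, the function names and the sample addresses are all assumptions made for this example; the emitted filter assumes an outer IPv4 header without options.

```python
import socket
import struct

# GRE flag bits in the first header byte (RFC 2784 / RFC 2890).
GRE_FLAG_CHECKSUM = 0x80   # C: 4 bytes of checksum + reserved follow
GRE_FLAG_KEY = 0x20        # K: 4-byte key follows
GRE_FLAG_SEQ = 0x10        # S: 4-byte sequence number follows
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47


def gre_header_len(gre: bytes) -> int:
    """Length of the GRE header: 4 bytes plus 4 for each optional field present."""
    flags = gre[0]
    length = 4
    if flags & GRE_FLAG_CHECKSUM:
        length += 4
    if flags & GRE_FLAG_KEY:
        length += 4
    if flags & GRE_FLAG_SEQ:
        length += 4
    return length


def parse_gre_inner_ips(ip_packet: bytes):
    """Return (outer_src, outer_dst, inner_src, inner_dst) for IPv4-in-GRE, else None."""
    outer_ihl = (ip_packet[0] & 0x0F) * 4          # outer IPv4 header length in bytes
    if ip_packet[9] != IPPROTO_GRE:
        return None
    outer_src = socket.inet_ntoa(ip_packet[12:16])
    outer_dst = socket.inet_ntoa(ip_packet[16:20])
    gre = ip_packet[outer_ihl:]
    if struct.unpack("!H", gre[2:4])[0] != ETHERTYPE_IPV4:
        return None                                 # only IPv4 payloads handled here
    inner = gre[gre_header_len(gre):]               # skip the variable-length GRE header
    inner_src = socket.inet_ntoa(inner[12:16])
    inner_dst = socket.inet_ntoa(inner[16:20])
    return outer_src, outer_dst, inner_src, inner_dst


def tcpdump_filter_for_inner_host(host: str, gre_hdr_len: int = 4, outer_ihl: int = 20) -> str:
    """tcpdump expression matching `host` as inner source or destination.

    ip[N:4] indexes into the outer IPv4 packet, so the inner address offsets are
    outer header + GRE header + 12 (source) or + 16 (destination).
    """
    hexval = "0x" + socket.inet_aton(host).hex()
    src_off = outer_ihl + gre_hdr_len + 12
    dst_off = outer_ihl + gre_hdr_len + 16
    return f"proto gre and (ip[{src_off}:4] = {hexval} or ip[{dst_off}:4] = {hexval})"


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left at zero; constructed test data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_gre_packet(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
                     key: int = None) -> bytes:
    """Constructed IPv4-in-GRE packet, optionally with the K flag and a key field."""
    inner_payload = b"\x00" * 8                     # dummy UDP-ish payload
    inner = build_ipv4_header(inner_src, inner_dst, 17, len(inner_payload)) + inner_payload
    if key is None:
        gre = struct.pack("!BBH", 0, 0, ETHERTYPE_IPV4)
    else:
        gre = struct.pack("!BBHI", GRE_FLAG_KEY, 0, ETHERTYPE_IPV4, key)
    outer = build_ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner


if __name__ == "__main__":
    pkt = build_gre_packet("203.0.113.1", "198.51.100.1", "10.10.10.10", "10.20.20.20")
    print(parse_gre_inner_ips(pkt))
    print(tcpdump_filter_for_inner_host("10.10.10.10"))
```

The point of `gre_header_len` is the part a fixed-offset filter cannot express: on a tunnel that sets the K (key) flag the GRE header is 8 bytes, so the inner addresses move from `ip[36:4]`/`ip[40:4]` to `ip[40:4]`/`ip[44:4]`, and you would call `tcpdump_filter_for_inner_host(host, gre_hdr_len=8)`. Inspecting one packet of the tunnel in Wireshark first (or with `parse_gre_inner_ips` on a saved capture) tells you which flags the peer sets before you trust an offset.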

Re: GAIA: tcpdump filtering with GRE ?

Have you sent this to an output file and opened it with Wireshark?

Regards, Maarten

Re: GAIA: tcpdump filtering with GRE ?

Yes, nothing shows up, that filter syntax does not work in this case due to the IP being inside the encapsulation.


Re: GAIA: tcpdump filtering with GRE ?

See TraceWrangler - Packet Capture Toolkit

One of the features: editing packets in batch, especially by removing certain protocol layers like MPLS, GRE or GTP-u.

Regards, Maarten
Admin

Re: GAIA: tcpdump filtering with GRE ?

tcpdump only gets the first few bytes of the packet by default.

You may have better luck by adding -s 0 to your tcpdump command, which I believe means capture all bytes.
