Javier_Gurfinki
Participant

GAIA: tcpdump filtering with GRE ?

Hello,

I'm trying to come up with the proper syntax to filter a specific IP which is encapsulated within a GRE tunnel. Googling around, this seems to be a unique topic, and this is the closest I could find:

No valid hosts found - the blog about openstack: How to filter IP addresses inside GRE in tcpdump 

...but I'm having trouble on GAIA: the command is being accepted, but it's filtering zero packets even though I know the traffic is there and passing through the gateway. I suppose the syntax for the target IP may need to be expressed differently, but it's just a theory at this time. I also thought of using fw monitor for this purpose, but the syntax is even more complicated, at least for my limited scripting abilities.

Any help will be much appreciated!

Thanks,

JG

9 Replies
Maarten_Sjouw
Champion

tcpdump -ni any proto gre

fw monitor -e "accept ip_p(GRE);" -m iO

But sometimes to get information out of any of the 2 you need to disable fwaccel first by using:

fwaccel off

Regards, Maarten
0 Kudos
Javier_Gurfinki
Participant

Thanks, but how do I go deeper by 1 layer?

The scenario is: the "outside" IPs of the GRE tunnel are Public Internet and always fixed (of course). The tunnel is transporting a huge amount of data from A to B. That huge amount is comprised of traffic from different Private sources and destinations (e.g. 10.x.x.x) seen on the "inside" of the tunnel.

How can I filter a specific IP from the "inside" of the GRE tunnel, so I can capture only the private IPs I'm looking for?

Thank you

JG

0 Kudos
Maarten_Sjouw
Champion

Let's say your traffic is towards hosts in the 10.10.10/24 range; then you would use:

fw monitor -e "accept net(10.10.10.0,24);" -m iO

For finding all traffic to/from 10.10.10.10:

fw monitor -e "accept host(10.10.10.10);" -m iO

If you need further info look at this site for more examples and how to use fw monitor.

Regards, Maarten
0 Kudos
Javier_Gurfinki
Participant

I used those commands with some variations before, trouble is they only apply to filtering straight packets (in other words, the "outside" of the GRE tunnel in my particular scenario). What I'm looking for here is how to filter the IPs in the "inside" or payload of the GRE tunnel, which happens to contain another set of source and destination IPs (this is the very nature of GRE).

At the end of the day these are encapsulated packets. The difficult bit is filtering based on what's in the payload of the GRE tunnel. Even that link you provided suggests it might not be possible. It says: "You will only see a second line if the transport protocol used is known to fw monitor. Known protocols are for example TCP, UDP and ICMP. If the transport protocol is unknown or can not be analyzed because it is encrypted (e.g. ESP) or encapsulated (e.g. GRE) the second line is missing."

I'm thinking it could be done by counting offset bytes or something like that? Thoughts?

0 Kudos
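The offset-counting idea is exactly how tcpdump's BPF filter can reach the inner addresses: tcpdump's ip[N:4] primitive reads four bytes at byte N of the outer IP header, and with a 20-byte outer header and a 4-byte GRE header (no checksum, key or sequence bits set) the inner IPv4 header starts at byte 24, so the inner source sits at ip[36:4] and the inner destination at ip[40:4]. The script below is an added example for this thread, not code from Check Point, GAIA or the linked blog. It walks a GRE packet constructed in memory, derives those offsets from the GRE flag bits (so a keyed tunnel, which shifts everything by 4 bytes, is handled too), prints the equivalent tcpdump expression, and applies the same byte comparison to the constructed packet. The packet builder, the addresses and the zeroed checksums are assumptions made for the example.

```python
"""Derive tcpdump byte-offset filters for IPv4 addresses carried inside GRE.

Added example for this thread (not Check Point or GAIA code). Assumes the
GRE payload is plain IPv4 (ethertype 0x0800); the outer IP header length is
read from its IHL field, so IP options are tolerated. Offsets are relative
to the start of the outer IP header, which is what tcpdump's ip[N:4] indexes.
"""
import ipaddress
import struct

GRE_PROTO = 47          # IP protocol number of GRE
ETHERTYPE_IPV4 = 0x0800


def gre_header_len(flags_word: int) -> int:
    """GRE base header is 4 bytes; C, K and S bits each add a 4-byte field."""
    length = 4
    if flags_word & 0x8000:   # C: checksum + reserved1
        length += 4
    if flags_word & 0x2000:   # K: key
        length += 4
    if flags_word & 0x1000:   # S: sequence number
        length += 4
    return length


def inner_ip_offsets(packet: bytes) -> dict:
    """Return byte offsets of the inner IPv4 header, source and destination."""
    outer_ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    gre_flags, gre_proto = struct.unpack_from("!HH", packet, outer_ihl)
    if gre_proto != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4 (e.g. ERSPAN carries Ethernet)")
    inner = outer_ihl + gre_header_len(gre_flags)
    return {"inner_ip": inner, "src": inner + 12, "dst": inner + 16}


def tcpdump_filter(host: str, gre_hdr_len: int = 4, outer_ihl: int = 20) -> str:
    """BPF expression matching `host` as inner source or inner destination."""
    value = int(ipaddress.IPv4Address(host))
    inner = outer_ihl + gre_hdr_len
    return (f"proto gre and (ip[{inner + 12}:4] = 0x{value:08x} "
            f"or ip[{inner + 16}:4] = 0x{value:08x})")


def matches(packet: bytes, host: str) -> bool:
    """Apply the same comparison tcpdump would, on raw outer-IP bytes."""
    try:
        off = inner_ip_offsets(packet)
    except ValueError:
        return False
    target = ipaddress.IPv4Address(host).packed
    return (packet[off["src"]:off["src"] + 4] == target
            or packet[off["dst"]:off["dst"] + 4] == target)


def build_gre_packet(outer_src, outer_dst, inner_src, inner_dst, key=None) -> bytes:
    """Constructed test packet: outer IPv4 + GRE + inner IPv4 + 8 dummy bytes.

    Checksums are left at zero; a BPF filter never looks at them.
    """
    def ipv4_header(src, dst, proto, payload_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                           64, proto, 0,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)

    inner = ipv4_header(inner_src, inner_dst, 6, 8) + b"\x00" * 8
    if key is None:
        gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)            # flags clear
    else:
        gre = struct.pack("!HHI", 0x2000, ETHERTYPE_IPV4, key)      # K bit set
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


if __name__ == "__main__":
    # Constructed sample: public tunnel endpoints carrying private inner hosts.
    pkt = build_gre_packet("203.0.113.1", "198.51.100.2", "10.10.10.10", "10.20.30.40")
    print(inner_ip_offsets(pkt))
    print(tcpdump_filter("10.10.10.10"))
    print(matches(pkt, "10.10.10.10"), matches(pkt, "10.10.10.11"))
```

Two caveats follow from the code. First, the offsets only hold for the GRE variant actually on the wire: a tunnel that sets the key or sequence bits pushes the inner header out by 4 bytes each, so capture a few packets with -s 0, confirm the GRE flags in Wireshark, and pass the real header length to tcpdump_filter (8 for a keyed tunnel). Second, ERSPAN is GRE with protocol type 0x88BE carrying an Ethernet frame, not a bare IPv4 header, so the same ip[N:4] arithmetic needs the ERSPAN and Ethernet header lengths added before the inner IP offset; the parser above deliberately refuses that case rather than returning wrong offsets.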
Maarten_Sjouw
Champion

Have you sent this to an output file and opened it with Wireshark?

Regards, Maarten
0 Kudos
Javier_Gurfinki
Participant

Yes, nothing shows up, that filter syntax does not work in this case due to the IP being inside the encapsulation.

0 Kudos
Maarten_Sjouw
Champion

See TraceWrangler - Packet Capture Toolkit

One of the features: editing packets in batch, especially by removing certain protocol layers like MPLS, GRE or GTP-u.

Regards, Maarten
0 Kudos
PhoneBoy
Admin

tcpdump only gets the first few bytes of the packet by default.

You may have better luck by adding -s 0 to your tcpdump command, which I believe means capture all bytes.

Alex_Schmitt
Participant

Hello Javier,
I have the exact same issues, in my case with GRE/ERSPAN traffic where I want to filter a specific IP within the GRE tunnel.

Did you per chance have any success?

0 Kudos