Hello,
I'm trying to come up with the proper syntax to filter a specific IP which is encapsulated within a GRE tunnel. Googling around this seems to be a unique topic, and this the closest I could find:
No valid hosts found - the blog about openstack: How to filter IP addresses inside GRE in tcpdump
...but I'm having trouble on GAIA: the command is being accepted, but it's filtering zero packets even though I know the traffic is there and passing through the gateway. I suppose the syntax for the target IP may need to be expressed differently, but it's just a theory at this time. Also thought of using fw monitor for this purpose, but the syntax is even more complicated, at least for my limited scripting abilities.
Any help will be much appreciated!
Thanks,
JG
tcpdump -ni any proto gre
fw monitor -e "accept ip_p(GRE);" -m iO
But sometimes to get information out of any of the 2 you need to disable fwaccel first by using:
fwaccel off
Thanks, but how do I go deeper by 1 layer?
The scenario is: the "outside" IPs of the GRE tunnel are Public Internet and always fixed (of course). The tunnel is transporting a huge amount of data from A to B. That huge amount is comprised of traffic from different Private sources and destinations (e.g. 10.x.x.x) seen on the "inside" of the tunnel.
How can I filter a specific IP from the "inside" of the GRE tunnel, so I can capture only the private IPs I'm looking for?
Thank you
JG
Let's say your traffic is towards hosts in the 10.10.10/24 range, then you would use:
fw monitor -e "accept net(10.10.10.0,24);" -m iO
For finding all traffic to/from 10.10.10.10:
fw monitor -e "accept host(10.10.10.10);" -m iO
If you need further info look at this site for more examples and how to use fw monitor.
I used those commands with some variations before, trouble is they only apply to filtering straight packets (in other words, the "outside" of the GRE tunnel in my particular scenario). What I'm looking for here is how to filter the IPs in the "inside" or payload of the GRE tunnel, which happens to contain another set of source and destination IPs (this is the very nature of GRE).
At the end of the day these are encapsulated packets. The difficult bit is filtering based on what's in the payload of the GRE tunnel. Even that link you provided suggests it might not be possible. It says: "You will only see a second line if the transport protocol used is known to fw monitor. Known protocols are for example TCP, UDP and ICMP. If the transport protocol is unknown or can not be analyzed because it is encrypted (e.g. ESP) or encapsulated (e.g. GRE) the second line is missing."
I'm thinking it could be done by counting offset bytes or something like that? Thoughts?
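To make the offset idea concrete, here is an added Python example (not from this thread or from Check Point) that builds a constructed GRE-in-IPv4 packet, works out where the inner source and destination addresses sit, and emits the matching fixed-offset tcpdump expression. It assumes a 20-byte outer IP header and GRE carrying IPv4; the addresses are constructed sample values. The point it demonstrates is that a filter which hard-codes ip[36:4] matches nothing once a GRE key or sequence number (or a different payload type, as with ERSPAN, which carries Ethernet rather than IP) shifts the inner header.

```python
import struct
import ipaddress

GRE_PROTO = 47             # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800    # GRE protocol type for an IPv4 payload (ERSPAN uses 0x88BE)
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # checksum / key / sequence-present flags

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options, checksum left 0): constructed sample data only."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def gre_packet(outer_src, outer_dst, inner_src, inner_dst, key=None):
    """Build outer IPv4 | GRE | inner IPv4 (+8 dummy payload bytes). Constructed sample packet."""
    inner = ipv4_header(inner_src, inner_dst, 17, 8) + b"\x00" * 8
    flags = GRE_K if key is not None else 0
    gre = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)          # a 4-byte key pushes the inner header along
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def inner_ip_offsets(pkt):
    """Offsets (from the start of the outer IP header) of the inner src and dst addresses,
    or None if the packet is not GRE carrying IPv4. These are the N values a tcpdump
    ip[N:4] test must use, so they move whenever the GRE flags or outer IHL change."""
    ihl = (pkt[0] & 0x0F) * 4                  # outer header length; options would shift every offset
    if pkt[9] != GRE_PROTO:
        return None
    flags, ptype = struct.unpack_from("!HH", pkt, ihl)
    if ptype != ETHERTYPE_IPV4:                # e.g. ERSPAN: Ethernet inside, so no inner IP here
        return None
    gre_len = 4 + sum(4 for bit in (GRE_C, GRE_K, GRE_S) if flags & bit)
    inner = ihl + gre_len                      # start of the inner IPv4 header
    return inner + 12, inner + 16

def inner_addresses(pkt):
    """Inner (src, dst) as dotted strings, or None when inner_ip_offsets() finds no inner IPv4."""
    off = inner_ip_offsets(pkt)
    if off is None:
        return None
    return tuple(str(ipaddress.IPv4Address(pkt[o:o + 4])) for o in off)

def tcpdump_filter(host, pkt):
    """tcpdump expression matching `host` as inner src or dst, using the GRE layout seen in pkt.
    'ip proto 47' is used instead of the name so it does not depend on /etc/protocols."""
    s, d = inner_ip_offsets(pkt)
    v = int(ipaddress.IPv4Address(host))
    return f"ip proto 47 and (ip[{s}:4] = {v:#010x} or ip[{d}:4] = {v:#010x})"

if __name__ == "__main__":
    sample = gre_packet("198.51.100.1", "203.0.113.2", "10.10.10.10", "10.20.30.40")
    print(inner_addresses(sample), tcpdump_filter("10.10.10.10", sample))
```

Run the generated expression with -s 0 so the saved capture keeps the full inner packet for Wireshark; the BPF match itself is evaluated on the whole packet regardless of snaplen.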
Have you sent this to an output file and opened it with Wireshark?
Yes, nothing shows up, that filter syntax does not work in this case due to the IP being inside the encapsulation.
See TraceWrangler - Packet Capture Toolkit.
One of the features: editing packets in batch, especially by removing certain protocol layers like MPLS, GRE or GTP-u.
tcpdump only gets the first few bytes of the packet by default.
You may have better luck by adding -s 0 to your tcpdump command, which I believe means capture all bytes.
Hello Javier,
I have the exact same issues, in my case with GRE/ERSPAN traffic where I want to filter a specific IP within the GRE tunnel.
Did you per chance have any success?