I used those commands with some variations before, trouble is they only apply to filtering straight packets (in other words, the "outside" of the GRE tunnel in my particular scenario). What I'm looking for here is how to filter the IPs in the "inside" or payload of the GRE tunnel, which happens to contain another set of source and destination IPs (this is the very nature of GRE).
At the end of the day these are encapsulated packets. The difficult bit is filtering based on what's in the payload of the GRE tunnel. Even that link you provided suggests it might not be possible. It says: "You will only see a second line if the transport protocol used is known to fw monitor. Known protocols are for example TCP, UDP and ICMP. If the transport protocol is unknown or can not be analyzed because it is encrypted (e.g. ESP) or encapsulated (e.g. GRE) the second line is missing."
I'm thinking it could be done by counting offset bytes or something like that? Thoughts?
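The offset arithmetic asked about above, as an added example that is not part of the original post and is not fw monitor syntax: a Python sketch that locates the inner IPv4 header from the outer header length and the GRE flag bits, then reads the inner source and destination. It assumes the buffer starts at the outer IPv4 header (no Ethernet header); the function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

GRE_PROTO, ETHERTYPE_IPV4 = 47, 0x0800

def inner_ipv4_offset(pkt: bytes):
    """Byte offset of the inner IPv4 header in an IPv4/GRE packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4              # outer header length; varies with IP options
    if ihl < 20 or pkt[9] != GRE_PROTO or len(pkt) < ihl + 4:
        return None
    flags, proto = struct.unpack_from("!HH", pkt, ihl)
    # Only GRE version 0 carrying IPv4; the RFC 1701 routing bit is not handled.
    if flags & 0x0007 or flags & 0x4000 or proto != ETHERTYPE_IPV4:
        return None
    gre_len = 4
    for bit in (0x8000, 0x2000, 0x1000):   # checksum, key, sequence: 4 bytes each
        if flags & bit:
            gre_len += 4
    off = ihl + gre_len
    if len(pkt) < off + 20 or pkt[off] >> 4 != 4:
        return None
    return off

def inner_addrs(pkt: bytes):
    """(src, dst) of the encapsulated IPv4 packet as strings, else None."""
    off = inner_ipv4_offset(pkt)
    if off is None:
        return None
    src, dst = struct.unpack_from("!4s4s", pkt, off + 12)
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))

def _ipv4(src, dst, proto, payload=b""):
    """Constructed 20-byte IPv4 header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

# Constructed samples: documentation addresses outside, private addresses inside.
INNER = _ipv4("10.1.1.5", "10.2.2.9", 1)
SAMPLE_PLAIN = _ipv4("192.0.2.1", "198.51.100.2", GRE_PROTO,
                     struct.pack("!HH", 0, 0x0800) + INNER)
SAMPLE_KEYED = _ipv4("192.0.2.1", "198.51.100.2", GRE_PROTO,
                     struct.pack("!HHI", 0x2000, 0x0800, 7) + INNER)

if __name__ == "__main__":
    for name, pkt in (("plain", SAMPLE_PLAIN), ("keyed", SAMPLE_KEYED)):
        print(name, inner_ipv4_offset(pkt), inner_addrs(pkt))
```

With a 20-byte outer header and a 4-byte GRE header the inner addresses sit at bytes 36 and 40, but a fixed offset breaks as soon as the tunnel carries a key, checksum or sequence number, or the outer header has IP options.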