How can we see the packets tunneled inside the GRE tunnel?

Aruba Employee

Environment: This article is valid for all Aruba controllers and software versions.

Symptoms: We can see the GRE encapsulation in Wireshark, but Wireshark cannot decode the tunneled contents.

Cause: By default, Aruba uses GRE mode 0, i.e. a GRE protocol-type field of 0, for which Wireshark has no dissector, so the payload is left undecoded.

Solution: Set the GRE mode to 25944 (0x6558, Transparent Ethernet Bridging, which Wireshark dissects as Ethernet) on both ends of the tunnel:

 

interface tunnel 2
        description "Tunnel Interface"
        tunnel source 10.1.1.3
        tunnel mode gre 25944
        tunnel destination 10.1.1.2
        tunnel keepalive 5 3
        trusted
        tunnel vlan 2


After this, the contents of the GRE tunnel are visible in Wireshark; in the article's screenshot the inner packets are decoded as ICMP.


Related Links : http://tools.ietf.org/search/rfc1701

Last update: 07-24-2014 09:19 AM

Comments


Here's another tip. GRE tunnels from Aruba will contain a secondary ethertype of 0x9000, or 0x8100 through 0x8103.

To see the 0x8100 through 0x8103 packets in tshark, you can do this:

tshark -d gre.proto==33024:4,eth -r input.pcap | less

I haven't figured out how to get that same thing to work in wireshark yet, as the ~/.wireshark/decode_as_entries file has a different syntax, and it doesn't work on the 0x9000 traffic which has a different format.


...and after some head-scratching here is the magic incantation for teaching wireshark to love the 0x8100-0x8104 gre.proto selectors.  Put this in your ~/.wireshark/decode_as_entries.  And save an extra copy of it, because Wireshark likes to stomp on it.


decode_as_entry: gre.proto,33024,(none),Ethernet
decode_as_entry: gre.proto,33025,(none),Ethernet
decode_as_entry: gre.proto,33026,(none),Ethernet
decode_as_entry: gre.proto,33027,(none),Ethernet
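As an added example (not code from the article or from the commenters above), here is a small Python parser that reads the RFC 1701 GRE header and mirrors what Wireshark does with the protocol-type field under the settings on this page: 25944 (0x6558) from the article's `tunnel mode gre` command and the 33024 through 33027 selectors from the decode_as entries are dissected as Ethernet, while anything else (mode 0, or 0x9000) stays undecoded. The sample packets are constructed inline, and the optional GRE routing (R) field is not handled.

```python
import struct

# GRE protocol-type values from this page: 25944 (0x6558) is what
# "tunnel mode gre 25944" sets; 33024..33027 (0x8100..0x8103) are the
# gre.proto selectors mapped to Ethernet in the decode_as entries.
TRANSPARENT_ETHERNET_BRIDGING = 0x6558
ARUBA_ETH_SELECTORS = set(range(0x8100, 0x8104))


def parse_gre(packet: bytes) -> dict:
    """Parse an RFC 1701 GRE header; return protocol type, version and payload."""
    flags_ver, proto = struct.unpack("!HH", packet[:4])
    c = (flags_ver >> 15) & 1  # checksum present
    r = (flags_ver >> 14) & 1  # routing present
    k = (flags_ver >> 13) & 1  # key present
    s = (flags_ver >> 12) & 1  # sequence number present
    if r:
        raise ValueError("GRE routing field not supported by this parser")
    # RFC 1701: the checksum+offset word is present if either C or R is set.
    header_len = 4 + 4 * (c | r) + 4 * k + 4 * s
    return {"proto": proto, "version": flags_ver & 0x7, "payload": packet[header_len:]}


def decode_as(proto: int) -> str:
    """What Wireshark makes of the protocol type with this page's decode_as entries."""
    if proto == TRANSPARENT_ETHERNET_BRIDGING or proto in ARUBA_ETH_SELECTORS:
        return "Ethernet"
    return "undecoded"  # mode 0, or 0x9000, which the entries above do not cover


def inner_summary(packet: bytes) -> str:
    """Name the innermost protocol when the GRE payload decodes as Ethernet."""
    gre = parse_gre(packet)
    if decode_as(gre["proto"]) != "Ethernet":
        return "undecoded"
    eth = gre["payload"]
    ethertype = struct.unpack("!H", eth[12:14])[0]
    if ethertype != 0x0800:
        return f"ethertype 0x{ethertype:04x}"
    ip_proto = eth[14 + 9]  # IPv4 protocol field is byte 9 of the IP header
    return {1: "ICMP", 6: "TCP", 17: "UDP"}.get(ip_proto, f"IP protocol {ip_proto}")


# Constructed sample: Ethernet + IPv4 (checksum zeroed, 10.1.1.3 -> 10.1.1.2) + ICMP echo.
ETH = bytes.fromhex("00112233445566778899aabb0800")
IPV4_ICMP = bytes.fromhex("4500001c00010000400100000a0101030a010102")
INNER = ETH + IPV4_ICMP + bytes.fromhex("0800000000000000")
SAMPLE_MODE_0 = b"\x00\x00\x00\x00" + INNER                            # default mode 0
SAMPLE_MODE_25944 = b"\x00\x00\x65\x58" + INNER                        # after the fix
SAMPLE_KEYED_8100 = b"\x20\x00\x81\x00" + b"\x00\x00\x00\x02" + INNER  # K bit set, key 2

if __name__ == "__main__":
    for name, pkt in [("mode 0", SAMPLE_MODE_0), ("mode 25944", SAMPLE_MODE_25944),
                      ("0x8100 keyed", SAMPLE_KEYED_8100)]:
        print(f"{name}: {inner_summary(pkt)}")
```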
