How can we see the packets tunneled inside the GRE tunnel?

By Arunkumar posted Jul 11, 2014 12:39 PM


Environment : This article is valid for all Aruba controllers and software versions.


Symptoms : We can see the GRE-encapsulated packets in Wireshark, but we cannot decode the contents.



Cause : By default, Aruba uses GRE mode 0, which doesn't allow Wireshark to decode the contents.


Solution : Set the GRE mode to 25944 on both ends of the tunnel:


interface tunnel 2
        description "Tunnel Interface"
        tunnel source
        tunnel mode gre 25944
        tunnel destination
        tunnel keepalive 5 3
        tunnel vlan 2



After this, the contents of the GRE tunnel are visible in Wireshark:

Here we can see the contents in Wireshark as ICMP.





Jul 23, 2014 09:40 PM


...and after some head-scratching here is the magic incantation for teaching wireshark to love the 0x8100-0x8104 gre.proto selectors.  Put this in your ~/.wireshark/decode_as_entries.  And save an extra copy of it, because Wireshark likes to stomp on it.


decode_as_entry: gre.proto,33024,(none),Ethernet
decode_as_entry: gre.proto,33025,(none),Ethernet
decode_as_entry: gre.proto,33026,(none),Ethernet
decode_as_entry: gre.proto,33027,(none),Ethernet



Jul 23, 2014 06:46 PM


Here's another tip.  GRE tunnels from Aruba will contain a secondary ethertype of 0x9000, or 0x8100 through 0x8103.


To see the 0x8100 through 0x8103 packets in tshark, you can do this:


tshark -d gre.proto==33024:4,eth -r input.pcap | less


I haven't figured out how to get that same thing to work in wireshark yet, as the ~/.wireshark/decode_as_entries file has a different syntax, and it doesn't work on the 0x9000 traffic which has a different format.
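
The GRE protocol-type values discussed on this page, parsed by hand, as an added example that is not part of the original article or replies. 25944 is 0x6558 (Transparent Ethernet Bridging), so the payload after the GRE header is a complete Ethernet frame, while type 0 gives an analyzer nothing to select a payload decoder with. The sample packets are constructed, and all function and variable names are assumptions of this example.

```python
import struct

TEB = 0x6558  # 25944 decimal: Transparent Ethernet Bridging
# Selectors the replies above map to Ethernet, plus the article's 25944.
ETH_LIKE = {TEB, 0x8100, 0x8101, 0x8102, 0x8103}

def parse_gre(buf):
    """Parse a GRE header (RFC 2784/2890); return (proto, key, payload)."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", buf[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    off, key = 4, None
    if flags & 0x8000:            # C bit: checksum + reserved word
        off += 4
    if flags & 0x2000:            # K bit: 32-bit key
        if len(buf) < off + 4:
            raise ValueError("truncated GRE key")
        key = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if flags & 0x1000:            # S bit: sequence number
        off += 4
    if len(buf) < off:
        raise ValueError("truncated GRE options")
    return proto, key, buf[off:]

def inner_ethernet(payload):
    """Return (dst MAC, src MAC, EtherType) of an inner Ethernet frame."""
    if len(payload) < 14:
        raise ValueError("payload too short for an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", payload[:14])
    mac = lambda m: ":".join(f"{b:02x}" for b in m)
    return mac(dst), mac(src), etype

def describe(buf):
    """One-line summary: decode the inner frame only when the type allows it."""
    proto, _key, payload = parse_gre(buf)
    if proto in ETH_LIKE:
        dst, src, etype = inner_ethernet(payload)
        return f"gre.proto=0x{proto:04x} inner Ethernet {src} -> {dst} ethertype=0x{etype:04x}"
    return f"gre.proto=0x{proto:04x} opaque payload, {len(payload)} bytes"

# Constructed samples: the same inner frame behind two different GRE types.
INNER = bytes.fromhex("020000000002" "020000000001" "0800") + bytes(20)
SAMPLE_TEB = struct.pack("!HH", 0, TEB) + INNER
SAMPLE_MODE0 = struct.pack("!HH", 0, 0) + INNER

if __name__ == "__main__":
    for pkt in (SAMPLE_MODE0, SAMPLE_TEB):
        print(describe(pkt))
```
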