Environment : This article applies to all Aruba controllers and software versions.
Symptoms : Wireshark shows the GRE-encapsulated packets, but it cannot decode their contents.
Cause : By default, Aruba uses GRE mode 0, which Wireshark cannot decode.
Solution : Set the GRE mode to 25944 on both ends of the tunnel:
    interface tunnel 2
        description "Tunnel Interface"
        tunnel source 10.1.1.3
        tunnel mode gre 25944
        tunnel destination 10.1.1.2
        tunnel keepalive 5 3
        trusted
        tunnel vlan 2
After this change, the contents of the GRE tunnel are visible in Wireshark, where the payload is now shown as ICMP.
Related Links : http://tools.ietf.org/search/rfc1701
...and after some head-scratching here is the magic incantation for teaching wireshark to love the 0x8100-0x8104 gre.proto selectors. Put this in your ~/.wireshark/decode_as_entries. And save an extra copy of it, because Wireshark likes to stomp on it.
Here's another tip. GRE tunnels from Aruba will contain a secondary ethertype of 0x9000, or 0x8100 through 0x8103.
To see the 0x8100 through 0x8103 packets in tshark, you can do this:
tshark -d gre.proto==33024:4,eth -r input.pcap | less
I haven't figured out how to get that same thing to work in wireshark yet, as the ~/.wireshark/decode_as_entries file has a different syntax, and it doesn't work on the 0x9000 traffic which has a different format.
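An added example (not part of the original article or replies): a minimal parser for the RFC 1701 GRE header that reads the protocol type and maps it to the handling described on this page. The function names and the sample packets are constructed for illustration; 25944 is the decimal form of 0x6558 (Transparent Ethernet Bridging) and 33024 is 0x8100.

```python
import struct

def parse_gre(packet: bytes):
    """Parse an RFC 1701 GRE header; return (protocol_type, payload_offset)."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    if flags & 0x4000:
        raise ValueError("source routing (R bit) not handled in this example")
    offset = 4
    if flags & 0x8000:   # C bit: Checksum + Offset fields
        offset += 4
    if flags & 0x2000:   # K bit: Key field
        offset += 4
    if flags & 0x1000:   # S bit: Sequence Number field
        offset += 4
    if len(packet) < offset:
        raise ValueError("truncated GRE optional fields")
    return proto, offset

def decode_advice(proto: int) -> str:
    """Map the GRE protocol type to the handling this page describes."""
    if proto == 0x0000:
        return "mode 0: set 'tunnel mode gre 25944' on both tunnel ends"
    if proto == 0x6558:  # 25944 decimal, Transparent Ethernet Bridging
        return "mode 25944: payload is an Ethernet frame, no extra option needed"
    if 0x8100 <= proto <= 0x8103:
        return "tshark -d gre.proto==33024:4,eth"
    if proto == 0x9000:
        return "0x9000: different payload format (per this page)"
    return "other protocol type 0x%04x" % proto

# Constructed samples: GRE header followed by a dummy 14-byte Ethernet header.
ETH = bytes(12) + b"\x08\x00"
SAMPLES = {
    "default": bytes.fromhex("00000000") + ETH,
    "mode_25944": bytes.fromhex("00006558") + ETH,
    "keyed_8101": bytes.fromhex("20008101" "0000002a") + ETH,
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        proto, off = parse_gre(pkt)
        print(f"{name}: type=0x{proto:04x} payload@{off} -> {decode_advice(proto)}")
```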