Requirement:
To decode the GRE payload and find out the specific traffic that it is carrying.
Example: let us see how to find an ARP packet inside the GRE.
We have to do pattern matching on the GRE payload with the client MAC and the EtherType for ARP. An ARP request packet from the client can be confirmed by a GRE payload size of 60.
We can use the filter below to decode the GRE in the capture taken on the controller uplink.
Let us consider "8B:CD" to be the last two octets of the MAC address of the client whose ARP packets we are trying to see.
Filter: data.data matches "\x08\x06" && data.data matches "\x8B\xCD" --> This is the format for packet matching
"\x08\x06" – matches 0806, i.e. the ARP protocol
Apply the filter to the capture and look for the packet that has a payload of 60 bytes. Go to the Data inside the GRE and copy the value.
Now open a browser and go to www.packetor.com --> This is one of the sites that helps us decode the information.
Paste the value into the box and hit "Decode Packet". This gives the information as seen below; we can click the + button marked against the ARP to see the details.
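The copied Data value can also be decoded locally, so the capture contents stay on the workstation. The script below is an added example, not part of the original article or any HPE tool; the function names and the sample frame (MAC ending 8B:CD, documentation-range IPs) are constructed for illustration. It checks 0806 at the actual EtherType offset, whereas the display filter matches those bytes anywhere in the payload.

```python
import ipaddress
import struct

# Constructed sample: 60-byte inner Ethernet frame (ARP request plus padding),
# in the hex form copied from the Data field under GRE. MAC and IPs are made up.
SAMPLE_HEX = ("ffffffffffff" "001122338bcd" "0806"      # dst, src, EtherType
              "0001" "0800" "06" "04" "0001"            # ARP header, op=request
              "001122338bcd" "c000020a"                 # sender MAC / IP
              "000000000000" "c0000201" + "00" * 18)    # target MAC / IP, pad

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def decode_inner_arp(hex_data, client_suffix=b""):
    """Return the ARP fields of the inner frame, or None if it is not ARP."""
    raw = bytes.fromhex(hex_data.replace(":", ""))  # tolerates spaces/newlines
    if len(raw) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    offset = 12
    if raw[offset:offset + 2] == b"\x81\x00":      # skip one 802.1Q tag
        offset += 4
    if raw[offset:offset + 2] != b"\x08\x06":      # EtherType at its real offset
        return None
    arp = raw[offset + 2:offset + 30]
    if len(arp) < 28:
        raise ValueError("truncated ARP header")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                                 # not Ethernet/IPv4 ARP
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", arp[8:28])
    return {
        "frame_len": len(raw),
        "src_mac": mac(src), "dst_mac": mac(dst),
        "operation": {1: "request", 2: "reply"}.get(oper, str(oper)),
        "sender_mac": mac(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": mac(tha), "target_ip": str(ipaddress.IPv4Address(tpa)),
        "client_match": src.endswith(client_suffix) or sha.endswith(client_suffix),
    }

if __name__ == "__main__":
    for key, value in decode_inner_arp(SAMPLE_HEX, bytes.fromhex("8bcd")).items():
        print(f"{key:12} {value}")
```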
© Copyright 2024 Hewlett Packard Enterprise Development LP. All Rights Reserved.