This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

GRE Decapsulation

0

Is there a version of Wireshark that can decapsulate a GRE tunnel?

I've set up a GRE tunnel between two endpoints, traversing a middle box. I am trying to sniff at the middle box and inspect the data stream.

The version of Wireshark suggested on the "wishes" wiki, 0.10.8, does not work; the data within the GRE frame is not decoded.

The data is stacked: application/ip/ppp/gre/ip/enet

It would also be great if I could decode what was within the PPP frame as well.

asked 23 Feb '11, 12:24

kylewh


One Answer:

0

Where is this really old version suggested? I think the current version of Wireshark (1.4.3 stable or 1.5.0 development) will be able to display all layers correctly. If not, are you able to share a small capture file with these packets?

answered 23 Feb '11, 12:27

SYN-bit ♦♦

http://wiki.wireshark.org/WishList

This page mentions in the dissector details section that version 0.10.8 would decapsulate GRE, but I've tried version 0.10.8 and it does not decapsulate GRE.

I've tried with the latest version of Wireshark as well, and the data within the GRE packets is not detailed.

Unfortunately I cannot share a file capture in this forum.

(24 Feb '11, 06:57) kylewh

Is it possible for you to share some kind of screenshot (preferably with version 1.4.3 or 1.5)?

I feel you need to decode packets to GRE. Try it and let us know...

(24 Feb '11, 08:23) Vijay Gharge

As the wishlist says, there is a dissector for GRE encapsulation type 0x8881 (is that what you are using too?), but it is not complete as reassembly is not implemented.

A screenshot showing the GRE details or the hex data of one or two packets would make it easier to see what's going on in your situation.

(24 Feb '11, 09:22) SYN-bit ♦♦
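
For reading the GRE protocol type and inner PPP protocol out of hex data by hand, as the last comment suggests, here is an added example (not part of the original thread and not Wireshark's code): a minimal parser for the version 0 GRE header (RFC 2784/2890) and the version 1 enhanced GRE header (RFC 2637), followed by the PPP protocol field. The sample packet is constructed, and that a PPP-in-GRE tunnel like the asker's uses the version 1 header is an assumption.

```python
import struct

# GRE flag bits, first 16-bit word (RFC 1701/2784/2890; A bit from RFC 2637)
C, R, K, S, A = 0x8000, 0x4000, 0x2000, 0x1000, 0x0080
GRE_TYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x880B: "PPP"}

def parse_gre(buf):
    """Parse a GRE header at the start of buf; return (fields, payload)."""
    flags, proto = struct.unpack_from("!HH", buf, 0)
    ver, off = flags & 0x0007, 4
    f = {"version": ver, "proto": proto, "proto_name": GRE_TYPES.get(proto, "unknown")}
    if ver > 1 or flags & R or (ver == 1 and (flags & C or not flags & K)):
        raise ValueError("unsupported or malformed GRE header")
    if flags & C:                      # checksum + reserved1
        off += 4
    if flags & K:
        if ver == 1:                   # enhanced GRE reuses the key field
            f["payload_len"], f["call_id"] = struct.unpack_from("!HH", buf, off)
        else:
            f["key"] = struct.unpack_from("!I", buf, off)[0]
        off += 4
    if flags & S:
        f["seq"] = struct.unpack_from("!I", buf, off)[0]
        off += 4
    if ver == 1 and flags & A:
        f["ack"] = struct.unpack_from("!I", buf, off)[0]
        off += 4
    if off > len(buf):
        raise ValueError("truncated GRE header")
    end = off + f["payload_len"] if ver == 1 else len(buf)
    return f, buf[off:end]

def ppp_protocol(frame):
    """Return (protocol number, payload) of a PPP frame carried in GRE."""
    if frame[:2] == b"\xff\x03":       # address/control, absent if ACFC negotiated
        frame = frame[2:]
    if not frame:
        raise ValueError("empty PPP frame")
    if frame[0] & 1:                   # one-octet protocol field (PFC)
        return frame[0], frame[1:]
    return struct.unpack_from("!H", frame)[0], frame[2:]

# Constructed sample: version 1 GRE (K, S, A set) carrying PPP with IPv4 inside
INNER = b"\xff\x03\x00\x21" + bytes.fromhex("4500001c")
SAMPLE = struct.pack("!HHHHII", 0x3081, 0x880B, len(INNER), 0x1234, 7, 6) + INNER

if __name__ == "__main__":
    fields, payload = parse_gre(SAMPLE)
    print(fields, hex(ppp_protocol(payload)[0]))
```

A PPP protocol number of 0x0021 means the inner payload is an IPv4 packet; other values (for example 0xC021, LCP) are control traffic rather than tunneled data.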