Friday, August 27, 2021

Remove encapsulation from pcap packets

Hello,

Recently I was troubleshooting some flows, and I needed to know what went through a GRE tunnel. After reading some tutorials, including ones about Wireshark (which did not work), I found the perfect tool to help you de-encapsulate your packets: ipdecap (website - github)

1) Install

In theory, installation is simple. In practice, you will need to tweak it a bit:

Packages needed: autoconf, automake, libtool, openssl, libpcap, libpcap-devel

Install procedure:

wget https://loicpefferkorn.net/ipdecap/ipdecap-0.7.tar.gz
tar xvzf ipdecap-0.7.tar.gz
cd ipdecap-0.7
sh autogen.sh
./configure
make
make install

But you might encounter errors such as:

ipdecap.c:28:45: fatal error: pcap/dlt.h: No such file or directory

I could not find the requested file on my server, so I went into the src/ipdecap.c file and deleted the line. Afterwards it worked fine.

2) Use

It is relatively easy to use:

  • Remove GRE encapsulation from the packets in the file gre.cap, and write them to output.cap
    $ ipdecap -i gre.cap -o output.cap
  • If the packets carry several nested tunnels, just repeat the previous step on the output file, once per layer.
  • Remove ESP encapsulation, using the ESP configuration in esp.conf
    $ ipdecap -i esp.cap -o output.cap -c esp.conf
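
To make it clearer what the GRE step above actually does to the bytes, here is an added Python example (my own code, not ipdecap's and not from the original post). It reads a little-endian Ethernet pcap, finds frames whose IPv4 payload is GRE carrying IPv4, drops the outer IP and GRE headers, and writes the inner packet back out behind the original Ethernet header. It goes one step beyond the command above by peeling nested GRE layers in a single pass rather than needing one run per layer. The pcap/IPv4/GRE parsing, the choice to keep the outer Ethernet header, the file names and the two-frame sample capture are all my assumptions; the sample is constructed in code so the script runs offline.

```python
"""Strip GRE (RFC 2784/2890) encapsulation from an Ethernet/IPv4 pcap.

Hypothetical stand-alone re-implementation of the idea behind ipdecap,
written for illustration; it is not ipdecap's code. ESP is not handled
(that needs keys and a cipher, which is what ipdecap's -c file is for).
"""
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
IPPROTO_UDP = 17
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum (used only for constructed test data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_header_len(gre: bytes) -> int:
    """Length of a GRE header as dictated by its C (checksum), K (key) and S (sequence) bits."""
    flags = struct.unpack("!H", gre[:2])[0]
    length = 4                               # flags/version + protocol type
    if flags & GRE_FLAG_C:
        length += 4                          # checksum + reserved1
    if flags & GRE_FLAG_K:
        length += 4                          # key (RFC 2890)
    if flags & GRE_FLAG_S:
        length += 4                          # sequence number (RFC 2890)
    return length


def strip_gre(frame: bytes) -> Tuple[bytes, int]:
    """Remove every GRE-over-IPv4 layer from one Ethernet frame.

    Returns (new_frame, layers_removed). Frames that are not IPv4, or whose
    GRE payload is not IPv4 (e.g. transparent Ethernet bridging, 0x6558),
    are returned unchanged at that point.
    """
    eth, ip = frame[:14], frame[14:]
    if len(eth) < 14 or struct.unpack("!H", eth[12:14])[0] != ETHERTYPE_IPV4:
        return frame, 0
    removed = 0
    while len(ip) >= 20 and ip[9] == IPPROTO_GRE:
        ihl = (ip[0] & 0x0F) * 4            # outer IP header length incl. options
        gre = ip[ihl:]
        if len(gre) < 4 or struct.unpack("!H", gre[2:4])[0] != ETHERTYPE_IPV4:
            break
        ip = gre[gre_header_len(gre):]       # the inner IPv4 packet becomes the payload
        removed += 1
    return eth + ip, removed


def read_pcap(data: bytes) -> List[bytes]:
    """Parse a little-endian classic pcap and return the raw frames."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames


def write_pcap(frames: List[bytes]) -> bytes:
    """Serialise frames as a classic pcap with synthetic timestamps."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def decap_pcap(data: bytes) -> Tuple[bytes, int]:
    """De-encapsulate every frame; returns (new pcap bytes, total GRE layers removed)."""
    frames, total = [], 0
    for f in read_pcap(data):
        new, n = strip_gre(f)
        frames.append(new)
        total += n
    return write_pcap(frames), total


def sample_pcap() -> bytes:
    """Constructed capture: frame 1 is UDP inside two nested GRE tunnels, frame 2 is the bare UDP packet."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    udp = struct.pack("!HHHH", 5353, 53, 8 + 4, 0) + b"ping"
    inner = build_ipv4(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), IPPROTO_UDP, udp)
    gre1 = struct.pack("!HHI", GRE_FLAG_K, ETHERTYPE_IPV4, 42) + inner   # keyed tunnel, key 42
    mid = build_ipv4(bytes([172, 16, 0, 1]), bytes([172, 16, 0, 2]), IPPROTO_GRE, gre1)
    gre2 = struct.pack("!HH", 0, ETHERTYPE_IPV4) + mid                   # plain GRE, no options
    outer = build_ipv4(bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]), IPPROTO_GRE, gre2)
    return write_pcap([eth + outer, eth + inner])


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                   # python gre_decap.py gre.cap output.cap
        with open(sys.argv[1], "rb") as fh:
            new, n = decap_pcap(fh.read())
        with open(sys.argv[2], "wb") as fh:
            fh.write(new)
    else:                                    # no arguments: run on the built-in sample
        new, n = decap_pcap(sample_pcap())
    print("removed %d GRE layer(s)" % n)
```

Run it as `python gre_decap.py gre.cap output.cap` to mirror the ipdecap invocation, or with no arguments to process the built-in sample; on that sample the nested frame comes out byte-for-byte identical to the plain UDP frame. Only the classic little-endian pcap format is read (not pcapng or big-endian files), and the outer Ethernet header is kept so the result still opens as a normal Ethernet capture.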

Thanks to loicpefferkorn for this package!

