Using Argus 3.0 ra to show packet details inside GRE

Carter Bullard carter at qosient.com
Tue Apr 15 11:54:21 EDT 2008


Hey Richard,
argus-3.0 will parse through the GRE and get to the IP traffic
that is in the tunnel, if there is any, automatically.  All you should
see in the standard output that indicates GRE is a 'G' in the
encapsulation fields.

If it's not doing this, then you may not be doing a classic GRE tunnel,
or there is a problem.  If you think there is a problem, if you could
grab a few packets, I'll look to see why argus is having trouble.

Carter


On Apr 15, 2008, at 11:36 AM, Richard Bejtlich wrote:

> Hello everyone,
>
> I am using Argus 3.0 with RC70 clients (yes, plan to update soon) on a
> link that sees basically nothing but GRE traffic.  I noticed Tcpdump
> can decode GRE on the wire -- it shows the GRE IP headers and then the
> encapsulated IP traffic within.  (I haven't figured out how to use BPF
> syntax on this GRE traffic to, say, show dest port 445 traffic,
> however.)
>
> Is there a way for Argus 3.0 to decode GRE?  I can see the GRE IP
> headers using ra but I'd rather see the encapsulated IP traffic.
>
> I feel like I am missing something.
>
> Thank you,
>
> Richard
>
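As an added example (not Argus code and not from either message above), the following Python walks the outer IPv4 header, the GRE header with its optional checksum/key/sequence fields, and the inner IPv4 and TCP/UDP headers, which is what a "dest port 445 inside GRE" check has to do; the addresses, key and packet are constructed for the demonstration.

```python
import struct

IPPROTO_GRE, IPPROTO_TCP, IPPROTO_UDP = 47, 6, 17
ETHERTYPE_IPV4 = 0x0800

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header: no options, checksum left at zero (constructed input only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def gre_header(proto=ETHERTYPE_IPV4, key=None):
    """GRE header (RFC 2890 layout); the K flag and 4-byte key are present only if a key is given."""
    flags = 0x2000 if key is not None else 0
    return struct.pack("!HH", flags, proto) + (struct.pack("!I", key) if key is not None else b"")

def parse_gre_inner(pkt):
    """Walk outer IPv4 -> GRE -> inner IPv4 -> TCP/UDP. Returns a dict describing the
    inner flow, or None if this is not GRE-over-IPv4 carrying an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != IPPROTO_GRE:
        return None
    gre = pkt[(pkt[0] & 0x0F) * 4:]          # skip outer IPv4 header (IHL * 4 bytes)
    flags, proto = struct.unpack("!HH", gre[:4])
    off = 4
    if flags & 0xC000: off += 4              # C or R bit: checksum + offset field present
    if flags & 0x2000: off += 4              # K bit: 4-byte key present
    if flags & 0x1000: off += 4              # S bit: sequence number present
    if proto != ETHERTYPE_IPV4:
        return None                          # not carrying IPv4 (could be Ethernet, IPv6, ...)
    inner = gre[off:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    iihl = (inner[0] & 0x0F) * 4
    info = {"src": ".".join(map(str, inner[12:16])), "dst": ".".join(map(str, inner[16:20])),
            "proto": inner[9], "sport": None, "dport": None}
    if info["proto"] in (IPPROTO_TCP, IPPROTO_UDP) and len(inner) >= iihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", inner[iihl:iihl + 4])
    return info

def inner_dst_port_is(pkt, port):
    """The 'destination port inside the tunnel' check, done by walking the headers."""
    info = parse_gre_inner(pkt)
    return info is not None and info["dport"] == port

# Constructed sample: 10.0.0.1 -> 10.0.0.2 GRE tunnel (keyed), carrying
# 192.168.1.10 -> 192.168.2.20 TCP SYN to port 445.
TCP_SEG = struct.pack("!HHIIBBHHH", 40000, 445, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
INNER = ipv4_header("192.168.1.10", "192.168.2.20", IPPROTO_TCP, len(TCP_SEG)) + TCP_SEG
GRE = gre_header(key=0x1234) + INNER
SAMPLE_PKT = ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_GRE, len(GRE)) + GRE

if __name__ == "__main__":
    print(parse_gre_inner(SAMPLE_PKT), inner_dst_port_is(SAMPLE_PKT, 445))
```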