When troubleshooting NVS issue, sometimes we need to perform packet capture on SD-WAN edge to identify the root cause. It is known that Generic Routing Encapsulation (GRE) tunnel encapsulates packets within other packets, creating a virtual tunnel that allows data to pass through networks. The real production related IP (the IP address we need to troubleshoot) is encapsulated so common "host" option is not helpful when perform vctcpdump. Fortunately the inner IP is plaintext in GRE frame so there is a way to filter the wanted IP.

VMware VeloCloud SD-WAN supported versions

Common "host" option in tcpdump command is not able to filter the inner IP of GRE tunnel

Use IP offset to locate the inner IP in a GRE frame. For common GRE tunnels, the offset of inner source IP is 36 bytes, offset of inner destination IP is 40 bytes, and length of IP address is 4 bytes. Thus the tcpdump command would be:

tcpdump -nni <int> ip[36:4]=HexIP or ip[40:4]=HexIP

HexIP is the IP address in hexadecimal format, for example, if the inner source IP is 10.28.2.171, the hexadecimal format is 0x0A1C02AB.

Thus the command would be:

tcpdump -nni <int> ip[36:4]=0x0A1C02AB or ip[40:4]=0x0A1C02AB

If a engineer needs to filter traffic between two specifc inner IPs, for example 10.28.2.171 and 220.243.154.36, their hexadecimal format is 0x0A1C02AB and 0xDCF39A24, so the command would be:

tcpdump -nni <int> '(ip [36:4]=0x0A1C02AB and ip [40:4]=0xDCF39A24) or (ip [36:4]=0xDCF39A24 and ip [40:4]=0x0A1C02AB)'

Online free IP to Hex Converter:

https://onlinetools.com/hex/convert-ip-to-hex