How can you capture traffic passing through a GRE tunnel using tcpdump while filtering by source and/or destination

Article ID: 387128

Products

VMware SD-WAN by VeloCloud

Issue/Introduction

The tcpdump command has no direct way to filter on the inner IP addresses inside a GRE tunnel using its simple host/net syntax, because those primitives match the outer headers when dealing with GRE encapsulation. However, you can filter on and inspect the encapsulated IP header by addressing its bytes with ip[] offset expressions.

The GRE tunnel adds complexity when filtering on the inner IP address because the inner (encapsulated) packet sits behind both the outer IP header and the GRE header.

A GRE packet has the following structure:

  1. Outer IP Header – The standard IP header that gets routed over the network (with source and destination IPs for the tunnel).
  2. GRE Header – The header used to encapsulate the packet.
  3. Encapsulated Original Packet – This could be any protocol, such as another IP packet, which includes its own source/destination IPs, protocol, and data.

Resolution

To filter on the encapsulated IP addresses (i.e., the inner IP packet), you match on byte offsets within the GRE-encapsulated packet. With a 20-byte outer IP header (no options) followed by the 4-byte basic GRE header, the inner IP header begins at byte 24, so:

  • ip[36:4]: the four bytes of the inner packet's source IP address (offset 24 + 12).
  • ip[40:4]: the four bytes of the inner packet's destination IP address (offset 24 + 16).
  • ip[33]: the inner packet's protocol field (offset 24 + 9), e.g. 0x06 for TCP.

You can use tcpdump with the following approach:

Examples:

  1. Filter GRE packets with a specific source IP (inner IP): To capture GRE packets where the source IP of the encapsulated packet is 10.120.0.111:

    tcpdump.sh -enni eth0 'proto gre and ip[36:4] = 0x0a78006f'

    Explanation:

    • ip[36:4] = 0x0a78006f matches the source IP 10.120.0.111 (converted to hex 0x0a78006f).

  2. Filter GRE packets with a specific destination IP (inner IP): To capture GRE packets where the destination IP of the encapsulated packet is 10.120.0.111:

    tcpdump.sh -ni eth0 'proto gre and ip[40:4] = 0x0a78006f'

    Explanation:

    • ip[40:4] = 0x0a78006f matches the destination IP 10.120.0.111 (converted to hex 0x0a78006f).

  3. Filter GRE packets for a specific protocol type (e.g., TCP inside GRE): To capture GRE packets that encapsulate TCP packets (protocol 0x06 is TCP):

    tcpdump.sh -ni eth0 'proto gre and ip[33] = 0x06'

  4. Filter GRE packets for a specific source IP inside GRE (combining source IP and protocol): To capture GRE packets with source IP 10.120.0.111 and protocol TCP:

    tcpdump.sh -ni eth0 'proto gre and ip[36:4] = 0x0a78006f and ip[33] = 0x06'

  5. Filter GRE packets for a specific IP inside GRE (two-way traffic): To capture GRE packets where 10.120.0.111 is either the inner source or the inner destination:

    tcpdump.sh -ni eth0 'proto gre and (ip[36:4] = 0x0a78006f or ip[40:4] = 0x0a78006f)'

Converting IP Addresses:

To use an address in a tcpdump ip[] expression, you need to convert it to hexadecimal:

  • 192.168.1.1 → 0xc0a80101
  • 10.1.1.1 → 0x0a010101

Convert each octet of the IP to its two-digit hexadecimal form and join them together:

  • 192 → c0, 168 → a8, 1 → 01, 1 → 01, so 192.168.1.1 becomes 0xc0a80101.
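The following POSIX shell helpers are an added example, not part of this article or of the VeloCloud tooling. They automate the two manual steps above: converting a dotted-quad address to the 0x hex form the filters use, and building the filter expressions from the examples section. The article's offsets (36, 40, 33) assume a 20-byte outer IP header and the basic 4-byte GRE header; the gre_inner_offset helper makes that assumption explicit and adjusts by 4 bytes for each optional GRE field (checksum, key, sequence number) that the tunnel endpoints may set, so the generated offsets stay correct when the GRE header is longer. The function names and argument order are this example's own convention.

```shell
#!/bin/sh
# Added example (not from the original article): build tcpdump filters for
# traffic inside a GRE tunnel from dotted-quad addresses and GRE header flags.

# Convert a dotted-quad IPv4 address to the 0x-prefixed hex form tcpdump expects.
ip2hex() {
    oldifs=$IFS; IFS=.
    set -- $1              # split "a.b.c.d" into four positional octets
    IFS=$oldifs
    printf '0x%02x%02x%02x%02x\n' "$1" "$2" "$3" "$4"
}

# Offset of the inner IP header, counted from the start of the outer IP header.
# Args: outer IP header length in bytes (20 without options), then any of the
# GRE flags C (checksum), K (key), S (sequence number); each adds 4 bytes.
gre_inner_offset() {
    base=$1; shift
    off=$((base + 4))      # basic GRE header is 4 bytes
    for f in "$@"; do
        case $f in
            C|K|S) off=$((off + 4)) ;;
            *) echo "unknown GRE flag: $f" >&2; return 1 ;;
        esac
    done
    echo "$off"
}

# Build a filter on the inner source and/or destination (either may be empty)
# and an optional inner protocol number, given the inner IP header offset.
gre_filter() {
    off=$1; src=$2; dst=$3; proto=$4
    expr='proto gre'
    [ -n "$src" ]   && expr="$expr and ip[$((off + 12)):4] = $(ip2hex "$src")"
    [ -n "$dst" ]   && expr="$expr and ip[$((off + 16)):4] = $(ip2hex "$dst")"
    [ -n "$proto" ] && expr="$expr and ip[$((off + 9))] = $proto"
    echo "$expr"
}

# Match one inner host in either direction (the article's two-way example).
gre_filter_host() {
    off=$1; hex=$(ip2hex "$2")
    echo "proto gre and (ip[$((off + 12)):4] = $hex or ip[$((off + 16)):4] = $hex)"
}

# Constructed usage: reproduce example 4 from the article (basic GRE header).
off=$(gre_inner_offset 20)
gre_filter "$off" 10.120.0.111 '' 0x06
# → proto gre and ip[36:4] = 0x0a78006f and ip[33] = 0x06
```

Pass the result as the filter argument, e.g. tcpdump.sh -ni eth0 "$(gre_filter 24 10.120.0.111 '' 0x06)". If a capture shows the GRE key or sequence bits set, recompute the offset with gre_inner_offset 20 K (or K S) before trusting a match, since the article's fixed offsets would then point into the wrong bytes of the inner packet.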