ntop / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

Add support for GRE decapsulation #1442

Open IvanNardi opened 2 years ago

IvanNardi commented 2 years ago

It would be nice to have GRE de-tunneling capability in ndpiReader (like GTP or CAPWAP). Pcap example: gre_sip.zip

leonn commented 2 years ago

Well, de-tunneling capability is not hard to implement, but it brings more discussions like:

I think this needs to be clarified before we can move forward.

torres-miguel commented 1 year ago

Hi, I would like to contribute to this issue. However, I can see that further clarification was needed. Has it been solved somehow by now?

IvanNardi commented 1 year ago

> Hi, I would like to contribute to this issue. However, I can see that further clarification was needed. Has it been solved somehow by now?

Let's start simple: try detunneling (i.e. strip outer ip header and pass to nDPI the inner one) the trace attached above and gre.zip and gre_erspan.zip. We can add complexity later if/when required/necessary (especially since this code is in the example and not in the library itself).

IvanNardi commented 1 year ago

Added GRE v0 and v1 on f1193d5.

TODO: ERSPAN
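The detunneling step discussed in this thread (skip the GRE header that follows the outer IP header, then hand the inner packet to nDPI), as an added example that is not the code from f1193d5 or from ndpiReader. The function name `gre_payload_offset` and the macro names are hypothetical; the example goes slightly beyond the thread by refusing RFC 1701 routing, unknown versions and truncated headers instead of guessing an offset, and it does not handle ERSPAN.

```c
#include <stddef.h>
#include <stdint.h>

#define GRE_CSUM    0x8000u
#define GRE_ROUTING 0x4000u  /* RFC 1701 source routing, deprecated by RFC 2784 */
#define GRE_KEY     0x2000u
#define GRE_SEQ     0x1000u
#define GRE_ACK     0x0080u  /* version 1 (PPTP, RFC 2637) only */
#define GRE_VERSION 0x0007u

/* Hypothetical helper: 'gre' points at the bytes after the outer IP header
 * (outer IP protocol 47), 'len' is how many captured bytes remain.
 * Returns the offset of the inner packet and stores the GRE protocol type
 * (an EtherType) in *proto, or returns -1 for truncated or unsupported
 * headers so the caller never reads past the capture. */
int gre_payload_offset(const uint8_t *gre, size_t len, uint16_t *proto)
{
  size_t off = 4; /* flags/version (2 bytes) + protocol type (2 bytes) */
  uint16_t flags, version;

  if (gre == NULL || proto == NULL || len < off)
    return -1;
  flags = (uint16_t)((gre[0] << 8) | gre[1]);
  *proto = (uint16_t)((gre[2] << 8) | gre[3]);
  version = flags & GRE_VERSION;

  if (flags & GRE_ROUTING)
    return -1; /* variable-length routing list: not handled here */
  if (version == 0) {
    if (flags & GRE_CSUM) off += 4; /* checksum + reserved1 */
    if (flags & GRE_KEY)  off += 4;
    if (flags & GRE_SEQ)  off += 4;
  } else if (version == 1) {
    /* Enhanced GRE: no checksum, key is mandatory, payload is PPP */
    if ((flags & GRE_CSUM) || !(flags & GRE_KEY) || *proto != 0x880B)
      return -1;
    off += 4;                       /* payload length + call ID */
    if (flags & GRE_SEQ) off += 4;
    if (flags & GRE_ACK) off += 4;
  } else {
    return -1;
  }
  /* Every optional field must be inside the captured bytes. */
  return off <= len ? (int)off : -1;
}
```

For version 0 the caller dispatches on `*proto` (0x0800 for an inner IPv4 packet); for version 1 the payload is a PPP frame and may be empty in ack-only packets.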