
GRE traffic via FP module & Wireshark decoder for the dataplane traffic

niko
Level 1

Hi,

Given the situation where GRE traffic traverses the ASA and the traffic is passed to the Firepower module via MPF, what happens further with that traffic? From what I see, the FP module decapsulates the GRE traffic and the real addresses from the packet are used for further processing. In the ASA connection table I see the connection entries for the GRE tunnel, but within the FMC I can see the connection events for the traffic passing via that tunnel with the original IP addresses and AC rules applied to it.

Basically the question is: does FP decapsulate GRE traffic passed to it automatically, and is this behavior manageable?

And one bonus question: while digging into this, I got a capture of the asa_dataplane traffic, but when exporting it to PCAP and viewing it with Wireshark it has some additional headers attached to it (for the internal communication of the ASA/FP), and Wireshark does not have a decoder to handle them, so I cannot decode the inner/real headers of the traffic.

I googled around, found one script that was used for a similar purpose https://github.com/SillaRizzoli/asa_dataplane_protocol/blob/master/README.TXT and a few suggestions, but none of them worked out of the box. So is there a common solution for this? Otherwise I will have to wait for the inspiration to dig into this deeper. :)

Cheers!

1 Reply

Peter Koltl
Level 7

The outer header can be removed with the editcap tool. You just need to specify how many bytes are to be chopped from the packet beginning.
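The chop the reply describes is `editcap -C <N> in.pcap out.pcap` (optionally with `-T rawip` or `-T ether` so Wireshark knows what the first remaining byte is); the value of N has to be read off the bytes of your own capture, since the thread does not state the length of the ASA/FP internal header. The script below is an added example, not code from the thread or from Cisco, that does the same job in pure Python on a classic pcap: a fixed-length chop equal to `editcap -C`, plus a per-packet variant that strips an Ethernet/IPv4/GRE outer encapsulation whose GRE header length varies with the C/K/S flags, which is where a single fixed chop count goes wrong. The two frames in the sample capture are constructed here and are not real ASA traffic.

```python
"""Strip outer encapsulation from a classic pcap so Wireshark sees the inner packet.

Added example, not code from the thread. The fixed-length chop is the
`editcap -C N` behaviour; the callable variant handles GRE headers of varying
length. All packet contents below are constructed sample data.
"""
import socket
import struct
from typing import Callable, Union

LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101        # "raw IP": packet starts directly at the IPv4/IPv6 header
IPPROTO_GRE = 47


def parse_pcap(pcap: bytes):
    """Return (byte-order prefix, global header fields, [(ts_sec, ts_frac, orig_len, pkt), ...])."""
    if len(pcap) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # little-endian file (usec / nsec stamps)
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # big-endian file
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    ghdr = list(struct.unpack(end + "IHHiIII", pcap[:24]))
    recs, off = [], 24
    while off < len(pcap):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        pkt = pcap[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        recs.append((ts_sec, ts_frac, orig_len, pkt))
    return end, ghdr, recs


def chop_pcap(pcap: bytes, nbytes: Union[int, Callable[[bytes], int]],
              new_linktype=None) -> bytes:
    """Drop bytes from the front of every packet (an int behaves like `editcap -C N`;
    a callable receives each packet and returns how much to drop for that one)."""
    end, ghdr, recs = parse_pcap(pcap)
    if new_linktype is not None:
        ghdr[6] = new_linktype            # tell Wireshark what the first remaining byte is
    out = bytearray(struct.pack(end + "IHHiIII", *ghdr))
    for ts_sec, ts_frac, orig_len, pkt in recs:
        n = nbytes(pkt) if callable(nbytes) else nbytes
        inner = pkt[n:]
        out += struct.pack(end + "IIII", ts_sec, ts_frac, len(inner), max(orig_len - n, len(inner)))
        out += inner
    return bytes(out)


def gre_inner_offset(pkt: bytes) -> int:
    """Offset of the encapsulated packet in an Ethernet/IPv4/GRE frame (RFC 2784/2890 flags)."""
    if pkt[12:14] != b"\x08\x00":
        raise ValueError("EtherType is not IPv4")
    off = 14
    if pkt[off + 9] != IPPROTO_GRE:
        raise ValueError("outer IPv4 protocol is not GRE")
    off += (pkt[off] & 0x0F) * 4          # IHL -> outer IPv4 header length
    flags = struct.unpack(">H", pkt[off:off + 2])[0]
    gre_len = 4                           # flags/version + protocol type
    if flags & 0x8000:
        gre_len += 4                      # C: checksum + reserved1
    if flags & 0x2000:
        gre_len += 4                      # K: key
    if flags & 0x1000:
        gre_len += 4                      # S: sequence number
    return off + gre_len


def ipv4_src(pkt: bytes) -> str:
    """Dotted source address of a packet that starts at its IPv4 header."""
    return socket.inet_ntoa(pkt[12:16])


# ---- constructed sample capture (not real ASA traffic) --------------------------
def _ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack(">%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    return (~(s + (s >> 16))) & 0xFFFF


def _ipv4(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack(">H", _ip_checksum(hdr)) + hdr[12:]


def build_sample_pcap() -> bytes:
    """Two GRE-encapsulated frames: one plain GRE header, one with the Key flag set,
    so the outer encapsulation is 38 bytes in the first and 42 in the second."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    payload = b"\x08\x00\x00\x00\x00\x01\x00\x01"          # constructed ICMP-like bytes
    frames = []
    for gre in (struct.pack(">HH", 0x0000, 0x0800),          # flags=0, proto=IPv4
                struct.pack(">HHI", 0x2000, 0x0800, 0x42)):  # K flag, key=0x42
        inner = _ipv4("10.0.0.1", "10.0.0.2", 1, len(payload)) + payload
        outer = _ipv4("192.0.2.1", "198.51.100.1", IPPROTO_GRE, len(gre) + len(inner))
        frames.append(eth + outer + gre + inner)
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return bytes(out)


if __name__ == "__main__":
    decapped = chop_pcap(build_sample_pcap(), gre_inner_offset, LINKTYPE_RAW)
    with open("gre_inner.pcap", "wb") as fh:    # open this one in Wireshark
        fh.write(decapped)
    for _, _, _, p in parse_pcap(decapped)[2]:
        print("inner src", ipv4_src(p), "-> dst", socket.inet_ntoa(p[16:20]))
```

For the ASA dataplane case, first find the offset at which a known outer header (for example the Ethernet destination MAC or the `0x4500` of an IPv4 header) begins in the hex dump, use that as the fixed chop count, and set the link type to match whatever is left; a chop count that is right for one packet but not the next shows up in Wireshark as malformed frames, which is exactly what the per-packet variant above avoids for GRE.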
