Remove the GRE header from pcap packets and respect IP fragmentation. Only the payload of packets with GRE headers will be saved to the output file.
Currently we only process IP protocol 47 as GRE type. See https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.
Because the original pcap packets can be transported over GRE, which itself is transported over IP, the new packet can become bigger than the specified MTU (most of the time 1500 bytes), so the original pcap packet payload is then fragmented over two new IP packets.
Most of the tools used to remove the GRE header only remove the first 38 bytes of the pcap packet but do not respect the IP fragmentation information, resulting in broken data.
Example (non fragmented ip)
Before
pcap-packet-header
|-> ethernet header (14 bytes)
|-> ip header (20 bytes)
|-> GRE header (4 bytes)
|-> ethernet header (original packet, 14 bytes)
|-> ip header (original packet, 20 bytes)
|-> TCP/UDP/ICMP packet (original packet, xx bytes)
After
pcap-packet-header
|-> ethernet header (original packet, 14 bytes)
|-> ip header (original packet, 20 bytes)
|-> TCP/UDP/ICMP packet (original packet, xx bytes)
Example (fragmented ip)
Before
pcap-packet-header (fragment part 1)
|-> ethernet header (14 bytes)
|-> ip header (20 bytes, flag "More fragments" is set)
|-> GRE header (4 bytes)
|-> ethernet header (original packet, 14 bytes)
|-> ip header (original packet, 20 bytes, flag "Don't fragment" set)
|-> TCP/UDP/ICMP packet (original packet, only first 1428 bytes of original 1466 bytes)
pcap-packet-header (fragment part 2)
|-> ethernet header (14 bytes)
|-> ip header (20 bytes, flag "Fragment offset" is set)
|-> GRE header (4 bytes)
|-> data (rest of TCP/UDP/ICMP payload original packet, 38 bytes)
After
pcap-packet-header
|-> ethernet header (original packet, 14 bytes)
|-> ip header (original packet, 20 bytes)
|-> TCP/UDP/ICMP packet (original packet, 1466 bytes)
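The reassembly described above, as an added example that is not removeGRE's own code: it groups outer IPv4 fragments by source, destination and identification, rebuilds the tunnel payload, and strips the GRE header once from the reassembled data. The function names, the sample frames and the 1480/24-byte split are constructed for illustration; it assumes Ethernet II framing, an IPv4 outer header, and GRE version 0 with the header at the start of the reassembled outer payload.

```javascript
// Added example, not removeGRE's own code. Assumes Ethernet II + IPv4 outer headers
// and a version-0 GRE header (RFC 2784/2890) in front of the original Ethernet frame.
const ETH = 14, GRE_PROTO = 47;
function parseOuter(frame) {
  const ihl = (frame[ETH] & 0x0f) * 4;           // outer IP header length in bytes
  const frag = frame.readUInt16BE(ETH + 6);      // flags + fragment offset
  return {
    // fragments of one datagram share source, destination and IP identification
    key: frame.toString('hex', ETH + 12, ETH + 20) + '/' + frame.readUInt16BE(ETH + 4),
    more: (frag & 0x2000) !== 0,                 // "More fragments" flag
    offset: (frag & 0x1fff) * 8,                 // stored in 8-byte units
    payload: frame.subarray(ETH + ihl, ETH + frame.readUInt16BE(ETH + 2)),
  };
}

function greHeaderLength(gre) {
  // 4 fixed bytes, plus 4 each for optional checksum (C), key (K), sequence (S)
  return 4 + (gre[0] & 0x80 ? 4 : 0) + (gre[0] & 0x20 ? 4 : 0) + (gre[0] & 0x10 ? 4 : 0);
}
function stripGre(frames) {
  const pending = new Map(), out = [];
  for (const frame of frames) {
    if (frame.length < ETH + 20 || frame.readUInt16BE(12) !== 0x0800) continue;
    if (frame[ETH + 9] !== GRE_PROTO) continue;  // only IP protocol 47 is kept
    const p = parseOuter(frame);
    const parts = (pending.get(p.key) || []).concat(p).sort((a, b) => a.offset - b.offset);
    let next = 0, contiguous = true;             // complete = gap-free from offset 0
    for (const f of parts) { contiguous = contiguous && f.offset === next; next += f.payload.length; }
    if (!contiguous || parts[parts.length - 1].more) { pending.set(p.key, parts); continue; }
    pending.delete(p.key);
    const gre = Buffer.concat(parts.map(f => f.payload)); // GRE header + original frame
    out.push(gre.subarray(greHeaderLength(gre)));
  }
  return out;
}

// Constructed sample input: wrap one slice of the tunnel payload in outer headers.
function outerFrame(id, offset, more, payload) {
  const h = Buffer.alloc(ETH + 20);
  h.writeUInt16BE(0x0800, 12); h[ETH] = 0x45; h[ETH + 9] = GRE_PROTO;
  h.writeUInt16BE(20 + payload.length, ETH + 2); h.writeUInt16BE(id, ETH + 4);
  h.writeUInt16BE((more ? 0x2000 : 0) | (offset / 8), ETH + 6);
  Buffer.from([10, 0, 0, 1, 10, 0, 0, 2]).copy(h, ETH + 12);
  return Buffer.concat([h, payload]);
}
const tunnel = Buffer.concat([Buffer.from([0, 0, 0x65, 0x58]), Buffer.alloc(1500, 0xab)]);
const restored = stripGre([outerFrame(7, 0, true, tunnel.subarray(0, 1480)),
                           outerFrame(7, 1480, false, tunnel.subarray(1480))]);
console.log(restored.length, restored[0].length);
```

Duplicate or overlapping fragments are never treated as complete in this sketch, so they stay in `pending` instead of producing a corrupted frame.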
Requirements:
- NodeJS (v14.6.0 or higher)
Remove the file '.npmrc' if you are not working in the Dutch National Police network.
This program also exists on the online NPM repository. Install from there with 'npm install @todle/removegre -g'. This will install the program 'removeGRE' globally.
To install the checked-out git repository version, use the command 'npm install -g'. This will install the program 'removeGRE' globally.
node ./removeGRE.js [options]
--help                            Show this help message
-o, --output <value> (required)   Path to pcap file to write to
-i, --input <value> (required)    Path to pcap file to read
./removeGRE.js -i file_with_gre.pcap -o file_without_gre.pcap
cat file_with_gre.pcap | ./removeGRE.js -i - -o - > file_without_gre.pcap