7 files changed, 156 insertions, 25 deletions

diff --git a/example/reader_util.c b/example/reader_util.c
index 678b454b7..76e54900f 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1791,6 +1791,74 @@ static inline u_int ndpi_skip_vxlan(u_int16_t ip_offset, u_int16_t ip_len){
   return ip_offset + ip_len + sizeof(struct ndpi_udphdr) + sizeof(struct ndpi_vxlanhdr);
 }
 
+static uint32_t ndpi_is_valid_gre_tunnel(const struct pcap_pkthdr *header, 
+                const u_char *packet, const u_int16_t ip_offset, 
+                const u_int16_t ip_len) {
+  if(header->caplen < ip_offset + ip_len + sizeof(struct ndpi_gre_basehdr))
+    return 0; /* Too short for GRE header*/
+  uint32_t offset = ip_offset + ip_len;
+  struct ndpi_gre_basehdr *grehdr = (struct ndpi_gre_basehdr*)&packet[offset];
+  offset += sizeof(struct ndpi_gre_basehdr);
+  /*
+    rfc-1701
+    The GRE flags are encoded in the first two octets.  Bit 0 is the
+    most significant bit, bit 15 is the least significant bit.  Bits
+    13 through 15 are reserved for the Version field.  Bits 5 through
+    12 are reserved for future use and MUST be transmitted as zero.
+  */
+  if(NDPI_GRE_IS_FLAGS(grehdr->flags))
+    return 0;
+  if(NDPI_GRE_IS_REC(grehdr->flags))
+    return 0;
+  /*GRE rfc 2890 that update 1701*/
+  if(NDPI_GRE_IS_VERSION_0(grehdr->flags)) {
+    if(NDPI_GRE_IS_CSUM(grehdr->flags)) {
+      if(header->caplen < offset + 4)
+        return 0;
+      /*checksum field and offset field*/
+      offset += 4;
+    }
+    if(NDPI_GRE_IS_KEY(grehdr->flags)) {
+      if(header->caplen < offset + 4)
+        return 0;
+      offset += 4;
+    }
+    if(NDPI_GRE_IS_SEQ(grehdr->flags)) {
+      if(header->caplen < offset + 4)
+        return 0;
+      offset += 4;
+    }
+  } else if(NDPI_GRE_IS_VERSION_1(grehdr->flags)) { /*rfc-2637 section 4.1 enhanced gre*/
+    if(NDPI_GRE_IS_CSUM(grehdr->flags))
+      return 0;
+    if(NDPI_GRE_IS_ROUTING(grehdr->flags))
+      return 0;
+    if(!NDPI_GRE_IS_KEY(grehdr->flags))
+      return 0;
+    if(NDPI_GRE_IS_STRICT(grehdr->flags))
+      return 0;
+    if(grehdr->protocol != NDPI_GRE_PROTO_PPP) 
+      return 0;
+    /*key field*/
+    if(header->caplen < offset + 4)
+      return 0;
+    offset += 4;
+    if(NDPI_GRE_IS_SEQ(grehdr->flags)) {
+      if(header->caplen < offset + 4)
+        return 0;
+      offset += 4;
+    }
+    if(NDPI_GRE_IS_ACK(grehdr->flags)) {
+      if(header->caplen < offset + 4)
+        return 0;
+      offset += 4;
+    }
+  } else { /*support only ver 0, 1*/
+    return 0;
+  }
+  return offset;
+}
+
 /* ****************************************************** */
 
 struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
@@ -2295,6 +2363,26 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
 	      goto datalink_check;
       }
     }
+  } else if(workflow->prefs.decode_tunnels && (proto == IPPROTO_GRE)) {
+    if(header->caplen < ip_offset + ip_len + sizeof(struct ndpi_gre_basehdr))
+      return(nproto); /* Too short for GRE header*/
+    u_int32_t offset = 0;
+    if((offset = ndpi_is_valid_gre_tunnel(header, packet, ip_offset, ip_len))) {
+      tunnel_type = ndpi_gre_tunnel;
+      struct ndpi_gre_basehdr *grehdr = (struct ndpi_gre_basehdr*)&packet[ip_offset + ip_len];
+      if(grehdr->protocol == ntohs(ETH_P_IP) || grehdr->protocol == ntohs(ETH_P_IPV6)) { 
+        ip_offset = offset;
+        goto iph_check; 
+      } else if(grehdr->protocol ==  NDPI_GRE_PROTO_PPP) {  // ppp protocol
+        ip_offset = offset + NDPI_PPP_HDRLEN; 
+        goto iph_check;
+      } else {
+        eth_offset = offset;
+        goto datalink_check;
+      }
+    } else {
+      return(nproto);
+    }
   }
 
   /* process the packet */
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index a5b1175bc..6fa9d5581 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -53,6 +53,7 @@ typedef enum {
   ndpi_tzsp_tunnel,
   ndpi_l2tp_tunnel,
   ndpi_vxlan_tunnel,
+  ndpi_gre_tunnel,
 } ndpi_packet_tunnel;
 
 /*
@@ -536,6 +537,41 @@ struct ndpi_vxlanhdr {
   u_int8_t reserved;
 } PACK_OFF;
 
+#ifndef IPPROTO_GRE
+#define IPPROTO_GRE 47
+#endif
+
+#define NDPI_GRE_CSUM        ntohs(0x8000)
+#define NDPI_GRE_ROUTING     ntohs(0x4000)
+#define NDPI_GRE_KEY         ntohs(0x2000)
+#define NDPI_GRE_SEQ         ntohs(0x1000)
+#define NDPI_GRE_STRICT      ntohs(0x0800)
+#define NDPI_GRE_REC         ntohs(0x0700)
+#define NDPI_GRE_ACK         ntohs(0x0080)
+#define NDPI_GRE_FLAGS       ntohs(0x00f8)
+#define NDPI_GRE_VERSION     ntohs(0x0007)
+
+#define NDPI_GRE_IS_CSUM(f)		((f) & NDPI_GRE_CSUM)
+#define NDPI_GRE_IS_ROUTING(f)	((f) & NDPI_GRE_ROUTING)
+#define NDPI_GRE_IS_KEY(f)		((f) & NDPI_GRE_KEY)
+#define NDPI_GRE_IS_SEQ(f)		((f) & NDPI_GRE_SEQ)
+#define NDPI_GRE_IS_STRICT(f)	((f) & NDPI_GRE_STRICT)
+#define NDPI_GRE_IS_REC(f)		((f) & NDPI_GRE_REC)
+#define NDPI_GRE_IS_FLAGS(f)		((f) & NDPI_GRE_FLAGS)
+#define NDPI_GRE_IS_ACK(f)		((f) & NDPI_GRE_ACK)
+#define NDPI_GRE_IS_VERSION_0(f) (((f) & NDPI_GRE_VERSION) == ntohs(0x0000))
+#define NDPI_GRE_IS_VERSION_1(f) (((f) & NDPI_GRE_VERSION) == ntohs(0x0001))
+
+#define NDPI_GRE_PROTO_PPP ntohs(0x880b)
+#define NDPI_PPP_HDRLEN	4	/* octets for standard ppp header */
+
+/* +++++++++++++++++++++++ GRE basic header +++++++++++++++++++++++ */
+PACK_ON
+struct ndpi_gre_basehdr {
+	uint16_t flags;
+	uint16_t protocol;
+} PACK_OFF;
+
 /* ************************************************************ */
 
 /**
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 5976de3d4..8f89ef7bf 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1645,6 +1645,10 @@ const char* ndpi_tunnel2str(ndpi_packet_tunnel tt) {
   case ndpi_vxlan_tunnel:
     return("VXLAN");
     break;
+
+  case ndpi_gre_tunnel:
+    return("GRE");
+    break;
   }
 
   return("");
diff --git a/tests/pcap/gre.pcap b/tests/pcap/gre.pcap
new file mode 100644
index 000000000..a8cd42a8b
--- /dev/null
+++ b/tests/pcap/gre.pcap
diff --git a/tests/pcap/gre_no_options.pcapng b/tests/pcap/gre_no_options.pcapng
deleted file mode 100644
index 10ccd46a2..000000000
--- a/tests/pcap/gre_no_options.pcapng
+++ /dev/null
diff --git a/tests/result/gre.pcap.out b/tests/result/gre.pcap.out
new file mode 100644
index 000000000..9c22b40c6
--- /dev/null
+++ b/tests/result/gre.pcap.out
@@ -0,0 +1,28 @@
+Guessed flow protos:	0
+
+DPI Packets (UDP):	1	(1.00 pkts/flow)
+DPI Packets (other):	1	(1.00 pkts/flow)
+Confidence DPI              : 2 (flows)
+Num dissector calls: 2 (1.00 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom:       0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache stun_zoom:  0/0/0 (insert/search/found)
+Automa host:          0/0 (search/found)
+Automa domain:        0/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     0/0 (search/found)
+Automa common alpns:  0/0 (search/found)
+Patricia risk mask:   4/0 (search/found)
+Patricia risk:        2/0 (search/found)
+Patricia protocols:   4/0 (search/found)
+
+ICMP	2	276	1
+SIP	1	506	1
+
+	1	UDP 212.83.179.0:5097 -> 192.200.144.148:5060 [VLAN: 1][proto: GRE:100/SIP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][1 pkts/506 bytes -> 0 pkts/0 bytes][Goodput ratio: 81/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (OPTIONS sip)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	2	ICMP 10.1.2.1:0 <-> 10.1.2.2:0 [proto: GRE:81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/138 bytes <-> 1 pkts/138 bytes][Goodput ratio: 52/52][0.00 sec][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/gre_no_options.pcapng.out b/tests/result/gre_no_options.pcapng.out
deleted file mode 100644
index c7bc721c6..000000000
--- a/tests/result/gre_no_options.pcapng.out
+++ /dev/null
@@ -1,25 +0,0 @@
-Guessed flow protos:	0
-
-DPI Packets (other):	1	(1.00 pkts/flow)
-Confidence DPI              : 1 (flows)
-Num dissector calls: 1 (1.00 diss/flow)
-LRU cache ookla:      0/0/0 (insert/search/found)
-LRU cache bittorrent: 0/0/0 (insert/search/found)
-LRU cache zoom:       0/0/0 (insert/search/found)
-LRU cache stun:       0/0/0 (insert/search/found)
-LRU cache tls_cert:   0/0/0 (insert/search/found)
-LRU cache mining:     0/0/0 (insert/search/found)
-LRU cache msteams:    0/0/0 (insert/search/found)
-LRU cache stun_zoom:  0/0/0 (insert/search/found)
-Automa host:          0/0 (search/found)
-Automa domain:        0/0 (search/found)
-Automa tls cert:      0/0 (search/found)
-Automa risk mask:     0/0 (search/found)
-Automa common alpns:  0/0 (search/found)
-Patricia risk mask:   2/0 (search/found)
-Patricia risk:        2/0 (search/found)
-Patricia protocols:   2/0 (search/found)
-
-GRE	2	276	1
-
-	1	GRE 203.0.113.1:0 <-> 192.0.2.2:0 [proto: 80/GRE][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/138 bytes <-> 1 pkts/138 bytes][Goodput ratio: 0/0][0.00 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]