When using WCCP with the ProxySG appliance, many routers require the use of Generic Routing Encapsulation (GRE) to forward the redirected packets to the proxy. 

The GRE router takes the original packet, and encapsulates it inside of another IP packet, using the router’s IP as the source, and the proxy’s IP as the destination.  The proxy also encapsulates the return packet using its IP as the source, and the router’s IP as the destination.

If you are trying to debug an issue on a ProxySG that is using WCCP and GRE, you may need to get a packet capture to aid in troubleshooting.  The ProxySG uses the same command syntax as the Linux ‘tcpdump’ command for filtering in a packet capture.  Since the IP addresses of the GRE packets would be the router and the ProxySG, using the standard ‘host’ filter would not work to capture packets from the true client or destination hosts.

Tcpdump has the ability to specify an offset within the packet so you can search for any part of the packet that you like. 

The format is: “proto[a:b] = c”,

‘proto’ is the protocol within the packet (ether, ip, etc),

‘a’ is the starting byte within that protocol that you want to filter (the first byte of the IP header would be 0)

‘b’ is the number of bytes to count (supported values are 1,2 and 4)

‘c’ is the decimal representation of the hex values that make up the IP address.

Since GRE is part of the IP protocol, the ‘proto’ value would be ‘ip’.

If you view a GRE encapsulated packet in a protocol analyzer like Wireshark, and start counting the bytes from the beginning of the IP header, to the first byte of the GRE encapsulated source IP address, you’ll find that it is the 40^th byte in, so the first number will be 40.  An IP address is 4 bytes, so the second number will be 4.

To get the IP address, you need to convert the IP address into its hexadecimal values.  For example, the IP address 192.168.50.10, would be converted to 0xCO, 0xA8, 0x32, 0x0A.  If you string all 4 hex numbers together, then convert that number to decimal, you will get the third number.  i.e 0xC0A8320A = 3232248330.

Therefore, the filter you would enter into the ProxySG’s capture filter to get GRE encapsulated packets for source host 192.168.50.10 would be ‘ip[40:4] = 3232248330’.

Since the next 4 bytes after the GRE source address is the GRE destination address, to get packets for a GRE destination, use the filter ‘ip[44:4] = ‘

You should include the standard IP address filter so that the packets that are not GRE encapsulated to/from the client are also captured. So the filter should appear as the following example when entered into the capture filter field:

ip[40:4] = 3232248330 or ip[44:4] = 3232248330 or ip host 192.168.50.10

WCCP GRE Filter Calculator is attached to this article for your reference.