GRE Tunnel & Deduplication
Accurate traffic stats on GRE-tunneled interfaces
When GRE Dedup Is Needed
GRE (Generic Routing Encapsulation, IP protocol 47) tunnels wrap each packet in an additional IP + GRE header layer. On servers receiving traffic through GRE tunnels, the same traffic appears at multiple layers. Without deduplication, bandwidth and PPS stats are inflated by 10-25% due to the header overhead, and attack detection thresholds become inaccurate.
Common scenarios that require GRE dedup:
- DDoS scrubbing providers that deliver clean traffic via GRE tunnels
- Hosting providers using GRE for customer traffic isolation
- VPN and overlay networks (IPsec over GRE, VXLAN over GRE)
- Data center interconnects using GRE tunnels
How It Works
The GRE decapsulator strips outer IP + GRE headers from packets for stats calculation only. The original packet with all encapsulation layers is always preserved in PCAP forensic captures.
Decapsulation Process
- Check if the packet has a GRE layer (IP protocol 47)
- Parse the GRE header flags (checksum, key, sequence number) to determine header length
- Extract the inner payload (the actual customer packet)
- Use the inner packet length for BPS calculations
- Repeat for nested GRE (up to
gre_max_depthlayers, default 3)
BPS Correction
Each tick, the decapsulator tracks outer bytes vs inner bytes. The overhead ratio is computed as:
PPS is not adjusted because one outer GRE packet always contains exactly one inner packet.
Configuration
GRE deduplication is controlled by the gre_mode setting in /etc/ftagent/config.json:
| Setting | Type | Default | Description |
|---|---|---|---|
| gre_mode | string | "auto" | "auto" = detect GRE interface on startup, enable if found. "enabled" = always strip GRE headers. "disabled" = never strip (use for bare-metal interfaces). |
| gre_max_depth | int | 3 | Maximum nested GRE layers to strip. Handles double/triple GRE encapsulation. |
Example config.json
Auto-Detection
When gre_mode is "auto", the agent runs ip -d link show on the monitored interface at startup. If the interface type contains "gre", "gretap", "ip6gre", or "ip6gretap", GRE dedup is enabled automatically.
The agent also runs ip tunnel show on startup to enumerate all GRE tunnels on the system and reports them to the dashboard (remote IP, local IP, tunnel type).
Performance Impact
- Scapy mode: Negligible overhead. Decapsulation is a simple layer traversal on the existing parsed packet.
- tcpdump mode: Raw byte parsing without Scapy. The decapsulator parses IP headers and GRE flags directly from bytes, which adds ~50 nanoseconds per packet.
- Memory: No additional memory. Stats are computed in place using the inner packet reference.
Hypervisor Mode
When both GRE dedup and "hypervisor_mode": true are active, the agent tracks the inner destination IP after stripping GRE headers. This lets you see per-VM traffic breakdowns on a hypervisor that receives all customer traffic through a single GRE tunnel.
Configure VM labels for human-readable names:
Per-VM stats (PPS, BPS, protocol breakdown, source IP count) are pushed to the dashboard every 5 seconds and visible in the node detail view.
Troubleshooting
GRE dedup is enabled but stats still look inflated
- Check that
gre_modeis not"disabled"in your config - Run
ftagent --debugand look for "GRE dedup: enabled" in the startup output - Verify with
ip -d link show <interface>that the interface is recognized as a GRE tunnel - If using tcpdump mode, the BPS correction relies on sampling. Ensure the agent's packet ring buffer is not dropping samples.
Agent does not detect the GRE interface
- Some hosting providers use kernel modules that do not expose GRE metadata via iproute2. Set
"gre_mode": "enabled"explicitly. - If the GRE tunnel is on a different interface than the monitored one, set
"interface"to the GRE tunnel interface name.
Nested GRE not being stripped
- Increase
gre_max_depthif you have more than 3 layers of GRE encapsulation (rare but possible in complex overlay networks).