Network Filter on Encapsulated IP Header
I'm new to Wireshark and hoping to learn. I have a PCAP taken from a VMware source using a GRE / ERSPAN III. I'm trying to filter on the source IP address (this part is fine) and filter to hide the corporate network 10.0.0.0/8 from the inner IP header.
I am able to filter on the destination IP, but when I filter something like "!ip.dst eq 10.0.0.0/8" then there are no packets in my view. My assumption is because this network is used in the parent header to my capture host.
I have seen some examples in my search of how to use an offset to filter on the inner header, but not only have I not been able to get that to work, but I need to filter this whole network range rather than just 1 IP or a list of IPs.
All of my packets have these layers in Wireshark before the 2nd inner IPv4 Header.
- Frame
- Ethernet II
- Internet Protocol Version 4
- Generic Routing Encapsulation (ERSPAN III)
- Encapsulated Remote Switch Packet ANalysis Type III
- Ethernet II
- Internet Protocol Version 4
Can anyone help fill in what I'm missing here?