How to enable NetShark's GPRS Tunneling Protocol (GTP) Decoding Feature?
GPRS Tunneling Protocol (GTP) decoding was added to NetShark in the 10.5 release. GTP is a group of IP-based communications protocols used by mobile operators to carry GSM/GPRS/LTE traffic on IP networks. It is a tunneling protocol that encapsulates IP packets. NetShark decoding identifies GTPv0, GTPv1 and GTPv2 packets and strips the GTP header (GTP-C and GTP-U), making the encapsulated UDP and TCP packets available for analysis by Packet Analyzer Views, indexing, and flow export. There are no new views for GTP, but new fields for GTP are available in the View Editor (see “Reference” below).
GTP registered port numbers are defined in the default port definitions on NetShark and Packet Analyzer:
gtp-control – 2123 (tcp/udp)
gtp-user – 2152 (tcp/udp)
gprs-data – 3386 (udp)
gprs-sig – 3386 (tcp)
These ports are used to identify a GTP packet. If these definitions are changed, GTP decoding will not work.
The parameter packet_parser.skip_gtp_header has been added to the NetShark Advanced Settings. It controls whether the GTP header is stripped or left in place (the default).
# If packet_parser.skip_gtp_header is set to True, the GTP header will be skipped
packet_parser.skip_gtp_header=False
If you are analyzing local traffic on the Packet Analyzer, packet_parser.skip_gtp_header must be set in the Packet Analyzer configuration file: \Users\<user>\AppData\Roaming\Riverbed\SteelCentral Packet Analyzer\<version>\server\configuration\Pilot.Server.conf
The table below summarizes the results of this parameter’s settings.
| packet_parser.skip_gtp_header | GTP Headers | Packet Analyzer | NetProfiler Export |
|---|---|---|---|
| False (default) | Unchanged | GTP packets are analyzed | GTP packets |
| True | Stripped | UDP/TCP packets are analyzed | UDP/TCP packets |
Microflow indexing follows the packet_parser.skip_gtp_header setting: if False, the index is calculated using the GTP header; if True, the index is calculated using the UDP or TCP header.
Reference
Fields about GTP itself
gtp.is_gtp : Indication of whether the packet contains GTP traffic
gtp.header.teid : Tunnel ID in the GTP header
gtp.header.msg_type : Message Type in GTP header
gtp.header.seq_num : Sequence Number in GTP header
Fields about encapsulated IP packet
gtp.encapsulated.bits : Bit count of the encapsulated IP packet
gtp.encapsulated.bytes : Byte count of the encapsulated IP packet
gtp.encapsulated.ip : IP address of the encapsulated IP host
gtp.encapsulated.port : Encapsulated port number of the encapsulated IP packet
gtp.encapsulated.src_ip : IP address of the encapsulated source host
gtp.encapsulated.dst_ip : IP address of the encapsulated destination host
gtp.encapsulated.src_port : Source port number of the encapsulated IP packet
gtp.encapsulated.dst_port : Destination port number of the encapsulated IP packet
gtp.encapsulated.transport_protocol : Transport protocol in the encapsulated IP packet
gtp.encapsulated.port_name : Port name in the encapsulated IP packet
gtp.encapsulated.port_group : Port group in the encapsulated IP packet
Note: These fields can be used only if packet_parser.skip_gtp_header is set to False.
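To show where the header and encapsulated fields listed above sit on the wire, here is an added example (not Riverbed's code and not a description of NetShark's internals) that parses a GTPv1 user-plane packet and the IPv4 packet it carries. The names parse_gtpu and sample_gpdu and the dictionary keys are assumptions chosen to echo the field names; the sample packet is constructed.

```python
import socket
import struct

G_PDU = 0xFF  # GTPv1 message type that carries an encapsulated user packet

def parse_gtpu(payload: bytes) -> dict:
    """Parse a GTPv1 header (UDP payload on port 2152) and the inner IPv4 packet."""
    if len(payload) < 8:
        raise ValueError("shorter than the mandatory 8-byte GTPv1 header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not GTPv1 (version 1, protocol type GTP)")
    end = 8 + length                      # length counts everything after byte 8
    if end > len(payload):
        raise ValueError("length field exceeds the captured bytes")
    out = {"teid": teid, "msg_type": msg_type, "seq_num": None}
    off = 8
    if flags & 0x07:                      # E, S or PN set: 4 optional bytes follow
        if off + 4 > end:
            raise ValueError("optional fields truncated")
        seq, _npdu, next_ext = struct.unpack("!HBB", payload[8:12])
        out["seq_num"] = seq if flags & 0x02 else None
        off = 12
        while flags & 0x04 and next_ext:  # walk the extension header chain
            ext_len = payload[off] * 4 if off < end else 0  # 4-octet units
            if ext_len == 0 or off + ext_len > end:
                raise ValueError("malformed extension header")
            next_ext = payload[off + ext_len - 1]
            off += ext_len
    if msg_type != G_PDU:
        return out                        # signalling message: no inner packet
    inner = payload[off:end]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(inner):
        raise ValueError("bad inner IPv4 header length")
    out.update(src_ip=socket.inet_ntoa(inner[12:16]), transport_protocol=inner[9],
               dst_ip=socket.inet_ntoa(inner[16:20]))
    if inner[9] in (6, 17) and len(inner) >= ihl + 4:   # TCP or UDP
        out["src_port"], out["dst_port"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return out

def sample_gpdu() -> bytes:
    """Constructed G-PDU: TEID 0x1234, seq 7, inner UDP 10.0.0.1:40000 -> 192.0.2.53:53."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,  # checksum left 0
                     socket.inet_aton("10.0.0.1"), socket.inet_aton("192.0.2.53"))
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    body = struct.pack("!HBB", 7, 0, 0) + ip + udp
    return struct.pack("!BBHI", 0x32, G_PDU, len(body), 0x1234) + body  # flags: v1, PT, S
```

The parser rejects packets whose length field or extension headers run past the captured bytes, which is the case a capture tool has to handle when tunnelled traffic is truncated by a snap length.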
NetShark
Asked for in AR11 via
https://steelcentral.ideas.riverbed.com/ideas/AR-I-151