
Capture filters with GTP encapsulated UDP packets


Hi all,

When I want to trace my Gn (SGSN-GGSN) or IuPS (SGSN-RNC) interfaces using Wireshark, I'd like to use a Capture Filter (instead of a Display Filter) as I have a lot of traffic going on these interfaces. The GTP protocol is used on those interfaces, so the "inner IPs" are encapsulated.

See an example here of a GTP pcap : http://goo.gl/ZdFSvu

So if I want to only filter this particular inner IP (10.145.254.1) using "host 10.145.254.1" or "net 10.145.0.0/16", I don't see any packets on my wireshark as "Capture filter" is filtering with the "outer IP" (that is 10.152.10.89 or 10.152.12.101).

With which capture filter string can I achieve this?

Thanks, Thierry

asked 08 Apr '14, 18:35


tkennes

edited 08 Apr '14, 21:33

Hi Quadratic,

Yes, I actually need to be selective on a specific UE, or at least on a specific subnet such as 10.145.0.0/16. The problem with using 'udp port 2152' only is that I will still have too many packets, so my Wireshark will start bugging because my PC doesn't have enough memory.

Thanks,

(08 Apr '14, 21:32) tkennes

I also tried with something like: ip[12:4]=0x0a91fe01 but with no luck, as this filter is done on the "outer IP".

Can you please point me to how I can achieve this?

Thanks

(09 Apr '14, 18:02) tkennes

Hmm... one method would be like you're saying, except write the offset all the way into the packet's inner IP.

Other possibilities that come to mind:

  • If you're using a tap aggregator, unless you need the tunnel header info most aggregators I've worked with support GTP header stripping as a feature.

  • If possible, Gi interface is much easier for user-plane tracing since the GTP encapsulation is gone at that point.

  • It will take a lot of disk space possibly, but you could write all packets to disk first with something like dumpcap, then use "tshark -r dumpcap-created-file.pcap -R ip.addr==xxxx -w user-specific-file.pcap", which will allow you to use a display filter to search for the inner IP.

(09 Apr '14, 18:53) Quadratic

How do I write the offset all the way into the packet's inner IP? Using proto ip[x:x] seems to only "search" in the outer IP.

  • Unfortunately I'm not using a tap aggregator, I'm only mirroring ports on a switch.

  • Yes, about the Gi interface: in most cases it is enough to get traces there. The thing here is that we have some kind of TCP packet loss/buffering/disorder, but we're not completely sure if it is the SGSN, GGSN or RNC having problems. That's why we want to trace on the IuPS and Gn interfaces, so unfortunately GTP-U is used on these interfaces. And as it is live traffic, there are really lots of packets.

  • Thanks, I will try this if I can't find a way via the offset, unless you have an idea?

Thanks

(09 Apr '14, 23:28) tkennes

Hi,

Is there a way to do a capture filter for IPv6?

(ip[64:16]==0x2a008a00200000350000000000000011) or (ip6[64:16]==0x2a008a00200000350000000000000011)

I tried both; they don't seem to work.

Thanks! Joseph

(02 Mar '16, 15:25) joseph75074

@eusjosw, this question has been asked and answered. Please post a new question.

(02 Mar '16, 20:12) cmaynard ♦♦

One Answer:


For the gtp_tunnel_ftp.pcap capture file you provided, if you want to filter on the inner IP address of 10.145.254.1, then assuming all headers are fixed sizes (which they appear to be), then you can use a capture filter like so:

"((ip[48:4]==0x0a91fe01) or (ip[52:4]==0x0a91fe01)) or (vlan and ((ip[48:4]==0x0a91fe01) or (ip[52:4]==0x0a91fe01)))"

Explanation:

  • First, the offsets of 48 and 52: The outer IP header is 20 bytes, the UDP header is 8 bytes, the GTP header is also 8 bytes, and the offset to the inner source IP address and inner destination IP address within the encapsulated IP header is 12 bytes and 16 bytes, respectively. Adding those numbers up gives you the offsets to the 2 fields you're interested in, namely the inner source and destination IP addresses.
  • The field length: Both fields are 4 bytes.
  • VLAN: This would normally be the end of it, but packet #4 has an 802.1Q VLAN tag, so you need to repeat the entire filter preceded by the vlan primitive so that the offsets work for 802.1Q tagged frames too.

I tested the above filter after replaying the capture file using playcap and it worked in my test.

See also:

answered 10 Apr '14, 07:37


cmaynard ♦♦
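As an added example (not code from the answer or from the Wireshark project), the following Python script derives the same offsets the answer adds up, builds the same filter string for any inner IPv4 address, and emulates the filter on a constructed GTP-U frame with and without an 802.1Q tag. It also exercises the "assuming all headers are fixed sizes" caveat: when the GTP-U S, PN or E flag is set the header is 12 bytes and the fixed offsets read the wrong fields. The outer addresses are the ones from the question; the MACs, VLAN ID, TEID and payload are constructed.

```python
import ipaddress
import struct

GTPU_OPTIONAL_FLAGS = 0x07   # E, S or PN bit set: GTP-U header grows from 8 to 12 bytes

def inner_ip_offsets(gtp_header_len=8):
    """Offsets of the inner source/destination IPv4 addresses, counted from the
    start of the outer IPv4 header (what BPF's ip[...] indexes):
    outer IPv4 (20) + UDP (8) + GTP-U (8 or 12) + 12 or 16 into the inner IPv4 header."""
    base = 20 + 8 + gtp_header_len
    return base + 12, base + 16

def build_filter(inner_ip):
    """The answer's capture filter, generalised to any inner IPv4 address."""
    hexval = "0x%08x" % int(ipaddress.IPv4Address(inner_ip))
    src_off, dst_off = inner_ip_offsets()
    core = "(ip[%d:4]==%s) or (ip[%d:4]==%s)" % (src_off, hexval, dst_off, hexval)
    return "(%s) or (vlan and (%s))" % (core, core)

def matches(frame, inner_ip):
    """Emulate that filter on a raw Ethernet frame: 'ip' only matches EtherType
    0x0800, while 'vlan' accepts 0x8100 and shifts every later offset by the 4-byte tag."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip_start = {0x0800: 14, 0x8100: 18}.get(ethertype)
    if ip_start is None:
        return False
    want = ipaddress.IPv4Address(inner_ip).packed
    return any(frame[ip_start + off:ip_start + off + 4] == want
               for off in inner_ip_offsets())

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header, checksum left at zero (constructed test data).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def gtpu_frame(inner_src, inner_dst, vlan=False, gtp_flags=0x30):
    """Constructed GTP-U G-PDU frame (not taken from the pcap in the question):
    Ethernet, optional 802.1Q tag, outer IPv4, UDP/2152, GTP-U, inner IPv4, payload."""
    payload = b"\xde\xad\xbe\xef"
    inner = ipv4_header(inner_src, inner_dst, 6, len(payload)) + payload
    # Sequence number, N-PDU number and next-extension type are present if any of E/S/PN is set.
    ext = struct.pack("!HBB", 0, 0, 0) if gtp_flags & GTPU_OPTIONAL_FLAGS else b""
    gtp = struct.pack("!BBHI", gtp_flags, 0xFF, len(inner) + len(ext), 1) + ext
    udp = struct.pack("!HHHH", 2152, 2152, 8 + len(gtp) + len(inner), 0)
    outer = ipv4_header("10.152.10.89", "10.152.12.101", 17, len(udp) + len(gtp) + len(inner))
    tag = struct.pack("!HH", 0x8100, 100) if vlan else b""
    return b"\x02" * 12 + tag + b"\x08\x00" + outer + udp + gtp + inner
```

With the 12-byte header, offset 52 lands on the inner source address instead of the destination, so a match can still fire but for the wrong field; anchoring the filter on the GTP-U flags byte (ip[28:1]) or adding udp port 2152 narrows what the fixed offsets are applied to.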

Thanks, it's working perfectly!

(10 Apr '14, 11:57) tkennes

That helped me. I was trying to capture ranap only in an IuPS trace; I managed to do it via a display filter after capturing the complete file separately. Let me know if you think there is any pcaplib (capture filter for ranap) also.

Thanks

Regards, Usama

(07 Nov '14, 01:40) Usama Khan