asked 2020-06-26 22:00:08 +0000

Dudi gravatar image

updated 2020-06-27 03:57:47 +0000

I have a big file with a lot of gtpv2 messages. This is a few seconds snapshot from a mobile core network. The file include multiple subscribers and various messages like "Create Session Request", "Modify Bearer Request", responses etc.

My target is to create a IMSI MATE filter, so each frame in the file will be enhanced with IMSI.

The IMSI appears only in the first message "Create Session Request".
I was able to create a GOP based on gtpv2.seq number, so i have the IMSI now also in the 2nd packet "Create Session Response".

The problem start on the next packets, the sequence is new and the IMSI is not there anymore, so MATE mark this as a new GOP.
The GTP session correlation is based on tunnel id (TEID) .
Packet#1 include gtpv2.teid as 0000, multiple gtpv2.f_teid_gre_key and the imsi.
Packet#2 include gtpv2.teid as one of the gtpv2.f_teid_gre_key from P#1, and multiple gtpv2.f_teid_gre_key.
Packets 1 and 2 have the same sequence so they are in the same GOP.

Packet#3 include gtpv2.teid as one of the gtpv2.f_teid_gre_key from P#2 and new value of gtpv2.f_teid_gre_key.

   ip.src ==
   ip.dst ==
   gtpv2.teid == 0x00000000
   gtpv2.seq == 0x003c7c73
   e212.imsi == "525010780024874"
   gtpv2.f_teid_gre_key == 0x67800005
   gtpv2.f_teid_gre_key == 0xc842c0a1
   gtpv2.f_teid_gre_key == 0x000ad605

   ip.src ==
   ip.dst ==
   gtpv2.teid == 0x67800005
   gtpv2.seq == 0x003c7c73
   gtpv2.f_teid_gre_key == 0x8aa0802c
   gtpv2.f_teid_gre_key == 0x8aaa61f0

   ip.src ==
   ip.dst ==
   gtpv2.teid == 0x8aaa61f0
   gtpv2.seq == 0x003c7c72
   gtpv2.f_teid_gre_key == 0xbc639b69

   ip.src ==
   ip.dst ==
   gtpv2.teid == 0x67800005
   gtpv2.seq == 0x003c7c72
   gtpv2.f_teid_gre_key == 0x8aa0802c

How can add the IMSI to all packets ?

This is what i did till now:

 / A Wireshark MATE configuration file to identify GTPv2 transactions.

 // Create a "gtpv2_pdu" that contains various pieces of the processed GTPv2
 // message.
 Pdu gtpv2_pdu Proto gtpv2 Transport ip {
    Extract seq From gtpv2.seq;
    Extract teid From gtpv2.teid;
    Extract teid_gre From gtpv2.f_teid_gre_key;
    Extract imsi From e212.imsi;


  // Then create a GOP (Group Of Pdus) where the each GOP contains all the PDUs
  // (msgs) that whose sequence match.
  Gop gtpv2_transaction On gtpv2_pdu Match (seq) {

    // Store the IMSI in the GOP

edit retag flag offensive close merge delete