Get a Packet Capture of a GTP Event

Get a packet capture of a GTP event, such as GTP-in-GTP, to troubleshoot an abnormal GTP packet.
To make it easier to troubleshoot an erroneous General Packet Radio Service (GPRS) tunneling protocol (GTP) packet, you can capture a single GTP packet that triggered any of the following GTP events:
  • GTP-in-GTP
  • End-user IP address spoofing
  • Abnormal GTPv1-C, GTPv2-C, and GTP-U messages that have a missing mandatory Information Element (IE), invalid IE, out-of-order IE, invalid header, or unsupported message type
  • Other abnormal GTPv1-C, GTPv2-C, or GTP-U messages
  1. Enable GTP or confirm that it is already enabled.
  2. Enable packet capture in a Mobile Network Protection Profile.
    1. Select Objects > Security Profiles > Mobile Network Protection and select an existing profile or Add a new profile.
    2. Select GTP Inspection > GTP-C and enable either GTPv2-C Stateful Inspection or GTPv1-C Stateful Inspection to enable the Mobile Network Protection profile.
    3. Select Other Log Settings and enable Packet Capture.
    4. Click OK.
  3. Apply the Mobile Network Protection profile to a Security policy rule that applies to the zone you are protecting.
  4. Commit your changes.
  5. If the Application Command Center (ACC) on your firewall indicates a GTP problem that you want to troubleshoot, select Monitor > Logs > GTP and look for the GTP packet capture icon at the beginning of rows that capture troublesome GTP packets. In those rows you’ll see the GTP Event Type (such as GTP-in-GTP), the international mobile subscriber identity (IMSI), source and destination IP address of the packet, and other information.
  6. If you want more details to verify the event, click the download icon to download a packet capture file.
  7. Export the file to readable format and verify that the details support the GTP event type.
    In this packet capture example, the packet has two headers titled GPRS Tunneling Protocol; a GTP header inside another GTP header verifies that the GTP-in-GTP event is not a false positive, and it’s identified as a GTP-in-GTP attack.
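
The verification in the last step can also be scripted. The Python below is an added example, not code from the original page or from the firewall vendor: it takes the UDP payload of a captured GTP-U packet and reports whether the tunnelled packet is itself GTP. It assumes GTPv1-U on the outer layer and an IPv4 inner packet; the function names and the sample packets are constructed for illustration.

```python
import struct

GTP_PORTS = {2123, 2152}  # UDP ports for GTP-C and GTP-U
G_PDU = 0xFF              # GTPv1-U message type that carries a user packet

def gtpu_inner(payload: bytes):
    """Return the T-PDU inside a GTPv1-U G-PDU, or None if malformed/not a G-PDU."""
    if len(payload) < 8:
        return None
    flags, msg_type, length, _teid = struct.unpack("!BBHI", payload[:8])
    if flags >> 5 != 1 or not flags & 0x10 or msg_type != G_PDU:
        return None
    end, off = min(len(payload), 8 + length), 8
    if flags & 0x07:                    # E, S or PN set: 4 optional bytes follow
        if end < 12:
            return None
        next_ext, off = (payload[11] if flags & 0x04 else 0), 12
        while next_ext:                 # extension headers, length in 4-byte units
            if off >= end or payload[off] == 0 or off + payload[off] * 4 > end:
                return None
            off += payload[off] * 4
            next_ext = payload[off - 1]
    return payload[off:end]

def is_gtp_in_gtp(outer_udp_payload: bytes) -> bool:
    """True if the tunnelled IPv4 packet is UDP on a GTP port and starts with a GTP header."""
    ip = gtpu_inner(outer_udp_payload)
    if not ip or len(ip) < 20 or ip[0] >> 4 != 4:
        return False
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or ip[9] != 17 or len(ip) < ihl + 9:
        return False
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return bool({sport, dport} & GTP_PORTS) and ip[ihl + 8] >> 5 in (1, 2)

# --- constructed sample packets (not taken from the page's capture) ---
def gtpu(inner: bytes, teid: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", 0x30, G_PDU, len(inner), teid) + inner

def ipv4_udp(dport: int, data: bytes) -> bytes:
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + udp

NESTED = gtpu(ipv4_udp(2152, gtpu(b"\x00" * 8)))   # GTP-U inside GTP-U
NORMAL = gtpu(ipv4_udp(53, bytes(12)))              # ordinary subscriber DNS query
if __name__ == "__main__":
    print(is_gtp_in_gtp(NESTED), is_gtp_in_gtp(NORMAL))
```

A `True` result corresponds to the two stacked GPRS Tunneling Protocol headers described in step 7; an inner IPv6 packet is outside what this check covers.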
