Get a Packet Capture of a GTP Event

Get a packet capture of a GTP event, such as GTP-in-GTP, to troubleshoot an abnormal GTP packet.
To make it easier to troubleshoot an erroneous General Packet Radio Service (GPRS) tunneling protocol (GTP) packet, you can capture a single GTP packet that triggered any of the following GTP events:
  • GTP-in-GTP
  • End-user IP address spoofing
  • Abnormal GTPv1-C, GTPv2-C, and GTP-U messages that have a missing mandatory Information Element (IE), invalid IE, out-of-order IE, invalid header, or unsupported message type
  • Other abnormal GTPv1-C, GTPv2-C, or GTP-U messages
  1. Enable GTP or confirm that it is already enabled.
  2. Enable packet capture in a GTP Protection Profile.
    1. Select Objects > Security Profiles > GTP Protection and select an existing profile or Add a new profile.
    2. Select GTP Inspection > GTP-C and enable either GTPv2-C Stateful Inspection or GTPv1-C Stateful Inspection to enable the GTP Protection profile.
    3. Select Other Log Settings and enable Packet Capture.
    4. Click OK.
  3. Apply the GTP Protection profile to a Security policy rule that applies to the zone you are protecting.
  4. Commit your changes.
  5. If the Application Command Center (ACC) on your firewall indicates a GTP problem that you want to troubleshoot, select Monitor > Logs > GTP and look for the GTP packet capture icon at the beginning of rows that capture troublesome GTP packets. In those rows you’ll see the GTP Event Type (such as GTP-in-GTP), the international mobile subscriber identity (IMSI), source and destination IP address of the packet, and other information.
  6. If you want more details to verify the event, click the download icon to download a packet capture file.
  7. Export the file to readable format and verify that the details support the GTP event type.
    In this packet capture example, the packet has two headers titled GPRS Tunneling Protocol; a GTP header inside another GTP header verifies that the GTP-in-GTP event is not a false positive; it’s identified as a GTP-in-GTP attack.
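The verification in step 7 can also be done programmatically on the exported capture. The following Python script is an added example, not code from Palo Alto Networks or from this page: it walks the IPv4/UDP/GTPv1 layers of a packet and reports every GTP header it finds, so a G-PDU whose user payload is itself a GTP-U packet shows up as two GTP layers. It assumes the standard GTP UDP ports (2123 for GTP-C, 2152 for GTP-U), that the capture has already been reduced to IPv4 packets (a helper strips a plain Ethernet header), and it uses constructed sample packets rather than bytes from a real capture; checksums in the samples are left at zero because the parsers never validate them.

```python
import struct

# Standard GTP UDP ports (assumed, not taken from the page)
GTP_C_PORT = 2123
GTP_U_PORT = 2152
GTP_MSG_GPDU = 0xFF   # GTPv1 message type of a G-PDU, i.e. an encapsulated user packet
IPPROTO_UDP = 17


def parse_ipv4(buf):
    """Return (protocol, src, dst, header_len) for an IPv4 header, or None if malformed."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    src = ".".join(str(b) for b in buf[12:16])
    dst = ".".join(str(b) for b in buf[16:20])
    return buf[9], src, dst, ihl


def parse_udp(buf):
    """Return (sport, dport, header_len) for a UDP header, or None if truncated."""
    if len(buf) < 8:
        return None
    sport, dport = struct.unpack("!HH", buf[:4])
    return sport, dport, 8


def parse_gtpv1_header(buf):
    """Return (msg_type, teid, header_len) for a GTPv1 header, or None if malformed.
    Accounts for the optional 4 bytes (S/PN/E flags) and the extension-header chain."""
    if len(buf) < 8:
        return None
    flags, msg_type, _length, teid = struct.unpack("!BBHI", buf[:8])
    if flags >> 5 != 1:          # version field must be 1 for GTPv1
        return None
    hdr_len = 8
    if flags & 0x07:             # E, S or PN set: sequence, N-PDU and next-ext bytes follow
        hdr_len += 4
        if len(buf) < hdr_len:
            return None
        next_ext = buf[hdr_len - 1] if flags & 0x04 else 0   # next-ext is only meaningful when E=1
        while next_ext != 0:     # walk the extension header chain; each length is in 4-byte units
            if len(buf) <= hdr_len:
                return None
            ext_len = buf[hdr_len] * 4
            if ext_len == 0 or len(buf) < hdr_len + ext_len:
                return None
            next_ext = buf[hdr_len + ext_len - 1]
            hdr_len += ext_len
    return msg_type, teid, hdr_len


def gtp_layers(ip_packet):
    """Walk IPv4/UDP/GTP encapsulations from an IPv4 packet; return one dict per GTP header,
    outermost first. Only G-PDUs are descended into, since only they carry a user packet."""
    layers, buf = [], ip_packet
    while True:
        ip = parse_ipv4(buf)
        if ip is None or ip[0] != IPPROTO_UDP:
            break
        _proto, src, dst, ihl = ip
        udp = parse_udp(buf[ihl:])
        if udp is None or udp[1] not in (GTP_C_PORT, GTP_U_PORT):
            break
        gtp = parse_gtpv1_header(buf[ihl + 8:])
        if gtp is None:
            break
        msg_type, teid, hlen = gtp
        layers.append({"src": src, "dst": dst, "dport": udp[1], "msg_type": msg_type, "teid": teid})
        if msg_type != GTP_MSG_GPDU:
            break
        buf = buf[ihl + 8 + hlen:]
    return layers


def is_gtp_in_gtp(ip_packet):
    """True when a GTP tunnel's user payload is itself a GTP packet (the GTP-in-GTP event)."""
    return len(gtp_layers(ip_packet)) >= 2


def strip_ethernet(frame):
    """Drop a 14-byte Ethernet header when the frame carries IPv4 (EtherType 0x0800)."""
    return frame[14:] if len(frame) >= 14 and frame[12:14] == b"\x08\x00" else frame


# --- Constructed sample packets (not from a real capture) ---------------------------
def _addr(a):
    return bytes(int(o) for o in a.split("."))

def _ipv4(src, dst, proto, payload):   # checksum left as zero on purpose
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       _addr(src), _addr(dst)) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _gtpu(teid, payload):              # flags 0x30: version 1, PT=1, no optional fields
    return struct.pack("!BBHI", 0x30, GTP_MSG_GPDU, len(payload), teid) + payload

USER_PACKET = _ipv4("10.0.0.5", "203.0.113.10", IPPROTO_UDP, _udp(40000, 53, b"\x00" * 4))
NORMAL_PACKET = _ipv4("192.0.2.1", "198.51.100.1", IPPROTO_UDP,
                      _udp(GTP_U_PORT, GTP_U_PORT, _gtpu(0x1001, USER_PACKET)))
INNER_TUNNEL = _ipv4("10.0.0.5", "198.51.100.2", IPPROTO_UDP,
                     _udp(GTP_U_PORT, GTP_U_PORT, _gtpu(0x2002, USER_PACKET)))
GTP_IN_GTP_PACKET = _ipv4("192.0.2.1", "198.51.100.1", IPPROTO_UDP,
                          _udp(GTP_U_PORT, GTP_U_PORT, _gtpu(0x1001, INNER_TUNNEL)))

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_PACKET), ("gtp-in-gtp", GTP_IN_GTP_PACKET)):
        print(name, "TEIDs:", [hex(l["teid"]) for l in gtp_layers(pkt)], "GTP-in-GTP:", is_gtp_in_gtp(pkt))
```

Running the script prints one TEID for the normal G-PDU and two for the nested one, which is the same evidence the exported capture shows as two GPRS Tunneling Protocol headers. The walker stops at the first non-G-PDU message or non-GTP port, so a GTP-C message or ordinary user traffic inside the tunnel never produces a false positive, and every parser returns None on truncated or malformed headers instead of raising.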
