Get a Packet Capture of a GTP Event
Get a packet capture of a GTP event, such as GTP-in-GTP, to troubleshoot an abnormal GTP packet.
To make it easier to troubleshoot an erroneous GTP packet, you can capture a single GTP packet that triggered any of the following GTP events:
- End user IP address spoofing
- Abnormal GTPv1-C, GTPv2-C, and GTP-U messages that have a missing mandatory Information Element (IE), invalid IE, out-of-order IE, invalid header, or unsupported message type
- Other abnormal GTPv1-C, GTPv2-C, and GTP-U messages
- Enable GTP if you haven’t already.
- Enable packet capture in a GTP Protection Profile.
  - Select Objects > Security Profiles > GTP Protection and select an existing profile or Add a new profile.
  - Select GTP Inspection > GTP-C and enable either GTPv2-C Stateful Inspection or GTPv1-C Stateful Inspection to enable the GTP Protection profile.
  - Select Other Log Settings and enable Packet Capture.
  - Click OK.
- Apply the GTP Protection profile to a Security policy rule that applies to the zone you are protecting.
- Commit your changes.
- If the Application Command Center (ACC) on your firewall indicates a GTP problem that you want to troubleshoot, select Monitor > Logs > GTP and look for the GTP packet capture icon at the beginning of rows that capture troublesome GTP packets. In that row you’ll see the GTP Event Type (such as GTP-in-GTP), the international mobile subscriber identity (IMSI), the source and destination IP addresses of the packet, and other information.
- If you want more details to verify the event, click the packet capture icon to download a packet capture file.
- Click Export to export the file to a readable format and verify that the details support the GTP event type. In this packet capture example, the packet has two headers entitled GPRS Tunneling Protocol; a GTP header inside another GTP header verifies that the GTP-in-GTP event is not a false positive; it’s identified as a GTP-in-GTP attack.
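The same verification can be scripted against the exported capture. The following is an added example, not code from this documentation or from the firewall: it checks whether the UDP payload of a GTP-U packet tunnels a second GTP header. The function names and sample packets are constructed for illustration, and it assumes the outer UDP payload has already been extracted and that the tunnelled packet is IPv4.

```python
import struct

GTP_PORTS = {2123, 2152, 3386}  # registered UDP ports: GTP-C, GTP-U, GTP'
G_PDU = 0xFF                    # GTPv1-U message type that carries user packets

def gtpu_payload(data):
    """Return the T-PDU inside a GTPv1-U G-PDU, or None if data is not one."""
    if len(data) < 8:
        return None
    flags, msg_type, length, _teid = struct.unpack("!BBHI", data[:8])
    end = 8 + length            # length counts everything after the first 8 bytes
    if flags >> 5 != 1 or not flags & 0x10 or msg_type != G_PDU or end > len(data):
        return None
    off = 8
    if flags & 0x07:            # E, S or PN set: 4 optional bytes follow
        if end < 12:
            return None
        next_ext, off = (data[11] if flags & 0x04 else 0), 12
        while next_ext:         # walk extension headers (length in 4-byte units)
            if off >= end or data[off] == 0 or off + data[off] * 4 > end:
                return None
            off += data[off] * 4
            next_ext = data[off - 1]
    return data[off:end]

def is_gtp_in_gtp(outer_udp_payload):
    """True if the tunnelled IPv4/UDP packet targets a GTP port with a GTP header."""
    inner = gtpu_payload(outer_udp_payload)
    if not inner or len(inner) < 20 or inner[0] >> 4 != 4:
        return False
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or inner[9] != 17 or len(inner) < ihl + 9:
        return False
    dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    return dport in GTP_PORTS and inner[ihl + 8] >> 5 in (1, 2)

# Constructed fixtures (not taken from the page's capture)
def build_gtpu(tpdu, seq=None):
    opt = b"" if seq is None else struct.pack("!HBB", seq, 0, 0)
    flags = 0x30 if seq is None else 0x32
    return struct.pack("!BBHI", flags, G_PDU, len(opt) + len(tpdu), 1) + opt + tpdu

def build_ipv4_udp(dport, payload):
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp

NESTED = build_gtpu(build_ipv4_udp(2152, build_gtpu(b"\x00" * 20)), seq=7)
NORMAL = build_gtpu(build_ipv4_udp(53, b"\x12\x34" + b"\x00" * 10))
```

`is_gtp_in_gtp(NESTED)` is true and `is_gtp_in_gtp(NORMAL)` is false; a capture that the log marks as GTP-in-GTP but that fails this check deserves a closer look as a possible false positive.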