Get a Packet Capture of a GTP Event

Get a packet capture of a GTP event, such as GTP-in-GTP, to troubleshoot an abnormal GTP packet.
To make it easier to troubleshoot an erroneous GTP packet, you can capture a single GTP packet that triggered any of the following GTP events:
  • GTP-in-GTP
  • End user IP address spoofing
  • Abnormal GTPv1-C, GTPv2-C, and GTP-U messages that have a missing mandatory Information Element (IE), invalid IE, out-of-order IE, invalid header, or unsupported message type
  • Other abnormal GTPv1-C, GTPv2-C, and GTP-U messages
  1. Enable GTP if you haven’t already.
  2. Enable packet capture in a GTP Protection Profile.
    1. Select Objects > Security Profiles > GTP Protection and select an existing profile or Add a new profile.
    2. Select GTP Inspection > GTP-C and enable either GTPv2-C Stateful Inspection or GTPv1-C Stateful Inspection to enable the GTP Protection profile.
    3. Select Other Log Settings and enable Packet Capture.
      [Screenshot: gtp_packet_capture.png]
    4. Click OK.
  3. Apply the GTP Protection profile to a Security policy rule that applies to the zone you are protecting.
  4. Commit your changes.
  5. If the Application Command Center (ACC) on your firewall indicates a GTP problem that you want to troubleshoot, select Monitor > Logs > GTP and look for the GTP packet capture icon (gtp_pcap_icon.png) at the beginning of rows that capture troublesome GTP packets. In that row you’ll see the GTP Event Type (such as GTP-in-GTP), the international mobile subscriber identity (IMSI), the source and destination IP address of the packet, and other information.
    [Screenshot: gtp_pcap.png]
  6. If you want more details to verify the event, click the packet capture icon (gtp_pcap_icon.png) to download a packet capture file.
    [Screenshot: gtp_pcap_download.png]
  7. Click Export to export the file to a readable format and verify that the details support the GTP event type.
    [Screenshot: gtp_pcap_exported.png]
    In this packet capture example, the packet has two headers titled GPRS Tunneling Protocol. A GTP header inside another GTP header confirms that the GTP-in-GTP event is not a false positive; the packet is correctly identified as a GTP-in-GTP attack.
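The verification in the last step, done over the packet bytes instead of by eye. This is an added example and not code from the firewall or its documentation: it parses IPv4, UDP and GTPv1 headers according to the public GTPv1 header layout (3GPP TS 29.060), follows the encapsulation chain and counts GTP headers, reporting GTP-in-GTP when the T-PDU carried by a GTP-U G-PDU is itself a GTP-U tunnel. The sample packets, addresses and TEIDs are constructed for the example, and the function names (`gtp_layers`, `is_gtp_in_gtp`, the `build_*` helpers) are hypothetical.

```python
"""Detect GTP-in-GTP by walking the encapsulation chain of a raw IPv4 packet.

Added example, not part of the firewall documentation. Header layouts follow
the public GTPv1 specification; the sample packets below are constructed.
"""
import socket
import struct

GTPU_PORT = 2152      # GTP-U (user plane) UDP port
GTPV1_G_PDU = 0xFF    # GTPv1 message type that carries a T-PDU (the subscriber's IP packet)


def parse_gtpv1_header(data: bytes):
    """Return (message_type, teid, header_length) or None if data is not a GTPv1 header."""
    if len(data) < 8:
        return None
    flags, msg_type, _length, teid = struct.unpack("!BBHI", data[:8])
    version = flags >> 5
    pt = (flags >> 4) & 1           # 1 = GTP, 0 = GTP' (charging protocol)
    if version != 1 or pt != 1:
        return None
    hdr_len = 8
    if flags & 0x07:                # E, S or PN set: 4 optional bytes (seq, N-PDU, next ext type)
        if len(data) < 12:
            return None
        hdr_len = 12
        next_ext = data[11] if flags & 0x04 else 0
        while next_ext != 0:        # each extension header: length (4-byte units), content, next type
            if len(data) < hdr_len + 1:
                return None
            ext_len = data[hdr_len] * 4
            if ext_len == 0 or len(data) < hdr_len + ext_len:
                return None
            next_ext = data[hdr_len + ext_len - 1]
            hdr_len += ext_len
    return msg_type, teid, hdr_len


def gtp_layers(packet: bytes, depth: int = 0):
    """Walk IPv4 -> UDP -> GTP-U -> inner IPv4 ... and list every GTP-U header found."""
    layers = []
    if len(packet) < 20 or packet[0] >> 4 != 4:      # IPv4 only in this example
        return layers
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    if proto != 17 or len(packet) < ihl + 8:         # 17 = UDP
        return layers
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    udp_payload = packet[ihl + 8:ihl + ulen]
    if dport != GTPU_PORT:
        return layers
    gtp = parse_gtpv1_header(udp_payload)
    if gtp is None:
        return layers
    msg_type, teid, hdr_len = gtp
    layers.append({"depth": depth, "src": src, "dst": dst, "msg_type": msg_type, "teid": teid})
    # Only a G-PDU carries a T-PDU, i.e. an IP packet that may itself hold another tunnel.
    if msg_type == GTPV1_G_PDU:
        layers.extend(gtp_layers(udp_payload[hdr_len:], depth + 1))
    return layers


def is_gtp_in_gtp(packet: bytes) -> bool:
    """True when a GTP-U header is found inside the T-PDU of another GTP-U header."""
    return len(gtp_layers(packet)) >= 2


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4/UDP wrapper; checksums are left zero since the parser ignores them."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def build_gtpu_gpdu(teid: int, tpdu: bytes) -> bytes:
    """Minimal GTPv1-U G-PDU: flags 0x30 (version 1, PT=1, no optional fields) + T-PDU."""
    return struct.pack("!BBHI", 0x30, GTPV1_G_PDU, len(tpdu), teid) + tpdu


# Constructed sample: a subscriber's ordinary UDP packet ...
inner_user = build_ipv4_udp("10.45.0.7", "192.0.2.53", 40000, 53, b"\x00" * 12)
# ... carried in one GTP-U tunnel (the benign case) ...
single_tunnel_packet = build_ipv4_udp("192.0.2.10", "198.51.100.20", GTPU_PORT, GTPU_PORT,
                                      build_gtpu_gpdu(0x1111, inner_user))
# ... and that whole tunneled packet carried as the T-PDU of a second, outer GTP-U tunnel:
# the GTP-in-GTP pattern the firewall logs.
gtp_in_gtp_packet = build_ipv4_udp("203.0.113.5", "203.0.113.9", GTPU_PORT, GTPU_PORT,
                                   build_gtpu_gpdu(0x2222, single_tunnel_packet))

if __name__ == "__main__":
    for name, pkt in (("single tunnel", single_tunnel_packet), ("nested", gtp_in_gtp_packet)):
        layers = gtp_layers(pkt)
        print(f"{name}: GTP-U headers={len(layers)} GTP-in-GTP={is_gtp_in_gtp(pkt)}")
        for layer in layers:
            print(f"  depth {layer['depth']}: {layer['src']} -> {layer['dst']} TEID 0x{layer['teid']:x}")
```

To apply this to an exported capture, feed the IPv4 bytes of each frame (for example from a pcap reader, after stripping the link-layer header) to `gtp_layers`; a result with two entries corresponds to the two GPRS Tunneling Protocol headers visible in the exported file, and the second entry's TEID and addresses tell you which inner tunnel was smuggled through the outer one.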
