Get a Packet Capture of a GTP Event
Table of Contents
Get a Packet Capture of a GTP Event
Get a packet capture of a GTP event, such as GTP-in-GTP,
to troubleshoot an abnormal GTP packet.
To make it easier to troubleshoot an erroneous General
Packet Radio Service (GPRS) tunneling protocol (GTP) packet, you
can capture a single GTP packet that triggered any of the following
GTP events:
- GTP-in-GTP
- End-user IP address spoofing
- Abnormal GTPv1-C, GTPv2-C, and GTP-U messages that have a missing mandatory Information Element (IE), invalid IE, out-of-order IE, invalid header, or unsupported message type
- Other abnormal GTPv1-C, GTPv2-C, or GTP-U messages
- Enable GTP or confirm that it is already enabled.
- Enable packet capture in a GTP Protection Profile.
- Select and select an existing profile orAdda new profile.
- Select and enable eitherGTPv2-C Stateful InspectionorGTPv1-C Stateful Inspectionto enable the GTP Protection profile.
- SelectOther Log Settingsand enablePacket Capture.
- ClickOK.
- Apply the GTP Protection profile to a Security policy rule that applies to the zone you are protecting.
- Commityour changes.
- If the Application Command Center (ACC) on your firewall indicates a GTP problem that you want to troubleshoot, select and look for the GTP packet capture icon (
) at the beginning
of rows that capture troublesome GTP packets. In those rows you’ll
see the GTP Event Type (such as GTP-in-GTP), the international mobile
subscriber identity (IMSI), source and destination IP address of
the packet, and other information.
- If you want more details to verify the event, click the download icon (
) to download
a packet capture file.
- Exportthe file to readable format and verify that the details support the GTP event type.
In this packet capture example, the packet has two headers titledGPRS Tunneling Protocol; a GTP header inside another GTP header verifies that the GTP-in-GTP event is not a false positive; it’s identified as a GTP-in-GTP attack.