GTP: GPRS Tunneling Protocol
Introduction
This tutorial discusses the plugin gtpDecode.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow gtpDecode txtSink
...
BUILD SUCCESSFUL
If you have not created separate data and results directories yet, do it now in another bash window; it keeps input and output apart and makes the workflow easier:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: gtp.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing GTP traffic!
gtpDecode
Let’s look at the plugin configuration first, from within the gtpDecode plugin directory:
vi src/gtpDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
/* No configuration flags available for gtpDecode */
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
Run t2 on the supplied pcap:
t2 -r ~/data/ -w ~/results/ -s
In the end report, the aggregated gtpStat currently has only one bit set, which states that GTP traffic was seen. Now look at the flow file:
tcol ~/results/gtp_flows.txt
The gtpStat column with value 0x01 is to be interpreted as follows:
bit | gtpStat | Description
=============================================================================
0 | 0x01 | Flow is GTP
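Status columns such as gtpStat are bitfields, so they are best decoded programmatically rather than by eye once more bits are defined. The following is an added example, not code from the Tranalyzer project: it parses a txtSink flow file and decodes gtpStat using the bit table above. It assumes the txtSink layout (tab-separated, first line a header starting with '%' and listing the column names, status values written as hex strings such as 0x01); the embedded sample rows are constructed by hand to mimic a gtp_flows.txt and are not real t2 output.

```python
"""Decode the gtpStat column of a Tranalyzer txtSink flow file.

Added example, not part of the Tranalyzer project. Assumptions: the flow
file is tab-separated, its first line is a header starting with '%'
followed by the column names (the txtSink layout), and gtpStat is written
as a hex string such as 0x01. The sample below is constructed by hand to
mimic a gtp_flows.txt; it is not real t2 output.
"""
from typing import Dict, Iterator, List

# Bit definitions taken from the tutorial's gtpStat table.
GTP_STAT_BITS: Dict[int, str] = {
    0x01: "Flow is GTP",
}

# Constructed sample mimicking ~/results/gtp_flows.txt (columns trimmed).
SAMPLE_FLOW_FILE = "\n".join([
    "%dir\tflowInd\tsrcIP\tdstIP\tsrcPort\tdstPort\tl4Proto\tgtpStat",
    "A\t1\t10.0.0.1\t10.0.0.2\t2152\t2152\t17\t0x01",
    "B\t1\t10.0.0.2\t10.0.0.1\t2152\t2152\t17\t0x01",
    "A\t2\t10.0.0.3\t10.0.0.4\t53\t53\t17\t0x00",
    "A\t3\t10.0.0.5\t10.0.0.6\t443\t443\t6\t0x00",
])


def parse_flow_file(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per flow row, keyed by the header's column names."""
    lines = iter(text.splitlines())
    header = next(lines)
    if not header.startswith("%"):
        raise ValueError("expected a txtSink header line starting with '%'")
    columns = header[1:].strip().split("\t")
    for line in lines:
        if not line.strip() or line.startswith("%"):
            continue  # skip blank lines and repeated header lines
        fields = line.split("\t")
        if len(fields) != len(columns):
            raise ValueError(f"column count mismatch: {line!r}")
        yield dict(zip(columns, fields))


def decode_gtp_stat(value: str) -> List[str]:
    """Translate a gtpStat hex value into the names of its set bits.

    Bits without a known meaning are reported by position, so a newer
    plugin version that defines more bits does not silently lose them.
    """
    stat = int(value, 16)
    names: List[str] = []
    bit = 0
    while stat:
        if stat & 1:
            names.append(GTP_STAT_BITS.get(1 << bit, f"unknown bit {bit}"))
        stat >>= 1
        bit += 1
    return names


def gtp_flows(text: str) -> List[Dict[str, str]]:
    """Return the flow rows whose gtpStat has the 'Flow is GTP' bit set."""
    return [row for row in parse_flow_file(text)
            if int(row["gtpStat"], 16) & 0x01]


if __name__ == "__main__":
    for row in gtp_flows(SAMPLE_FLOW_FILE):
        print(row["dir"], row["flowInd"], row["srcIP"], "->", row["dstIP"],
              decode_gtp_stat(row["gtpStat"]))
```

To run it against real output, read ~/results/gtp_flows.txt into a string and pass it to gtp_flows() instead of SAMPLE_FLOW_FILE; the column lookup is by name, so extra columns from other plugins do not matter.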
Conclusion
Don’t forget to reset the plugin configuration for the next tutorial. gtpDecode has no user configuration flags, so the reset changes nothing here, but it keeps the workflow consistent with the other tutorials:
t2conf gtpDecode --reset && t2build gtpDecode
Have fun analyzing GTP traffic!