Hello,

In the pcap file, actual user data is passing through a GTPv1 tunnel. Since the file size is huge (10+ GB), Wireshark is not the fastest option. However, when I open the file with another tool, it does not detect any TCP data because it is encapsulated under GTP. So, I am wondering if there are means to extract user data from each packet under GTP and form a separate file. Is it possible?

Wajih

asked 04 Sep '13, 22:15 by Wajih Ur Rehman
2 Answers:
You could use tshark and extract whatever you need. However, with a 10 GByte file, the processing speed will be (kind of) moderate, obviously depending on your system specs.

Please see the Wireshark docs for more/other GTP fields. If that is not what you want/need, please add more details in your question.

Regards

answered 06 Sep '13, 01:04 by Kurt Knochner ♦
For all the TCP-related packets of interest, are the IP and GTP headers all a constant size? IP is probably a fixed 20 bytes, UDP is 8 bytes, but I'm not sure about the GTP header. Anyway, if it does have the same size for all relevant packets, then you can use ... then map DLT user1 to IP in Wireshark using ... If the other program can't read that file due to its encapsulation, then you can dispense with the ...

Basic steps:

answered 06 Sep '13, 12:24 by cmaynard ♦♦, edited 06 Sep '13, 13:45

Thank you, I will try that and will let you know if it works. (07 Sep '13, 22:14) Wajih Ur Rehman

By the way, as of revision 51854, it is now possible to chop bytes from a specified offset, rather than always chopping from either the beginning or end of a packet. By utilizing this new feature, the steps involved are much simpler:

... where ... If you're running on a platform for which the buildbots generate installers, then you ought to be able to use an automated build with that revision (or later) once the buildbots successfully create the installers. If you're on a platform for which no automated installer exists, then you will have to either build from the automated sources or directly from the repository. Or you can wait until 1.12.0 is released next year. Since this would be considered a new feature, it's not going to be backported to 1.10 or 1.8, since no new features go into stable releases. (08 Sep '13, 20:42) cmaynard ♦♦

Hello, Thank you so much. It worked like a charm :) Just an additional value: the GTP header was fixed and of length 08 bytes. With the new feature I just needed to set TBD = 36. Wajih (11 Sep '13, 10:33) Wajih Ur Rehman
Hello Kurt,

Thanks for your help. Please refer to the image below. In each frame we have IP/UDP/GTP (and in GTP we have IP/TCP, which is the user data).

I want to analyse the blue part, remove the red block, insert the blue one over it and form a new pcap file.

Is it possible with some tool or tricks?

Wajih
I think Kurt has already answered a similar question here, suggesting to use bittwiste: http://ask.wireshark.org/questions/9180/strip-off-gtp-headers

I'll also take a look to see if I can add this kind of trace editing to TraceWrangler.

I guess bittwiste suffers from the same limitation as editcap though, namely that you can only delete/chop a specific number of bytes from each packet. This may not always work if you're trying to remove one or more headers/layers whose length can vary from packet to packet. I look forward to that capability in TraceWrangler! ;)
Just uploaded a new version of TraceWrangler at http://www.tracewrangler.com, which can now cut GTP-U including the IP and UDP layer as indicated in the screenshot above. Add your traces to the list and create a new "Edit" task. Then check the "Remove GTP-U layer" checkbox on the "Layers" page. It worked for the sample trace I had, but of course I didn't spend much time testing it. Release often, release early :-)

Edit: TraceWrangler assumes Ethernet as layer 2 when cutting GTP-U, so Linux Cooked Headers do not work at the moment. If someone has a trace with GTP-U over SLL it would help to implement and test cooked headers as well.

Edit2: Now Linux Cooked Headers should work as well, and while I was at it I fixed a couple of bugs and added GRE cutting, which works pretty much the same.
When I try to open the trace file, it gives an error "No Start of Standard Time Define".

Is this the latest build you're using? The latest version is "Alpha 0.1.3 build 313", which includes a fix for a bug when the system time zone is set to UTC. For further debugging you can contact me at jasper [ät] packet-foo.com.
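The layer-stripping discussed in this thread (editcap's fixed-offset chop, TraceWrangler's "Remove GTP-U layer"), written out as an added stdlib-only Python example that is not from the thread or from either tool: it locates the GTP-U header in each frame, honours the optional fields and extension headers (the variable-length case raised above), and writes the inner IP packets to a new pcap with link type RAW so another tool sees TCP directly. It assumes Ethernet as layer 2 and a little-endian classic pcap; the sample pcap, addresses and ports below are constructed.

```python
import struct
LINKTYPE_ETHERNET, LINKTYPE_RAW = 1, 101   # output is RAW: each record starts at the inner IP header

def gtpu_header_len(gtp: bytes) -> int:
    """Size of a GTPv1-U header, including the optional fields and any extension headers."""
    n = 8
    if gtp[0] & 0x07:                         # E, S or PN flag set: 4 optional bytes follow
        n = 12
        # E set: walk the extension chain until next-type is 0 (a 0 length is malformed: stop)
        while gtp[0] & 0x04 and gtp[n - 1] != 0 and gtp[n] != 0:
            n += gtp[n] * 4                   # extension header length is in 4-byte units
    return n

def strip_gtpu(frame: bytes, l2_len: int = 14):
    """Return the inner IP packet from an Ethernet/IPv4/UDP/GTP-U frame, or None otherwise."""
    ip = frame[l2_len:]
    if len(ip) < 28 or ip[0] >> 4 != 4 or ip[9] != 17:             # IPv4 carrying UDP only
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]
    if len(udp) < 16 or struct.unpack("!H", udp[2:4])[0] != 2152:  # GTP-U is UDP port 2152
        return None
    gtp = udp[8:]
    if gtp[0] >> 5 != 1 or gtp[1] != 0xFF:                         # GTP version 1, G-PDU
        return None
    end = 8 + struct.unpack("!H", gtp[2:4])[0]   # length field excludes the 8 mandatory bytes
    return gtp[gtpu_header_len(gtp):end]

def strip_pcap(data: bytes) -> bytes:
    """Rewrite a little-endian classic pcap, keeping only GTP-U payloads as raw IP records."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)]
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack("<IIII", data[pos:pos + 16])
        inner = strip_gtpu(data[pos + 16:pos + 16 + incl])
        if inner:
            out.append(struct.pack("<IIII", sec, usec, len(inner), len(inner)) + inner)
        pos += 16 + incl
    return b"".join(out)

def ipv4(proto: int, payload: bytes) -> bytes:   # minimal IPv4 header for the sample, checksum 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

# Constructed sample: one Ethernet/IPv4/UDP/GTP-U frame; S flag set, so the GTP header is 12 bytes.
TCP = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + b"GET / HTTP/1.1\r\n"
INNER = ipv4(6, TCP)
GTP = bytes([0x32, 0xFF]) + struct.pack("!HIHBB", len(INNER) + 4, 0x1234, 7, 0, 0) + INNER
FRAME = b"\x00" * 12 + b"\x08\x00" + ipv4(17, struct.pack("!HHHH", 2152, 2152, 8 + len(GTP), 0) + GTP)
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
               + struct.pack("<IIII", 1378371600, 0, len(FRAME), len(FRAME)) + FRAME)
```

Frames that are not GTP-U over IPv4/UDP are dropped rather than copied, so the output contains only the tunnelled user traffic; for SLL (Linux cooked) captures pass l2_len=16.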