Hi all,

When I want to trace my Gn (SGSN-GGSN) or IuPS (SGSN-RNC) interfaces using Wireshark, I'd like to use a Capture Filter (instead of a Display Filter) as I have a lot of traffic going on these interfaces. The GTP protocol is used on those interfaces, so the "inner IP" is encapsulated. See an example of a GTP pcap here: http://goo.gl/ZdFSvu

So if I want to filter only this particular inner IP (10.145.254.1) using "host 10.145.254.1" or "net 10.145.0.0/16", I don't see any packets in my Wireshark, as the "Capture filter" is filtering on the "outer IP" (that is 10.152.10.89 or 10.152.12.101).

With which capture filter string can I achieve this?

Thanks,
Thierry

asked 08 Apr '14, 18:35 tkennes
edited 08 Apr '14, 21:33
One Answer:
For the
Explanation:
I tested the above filter after replaying the capture file using playcap and it worked in my test. See also:
answered 10 Apr '14, 07:37 cmaynard ♦♦

Thanks, it's working perfectly! (10 Apr '14, 11:57) tkennes

That helped me. I was trying to capture ranap only in an IuPS trace; I managed to do it via a display filter after capturing the complete file separately. Let me know if you think there is also any pcaplib (capture filter for ranap). Thanks, Regards, Usama (07 Nov '14, 01:40) Usama Khan
Hi Quadratic,
Yes, I actually need to be selective on a specific UE, or at least on a specific subnet such as 10.145.0.0/16. The problem with using 'udp port 2152' only is that I will still have too many packets, so my Wireshark will start bugging because my PC doesn't have enough memory.
Thanks,
I also tried with something like ip[12:4]=0x0a91fe01, but with no luck, as this filter is done on the "outer IP".
Can you please point me to how I can achieve this?
Thanks
Hmm... one method would be like you're saying, except write the offset all the way into the packet's inner IP.
Other possibilities that come to mind:
If you're using a tap aggregator: unless you need the tunnel header info, most aggregators I've worked with support GTP header stripping as a feature.
If possible, the Gi interface is much easier for user-plane tracing since the GTP encapsulation is gone at that point.
It will possibly take a lot of disk space, but you could write all packets to disk first with something like dumpcap, then use "tshark -r dumpcap-created-file.pcap -R 'ip.addr==xxxx' -w user-specific-file.pcap", which will allow you to use a display filter to search for the inner IP.
How do I write the offset all the way into the packet's inner IP? Using proto ip[x:x] seems to only "search" into the outer IP.
Unfortunately I'm not using a tap aggregator, I'm only mirroring ports on a switch.
Yes, about the Gi interface, in most cases it is enough to get traces. The thing here is that we have some kind of TCP packet loss/buffering/disorder, but we're not completely sure if it is the SGSN, GGSN or RNC having problems. That's why we want to trace on the IuPS and Gn interfaces, so unfortunately GTP-U is used on these interfaces. And as it is live traffic, there are really lots of packets.
Thanks, I will try this if I can't find a way via the offset, unless you have an idea?
Thanks
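A worked version of the offset approach discussed in the comments above, added here as an example (it is not code from the original thread or from cmaynard's answer): it generates a pcap-filter expression that reaches the inner IPv4 addresses of GTP-U G-PDUs and checks the offset arithmetic against a constructed packet. It assumes an IPv4 outer header without fragmentation; pcap-filter's udp[] index operator applies to IPv4 only, so the IPv6 case is not covered.

```python
import ipaddress
import struct

GTPU_PORT = 2152   # GTP-U (user plane) UDP port on Gn and IuPS
# udp[N] is relative to the start of the UDP header: 8 bytes of UDP plus the
# 8-byte mandatory GTP-U header put the inner IP header at udp[16]; if any
# S/E/PN flag (udp[8] & 0x07) is set, 4 optional bytes follow and it starts at
# udp[20] (udp[19] = 0 means no extension headers, so the offset stays fixed).

def inner_ipv4_filter(target):
    """pcap-filter for G-PDUs whose inner src or dst lies in `target`
    (a host like 10.145.254.1 or a network like 10.145.0.0/16)."""
    net = ipaddress.ip_network(target, strict=False)
    mask = f" & {int(net.netmask):#010x}" if net.prefixlen < 32 else ""
    value = f"{int(net.network_address):#010x}"
    def addrs(base):  # inner src at +12 and inner dst at +16 of the inner header
        return " or ".join(f"udp[{base + o}:4]{mask} = {value}" for o in (12, 16))
    short = f"(udp[8] & 0x07 = 0 and ({addrs(16)}))"
    long_ = f"(udp[8] & 0x07 != 0 and udp[19] = 0 and ({addrs(20)}))"
    return f"udp port {GTPU_PORT} and udp[9] = 0xff and ({short} or {long_})"

def udp_field(pkt, offset, size):
    """Value of pcap-filter udp[offset:size] on an IPv4 packet (honours IHL)."""
    ihl = (pkt[0] & 0x0F) * 4
    return int.from_bytes(pkt[ihl + offset:ihl + offset + size], "big")

def inner_matches(pkt, target):
    """The test the generated filter performs, evaluated in Python on `pkt`."""
    net = ipaddress.ip_network(target, strict=False)
    if udp_field(pkt, 2, 2) != GTPU_PORT or udp_field(pkt, 9, 1) != 0xFF:
        return False
    flags = udp_field(pkt, 8, 1)
    base = 16 if flags & 0x07 == 0 else 20 if udp_field(pkt, 19, 1) == 0 else None
    if base is None:          # extension headers present: offset is not fixed
        return False
    return any(ipaddress.IPv4Address(udp_field(pkt, base + o, 4)) in net for o in (12, 16))

def build_gtpu_packet(inner_src, inner_dst, seq=None):
    """Constructed IPv4/UDP/GTP-U/IPv4 packet (no link layer, no payload)."""
    ip4 = lambda a: ipaddress.IPv4Address(a).packed
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                        ip4(inner_src), ip4(inner_dst))
    if seq is None:   # flags 0x30: version 1, PT=1, no optional fields
        gtp = struct.pack("!BBHI", 0x30, 0xFF, len(inner), 0x1234)
    else:             # flags 0x32: S bit set, so seq/N-PDU/next-ext follow
        gtp = struct.pack("!BBHIHBB", 0x32, 0xFF, len(inner) + 4, 0x1234, seq, 0, 0)
    udp = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 8 + len(gtp) + len(inner), 0)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(gtp) + len(inner),
                        0, 0, 64, 17, 0, ip4("10.152.10.89"), ip4("10.152.12.101"))
    return outer + udp + gtp + inner
```

The outer addresses in the constructed packet are the SGSN/GGSN ones quoted in the question, so `ip[12:4]` would match them while `udp[28:4]` (or `udp[32:4]` with the optional GTP-U fields) reaches the inner source address.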
Hi,
Is there a way to do a capture filter for IPv6?
(ip[64:16]==0x2a008a00200000350000000000000011) or (ip6[64:16]==0x2a008a00200000350000000000000011)
I tried both; they don't seem to work.
Thanks! Joseph
@eusjosw, this question has been asked and answered. Please post a new question.