How to enable NetShark's GPRS Tunneling Protocol (GTP) Decoding Feature

Solution Number:
S25960
Last Modified:
2021-04-08
Issue

How to enable NetShark's GPRS Tunneling Protocol (GTP) Decoding Feature?

Solution

GPRS Tunneling Protocol (GTP) decoding was added to NetShark in the 10.5 release. GTP is a group of IP-based communications protocols used by mobile operators to carry GSM/GPRS/LTE traffic on IP networks. It is a tunneling protocol that encapsulates IP packets. NetShark decoding identifies GTPv0, GTPv1 and GTPv2 packets and strips the GTP header (GTP-C and GTP-U), making UDP and TCP packets available for analysis by Packet Analyzer Views, indexing, and flow export. There are no new views for GTP, but new fields for GTP are available in the View Editor (see “Reference” below).

GTP registered port numbers are defined in the default port definitions on NetShark and Packet Analyzer:

gtp-control – 2123 (tcp/udp)
gtp-user – 2152 (tcp/udp)
gprs-data – 3386 (udp)
gprs-sig – 3386 (tcp)

These ports are used to identify a GTP packet. If these definitions are changed, GTP decoding will not work.

 

The parameter packet_parser.skip_gtp_header has been added to the NetShark Advanced Settings. It controls whether the GTP header is stripped or not stripped (the default).

# If packet_parser.skip_gtp_header is set True, the GTP header will be skipped
packet_parser.skip_gtp_header=False

If analyzing local traffic on the Packet Analyzer, packet_parser.skip_gtp_header must be set in the Packet Analyzer configuration file \Users\<user>\AppData\Roaming\Riverbed\SteelCentral Packet Analyzer\<version>\server\configuration\Pilot.Server.conf

The table below summarizes the results of this parameter’s settings.

| packet_parser.skip_gtp_header | GTP Headers | Packet Analyzer | NetProfiler Export |
|---|---|---|---|
| False (default) | Unchanged | GTP packets are analyzed | GTP packets |
| True | Stripped | UDP/TCP packets are analyzed | UDP/TCP packets |

 Microflow indexing uses the setting of the GTP parameter: if false, the index is calculated using the GTP header; if true, the index is calculated using the UDP or TCP header.

Reference

Fields about GTP itself

gtp.is_gtp : Indication of whether the packet contains GTP traffic
gtp.header.teid : Tunnel ID in the GTP header
gtp.header.msg_type : Message Type in GTP header
gtp.header.seq_num : Sequence Number in GTP header

Fields about encapsulated IP packet

gtp.encapsulated.bits : Bit count of the encapsulated IP packet
gtp.encapsulated.bytes : Byte count of the encapsulated IP packet
gtp.encapsulated.ip : IP address of the encapsulated IP host
gtp.encapsulated.port : Encapsulated port number of the encapsulated IP packet
gtp.encapsulated.src_ip : IP address of the encapsulated source host
gtp.encapsulated.dst_ip : IP address of the encapsulated destination host
gtp.encapsulated.src_port : source port number of the encapsulated IP packet
gtp.encapsulated.dst_port : destination port number of the encapsulated IP packet
gtp.encapsulated.transport_protocol : transport protocol in the encapsulated IP packet
gtp.encapsulated.port_name : port name in the encapsulated IP packet
gtp.encapsulated.port_group : port group in the encapsulated IP packet

Note: These fields can be used only if packet_parser.skip_gtp_header is set to False.
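
To show where the fields listed above sit in a packet, here is an added example (not Riverbed code, and not how NetShark is implemented) that decodes a GTPv1-U payload on the gtp-user port and exposes the encapsulated IPv4 flow. The function name decode_gtpu, the use of the field names as dictionary keys, and the sample packet are assumptions made for illustration; only GTPv1-U with an IPv4 inner packet is handled.

```python
import ipaddress
import struct

GTP_U_PORT = 2152  # gtp-user port from the definitions above
G_PDU = 0xFF       # GTPv1-U message type that carries a user IP packet

def decode_gtpu(udp_dst_port, payload):
    """Hypothetical helper: decode one UDP payload, or return None if not GTPv1-U."""
    if udp_dst_port != GTP_U_PORT or len(payload) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    # Version must be 1 and the protocol-type bit set; length must fit the capture.
    if flags >> 5 != 1 or not flags & 0x10 or len(payload) < 8 + length:
        return None
    out = {"gtp.is_gtp": True, "gtp.header.teid": teid,
           "gtp.header.msg_type": msg_type, "gtp.header.seq_num": None}
    offset = 8
    if flags & 0x07:  # any of E, S, PN set: 4 optional bytes follow the TEID
        if length < 4:
            return None
        seq, _npdu, next_ext = struct.unpack("!HBB", payload[8:12])
        out["gtp.header.seq_num"] = seq if flags & 0x02 else None
        offset = 12
        while flags & 0x04 and next_ext:  # walk extension headers (4-byte units)
            ext_len = payload[offset] * 4 if offset < 8 + length else 0
            if ext_len == 0 or offset + ext_len > 8 + length:
                return None
            next_ext = payload[offset + ext_len - 1]
            offset += ext_len
    inner = payload[offset:8 + length]  # what remains once the GTP header is stripped
    if msg_type == G_PDU and len(inner) >= 20 and inner[0] >> 4 == 4:
        ihl, proto = (inner[0] & 0x0F) * 4, inner[9]
        out["gtp.encapsulated.bytes"] = len(inner)
        out["gtp.encapsulated.src_ip"] = str(ipaddress.IPv4Address(inner[12:16]))
        out["gtp.encapsulated.dst_ip"] = str(ipaddress.IPv4Address(inner[16:20]))
        out["gtp.encapsulated.transport_protocol"] = proto
        if proto in (6, 17) and ihl >= 20 and len(inner) >= ihl + 4:  # TCP or UDP
            sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
            out["gtp.encapsulated.src_port"] = sport
            out["gtp.encapsulated.dst_port"] = dport
    return out

# Constructed sample: G-PDU (S flag, TEID 0xABCD, seq 7), inner 10.0.0.1:40000 -> 192.0.2.53:53
INNER = struct.pack("!BBHHHBBH4s4sHHHH", 0x45, 0, 28, 0, 0, 64, 17, 0,
                    bytes([10, 0, 0, 1]), bytes([192, 0, 2, 53]), 40000, 53, 8, 0)
SAMPLE = struct.pack("!BBHIHBB", 0x32, G_PDU, 4 + len(INNER), 0xABCD, 7, 0, 0) + INNER

if __name__ == "__main__":
    print(decode_gtpu(GTP_U_PORT, SAMPLE))
```

The outer UDP flow of such a packet is always between the two tunnel endpoints, so the inner source and destination shown here are only visible to analysis when the GTP header is parsed or stripped.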

 

Environment

 NetShark 

Asked for in AR11 via

https://steelcentral.ideas.riverbed.com/ideas/AR-I-151
