GTPv2 Plugin

This plugin dissects GTPv2 signaling information (GTP-C) and saves it in dump files as well export the information via NetFlow/IPFIX using the following information elements.

%GTPV2_REQ_MSG_TYPE               GTPv2 Request Msg Type
%GTPV2_RSP_MSG_TYPE               GTPv2 Response Msg Type
%GTPV2_C2S_S1U_GTPU_TEID          GTPv2 Client->Svr S1U GTPU TEID
%GTPV2_C2S_S1U_GTPU_IP            GTPv2 Client->Svr S1U GTPU IP
%GTPV2_S2C_S1U_GTPU_TEID          GTPv2 Srv->Client S1U GTPU TEID
%GTPV2_S2C_S1U_GTPU_IP            GTPv2 Srv->Client S1U GTPU IP
%GTPV2_END_USER_IMSI              GTPv2 End User IMSI
%GTPV2_APN_NAME                   GTPv2 APN Name
%GTPV2_ULI_MCC                    GTPv2 Mobile Country Code
%GTPV2_ULI_MNC                    GTPv2 Mobile Network Code
%GTPV2_ULI_CELL_TAC               GTPv2 Tracking Area Code
%GTPV2_ULI_CELL_ID                GTPv2 Cell Identifier
%GTPV2_RESPONSE_CAUSE             GTPv2 Cause of Operation

The plugin supports the following command line options that are used to specify where the (optional) GTP log file is saved. As previously described for -P, dumps are nested in directories. It is possible to instruct nProbe to execute a command when a directory (not a log file) if fully dumped (i.e. nProbe has moved to the next directory in time order).

--gtpv2-dump-dir <dump dir> Directory where GTP logs will be dumped
--gtpv2-exec-cmd <cmd>    Command executed whenever a directory has been dumped

Please note that GTP-U is not handled by this plugin but rather by the nProbe core when the –tunnel option is used.