GTPv2 Plugin

This plugin dissects GTPv2 signaling information (GTP-C) and saves it in dump files as well export the information via NetFlow/IPFIX using the following information elements.

%GTPV2_REQ_MSG_TYPE               GTPv2 Request Msg Type
%GTPV2_RSP_MSG_TYPE               GTPv2 Response Msg Type
%GTPV2_C2S_S1U_GTPU_TEID          GTPv2 Client->Svr S1U GTPU TEID
%GTPV2_C2S_S1U_GTPU_IP            GTPv2 Client->Svr S1U GTPU IP
%GTPV2_S2C_S1U_GTPU_TEID          GTPv2 Srv->Client S1U GTPU TEID
%GTPV2_S2C_S1U_GTPU_IP            GTPv2 Srv->Client S1U GTPU IP
%GTPV2_END_USER_IMSI              GTPv2 End User IMSI
%GTPV2_APN_NAME                   GTPv2 APN Name
%GTPV2_ULI_MCC                    GTPv2 Mobile Country Code
%GTPV2_ULI_MNC                    GTPv2 Mobile Network Code
%GTPV2_ULI_CELL_TAC               GTPv2 Tracking Area Code
%GTPV2_ULI_CELL_ID                GTPv2 Cell Identifier
%GTPV2_RESPONSE_CAUSE             GTPv2 Cause of Operation

The plugin supports the following command line options that are used to specify where the (optional) GTP log file is saved. As previously described for -P, dumps are nested in directories. It is possible to instruct nProbe to execute a command when a directory (not a log file) if fully dumped (i.e. nProbe has moved to the next directory in time order).

--gtpv2-dump-dir <dump dir> Directory where GTP logs will be dumped
--gtpv2-exec-cmd <cmd>    Command executed whenever a directory has been dumped

Please note that GTP-U is not handled by this plugin but rather by the nProbe core when the –tunnel option is used.


As this plugin dissects traffic packets, it is only available when nProbe is used in probe mode.