Wireshark · Ethereal-users: RE: [Ethereal-users] GTP unknown for UDP packets

Ethereal-users: RE: [Ethereal-users] GTP unknown for UDP packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Anders Broman (AL/EAB)" <anders.broman@xxxxxxxxxxxx>

Date: Wed, 9 Nov 2005 09:37:25 +0100

Hi,
I assume the first packets are sent from port 2152 which is the "well known port" of GTP
gtp-user        2152/tcp   GTP-User Plane (3GPP)
gtp-user        2152/udp   GTP-User Plane (3GPP)
Hence ethereal tries to decode this as GTP, you could dissable the GTP protocol or use "decode as" for the protocol actually
Used on top of UDP.

Brg
Anders 

-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Robert Ångström
Sent: den 8 november 2005 21:40
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] GTP unknown for UDP packets

Have a question regarding an observation I made when inspecting multicast traffic.
Rather than seeing the UDP source/destination port do I see "GTP Unknown" [ref below excerpt], now trying to understand why I see this (See the source address ok on the same packets when inspecting the traffic further down streams using snoop so it seems to be an ethereal issue)


root@us01ndadfsniffer01 root]#
/usr/local/bin/tethereal -i eth1 -ta udp|egrep "GTP Unknown"
Capturing on eth1
14:43:46.201231 206.200.6.37 -> 224.0.17.37  GTP Unknown
14:43:46.301233 206.200.6.37 -> 224.0.17.37  GTP Unknown
14:43:46.351391 206.200.6.37 -> 224.0.17.37  GTP Unknown
14:43:46.402134 206.200.6.37 -> 224.0.17.37  GTP Unknown
14:43:46.452912 206.200.6.37 -> 224.0.17.37  GTP Unknown


#expected format

[root@us01ndadfsniffer01 root]#
/usr/local/bin/tethereal -i eth1 -ta udp|egrep "224\.0\.17\.39"
Capturing on eth1
15:03:43.913780 206.200.6.39 -> 224.0.17.39  UDP Source port: 2153  Destination port: 55295
15:03:43.916962 206.200.6.39 -> 224.0.17.39  UDP Source port: 2153  Destination port: 55295
15:03:43.965605 206.200.6.39 -> 224.0.17.39  UDP Source port: 2153  Destination port: 55295
15:03:44.014957 206.200.6.39 -> 224.0.17.39  UDP Source port: 2153  Destination port: 55295

#ethereal version info

root@us01ndadfsniffer01 root]#
/usr/local/bin/tethereal -h
This is GNU tethereal 0.10.4
 (C) 1998-2004 Gerald Combs <gerald@xxxxxxxxxxxx> Compiled with GLib 1.2.10, with libpcap 0.8.3, with libz 1.1.4, without libpcre, without UCD-SNMP or Net-SNMP, without ADNS.
NOTE: this build does not support the "matches"
operator for Ethereal filter
syntax.

Running with libpcap version 0.8.3 on Linux 2.4.20-8.



Regards
Robert

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users

Prev by Date: [Ethereal-users] Patching ethereal from 0.10.12-6 to 0.10.13
Next by Date: RE: [Ethereal-users] Is it possible to supress ICQ: Unknown versionmessage?
Previous by thread: [Ethereal-users] GTP unknown for UDP packets
Next by thread: [Ethereal-users] Patching ethereal from 0.10.12-6 to 0.10.13
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$