Re: Snort for report GTp statistics

[Hui Cao <hcao () sourcefire com>]

Currently, you can't get it without code change.  Details of messages break
down can be seen when you enable debug messages. We will provide the
statistics for GTP-U separately in the future release.

Hui.

On Thu, Jul 5, 2012 at 12:16 PM, Vinayak Malshetty <
Vinayak_Malshetty () mindtree com> wrote:

>  Hi Hui,****
>
> Many Thanks for your reply, I did try by disabling GTP decoding and see
> that below counters get increment****
>
> ** **
>
>
> ===============================================================================
> ****
>
> GTP Preprocessor Statistics****
>
>   Total sessions: 2****
>
>   Total reserved messages: 0****
>
>   Packets with reserved information elements: 0****
>
>   Total messages of version 1: 32****
>
>
> ===============================================================================
> ****
>
> ** **
>
> But my requirement is that does snort report GTP-c and GTP-u stats
> separately, i.e is there any way to  figure out how many GTP-c pkts and
> GTP-u pkts have been received****
>
> ** **
>
> ** **
>
> Regards,****
>
> -Vinayak****
>
> *From:* Hui Cao [mailto:hcao () sourcefire com]
> *Sent:* Thursday, July 05, 2012 7:07 PM
> *To:* snort-users () lists sourceforge net
> *Subject:* Re: [Snort-users] Snort for report GTp statistics****
>
> ** **
>
> You can get GTP_U statistics by not enabling GTP decoding (commenting out
> "config enable_gtp"). After GTP decoding for GTP-U, that message will be
> the actual message when it goes through GTP preprocessor. Therefore, you
> won't get any type of GTP-U pakcets when GTP-U decoding is enabled.
>
> Best,
>
> Hui.
>
> On 07/04/2012 11:53 PM, Vinayak Malshetty wrote: ****
>
>  ****
>
> Hi All,****
>
>  ****
>
> I am using snort for get GTP packets statistics in my conf file I have
> enabled GTP decoder and preprocessor. But snort is reporting statistics for
> GTP-c(signaling messages). Is there any way I can configure snort to report
> both GTP-c and GTP-U packets.****
>
>  ****
>
> My set-up****
>
>  ****
>
> A1  ------------------------------ A2****
>
>                              |****
>
>                              |****
>
>                              |****
>
>                             A3****
>
>  ****
>
> A1,A2 and A3 are linux machines. A1 and A2 behave as GGSS and SGSN whre
> GTP pkts(gtp-c and gtp-u) are sent and received. I am running snort on A3
> to  monitors  GTP packets b/w A1<->A2 and report the GTP statistics. But I
> am getting statistics only for GTP-c pkts and not for GTP-U pkts****
>
>  ****
>
> Log:****
>
> ------****
>
>
> ===============================================================================
> ****
>
> GTP Preprocessor Statistics****
>
>   Total sessions: 2****
>
>   Total reserved messages: 0****
>
>   Packets with reserved information elements: 0****
>
>   Total messages of version 1: 12****
>
>
> ===============================================================================
> ****
>
>  ****
>
> Can anyone suggest me is there any-way to report GTP-U statistics. Please
> do let me know if any more info is needed ****
>
>  ****
>
> Many Thanks,****
>
> -Vinayak                                                              ****
>
> ** **
>  ------------------------------
>
>
> http://www.mindtree.com/email/disclaimer.html
>
>
>
> ****
>
> ------------------------------------------------------------------------------****
>
> Live Security Virtual Conference****
>
> Exclusive live event will cover all the ways today's security and ****
>
> threat landscape has changed and how IT managers can respond. Discussions ****
>
> will include endpoint security, mobile security and the latest in malware ****
>
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/****
>
>
>
>
> ****
>
> _______________________________________________****
>
> Snort-users mailing list****
>
> Snort-users () lists sourceforge net****
>
> Go to this URL to change user options or unsubscribe:****
>
> https://lists.sourceforge.net/lists/listinfo/snort-users****
>
> Snort-users list archive:****
>
> http://www.geocrawler.com/redir-sf.php3?list=snort-users****
>
> ** **
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!****
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!