Snort mailing list archives

Re: Snort for report GTp statistics


From: Vinayak Malshetty <Vinayak_Malshetty () mindtree com>
Date: Thu, 5 Jul 2012 16:16:20 +0000

Hi Hui,
Many thanks for your reply. I tried disabling GTP decoding and see that the counters below get incremented:

===============================================================================
GTP Preprocessor Statistics
  Total sessions: 2
  Total reserved messages: 0
  Packets with reserved information elements: 0
  Total messages of version 1: 32
===============================================================================

But my requirement is: does Snort report GTP-c and GTP-u stats separately, i.e. is there any way to figure out how 
many GTP-c pkts and GTP-u pkts have been received?


Regards,
-Vinayak

From: Hui Cao [mailto:hcao () sourcefire com]
Sent: Thursday, July 05, 2012 7:07 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort for report GTp statistics

You can get GTP_U statistics by not enabling GTP decoding (commenting out "config enable_gtp"). After GTP decoding for 
GTP-U, that message will be the actual message when it goes through the GTP preprocessor. Therefore, you won't get any type 
of GTP-U packets when GTP-U decoding is enabled.

Best,

Hui.

On 07/04/2012 11:53 PM, Vinayak Malshetty wrote:

Hi All,

I am using Snort to get GTP packet statistics. In my conf file I have enabled the GTP decoder and preprocessor. But Snort 
is reporting statistics for GTP-c (signaling messages). Is there any way I can configure Snort to report both GTP-c and 
GTP-U packets?

My set-up

A1  ------------------------------ A2
                             |
                             |
                             |
                            A3

A1, A2 and A3 are Linux machines. A1 and A2 behave as GGSN and SGSN, where GTP pkts (gtp-c and gtp-u) are sent and 
received. I am running Snort on A3 to monitor GTP packets b/w A1<->A2 and report the GTP statistics. But I am 
getting statistics only for GTP-c pkts and not for GTP-U pkts.

Log:
------
===============================================================================
GTP Preprocessor Statistics
  Total sessions: 2
  Total reserved messages: 0
  Packets with reserved information elements: 0
  Total messages of version 1: 12
===============================================================================

Can anyone suggest whether there is any way to report GTP-U statistics? Please do let me know if any more info is needed.

Many Thanks,
-Vinayak

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
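
Added example (not part of the thread and not Snort code): a stand-alone tally of GTPv1 control-plane and user-plane datagrams, for the separate GTP-c and GTP-u counts asked about above. It assumes the standard UDP ports 2123 (GTP-C) and 2152 (GTP-U) and already-extracted UDP payloads; the function names and sample datagrams are constructed for illustration.

```python
import struct
from collections import Counter

GTP_C_PORT = 2123  # GTP control plane (UDP)
GTP_U_PORT = 2152  # GTP user plane (UDP)
G_PDU = 255        # GTPv1 message type carrying an encapsulated user packet

def classify(sport, dport, payload):
    """Label one UDP datagram by GTPv1 plane, using ports and the 8-byte header."""
    ports = {sport, dport}
    if not ports & {GTP_C_PORT, GTP_U_PORT}:
        return "not-gtp"
    if len(payload) < 8:
        return "malformed"
    flags, msg_type, length = struct.unpack("!BBH", payload[:4])
    if flags >> 5 != 1 or not flags & 0x10:  # want version 1 with PT=1 (GTP, not GTP')
        return "other-version"
    if length != len(payload) - 8:  # length field counts bytes after the mandatory header
        return "malformed"
    if GTP_C_PORT in ports:
        return "gtp-c"
    return "gtp-u data" if msg_type == G_PDU else "gtp-u signalling"

def count(datagrams):
    """Tally labels over an iterable of (sport, dport, udp_payload) tuples."""
    return Counter(classify(*d) for d in datagrams)

def gtp1(flags, msg_type, teid, body):
    """Build a constructed GTPv1 message for the sample data below."""
    return struct.pack("!BBHI", flags, msg_type, len(body), teid) + body

SEQ = b"\x00\x01\x00\x00"  # sequence number, N-PDU number, next extension type
SAMPLES = [  # constructed datagrams, not a capture from the thread
    (34567, 2123, gtp1(0x32, 16, 0, SEQ)),               # Create PDP Context Request
    (2123, 34567, gtp1(0x32, 17, 0x1001, SEQ)),          # Create PDP Context Response
    (2152, 2152, gtp1(0x30, G_PDU, 0x2001, b"E" * 20)),  # G-PDU with dummy inner packet
    (2152, 2152, gtp1(0x30, G_PDU, 0x2001, b"E" * 40)),
    (2152, 2152, gtp1(0x32, 1, 0, SEQ)),                 # Echo Request on the user plane
    (2152, 2152, gtp1(0x30, G_PDU, 0x2001, b"E" * 20)[:-5]),  # truncated G-PDU
    (40000, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00"),    # unrelated UDP
]

if __name__ == "__main__":
    for label, n in sorted(count(SAMPLES).items()):
        print(f"{label:18} {n}")
```

Because it reads only the outer UDP ports and the GTP header, the tally does not depend on whether a decoder has already unwrapped the G-PDU payload.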