Add GPRS Tunnelling Protocol (GTPv1) decapsulation.

This currently supports automatic decapsulation of GTP-U packets on UDP port 2152. The GTPv1 headers for such tunnels can be inspected by handling the "gtpv1_g_pdu_packet" event, which has a parameter of type "gtpv1_hdr". Analyzer and test cases are derived from submissions by Carsten Langer. Addresses #690.
2025-10-17 22:18:20 +00:00 · 2012-10-19 14:02:35 -05:00 · 2012-10-19 14:02:35 -05:00 · 9edbf3e53c
commit 9edbf3e53c
parent 2915e04db4
52 changed files with 670 additions and 2 deletions
--- a/scripts/base/frameworks/tunnels/main.bro
+++ b/scripts/base/frameworks/tunnels/main.bro
@ -88,7 +88,10 @@ redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ayiya_ports] };
 const teredo_ports = { 3544/udp };
 redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] };

-redef likely_server_ports += { ayiya_ports, teredo_ports };
+const gtpv1u_ports = { 2152/udp };
+redef dpd_config += { [ANALYZER_GTPV1] = [$ports = gtpv1u_ports] };
+
+redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1u_ports };

 event bro_init() &priority=5
 	{