ntop / nProbe

Open source components and extensions for nProbe
http://ntop.org
GNU General Public License v2.0

Export for %GTPV2_REQ_MSG_TYPE and %GTPV2_RSP_MSG_TYPE not working in v9.5 and v9.7 #503

Open dnotivol opened 3 years ago

dnotivol commented 3 years ago

Hello,

We recently upgraded nprobe on a server, moving from v.8.7.181005 (r6312) to v.9.5.210716 (r7377) (and later to v9.7.210803 (r7412)). With this change, we've detected that the information in the fields %GTPV2_REQ_MSG_TYPE and %GTPV2_RSP_MSG_TYPE stopped getting populated.

Listening to the same trace in releases 9.5 and 9.7 and in previous releases (8.6, 8.7, 9.4) results in a different output, with these 2 fields being blank (0) in the 9.7 release.

In the nprobe help I don't find that the names of the fields have changed, and there are no warnings for them in the logs. Is there any config adjustment we'd need to do for these releases? Thanks.

Below you can find the configuration and output for a test. We can provide the pcap for the tests as well.

The configuration for the tests:

-n=none
-i=/var/tmp/20210803.pcap
--flow-templ="%IPV4_SRC_ADDR %IPV4_DST_ADDR %IN_PKTS %IN_BYTES %OUT_PKTS %OUT_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %PROTOCOL %L7_PROTO_NAME %SRC_IP_COUNTRY %DST_IP_COUNTRY %SSL_SERVER_NAME %UPSTREAM_TUNNEL_ID %DOWNSTREAM_TUNNEL_ID %UNTUNNELED_IPV4_SRC_ADDR %UNTUNNELED_IPV4_DST_ADDR %GTPV2_REQ_MSG_TYPE %GTPV2_RSP_MSG_TYPE %GTPV2_C2S_S1U_GTPU_TEID %GTPV2_C2S_S1U_GTPU_IP %GTPV2_S2C_S1U_GTPU_TEID %GTPV2_S5_S8_GTPC_TEID %GTPV2_S2C_S1U_GTPU_IP %GTPV2_C2S_S5_S8_GTPU_TEID %GTPV2_S2C_S5_S8_GTPU_TEID %GTPV2_C2S_S5_S8_GTPU_IP %GTPV2_S2C_S5_S8_GTPU_IP %GTPV2_END_USER_IMSI %GTPV2_END_USER_MSISDN %GTPV2_APN_NAME %GTPV2_ULI_MCC %GTPV2_ULI_MNC %GTPV2_ULI_CELL_TAC %GTPV2_ULI_CELL_ID %GTPV2_RESPONSE_CAUSE %GTPV2_RAT_TYPE %GTPV2_PDN_IP %GTPV2_END_USER_IMEI %GTPV2_C2S_S5_S8_GTPC_IP %GTPV2_S2C_S5_S8_GTPC_IP %GTPV2_C2S_S5_S8_SGW_GTPU_TEID %GTPV2_S2C_S5_S8_SGW_GTPU_TEID %GTPV2_C2S_S5_S8_SGW_GTPU_IP %GTPV2_S2C_S5_S8_SGW_GTPU_IP"
-P=/media/data1/nprobe/flows-test
-D=t 
--tunnel
-b=1

Output excerpt in 9.7.210803-7412:

IPV4_SRC_ADDR|IPV4_DST_ADDR|IN_PKTS|IN_BYTES|OUT_PKTS|OUT_BYTES|FIRST_SWITCHED|LAST_SWITCHED|L4_SRC_PORT|L4_DST_PORT|PROTOCOL|L7_PROTO_NAME|SRC_IP_COUNTRY|DST_IP_COUNTRY|UPSTREAM_TUNNEL_ID|DOWNSTREAM_TUNNEL_ID|UNTUNNELED_IPV4_SRC_ADDR|UNTUNNELED_IPV4_DST_ADDR|GTPV2_REQ_MSG_TYPE|GTPV2_RSP_MSG_TYPE|GTPV2_C2S_S1U_GTPU_TEID|GTPV2_C2S_S1U_GTPU_IP|GTPV2_S2C_S1U_GTPU_TEID|GTPV2_S5_S8_GTPC_TEID|GTPV2_S2C_S1U_GTPU_IP|GTPV2_C2S_S5_S8_GTPU_TEID|GTPV2_S2C_S5_S8_GTPU_TEID|GTPV2_C2S_S5_S8_GTPU_IP|GTPV2_S2C_S5_S8_GTPU_IP|GTPV2_END_USER_IMSI|GTPV2_END_USER_MSISDN|GTPV2_APN_NAME|GTPV2_ULI_MCC|GTPV2_ULI_MNC|GTPV2_ULI_CELL_TAC|GTPV2_ULI_CELL_ID|GTPV2_RESPONSE_CAUSE|GTPV2_RAT_TYPE|GTPV2_PDN_IP|GTPV2_END_USER_IMEI|GTPV2_C2S_S5_S8_GTPC_IP|GTPV2_S2C_S5_S8_GTPC_IP|GTPV2_C2S_S5_S8_SGW_GTPU_TEID|GTPV2_S2C_S5_S8_SGW_GTPU_TEID|GTPV2_C2S_S5_S8_SGW_GTPU_IP|GTPV2_S2C_S5_S8_SGW_GTPU_IP
172.25.95.229|10.10.248.34|1|51|0|0|1627986552|1627986552|2123|2123|17|GTP||CG|01A01F06|00000000|172.25.95.229|10.10.248.34|0|0|0|0.0.0.0|0|00000000,00000000|0.0.0.0|0|0|0.0.0.0|0.0.0.0||||0|0|0|0|16|0|0.0.0.0||0.0.0.0|0.0.0.0|0|0|0.0.0.0|0.0.0.0
172.25.95.229|10.10.248.34|1|51|0|0|1627986552|1627986552|2123|2123|17|GTP||CG|01A01F06|00000000|172.25.95.229|10.10.248.34|0|0|0|0.0.0.0|0|00000000,00000000|0.0.0.0|0|0|0.0.0.0|0.0.0.0||||0|0|0|0|16|0|0.0.0.0||0.0.0.0|0.0.0.0|0|0|0.0.0.0|0.0.0.0
172.25.95.229|10.10.248.34|1|96|0|0|1627986552|1627986552|2123|2123|17|GTP||CG|07172107|00000000|172.25.95.229|10.10.248.34|0|0|0|0.0.0.0|0|00000000,00000000|172.25.95.249|0|0|0.0.0.0|0.0.0.0||||0|0|0|0|16|0|0.0.0.0||0.0.0.0|0.0.0.0|0|0|0.0.0.0|0.0.0.0
172.25.95.229|10.10.248.34|1|96|0|0|1627986552|1627986552|2123|2123|17|GTP||CG|07172107|00000000|172.25.95.229|10.10.248.34|0|0|0|0.0.0.0|0|00000000,00000000|172.25.95.249|0|0|0.0.0.0|0.0.0.0||||0|0|0|0|16|0|0.0.0.0||0.0.0.0|0.0.0.0|0|0|0.0.0.0|0.0.0.0

Output excerpt in 9.4.210609-7145 release:

IPV4_SRC_ADDR|IPV4_DST_ADDR|IN_PKTS|IN_BYTES|OUT_PKTS|OUT_BYTES|FIRST_SWITCHED|LAST_SWITCHED|L4_SRC_PORT|L4_DST_PORT|PROTOCOL|L7_PROTO_NAME|SRC_IP_COUNTRY|DST_IP_COUNTRY|UPSTREAM_TUNNEL_ID|DOWNSTREAM_TUNNEL_ID|UNTUNNELED_IPV4_SRC_ADDR|UNTUNNELED_IPV4_DST_ADDR|GTPV2_REQ_MSG_TYPE|GTPV2_RSP_MSG_TYPE|GTPV2_C2S_S1U_GTPU_TEID|GTPV2_C2S_S1U_GTPU_IP|GTPV2_S2C_S1U_GTPU_TEID|GTPV2_S5_S8_GTPC_TEID|GTPV2_S2C_S1U_GTPU_IP|GTPV2_C2S_S5_S8_GTPU_TEID|GTPV2_S2C_S5_S8_GTPU_TEID|GTPV2_C2S_S5_S8_GTPU_IP|GTPV2_S2C_S5_S8_GTPU_IP|GTPV2_END_USER_IMSI|GTPV2_END_USER_MSISDN|GTPV2_APN_NAME|GTPV2_ULI_MCC|GTPV2_ULI_MNC|GTPV2_ULI_CELL_TAC|GTPV2_ULI_CELL_ID|GTPV2_RESPONSE_CAUSE|GTPV2_RAT_TYPE|GTPV2_PDN_IP|GTPV2_END_USER_IMEI|GTPV2_C2S_S5_S8_GTPC_IP|GTPV2_S2C_S5_S8_GTPC_IP|GTPV2_C2S_S5_S8_SGW_GTPU_TEID|GTPV2_S2C_S5_S8_SGW_GTPU_TEID|GTPV2_C2S_S5_S8_SGW_GTPU_IP|GTPV2_S2C_S5_S8_SGW_GTPU_IP
172.25.95.229|10.10.248.34|1|51|0|0|1627987725|1627987725|2123|2123|17|GTP||CG|01A01F06|00000000|172.25.95.229|10.10.248.34|0x00|0x25|0x00000000|0.0.0.0|0x00000000|00000000,00000000|0.0.0.0|0x00000000|0x00000000|0.0.0.0|0.0.0.0||||0|0|0|0|16|0|0.0.0.0||0.0.0.0|0.0.0.0|0x00000000|0x00000000|0.0.0.0|0.0.0.0
172.25.95.229|10.10.248.34|1|51|0|0|1627987725|1627987725|2123|2123|17|GTP||CG|01A01F06|00000000|172.25.95.229|10.10.248.34|0x00|0x25|0x00000000|0.0.0.0|0x00000000|00000000,00000000|0.0.0.0|0x00000000|0x00000000|0.0.0.0|0.0.0.0||||0|0|0|0|16|0|0.0.0.0||0.0.0.0|0.0.0.0|0x00000000|0x00000000|0.0.0.0|0.0.0.0
172.25.95.229|10.10.248.34|1|96|0|0|1627987725|1627987725|2123|2123|17|GTP||CG|07172107|00000000|172.25.95.229|10.10.248.34|0x00|0x23|0x00000000|0.0.0.0|0x00C46B3D|00000000,00000000|172.25.95.249|0x00000000|0x00000000|0.0.0.0|0.0.0.0||||0|0|0|0|16|0|0.0.0.0||0.0.0.0|0.0.0.0|0x00000000|0x00000000|0.0.0.0|0.0.0.0
172.25.95.229|10.10.248.34|1|96|0|0|1627987725|1627987725|2123|2123|17|GTP||CG|07172107|00000000|172.25.95.229|10.10.248.34|0x00|0x23|0x00000000|0.0.0.0|0x00C46B3D|00000000,00000000|172.25.95.249|0x00000000|0x00000000|0.0.0.0|0.0.0.0||||0|0|0|0|16|0|0.0.0.0||0.0.0.0|0.0.0.0|0x00000000|0x00000000|0.0.0.0|0.0.0.0

dnotivol commented 3 years ago

Hello,

Just in case it may help, the problem persists in the current release 9.7.210824-7437. In fact, checking the fields more carefully, it doesn't only affect GTPV2_REQ_MSG_TYPE and GTPV2_RSP_MSG_TYPE. Some other GTPV2 fields are also blank (or zero) in this release, at least: GTPV2_C2S_S1U_GTPU_TEID, GTPV2_S2C_S1U_GTPU_TEID.

dnotivol commented 3 years ago

Hello, please let me know if you need any pcap trace to reproduce this scenario. I can send them to you if needed. Thanks.

lucaderi commented 3 years ago

Fixed in today's version

dnotivol commented 3 years ago

Thanks Luca, I just upgraded the system and we're already seeing the GTPv2 fields being populated.

However, we're seeing a change in GTPV2_REQ_MSG_TYPE and GTPV2_RSP_MSG_TYPE: they are not in hexadecimal any more, they're now in decimal format. Is this change final?
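
Added example, not part of the thread and not nProbe code: a small parser for the pipe-delimited dump shown above that reads the two message-type columns in either the hexadecimal or the decimal form, and flags GTP flows where both columns are zero, as in the 9.7 excerpt. The sample rows are constructed, with a reduced column set modelled on the excerpts, and all function names are this example's own.

```python
import csv
import io

MSG_FIELDS = ("GTPV2_REQ_MSG_TYPE", "GTPV2_RSP_MSG_TYPE")
GTPC_PORT = 2123  # port carried by the GTP flows in the thread's output

# Constructed samples: a reduced column set modelled on the excerpts above.
HEADER = ("IPV4_SRC_ADDR|IPV4_DST_ADDR|L4_SRC_PORT|L4_DST_PORT|L7_PROTO_NAME|"
          "GTPV2_REQ_MSG_TYPE|GTPV2_RSP_MSG_TYPE\n")
FLOW = "172.25.95.229|10.10.248.34|2123|2123|GTP|"
SAMPLE_HEX = HEADER + FLOW + "0x00|0x25\n" + FLOW + "0x00|0x23\n"
SAMPLE_DEC = HEADER + FLOW + "0|37\n" + FLOW + "0|35\n"
SAMPLE_BLANK = HEADER + FLOW + "0|0\n" + FLOW + "0|0\n"


def parse_msg_type(value):
    """Return the message type as int for '0x25' or '37'; None if empty."""
    value = (value or "").strip()
    if not value:
        return None
    return int(value, 16) if value.lower().startswith("0x") else int(value, 10)


def load_flows(text):
    """Parse a '|'-separated dump whose first line is the column header."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter="|"):
        for field in MSG_FIELDS:
            row[field] = parse_msg_type(row.get(field))
        rows.append(row)
    return rows


def msg_types(rows):
    """(request, response) pairs, independent of the textual format."""
    return [tuple(r[f] for f in MSG_FIELDS) for r in rows]


def unpopulated_gtp(rows):
    """GTP flows on the GTP-C port where neither message type is set."""
    return [r for r in rows
            if r["L7_PROTO_NAME"] == "GTP"
            and GTPC_PORT in (int(r["L4_SRC_PORT"]), int(r["L4_DST_PORT"]))
            and not any(r[f] for f in MSG_FIELDS)]


if __name__ == "__main__":
    print(msg_types(load_flows(SAMPLE_HEX)) == msg_types(load_flows(SAMPLE_DEC)))
    print(len(unpopulated_gtp(load_flows(SAMPLE_BLANK))))
```

Running `unpopulated_gtp` over each dump after a collector upgrade gives an early signal that a field has silently stopped being exported, before downstream consumers start treating the zeros as real message types.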