ntop / ntopng

Web-based Traffic and Security Network Traffic Monitoring
http://www.ntop.org
GNU General Public License v3.0

GTP flows in 5G pcap only show unidirectional #8192

Open danthomas98 opened 8 months ago

danthomas98 commented 8 months ago

Environment:

What happened: Loading pcap samples in ntopng using the -i flag, filtering for GTP traffic flows, I see only unidirectional flows and only in one direction. I can see there is bidirectional GTP traffic when this pcap is viewed in wireshark.

How did you reproduce it? Yes, I've seen this both in my test and production environment.

Debug Information: (screenshot attached to the original issue)

pcap sample was provided on Telegram community support channel.

lucaderi commented 8 months ago

Please specify an exact 5-tuple flow that has the defect and attach a small pcap that contains some packets of the flow.

danthomas98 commented 8 months ago

https_over_gtp_sample.zip This is a https conversation tunneled through GTP.

ntopng renders only the TLS flows in this sample and shows them as two flows:
{srcip: 192.168.56.101, srcport: 54640, dstip: 10.251.97.6, dstport: 443, proto: tcp}
{srcip: 10.251.97.6, srcport: 443, dstip: 10.60.0.3, dstport: 54640, proto: tcp}

I'd expect to also see the associated GTP flow(s) in ntopng:
{srcip: 10.10.10.3, srcport: 13126, dstip: 192.168.56.101, dstport: 2152, proto: udp}
{srcip: 192.168.56.101, srcport: 2152, dstip: 192.168.2.3, dstport: 2152, proto: udp}

The architecture is such that the client is a container (emulated user equipment) within a VM which connects through another container (emulated gNodeB) on the same VM to then pass through a container (UPF) on a different VM, which then passes the https traffic out to a web server on a third VM. I believe this sample was collected from the VM hosting the UPF container.
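The two GTP-U tuples in the comment above are not mirror images of each other (uplink arrives from 10.10.10.3:13126, downlink leaves towards 192.168.2.3:2152), so a flow tracker that pairs directions purely on the outer UDP 5-tuple sees two unidirectional tunnels, while the inner TCP tuples pair up as one bidirectional conversation. The following is an added, self-contained example, not ntopng's code: it builds two constructed GTP-U G-PDU packets (3GPP TS 29.281 header layout) carrying a TCP/443 exchange, parses the outer and inner 5-tuples plus the TEID, and derives a direction-agnostic flow key for each layer. The inner addresses (10.60.0.3 as UE, 10.251.97.6 as server) and the TEID values are assumptions chosen for the example.

```python
"""Constructed GTP-U packets plus a parser for outer/inner 5-tuples and TEID.
Added example; not ntopng's implementation. Sample addresses are constructed."""
import socket
import struct

GTPU_PORT = 2152
GTPU_G_PDU = 0xFF  # message type for encapsulated user data (T-PDU)


def ip_hdr(src, dst, proto, payload_len):
    # Minimal IPv4 header, no options; checksum left zero (not validated here).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def udp_hdr(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def tcp_hdr(sport, dport):
    # 20-byte TCP header: seq/ack 1, data offset 5, flags PSH|ACK.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)


def gtpu_hdr(teid, payload_len, seq=None):
    flags = 0x30  # version 1, PT=1 (GTP, not GTP'), E/S/PN clear
    if seq is None:
        return struct.pack("!BBHI", flags, GTPU_G_PDU, payload_len, teid)
    # S flag set: 4 optional bytes (seq, N-PDU, next-ext-type) count towards length.
    flags |= 0x02
    return struct.pack("!BBHI", flags, GTPU_G_PDU, payload_len + 4, teid) + \
        struct.pack("!HBB", seq, 0, 0)


def build_gtpu_packet(o_src, o_dst, o_sport, teid, i_src, i_dst, i_sport, i_dport, seq=None):
    inner = ip_hdr(i_src, i_dst, 6, 20) + tcp_hdr(i_sport, i_dport)
    gtp = gtpu_hdr(teid, len(inner), seq) + inner
    udp = udp_hdr(o_sport, GTPU_PORT, len(gtp)) + gtp
    return ip_hdr(o_src, o_dst, 17, len(udp)) + udp


def parse_ipv4(buf):
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20]), buf[ihl:]


def parse_l4(proto, buf):
    sport, dport = struct.unpack("!HH", buf[:4])
    if proto == 17:
        return sport, dport, buf[8:]
    if proto == 6:
        return sport, dport, buf[(buf[12] >> 4) * 4:]
    raise ValueError("unsupported L4 protocol %d" % proto)


def parse_gtpu(buf):
    """Return (teid, inner_packet); inner is None for non-G-PDU messages (e.g. echo)."""
    flags, mtype, length, teid = struct.unpack("!BBHI", buf[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTP version 1")
    if mtype != GTPU_G_PDU:
        return teid, None
    hdr_len = 8
    if flags & 0x07:  # any of E/S/PN set: optional 4 bytes are present
        hdr_len = 12
        next_ext = buf[11]
        while next_ext != 0:  # walk the extension header chain
            ext_len = buf[hdr_len] * 4
            next_ext = buf[hdr_len + ext_len - 1]
            hdr_len += ext_len
    return teid, buf[hdr_len:8 + length]


def flow_key(proto, src, sport, dst, dport):
    # Canonical ordering so both directions of a conversation map to one key.
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def decode(pkt):
    """Return (outer_5tuple, teid, inner_5tuple); inner/teid are None without GTP-U."""
    proto, src, dst, rest = parse_ipv4(pkt)
    sport, dport, payload = parse_l4(proto, rest)
    outer = (proto, src, sport, dst, dport)
    if proto != 17 or GTPU_PORT not in (sport, dport):
        return outer, None, None
    teid, inner_pkt = parse_gtpu(payload)
    if inner_pkt is None:
        return outer, teid, None
    ip, isrc, idst, r = parse_ipv4(inner_pkt)
    isp, idp, _ = parse_l4(ip, r)
    return outer, teid, (ip, isrc, isp, idst, idp)


# Constructed sample: outer tuples from the issue, inner UE<->server tuple assumed.
UPLINK = build_gtpu_packet("10.10.10.3", "192.168.56.101", 13126, 0x1234,
                           "10.60.0.3", "10.251.97.6", 54640, 443, seq=1)
DOWNLINK = build_gtpu_packet("192.168.56.101", "192.168.2.3", 2152, 0x5678,
                             "10.251.97.6", "10.60.0.3", 443, 54640)

if __name__ == "__main__":
    for name, pkt in (("uplink", UPLINK), ("downlink", DOWNLINK)):
        outer, teid, inner = decode(pkt)
        print(name, "outer", outer, "teid", hex(teid), "inner", inner)
        print("  outer key", flow_key(*outer), "inner key", flow_key(*inner))
```

Run stand-alone, the two outer keys differ while the two inner keys are identical: the tunnel hop addresses change per direction but the encapsulated conversation does not, which is the pairing a per-direction outer-tuple view cannot recover.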