I have a question regarding an observation I made when inspecting multicast traffic.
Rather than seeing the UDP source/destination ports, I see "GTP Unknown" [see the excerpt below], and I am now trying to understand why.
(I see the source address OK on the same packets when inspecting the traffic further downstream using snoop, so it seems to be an ethereal issue.)
[root@us01ndadfsniffer01 root]# /usr/local/bin/tethereal -i eth1 -ta udp|egrep "GTP Unknown"
Capturing on eth1
14:43:46.201231 206.200.6.37 -> 224.0.17.37 GTP Unknown
14:43:46.301233 206.200.6.37 -> 224.0.17.37 GTP Unknown
14:43:46.351391 206.200.6.37 -> 224.0.17.37 GTP Unknown
14:43:46.402134 206.200.6.37 -> 224.0.17.37 GTP Unknown
14:43:46.452912 206.200.6.37 -> 224.0.17.37 GTP Unknown
#expected format
[root@us01ndadfsniffer01 root]# /usr/local/bin/tethereal -i eth1 -ta udp|egrep "224\.0\.17\.39"
Capturing on eth1
15:03:43.913780 206.200.6.39 -> 224.0.17.39 UDP Source port: 2153 Destination port: 55295
15:03:43.916962 206.200.6.39 -> 224.0.17.39 UDP Source port: 2153 Destination port: 55295
15:03:43.965605 206.200.6.39 -> 224.0.17.39 UDP Source port: 2153 Destination port: 55295
15:03:44.014957 206.200.6.39 -> 224.0.17.39 UDP Source port: 2153 Destination port: 55295
#ethereal version info
[root@us01ndadfsniffer01 root]# /usr/local/bin/tethereal -h
This is GNU tethereal 0.10.4
(C) 1998-2004 Gerald Combs <gerald@xxxxxxxxxxxx>
Compiled with GLib 1.2.10, with libpcap 0.8.3, with libz 1.1.4, without libpcre,
without UCD-SNMP or Net-SNMP, without ADNS.
NOTE: this build does not support the "matches" operator for Ethereal filter syntax.
Running with libpcap version 0.8.3 on Linux 2.4.20-8.
Regards
Robert
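The following is an added illustration, not code from Robert's post and not Ethereal's own dissector code. It models the mechanism a sniffer uses to pick a sub-dissector for UDP: the payload is handed to a protocol dissector when either port is one the protocol has registered, and that dissector then labels a message type it does not recognise as "Unknown". Whether that is what produced the "GTP Unknown" lines above is an assumption, since the post does not show the ports of those packets; the GTP port numbers (2123, 2152, 3386) and the handful of message types in the table are taken from the GTP specifications rather than from the 0.10.4 tables, and all packet bytes are constructed.

```python
import struct

# Added example, not code from the post or from Ethereal. It models how a
# port-based sniffer decides that a UDP datagram is GTP and then labels an
# unrecognised message type "Unknown". Port numbers and message types are
# assumptions taken from the GTP specs, not from tethereal 0.10.4's tables.

# UDP ports on which a GTP dissector is conventionally registered (assumed).
GTP_PORTS = {2123: "GTP-C", 2152: "GTP-U", 3386: "GTPv0/GTP'"}

# Small assumed subset of GTP message types; anything else reports "Unknown".
GTP_MESSAGE_TYPES = {
    1: "Echo Request",
    2: "Echo Response",
    16: "Create PDP Context Request",
    17: "Create PDP Context Response",
    255: "T-PDU",
}


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP datagram (RFC 768 header, checksum zeroed) around payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_udp(datagram: bytes):
    """Return (sport, dport, payload) from a UDP datagram, validating the length field."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _checksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError(f"bad UDP length {length}")
    return sport, dport, datagram[8:length]


def dissect_gtp(payload: bytes) -> str:
    """Summarise the payload as a GTP PDU the way a sniffer's Info column would."""
    if len(payload) < 2:
        return "GTP [malformed]"
    version = (payload[0] >> 5) & 0x07   # top three bits of the flags octet
    msg_type = payload[1]                # second octet is the message type
    name = GTP_MESSAGE_TYPES.get(msg_type, "Unknown")
    # The summary line only carries the message name; version is a detail field.
    return f"GTP {name}"


def summarize(datagram: bytes, gtp_enabled: bool = True) -> str:
    """Port-based dispatch: a GTP port on either side hands the payload to GTP.

    gtp_enabled=False models disabling the GTP protocol in the sniffer, after
    which the same datagram falls through to the generic UDP summary.
    """
    sport, dport, payload = parse_udp(datagram)
    if gtp_enabled and (sport in GTP_PORTS or dport in GTP_PORTS):
        return dissect_gtp(payload)
    return f"UDP Source port: {sport} Destination port: {dport}"


# Constructed sample datagrams (not captured from the poster's network).
# Payload: flags 0x30 (GTP version 1), message type 0x63 (not in the table).
OPAQUE_PAYLOAD = bytes.fromhex("3063000400000000")
SAMPLES = {
    # Source port 2152 is a GTP port, so this opaque payload becomes "GTP Unknown".
    "gtp_port": build_udp(2152, 55295, OPAQUE_PAYLOAD),
    # Source port 2153 matches no registered dissector: shown as plain UDP.
    "plain": build_udp(2153, 55295, OPAQUE_PAYLOAD),
    # A genuine GTP Echo Request (type 1) on the GTP-C port.
    "echo": build_udp(2123, 2123, bytes.fromhex("3201000000000000")),
}

if __name__ == "__main__":
    for label, dgram in SAMPLES.items():
        print(f"{label:9s} {summarize(dgram)}")
    print("gtp off   " + summarize(SAMPLES["gtp_port"], gtp_enabled=False))
```

The practical check on a real capture is to print the packet tree for the "GTP Unknown" packets (tethereal -V) and compare the UDP port fields against the GTP ports: if one of them matches, the label is the port heuristic at work and the packet itself is intact, which agrees with snoop showing the addresses correctly. The broader caveat for anyone using a sniffer's Protocol column in detection or in traffic audits is that the column is a port-based guess, not a verified classification, so filters and allowlists should key on the UDP port and payload fields rather than on the protocol name.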