[Snort-users] Snort and GTP encapsulation info

Ana Serrano Mamolar B00315494 at ...17757...
Wed Feb 8 14:54:16 EST 2017

Hi all,

Again with an encapsulation question.

I am trying to understand how Snort manages GTP encapsulation, which I know is supported. I have already enabled GTP in my config file with "config enable_gtp".

I run Snort with different pcaps that I have that include GTP, trying to see what info I obtain from Snort, with a very silly rule to be sure that it is triggered.

My question is the following: does somebody know where in the database the TEID (tunnel identifier) of the packet that triggered the alert is stored? I have seen in the Snort source code that it's parsed, but then I cannot find it in the database.
