Tshark doesn't have built-in support for GTP but we can use offset to capture it.
Here is the example:
tshark -i p1p2 -f "((ip[48:4]==0x0AE0262E) or (ip[52:4]==0x0AE0262E)) and ip[58:2]==0x50" -w a.cap
Following offsets are for reference:
48:4 source IP
52:4 dest IP
56:2 src port
58:2 dst port
I got this from this link:
https://ask.wireshark.org/questions/31649/capture-filters-with-gtp-encapsulated-udp-packets
No comments:
Post a Comment