
Port 2152 (UDP) carries GTP-U, the user-data component of the GPRS Tunneling Protocol. Every mobile data session on 3G, 4G, and 5G passes through a GTP-U tunnel. This port is the plumbing of mobile Internet.

The Problem GTP-U Solves

Your phone moves. That is the defining fact of mobile networking, and it creates a problem that wired networking never had to solve.

When you connect to the Internet over Wi-Fi, your laptop gets an IP address and keeps it. The path from your laptop to the server is stable. Routing works the way routing was designed to work.

But when you're on a highway, your phone is handing off between towers every few minutes. Each tower belongs to a different segment of the carrier's network. A standard IP connection would break every time you handed off — because the IP address your phone was using is no longer reachable at the new location.

GTP-U solves this by wrapping your IP traffic in a tunnel. Your phone gets an IP address assigned by the carrier's gateway. Everything you send gets encapsulated inside GTP-U packets and routed through the cellular core network to that gateway, which then sends it out to the Internet. When you hand off to a new tower, the tunnel endpoint moves — but your IP address doesn't. The session survives. The video keeps playing.

This is the same insight as MPLS and other tunneling protocols, applied to the chaos of mobile networks at massive scale.1

How It Works

GTP-U runs on UDP, port 2152. Each tunnel is identified by a TEID — a Tunnel Endpoint Identifier, a 32-bit random number assigned when the session is established.2

When you open an app on your phone, the cellular network creates a PDP context (in 3G) or a bearer (in 4G/5G): a logical session with a TEID at each end. Your data travels like this:

[Your phone] → [Radio tower] → [GTP-U tunnel on port 2152] → [Core gateway] → [Internet]

The GTP-U header is minimal — just 8 bytes for the basic header. It carries the TEID and the payload length, then your original IP packet follows inside. The gateway strips the GTP-U wrapper and forwards your real IP packet to the destination. The destination server sees a normal IP packet and has no idea it traveled through a cellular tunnel to get there.

When you hand off to a new tower, the tunnel's endpoint is updated, but the TEID stays the same. Your IP address never changes. The server you're talking to never knows you moved.3
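The header layout described above, as an added example that is not part of the original page: a parser for the UDP payload seen on port 2152. It goes beyond the basic 8-byte header by also skipping the optional sequence-number block and any extension headers that GTPv1-U allows; the sample datagram, TEID and addresses are constructed for illustration.

```python
import ipaddress
import struct

G_PDU = 0xFF  # message type that carries an encapsulated user packet

def parse_gtpu(datagram: bytes) -> dict:
    """Parse one GTPv1-U datagram (the UDP payload on port 2152)."""
    if len(datagram) < 8:
        raise ValueError("shorter than the 8-byte mandatory header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not GTPv1 (version 1, protocol type GTP)")
    # The length field counts everything after the mandatory 8 bytes.
    if length != len(datagram) - 8:
        raise ValueError("length field disagrees with datagram size")
    offset = 8
    if flags & 0x07:  # any of E, S, PN set: 4 optional bytes follow
        if len(datagram) < 12:
            raise ValueError("optional fields truncated")
        _seq, _npdu, next_ext = struct.unpack("!HBB", datagram[8:12])
        offset = 12
        # Extension headers: first byte is the length in 4-byte units,
        # last byte is the type of the next extension (0 ends the chain).
        while flags & 0x04 and next_ext:
            if offset >= len(datagram):
                raise ValueError("extension header truncated")
            ext_len = datagram[offset] * 4
            if ext_len == 0 or offset + ext_len > len(datagram):
                raise ValueError("malformed extension header")
            next_ext = datagram[offset + ext_len - 1]
            offset += ext_len
    return {"msg_type": msg_type, "teid": teid, "payload": datagram[offset:]}

def inner_addresses(payload: bytes) -> tuple:
    """Source and destination of the tunnelled IPv4 packet."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return (str(ipaddress.ip_address(payload[12:16])),
            str(ipaddress.ip_address(payload[16:20])))

# Constructed sample: basic header (TEID 0x1A2B3C4D) + a bare IPv4 header
# from 10.45.0.2 to 192.0.2.10. Not captured traffic.
SAMPLE = bytes.fromhex("30ff00141a2b3c4d"
                       "4500001400000000401100000a2d0002c000020a")

if __name__ == "__main__":
    pkt = parse_gtpu(SAMPLE)
    print(hex(pkt["teid"]), inner_addresses(pkt["payload"]))
```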

The History

GTP emerged in 1997 as part of 3GPP Release 97, the specification that first defined GPRS — General Packet Radio Service — the technology that brought packet-switched data to 2G GSM networks. Before GPRS, mobile networks carried only circuit-switched voice. GPRS was the first time a phone could be "always on" for data.4

The protocol was originally standardized by ETSI (GSM standard 09.60), then absorbed into 3GPP as the organization took over mobile standards. As networks evolved — from 2G to 3G (UMTS) to 4G (LTE) to 5G NR — GTP-U evolved with them, but the basic architecture held: user data tunneled through the core on UDP port 2152.5

GTP comes in two flavors:

  • GTP-C (control plane): runs on port 2123, handles session establishment and teardown
  • GTP-U (user plane): runs on port 2152, carries the actual data

The split between control and user plane in GTP presaged the architectural philosophy that would later define 5G's Service-Based Architecture — separate the signaling from the data flow.

GTP-U in 4G and 5G

In LTE (4G), GTP-U runs on the S1-U interface between the eNodeB (cell tower) and the S-GW (Serving Gateway), and on the S5/S8 interface between the S-GW and P-GW (Packet Data Network Gateway).6 Every byte of 4G data crosses at least two GTP-U tunnels.

In 5G, GTP-U continues on the N3 interface between the gNB (5G tower) and the UPF (User Plane Function). The 5G core redesigned almost everything — except it kept GTP-U. The protocol that carried a 56 kbps GPRS session in 2000 is the same one that wraps 5G gigabit sessions today.

Security

GTP-U was designed for carrier-internal use. It was never meant to be exposed to the public Internet.

The Shadowserver Foundation actively monitors for GTP-U endpoints reachable from the open Internet and flags them as a security risk. When port 2152 is accessible from outside the carrier's network, the consequences include:7

  • Subscriber spoofing: An attacker who can send forged GTP-U packets can inject traffic into another subscriber's session
  • Tunnel hijacking: With a guessable TEID, an attacker can redirect tunnel traffic
  • DDoS amplification: GTP-U over UDP is exploitable for reflection attacks against carrier infrastructure
  • Roaming interface abuse: International roaming links connect two carriers' GTP infrastructure — a vulnerability in one carrier's GTP implementation can affect subscribers on another

The security community discovered that many 4G/5G infrastructure components exposed GTP on the Internet improperly, allowing attacks from user devices or external networks that reached deep into carrier core infrastructure.8

GTP-U should never be accessible from the public Internet. If you see port 2152 open on a public-facing host, it is misconfigured.
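One way to express the checks a GTP-aware filter applies in front of a user-plane gateway, as an added example rather than code from the original page or any product. The peer network, the TEID-to-subscriber table (which the control plane would populate) and the sample packets are assumptions, and only G-PDUs without extension headers are evaluated.

```python
import ipaddress
import struct

# Assumed for illustration: the networks of RAN/roaming peers allowed to send
# GTP-U, and the tunnel table that GTP-C session setup would maintain.
ALLOWED_PEERS = [ipaddress.ip_network("10.20.0.0/24")]
SESSIONS = {0x1A2B3C4D: ipaddress.ip_address("10.45.0.2")}  # TEID -> subscriber IP

def verdict(outer_src: str, datagram: bytes) -> str:
    """Decide what to do with an uplink datagram received on UDP 2152."""
    src = ipaddress.ip_address(outer_src)
    if not any(src in net for net in ALLOWED_PEERS):
        return "drop: sender is not a known GTP peer"
    if len(datagram) < 8:
        return "drop: truncated header"
    flags, msg_type, length, teid = struct.unpack_from("!BBHI", datagram)
    if flags >> 5 != 1 or length != len(datagram) - 8:
        return "drop: malformed GTPv1 header"
    if msg_type != 0xFF:
        return "other: path-management message, handled separately"
    if teid not in SESSIONS:
        return "drop: no active tunnel for this TEID"
    if flags & 0x04:
        return "inspect: extension headers need a full parse"
    inner = datagram[12 if flags & 0x03 else 8:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return "drop: inner packet is not IPv4"
    # Anti-spoofing: the tunnelled source must be the address assigned to
    # the subscriber that owns this tunnel.
    if ipaddress.ip_address(inner[12:16]) != SESSIONS[teid]:
        return "drop: inner source does not match the tunnel's subscriber"
    return "forward"

def sample(teid: int, inner_src: str) -> bytes:
    """Constructed G-PDU carrying a bare 20-byte IPv4 header (test data only)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                        ipaddress.ip_address(inner_src).packed,
                        ipaddress.ip_address("192.0.2.10").packed)
    return struct.pack("!BBHI", 0x30, 0xFF, len(inner), teid) + inner

if __name__ == "__main__":
    print(verdict("10.20.0.7", sample(0x1A2B3C4D, "10.45.0.2")))
    print(verdict("203.0.113.9", sample(0x1A2B3C4D, "10.45.0.2")))
```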

How to Check What's Running on Port 2152

On Linux:

# Check for GTP-U listeners (-w avoids matching ports such as 21520)
sudo ss -ulnp | grep -w 2152

# Or with netstat
sudo netstat -ulnp | grep -w 2152

On macOS:

sudo lsof -iUDP:2152

On Windows:

netstat -ano | findstr :2152

GTP-U is also visible in Wireshark. The dissector understands the protocol natively — filter with gtpv1 or gtp to see tunnels and decode TEIDs.

Port    Protocol    Purpose
2123    GTP-C       Control plane — session setup and teardown
2152    GTP-U       User plane — actual data traffic
3386    GTP'        Charging data (CDR) collection

Port 2152: GTP-U — The Tunnel Under Every Mobile Data Session • Connected