
User Guide

Wireshark for IP tracing

2012 NEA

COPYRIGHT © 2011 ALL RIGHTS RESERVED.


ALCATEL-LUCENT — INTERNAL PROPRIETARY — USE PURSUANT TO COMPANY INSTRUCTION
Publication history

AUTHORS: Ion Teodor Stanila, Q. Thinh Nguyen-Vuong

MGR TIPS / Network Engineering & Assurance

Data / Application & Support
Contributors: JR. Nascimento, C. Colin, L. Bonnot
PUBLICATION HISTORY:
• Sept. 2009
  – Version 01
• March 2010
  – Update
    – Capture traffic on live network with Wireshark
    – Analysis Wireshark trace
    – UA7.1 traces decoded
• September 2011
    – Synchronization NTP/PTP/SyncE
    – Some updates
• February 2012
    – Split traces update
    – NBAP plugin installation (workaround)
• May 2012 LTE/LTEPA user guide
• September 2012
    – UE Attachment & Default Bearer Creation
    – X2 Handovers

LIVELINK LOCATION: WIRESHARK NBAP plugin

Contents

1. General Overview
2. Wireshark setting user guide

3. Capture in live network


4. Decoding UA7.1 traces hints
5. LTEPA / LTE interfaces

6. Synchronization NTP/PTP/SyncE
7. Wireshark trace analysis
8. Backup

1
General Overview

Wireshark: Pros vs. Cons

• Pros:
  – Wireshark is a free download and can be run on any laptop
  – Easy to send the traces to anyone without having to convert the file format
  – Provides a simple but powerful display filter language

• Cons:
  – Wireshark can drop captured packets
  – “Out of memory” when capturing a large traffic volume
  – Some protocol stacks cannot be decoded by Wireshark (like Frame Protocol over Iub)
  – Software bugs; its functionalities depend on the laptop network driver & PC

Equipment installation
Mirroring option: Recommended

UL & DL traffic from multiple GIGE interfaces can be captured

[Figure: mirroring setup. Labels: RNC (Lp/14, Eth/x; Lp/15, Eth/x), Iux over IP (Ethernet/Fiber), Router, Iub (IP link), Iu-PS/Iu-CS towards SGSN/MSC, mirroring port, RJ45 (ETH cable), PC ETH card]
(if the router does not have an Ethernet port, an Optical-Copper SFP is needed)

Equipment installation
Splitter option

One-way traffic from only one GIGE interface can be captured

[Figure: splitter setup. Labels: RNC (Lp/14, Eth/x; Lp/15, Eth/x), Iux over IP (Ethernet/Fiber), Iub (IP link), Router, Optical – Ethernet Converter (Rx slot), RJ45 (ETH cable), PC]

Both UL & DL traffic from one GIGE interface can be captured

[Figure: splitter setup. Labels: RNC (Lp/14, Eth/x; Lp/15, Eth/x), Iux over IP (Ethernet/Fiber), Iub (IP link), Router, Switch 6850 with 2 Optical Ports (2 SFP; two Rx slots), RJ45 (ETH cable), PC]

Check list

• Confirm the type of fibers (SX/LX) and connectors (LC/FC/SC) needed
• Mirroring option (recommended), check availability of
  – Mirroring capability of the access routers
    – The dedicated mirroring port must be configured
  – If the mirroring port is Gigabit Optical, need to have
    – A “Copper Ethernet SFP”
    – Or an Optical – Ethernet converter
  – Ethernet RJ-45 cable
  – Laptop with Wireshark
• Splitter option, check availability of
  – Optical splitters
  – 10/100/1000Base-T to 1000Base-SX/LX converter or Omniswitch with associated SFP
  – Ethernet RJ-45 cable
  – Laptop with Wireshark running
2
Wireshark setting guide
(whatever the Iux interface)

Software overview
• Winpcap
  – Mandatory for IP sniffing on Laptop
  – Provided together with the Wireshark software
  – All archived Winpcap versions can be downloaded from http://www.winpcap.org/
  – Stable version is 4.1.2
• Wireshark
  – Wireshark version: 1.6.5 (or later), check http://www.wireshark.org
  – Installation tip: Install Wireshark in the default folder given by cmd.exe
    – Useful in case you need to run the Tshark tool, provided with Wireshark
  – Installation tip: put Windump.exe in a folder reachable from CMD

Software overview

• NBAP plugin installation (ALU internal)
  – If you already have Wireshark running on your machine, please follow this workaround installation:
    – Uninstall Wireshark and delete the entire Wireshark folder (C:\Program Files\Wireshark).
    – Download from LL and unrar libwireshark-1.6.5-40429.rar.
    – Install Wireshark v 1.6.5 and replace only the libwireshark.dll
• Windump
  – Windows version of the popular tcpdump tool
  – Used to capture the IP traffic with a truncated packet size
  – Useful & robust for capturing live network traffic
  – Windump version 4.2.1, download from http://www.winpcap.org/

How to check if Winpcap works well?
• “Winpcap works well” means Wireshark/Windump can
  – see all available network interfaces on the PC (Gigabit Ethernet, WiFi Link, Generic Adapter…)
  – capture the UE trace from a Qualcomm modem/data card (the Generic Adapter needs to be visible)

[Screenshot: From Wireshark: OK. Interfaces listed: Generic dialup Interface, Gigabit Ethernet Interface, Qualcomm USB Modem]

[Screenshot: From Windump: NOK. No generic dialup adapter => cannot take UE trace on this PC]

• Workaround
  – Uninstall the current Winpcap & install the recommended stable Winpcap version
  – Use another laptop PC (avoid Lenovo ThinkPad if possible)

PC setting for capturing in promiscuous mode
• Capturing all traffic that the network card can “see” (i.e. mirrored traffic)
  – Check “capture packets in promiscuous mode” in Wireshark Capture Options
• Configure a dummy IP@ for Local Area Connection
  – Automatic IP@ configuration can also work on many PCs
• No tracing if there is a mismatch between the speed on the PC & mirroring interface (Fast/Gigabit Ethernet)
  – Device manager > Network adapter > Advanced > Link Speed & Duplex
  – “Auto Detect” is recommended (default setting)
  – 100Mbps/1Gbps & Full duplex is desirable (if the auto detect does not work); the selected speed depends on the speed on the mirroring interface
  – Force the mirroring port to the same speed as the network interface card (NIC)

VLAN capture setup issue
• With some PC/Network Interface Cards, you won't necessarily see the VLAN tags in packets when capturing on a VLAN
• Some workarounds to disable the stripping of VLAN tags:
  – http://wiki.wireshark.org/CaptureSetup/VLAN
  – http://www.intel.com/support/network/sb/CS-005897.htm
• The workaround does not necessarily work for every NIC type, so please use another PC/NIC in order not to waste too much time

Wireshark: Quick Launch
• Launch the Wireshark application
  – [icon] → start a new live capture
  – [icon] → stop the running live capture
• Identify the capture interface (in our case, it is a Gigabit network connection)
  – Capture > Interfaces

[Screenshot: interface list, with a callout on the Gigabit interface: “This is the one we used to connect with the RJ45”]

Wireshark Settings capture

• Capture > Options

[Screenshot: Capture Options dialog. Each callout is marked either “Basic, must-know for live network” or “Advanced, useful”:]
– Select the right capture interface (NIC card)
– Check when capturing the mirrored traffic
– Truncate the captured packet (ex: 120 byte)
– Specify only in case you know exactly what you want to capture (ex: ether[70:2]=0x0014)
– Save the trace while capturing
– Check them if you want to see the traces displayed in real-time
– Save in multiple files, scheduled by capturing duration or file size
– Schedule to stop capture
– Click start to capture the traces

Wireshark trace example
[Screenshot: Wireshark main window, with callouts:]
– This is the DISPLAY filter, for example, tcp.analysis.retransmission to display only the TCP retransmission messages.
– Captured messages (time, address, protocol, info)
– Protocol stack of the selected message
– Header + Data coded in hexa

Common display filters
• udp / tcp / sctp / icmp / ranap / sccp / gtp => display only the desired protocol
• sctp && ip.src==10.2.4.9 => display sctp sent from the source having IP@ = 10.2.4.9
• sctp || tcp => display sctp or tcp messages (both tcp & sctp will be displayed)
• tcp.analysis.retransmission => display the TCP retransmission messages
• tcp.analysis.lost_segment => display previous segment lost
• vlan.id == 123 => display the messages having VLAN ID = 123
• For more about the filter expression, go to “Expression”

Quick Analysis
Statistics > Flow graphs

Analyze > Expert Infos

Statistics > TCP stream graph


Wireshark overview: timestamp format
• [Date and Time] & [Time of day]
  – Useful for checking the day and time of measurement
• [Seconds Since Beginning…]
  – Useful for checking trigger points and analyzing time-spans
• [Seconds Since Previous…]
  – Useful for inter-packet arrival time interpretation

(*) From « TCP & Wireshark How-to.ppt » document by TIS/ONE


TCP trace
• Essential to display the time sequence graph to analyze the TCP traffic
  – Usage: detailed analysis of TCP flow control, ACK shapes, spot retransmissions and losses
  – Useful only with traces taken near the TCP data source (FTP server for DL or UE for UL)
  – Select a data packet (not an ACK packet) and go to ‘Statistics’, then ‘TCP time stream graph’ and ‘Time sequence graph – tcptrace’
  – Zoom: click-left ; Unzoom: SHIFT + click-left
  – Find packet: CTRL + click-left on packet (the packet will be highlighted)
  – Move time or sequence number axis: click-right

Throughput graph

• Display instant throughput calculated by Wireshark
  – Usage: throughput dynamics (bandwidth changes, etc)
  – Select a data packet (not an ACK packet) and go to ‘Statistics’, then ‘TCP time stream graph’ and ‘Throughput graph’

RTT graph

• Display TCP RTT: delta between a segment and its ACK. Makes sense only at the sender side.
  – Usage: check E2E RTT (will include buffering time if applicable). Check RTT versus packet losses (possible overflow). Check if TCP is not filling up E2E buffers (low RTT = HSPA RTT)
  – Select a data packet (be careful not to choose an acknowledgement packet) and go to ‘Statistics’, then ‘TCP time stream graph’ and ‘RTT graph’

In-flight data graph

• Display in-flight TCP data: useful at the sending side only.
  – Usage: follow the dynamics of CWIN / in-flight data versus packet loss (buffer overflow)
  – Select a data packet (be careful not to choose an acknowledgement packet) and go to ‘Statistics’, then ‘IO graphs’

3
Capture in live network
Things to know

How to capture in live network?

• A reminder about what “live” means
  – The volume of captured traffic is BIG
    – Traffic rate can reach up to hundreds of Mbps
    – One or two minutes of capturing can generate a 1 GB trace
    – Normal Wireshark capturing == “out of memory” after less than 3 minutes
  – Not trivial to follow your individual call
• How to capture on live?
  – Use Windump to capture the trace
  – Use Wireshark
    – 1. Specify the “capture filter” to take only the desired traffic flow
    – 2. Limit the packet size: truncate to take only the header of each packet
    – 3. Save the trace on multiple small files

Use Windump to capture the trace

• Options to be used with Windump
  – Windump -D : display the interfaces
  – Windump -i 2 -F "filter.txt" -s 120 -C 200 -w filename.pcap
    – -i 2: interface number
    – -F "filter.txt": « Capture filter » expression (see next slide for the filter expression)
    – -s 120: each packet size (byte)
    – -C 200: each file size (unit: 1 MB)
    – -w filename.pcap: trace file name
• Advantages
  – Low resource consumption while capturing (low probability of having packets dropped)
  – Take a big trace with a long duration, no out-of-memory issue
3.1 Example of capture filter design: from Ethernet stack
• Filter the IuPS User Plane trace of the UE whose IP@ is 188.45.9.195
  – The source IP@ 188.45.9.195 is coded in hexa as 0xbc2d09c3 (4 bytes), starting from byte 66
  – Similarly, the destination IP@ 188.45.9.195 is coded with 4 bytes, starting from byte 70

[Screenshot: packet bytes with markers at Pos: 0, Pos: 16, Pos: 66, Pos: 70, Pos: 74]

Capture filter: ether[66:4]=0xbc2d09c3 or ether[70:4]=0xbc2d09c3

Note: if VLAN cannot be captured, the filter becomes
ether[62:4]=0xbc2d09c3 or ether[66:4]=0xbc2d09c3
3.1 Example of capture filter design: from UDP stack

• To avoid depending on the VLAN tag capturing capability, the capture filter can be designed from the UDP stack (instead of Ethernet)

[Screenshot: packet bytes with markers at Pos:0 and Pos:32]

Capture filter: udp[32:4]=0xbc2d09c3

• Another option to filter the IuPS User Plane trace of the UE whose IP@ == 188.45.9.195 is

udp[28:4]=0xbc2d09c3 or udp[32:4]=0xbc2d09c3

3.1 Specify the “capture filter”
• Specify the filter string in the “Capture Filter”
• How to design the filter?
  – Identify what you want to trace
    – User plane traffic of a UE (with known IP@) on IuPS,
    – FTP data only, traffic flow with VLAN ID tag…
  – Identify where and how this information is coded
    – Hexa info in Wireshark trace
  – Write down the capture filter
    – ether[start_pos:byte_length]=0xhexa_info
• Some common capture filters
  – User plane IuPS of a UE with known IP@
    – “udp[28:4]=0xUE_IP_hexa or udp[32:4]=0xUE_IP_hexa”
    – Or with VLAN captured: “ether[66:4]=0xUE_IP_hexa or ether[70:4]=0xUE_IP_hexa”
  – FTP flow only (ftp port + ftp-data port) (without VLAN)
    – “ether[70:2]=0x0014 or ether[72:2]=0x0014 or ether[70:2]=0x0015 or ether[72:2]=0x0015”
  – GTP trace (without VLAN): “ether[42:1]=0x30”
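Added example (not from the original guide): it derives the offsets used in section 3.1 from the header sizes and checks them against constructed frames, showing that the VLAN variant of the filter applied to an untagged capture still matches, but only the downlink direction. It assumes IPv4 without options and an 8-byte GTP-U header; `ue_filter`, `build_frame`, `ether_match` and `direction_coverage` are illustrative names, and every address except the guide's 188.45.9.195 is constructed.

```python
import re
import socket
import struct

# Header sizes behind the guide's fixed offsets. Assumptions: IPv4 without
# options, 8-byte GTP-U header (flags 0x30, no optional fields), at most one
# 802.1Q tag. Any extra header bytes shift every offset below.
ETH, VLAN, IPV4, UDP, GTPU = 14, 4, 20, 8, 8
IP_SRC, IP_DST = 12, 16  # address offsets inside an IPv4 header


def ip_to_hex(ip):
    """Dotted IPv4 address -> 0x-prefixed network-order hex."""
    return "0x" + socket.inet_aton(ip).hex()


def ue_filter(ip, base="udp", vlan=False):
    """Capture filter on the inner (UE) source or destination address."""
    if base == "udp":
        start = UDP + GTPU  # udp[] offsets count from the UDP header
    elif base == "ether":
        start = ETH + (VLAN if vlan else 0) + IPV4 + UDP + GTPU
    else:
        raise ValueError("base must be 'udp' or 'ether'")
    value = ip_to_hex(ip)
    return (f"{base}[{start + IP_SRC}:4]={value} or "
            f"{base}[{start + IP_DST}:4]={value}")


def _ipv4(src, dst, proto, payload_len):
    # Header checksum left at 0: it plays no part in offset matching.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4 + payload_len, 0, 0,
                       64, proto, 0, socket.inet_aton(src),
                       socket.inet_aton(dst))


def build_frame(ue_ip, uplink, vlan_id=None):
    """Constructed IuPS user-plane frame: Eth[/VLAN]/IP/UDP/GTP-U/IP/TCP."""
    peer = "192.0.2.10"  # constructed FTP server address
    tcp_ports = (40000, 21) if uplink else (21, 40000)
    tcp = struct.pack("!HHIIBBHHH", *tcp_ports, 0, 0, 0x50, 0x10, 8192, 0, 0)
    src, dst = (ue_ip, peer) if uplink else (peer, ue_ip)
    inner = _ipv4(src, dst, 6, len(tcp)) + tcp
    gtp = struct.pack("!BBHI", 0x30, 0xFF, len(inner), 0x1234) + inner
    udp = struct.pack("!HHHH", 2152, 2152, UDP + len(gtp), 0) + gtp
    outer = _ipv4("10.0.0.1", "10.0.0.2", 17, len(udp)) + udp
    eth = b"\x02" * 6 + b"\x06" * 6  # constructed MAC addresses
    if vlan_id is not None:
        eth += struct.pack("!HH", 0x8100, vlan_id)
    return eth + struct.pack("!H", 0x0800) + outer


_TERM = re.compile(r"ether\[(\d+):(\d+)\]\s*=\s*0x([0-9a-fA-F]+)")


def ether_match(frame, expr):
    """Evaluate 'ether[o:n]=0x.. or ...' with offsets absolute from byte 0."""
    for off, size, value in _TERM.findall(expr):
        off, size = int(off), int(size)
        if frame[off:off + size] == int(value, 16).to_bytes(size, "big"):
            return True
    return False


def direction_coverage(expr, ue_ip, vlan_id):
    """Which directions of the UE's traffic a filter really captures."""
    return {"uplink": ether_match(build_frame(ue_ip, True, vlan_id), expr),
            "downlink": ether_match(build_frame(ue_ip, False, vlan_id), expr)}


if __name__ == "__main__":
    ue = "188.45.9.195"
    tagged_filter = ue_filter(ue, "ether", vlan=True)
    print(tagged_filter)
    print("tagged capture  :", direction_coverage(tagged_filter, ue, 123))
    # Same filter when the NIC strips the tag: only one direction matches.
    print("untagged capture:", direction_coverage(tagged_filter, ue, None))
```

A trace that contains only one direction of a UE's traffic is therefore a sign that the filter variant does not match how the NIC delivers VLAN tags.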
3.2 Limit the captured packet size
• Advantages:
  – Truncate each captured packet from the beginning to the specified value
  – Having a small trace file: easy for storing & post-processing
  – Same feature as tcpdump or windump
• Be careful
  – A packet truncated too short will not contain all useful header information
  – Truncating packets (without a capture filter) gives the same “out-of-memory” issue
  – Statistics info (like data flow rate, throughput…) cannot be obtained from packet-truncated traces
• Recommended value: 120 bytes
  – Limit each packet to 120 bytes if you want to take the whole IuPS traffic

[Screenshot caption: This HTTP packet is truncated at 120 bytes]

3.3 Save in multiple small files
• Advantages:
  – Recommended to name the trace before capturing (specify the folder where to store the trace as well)
    – In case of an issue with Wireshark (out of memory), the trace is already saved
    – It takes a lot of time to save a big trace after capturing
    – It is hard to stop capturing the trace with Wireshark on a live network
  – Avoid the out-of-memory issue
  – Easy to take a trace on a live network (with the possibility to schedule the capture)
• “Stop capture” can be used to schedule the capturing

[Screenshot: Capture Options. File name: Iu_PS_test1. Each file will be captured during 1 minute, and capturing stops after 10 files (10 minutes)]

Merging capture files

Use drag-and-drop to drop multiple files on the main window. Wireshark will try to merge the
packets in chronological order from the dropped files into a newly created temporary file. If you
drop only a single file, it will simply replace a (maybe) existing one.
3.4 Edit a pcap capture to shorten file length
• Editcap is a program that reads some or all of the captured packets from the input_file, optionally converts them in various ways and writes the resulting packets to the capture output_file
• In general, splitting up files is done with editcap
• Saves a lot of time when opening a big trace captured on a live network
• By default, editcap is located in the Wireshark directory “C:\Program Files\Wireshark>editcap.exe”
  – editcap -c <packets_per_file> input.pcap outputfile.pcap or
  – editcap -v -c <packets_per_file> input.pcap outputfile.pcap in verbose mode

EX
C:\Program Files\Wireshark>editcap.exe -v -c 500000 "D:\AR\IuPS_H.pcap" "D:\AR\Iu_PS"
…… ………………………
Packet: 6863592
Packet: 6863593
Packet: 6863594
Packet: 6863595
Packet: 6863596
Packet: 6863597
Packet: 6863598
Packet: 6863599
Packet: 6863600

To merge the split files, see 3.3

4 Decoding UA7.1 traces hints

Native Iub: Decode NBAP messages
• By default, Wireshark decodes all messages transported over SCTP as M3UA messages
  – In the Wireshark trace, M3UA messages are marked as “RF reserved [Malformed Packet]”
• Right click on the M3UA part → Decode As, select NBAP as Transport over SCTP

IuCS over IP: Decode RTP messages
• By default, Wireshark does not decode UDP data as RTP for IuCS over IP User Plane
• Right click on the data part → Decode As, select RTP as transport over UDP

IuCS over IP: Decode IuUP messages
• The Iu User Plane protocol can be decoded by Wireshark on top of RTP: this makes the timing adjustment messages visible
• Check the RTP Payload type: 127 (in the example below), then go to Preferences/Protocol IuUP/change IuUP dynamic Payload type = 127

[Screenshot: decoded packet with the IuUP part highlighted]

IuPS over IP: Decode RANAP messages
• Sometimes, BSSAP+ is recognized by Wireshark instead of RANAP
• Go to Edit/Preferences/Protocol (BSSAP)/change default SSN used for BSSAP

IuPS over IP: See IP fragmentation packets
• Payload can be fragmented on IuPS UP
• IP fragmentation can be easily seen if “Reassemble fragmented IP datagrams” is checked (Edit/Preferences/Protocols (IP))

5
LTE interfaces / LTEPA

LTEPA 9.3.5

LTEPA was built on the freeware packet sniffer tool Wireshark by providing additional protocol decoders. The
interface of LTEPA is the same as that of Wireshark.

The LTEPA software can be downloaded from: http://mobility.web.alcatel-lucent.com/~ltetool/ltepa/LtepaInstall.htm

NOTE: The LTEPA tool is restricted to internal Alcatel-Lucent use only. It may not be given to customers or
other third parties.

LTEPA decodes the following: S1AP, X2AP, Gn, S3, S6a, S5, Gx, …

If it is necessary to decode S1.x, follow these steps in LTEPA:
- on SCTP messages, select DATA messages and right click Decode As;
- in the SCTP/S1AP window, select the port (3001, 3002 or both, which is recommended) and apply;
- as a filter you can use “s1ap” to display only the messages for S1.x.

The following table describes the different LTE interfaces supported by LTEPA and the corresponding filter strings.

S.No  Interface Name  Filter string
1     S6a             s6a
2     S1-MME          s1ap
3     Gx              gx
4     Gxc             gxc
5     S5/S8           S5_s8/gtp

Primary 3GPP R8 Interfaces and architecture

LTE Standard Reference Points (1 of 2)

S1-MME: Reference point for the control plane protocol between E-UTRAN and MME.
S1-U: Reference point between E-UTRAN and Serving GW for the per bearer user plane tunnelling and inter eNodeB path
switching during handover.
S2a: It provides the user plane with related control and mobility support between trusted non 3GPP IP access and the
Gateway.
S3: It enables user and bearer information exchange for inter 3GPP access network mobility in idle and/or active state.
It is based on Gn reference point as defined between SGSNs.
S4: It provides related control and mobility support between GPRS Core and the 3GPP Anchor function of Serving GW
and is based on Gn reference point as defined between SGSN and GGSN. In addition, if Direct Tunnel is not established,
it provides the user plane tunnelling.
S5-PMIP: It provides user plane tunneling and tunnel management between Serving GW and PDN GW. It is used for
Serving GW relocation due to UE mobility and in case the Serving GW needs to connect to a non collocated PDN GW for
the required PDN connectivity.
S6a: This interface is defined between MME and HSS for authentication and authorization.
S6b: It is the reference point between PDN Gateway and 3GPP AAA server/proxy for mobility related authentication if
needed. This reference point may also be used to retrieve and request storage of mobility parameters. This reference
point may also be used to retrieve static QoS profile for a UE for non-3GPP access in case dynamic PCC is not supported.

S8: It is the roaming interface in case of roaming with home routed traffic. It provides the user plane with related control
between Gateways in the VPLMN and HPLMN.
S9: It provides transfer of (QoS) policy and charging control information between the Home PCRF and the Visited PCRF in
order to support local breakout function. In all other roaming scenarios, S9 has functionality to provide dynamic QoS
control policies from the HPLMN.
S10: This interface is the reference point between MMEs for MME relocation and MME to MME information transfer.
LTE Standard Reference Points (2 of 2)

S11: This interface is the reference point between MME and Serving GW.
S103-U: This interface is the bearer interface between the EPC Serving Gateway and the HSGW.
S101: This interface is the signaling interface between the EPC MME and the evolved HRPD Access Network (eAN/PCF).
Gx: It provides transfer of (QoS) policy and charging rules from PCRF to the Policy and Charging Enforcement Point (PCEF)
in the PDN GW.
Gxa: It provides transfer of (QoS) policy information from PCRF to the Trusted Non-3GPP accesses.
Gxb: This interface is not specified within this release of the specification.
Gxc: It provides transfer of (QoS) policy information from PCRF to the Serving Gateway.
X2: This interface is for eNodeB to eNodeB handoff.

Main interfaces for LTE traces / LTEPA 9.3.5

Lab Setup
enodeB1 – 10.50.240.62
enodeB2 – 10.50.240.63
MME – 10.50.83.33
SGW - 10.50.79.40
PGW – 10.50.81.40
PCRF – 10.50.80.140
UEs – 10.150.21.157

UE Attachment & Default Bearer Creation & X2 Handovers

UE Attachment & Default Bearer Creation & UE Detach

•UE sends an Attach message to the MME to register with the network for service access
(Network Attachment Procedure) (fig. 1, page 50)
•MME will signal the S-GW via a Create Session Request message to establish the default
bearer after successful authentication
•S-GW forwards the request (or via Proxy Binding Update for PMIP) to PDN-GW
•PDN-GW requests the new session policy from the PCRF, then installs the necessary filter for the
new session

Inter-eNB handovers
Handover procedures are controlled by the UE and the eNB (fig. 2, page 51)
•eNB coordinates active mode handovers using the X2 interface
•Data is forwarded from the original eNB to the target eNB during handover
•eNB signals to MME (Path Switch Request) via the S1-MME interface for handover
•MME signals to the S-GW (User Plane Update Request) via the S11 interface to switch the downlink
bearer tunnel to the target eNB

UE Attachment & Default Bearer Creation & X2 Handovers / LTEPA 9.3.5

To filter out unwanted messages, the following filters can be used for S1AP, X2 and NAS messages:
s1ap||x2ap or s1ap||x2ap||nas
UE attach/detach success / LTEPA 9.3.5

Figure 1
X2 Handovers / LTEPA 9.3.5
•The X2 interface is a logical interface which connects eNBs with each other; it facilitates seamless mobility and interface
management
•Target eNB prepares handover by sending required information to UE transparently through source eNB

Figure 2

•Data is transferred between source eNB and target eNB until path switch to prevent data loss
6
Synchronization NTP/PTP/SyncE

NTP synchronization

RFC 1305 - Network Time Protocol

The format of the NTP Message data area, which immediately follows the UDP
header, is shown below:

Stratum: This is an eight-bit integer indicating the stratum level of the local clock, with values defined as follows:
0 unspecified
1 primary reference (e.g., radio clock)
2-255 secondary reference (via NTP)

NTP synchronization

Leap Indicator (LI): This is a two-bit code warning of an impending leap second to be inserted/deleted
in the last minute of the current day, with bit 0 and bit 1, respectively, coded as follows:
00 no warning
01 last minute has 61 seconds
10 last minute has 59 seconds
11 alarm condition (clock not synchronized)
Version Number (VN): This is a three-bit integer indicating the NTP version number, currently three (3).
Mode: This is a three-bit integer indicating the mode, with values defined as follows:
0 reserved
1 symmetric active
2 symmetric passive
3 client
4 server
5 broadcast
6 reserved for NTP control message (see Appendix B)
7 reserved for private use
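
Added example (not from the original guide): a decoder for the LI, VN, Mode and Stratum fields described above, plus a check of a poll/reply pair for the conditions that mean the peer is not delivering synchronized time. The function names and the `ANSWERS` table are illustrative; the sample messages are constructed, with every field after Stratum zeroed.

```python
LEAP = {0: "no warning", 1: "last minute has 61 seconds",
        2: "last minute has 59 seconds",
        3: "alarm condition (clock not synchronized)"}
MODE = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
        3: "client", 4: "server", 5: "broadcast",
        6: "reserved for NTP control message", 7: "reserved for private use"}
# Modes that answer a given poll mode: client -> server, and symmetric
# active -> symmetric active or passive.
ANSWERS = {3: {4}, 1: {1, 2}}
NTP_MIN_LEN = 48  # fixed NTP header size in bytes


def decode_ntp(payload):
    """Decode the first two bytes of an NTP message (the UDP payload)."""
    if len(payload) < NTP_MIN_LEN:
        raise ValueError(f"NTP message too short: {len(payload)} bytes")
    first, stratum = payload[0], payload[1]
    return {"li": first >> 6,          # 2 most significant bits
            "vn": (first >> 3) & 0x7,  # next 3 bits
            "mode": first & 0x7,       # 3 least significant bits
            "stratum": stratum}        # whole second byte


def stratum_text(stratum):
    if stratum == 0:
        return "unspecified"
    if stratum == 1:
        return "primary reference"
    return "secondary reference (via NTP)"


def check_exchange(request, reply):
    """Findings explaining why a poll/reply pair yields no usable time."""
    req, rep = decode_ntp(request), decode_ntp(reply)
    findings = []
    allowed = ANSWERS.get(req["mode"])
    if allowed is None:
        findings.append(f"request mode {req['mode']} "
                        f"({MODE[req['mode']]}) is not a poll")
    elif rep["mode"] not in allowed:
        findings.append(f"reply mode {rep['mode']} ({MODE[rep['mode']]}) "
                        f"does not answer a {MODE[req['mode']]} poll")
    if rep["li"] == 3:
        findings.append("reply LI=3: " + LEAP[3])
    if rep["stratum"] == 0:
        findings.append("reply stratum 0: " + stratum_text(0))
    return findings


def ntp_message(li, vn, mode, stratum):
    """Constructed 48-byte message; every field after Stratum is zeroed."""
    head = bytes([(li << 6) | (vn << 3) | mode, stratum])
    return head + bytes(NTP_MIN_LEN - 2)


if __name__ == "__main__":
    poll = ntp_message(0, 3, 3, 0)  # client poll, version 3
    print(check_exchange(poll, ntp_message(0, 3, 4, 2)))  # healthy server
    print(check_exchange(poll, ntp_message(3, 3, 4, 0)))  # unsynchronized
```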

NTP synchronization active-passive

1 symmetric active
2 symmetric passive

NTP synchronization: server-client

PTP synchronization

PTP over UDP

With VLAN                    Without VLAN
PTP                          PTP
UDP                          UDP
IP                           IP
IEEE 802.1Q VLAN Tagging
IEEE 802.3 Ethernet          IEEE 802.3 Ethernet

PTP protocol defines event and general messages used by iBTS with 1 step mode
•Event messages are timed messages in that an accurate timestamp is generated both at transmission and receipt:
  Sync messages – receive direction only
•General messages do not require accurate timestamps:
  Announce messages – receive direction only
  Management messages – receive and transmit direction
  Signaling messages – receive and transmit direction

Native Iub: Compute distribution of 10% fastest PTP Sync packets
• The 10% fastest PTP sync messages are important for the PTP synchronization algorithm (for syntonization in UA7.1.1)
• The PTP server sends 64 PTP sync messages per second

[Screenshot: PTP trace. Callout: in theory, the interval between two PTP sync messages is 1/64 = 0.015625 second. Above PTP trace: time display format =]

• Principle to estimate the distribution of the 10% fastest PTP sync messages
  – Capture the PTP trace close to the BTS
  – Apply the filter (ptp.v2.messageid == 0x00) to display only the Sync messages (not Announcement messages)
  – Export the displayed sync messages as a text file
    – To get the inter-arrival time between the PTP sync messages
    – “Packet summary line” is enough

Native Iub: Compute distribution of 10% fastest PTP Sync packets

[Figure: timing diagram with three time axes. PTP server (sync sent): t0-d, t1-d, t2-d, ..., ti-d. Arrival time at BTS (expected, without jitter): t0, t1, t2, ..., ti, spaced 1/64 s apart. Real arrival time with delay variation: r0, r1, r2, r3, ..., ri.]

• Relative transmission delay for message i is computed by: delta_i = (ri - ti)
• The fastest packets are the ones having smallest relative delay delta_i
• Assumption:
  • no delay variation for the first message, then we can compute the ti based on the r0
  • d: fixed propagation/transmission delay

Native Iub: Compute distribution of 10% fastest PTP Sync packets
• Principle to estimate the distribution of 10% fastest PTP sync messages
  • Process with Microsoft Excel
  • Copy-paste the "packet summary line" to Excel (separate text to column with space) to extract the "Time", then use Round-up + Pivot table to compute distribution
  • See Attached Excel sheet here for more details

[Figure: Cumulative relative delay distribution. X axis: 10% fastest packets relative packet delay (microsecond). Y axis: cumulative percentage, 0% to 120%.]

Based on the 10% distribution, we can compute
• Jitter of 10% fastest packets
• Delay variation range (max Delay of 10% fastest and min Delay)
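The same computation in script form, as an added example (not part of the original guide or its Excel sheet): it rebuilds ti from r0, computes delta_i = ri - ti, keeps the fastest 10% and accumulates the rounded-up distribution. The function names and the sample arrival times are constructed for illustration; deriving the slot index from the arrival time, so that a missing Sync does not shift later ti, goes slightly beyond the Excel method.

```python
import math

SYNC_RATE_HZ = 64  # from the page: 64 Sync messages per second

# Constructed sample: arrival offsets in microseconds for 1/64 s slots 0..20,
# with the Sync of slot 7 missing from the capture.
OFFSETS_US = [0, 40, -5, 120, 15, -8, 300, 60, 3, 85,
              -2, 210, 25, -9, 70, 150, 33, -1, 95, 500]
SLOTS = [s for s in range(21) if s != 7]
SAMPLE_ARRIVALS = [10.0 + s / SYNC_RATE_HZ + o * 1e-6
                   for s, o in zip(SLOTS, OFFSETS_US)]


def relative_delays_us(arrivals):
    """delta_i = r_i - t_i in microseconds, with t_i rebuilt from r_0.

    The slot index i is the nearest multiple of 1/64 s after r_0 rather than
    the row number, so a missing Sync does not shift every later t_i
    (valid while the delay variation stays below half an interval).
    """
    r0 = arrivals[0]
    deltas = []
    for r in arrivals:
        i = round((r - r0) * SYNC_RATE_HZ)
        t_i = r0 + i / SYNC_RATE_HZ
        deltas.append(round((r - t_i) * 1e6, 3))  # nanosecond resolution
    return deltas


def fastest_percent(deltas, percent=10):
    """The `percent` % of messages with the smallest relative delay, sorted."""
    keep = max(1, (len(deltas) * percent + 99) // 100)
    return sorted(deltas)[:keep]


def delay_variation_range_us(fastest):
    """Max delay of the fastest set minus the minimum delay."""
    return fastest[-1] - fastest[0]


def cumulative_distribution(fastest, bin_us=2):
    """Round each delay up to a bin, then accumulate: [(bin, cumulative %)]."""
    counts = {}
    for d in fastest:
        b = math.ceil(d / bin_us) * bin_us
        counts[b] = counts.get(b, 0) + 1
    running, out = 0, []
    for b in sorted(counts):
        running += counts[b]
        out.append((b, 100.0 * running / len(fastest)))
    return out


if __name__ == "__main__":
    fast = fastest_percent(relative_delays_us(SAMPLE_ARRIVALS), 25)
    print(delay_variation_range_us(fast), cumulative_distribution(fast))
```

Feed it the "Time" column of the exported Sync messages, converted to seconds; a negative delta_i only means the message was faster than the first one, which the method assumes had no delay variation.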

Slow Protocol

Slow Protocol transmission characteristics


Protocols that make use of the addressing and protocol identification mechanisms identified in this
annex are subject to the following constraints:

a) No more than 10 frames shall be transmitted in any one-second period.

b) The maximum number of Slow Protocols is 10.

NOTE—This is the maximum number of Slow Protocols that use the specified protocol type defined
here. That is, there may be more than 10 slow protocols in the universe, but no more than 10 may
map to the same Ethernet Length/Type field.

c) The MAC Client data generated by any of these protocols shall be no larger than
maxBasicDataSize.
It is recommended that the maximum length for a Slow Protocol frame be limited to 128 octets.

NOTE—The Slow Protocols specified in IEEE Std 802.1AX (i.e., LACP and Marker) conform to this
recommended maximum.
The OAM protocol specified in Clause 57 may generate frames greater than 128 octets.

Synchronous Ethernet

SyncE is based on a well established SONET/SDH synchronization distribution model

[Figure: PRC (Primary reference clock) and a chain of network elements: Device, NE, NE, NE, …, NE, NE]

SyncE = make use of the Ethernet physical layer to transport a reference clock PRC (frequency only) on a NE-by-NE basis up to the end device

In band signaling: Synchronous Status Messages (SSM) over the Ethernet are defined for tracing the quality of the distributed frequency reference

Subtype 0x0a is used to carry Ethernet SSM for Synchronous Ethernet

Wireshark filter: slow.subtype == 0x0a

Synchronous Ethernet

ESMC Protocol

Ethernet Synchronization Messaging Channel (ESMC) is the protocol carrying the SSMs on a NE-by-NE basis

SSMs are sent every 1 second (meets the message rate requirements of IEEE 802.3 Slow Protocols)

To protect against possible failure, the lack of messages is considered to be a failure condition: the protocol behavior is such that the SSM value is set to "DNU" (Do Not Use) at the receiver side if no SSM messages are received for a period of 5 seconds (not reconfigurable).

Synchronous Ethernet

Synchronous Flow
Filter: slow.subtype==0x0a

7
Wireshark trace Analysis

Packet loss detection
TCP trace

To detect suspected packet loss & retransmission in a TCP trace with Wireshark, use the filters:
• tcp.analysis.retransmission
• tcp.analysis.fast_retransmission
• tcp.analysis.lost_segment

• Useful to determine the network segment having packet loss

[Figure: the same TCP packet, seq no=123 (not relative sequence number), as seen at successive sniffers]

The TCP packet with tcp.seq == 123 is sent twice by the UE and these packets can be seen twice at sniffer 2. But at the sniffer 3, we only see the retransmitted packet.

Packet loss detection
UDP heartbeat packet (Hybrid Iub)

Statistics/Conversation List/UDP
UDP heartbeats (usually sent on port 65535) are lost
• RNC -> Node B: 350 Heartbeat
• Node B -> RNC: 345 Heartbeat
• So 5 heartbeats from Node B to RNC are lost in the Iub backbone
• UDP heartbeat can be used to detect packet loss

Packet loss detection
SCTP trace (Iu, native Iub)

• Compare the number of SCTP heartbeat & heartbeat ACK
  • Loss of heartbeat packet
  • Telephony -> SCTP/Analyze this Association -> Chunk statistics
• Check the TSN duplication number for SACK message
  • sctp.sack_number_of_duplicated_tsns != 0
  • => loss of SCTP DATA packet

Packet loss detection
RTP trace (IuCS over IP)

• Telephony/RTP/Stream Analysis

No RTP loss

Check UDP Flow throughput

• Check UDP throughput on UE/IuPS UDP Iperf flow
  • Use Statistics/Conversation List/UDP to get UDP transfer statistics.
  • Determine the UL transfer throughput: Wireshark does not give application throughput, which can be calculated by:
    App_Thr = Packets*pkt_size*8/Duration
• Note: if limit packet size is applied, no available statistics info

[Figure: Conversation List/UDP screenshot with callouts: UE IP address; Server IP address; Throughput (Ethernet+IP+Transport+App); App_Thr ≈ 1.54 Mbps]
How to compute the UDP Iperf loss rate?
Main ideas

• Use Wireshark UDP Iperf trace (UE, IuPS, Gn, Gi, UDP server side trace)
• Loss can be detected with UDP Iperf
• UDP datagram ID: starting from 0, this ID is incremented at each UDP segment (used to detect packet loss)

[Figure: Trace of UE UP captured at IuPS, with the datagram ID highlighted in the 1st, 2nd and 3rd UDP pkt]

How to compute the TCP RTT?
Use Wireshark to XLS tool

• Available at https://wcdma-ll.app.alcatel-lucent.com/livelink/livelink.exe?func=ll&objId=58649459&objAction=browse&sort=name&viewType=1
• User guide is included in the tool

Processing chain: FTP Pcap -> (1) Wireshark -> txt file -> (2) internal tool Wireshark_to_XLS_v3.2.exe -> XLS

[Figure: message sequence between UE, IuPS and Server: ftp-data (seq=x) and ACK for seq=x, with timestamps t0, t1, t2, t3 defining RTT(IuPS) and RTT(server)]

• Extract the RTT results
  • Filter out the data messages (keep ACK)
    • Based on port number for example
  • Copy RTT column to new Excel sheet
  • Filter out the blank & "unfound!" cases
  • Compute average RTT & standard deviation

[Figure: DL TCP RTT et server. Average RTT=90ms & STDEV=22ms. Y axis: time (second). X axis: sequence number ACK'ed.]

How to compute the UDP Iperf loss rate?
Use perl udpProcess.pl tool
• A tool based on Perl used to compute
  • UDP lost datagrams
  • UDP Lost rate
• ActivePerl is required to be able to use the tool udpProcess.pl
  • Install ActivePerl (ex: ActivePerl 5.10.1 Build 1007)
• Program tool
  – udpProcess.pl
  – Livelink https://wcdma-ll.app.alcatel-lucent.com/livelink/livelink.exe?func=ll&objId=63254776&objAction=browse&sort=name&viewType=1
• Step 1: Prepare UDP trace in txt format (from Wireshark/export to File)
  • Apply filter on desirable UDP flow, like ip.src==IP@ && udp && !tcp && !icmp
  • File > Export > File
    – Packet Range: select “Displayed”
    – Packet Format: “All expanded”
    – Filename: asyoulike.txt

How to compute the UDP Iperf loss rate?
Use perl udpProcess.pl tool
• Step 2: Put the perl program (udpProcess.pl) and UDP text trace in the same folder
  • Run cmd and go to the folder
• Step 3: Run the perl program
  • >perl udpProcess.pl UDP_trace.txt result

• Result: we can find in the same folder result.txt
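The loss computation that the datagram ID makes possible, as an added example (this is not udpProcess.pl and not code from the guide). It assumes the ID is the first 4 bytes of the UDP payload as a signed big-endian integer and that a negative ID marks the end of the test, which is the iperf 2 layout; the function names and sample payloads are constructed for illustration.

```python
import struct


def iperf_datagram_id(udp_payload):
    """First 4 payload bytes as a signed big-endian integer (assumed layout)."""
    if len(udp_payload) < 4:
        raise ValueError("payload too short to carry a datagram ID")
    return struct.unpack(">i", udp_payload[:4])[0]


def udp_loss_report(payloads):
    """Count lost, duplicated and reordered datagrams at one capture point."""
    seen, duplicates, reordered, highest = set(), 0, 0, -1
    for payload in payloads:
        dgram_id = iperf_datagram_id(payload)
        if dgram_id < 0:
            continue  # assumed end-of-test marker, not a data datagram
        if dgram_id in seen:
            duplicates += 1
            continue
        if dgram_id < highest:
            reordered += 1  # arrived late, but it did arrive
        seen.add(dgram_id)
        highest = max(highest, dgram_id)
    expected = highest + 1  # IDs start from 0, as the page states
    missing = sorted(set(range(expected)) - seen)
    return {
        "expected": expected,
        "received": len(seen),
        "lost": len(missing),
        "missing_ids": missing,
        "duplicates": duplicates,
        "reordered": reordered,
        "loss_rate": len(missing) / expected if expected else 0.0,
    }


def make_payload(dgram_id):
    """Constructed test datagram: ID, two zeroed timestamp words, padding."""
    return struct.pack(">iII", dgram_id, 0, 0) + b"\x00" * 16


# Constructed capture: 5, 7 and 8 never arrive, 3 arrives after 4, 6 is duplicated.
SAMPLE_PAYLOADS = [make_payload(i) for i in (0, 1, 2, 4, 3, 6, 6, 9, -10)]

if __name__ == "__main__":
    print(udp_loss_report(SAMPLE_PAYLOADS))
```

Datagrams lost after the highest ID seen at a capture point are invisible to it, so compare the reports from the UE, IuPS, Gn, Gi and server-side traces to locate the segment where the IDs disappear.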

How to compute the TCP retransmission rate?
Main ideas

• Use Wireshark FTP trace at UE, IuPS, Gn, Gi, FTP server
• Retransmission is detected based on TCP sequence number
  • Real sequence number is used instead of relative sequence number (Edit/Preferences: unchecked « relative sequence number »)
  • More than one packet with the same sequence number -> retransmission

[Figure: Sniffer 4 trace showing two packets with seq no=3698364802 (not relative seq) and two packets matching tcp.seq == 3698556853]

How to compute the TCP retransmission rate?
Use perl tcpProcess.pl tool
• A tool based on Perl used to compute
  • Count retransmission ftp-data packets
  • Compute the retransmission rate
• ActivePerl is required to be able to use the tool tcpProcess.pl
  • Install ActivePerl (ex: ActivePerl 5.10.1 Build 1007)
• Perl tool: tcpProcess.pl
  – Livelink https://wcdma-ll.app.alcatel-lucent.com/livelink/livelink.exe?func=ll&objId=63254776&objAction=browse&sort=name&viewType=1
• Step 1: Prepare TCP trace in txt format (from Wireshark/export to File)
  • Apply filter on desirable TCP flow (FTP-data flow only), like ip.src==IP@ && ftp-data && !icmp && !dns
  • File > Export > File
    – Packet Range: select “Displayed”
    – Packet Format: “All expanded”
    – Filename: asyoulike.txt

How to compute the TCP retransmission rate?
Use perl tcpProcess.pl tool
• Step 2: Put the perl program (tcpProcess.pl) and TCP text trace in the same folder
  • Run cmd and go to the folder
• Step 3: Run the perl program
  • >perl tcpProcess.pl TCP_trace.txt result

• Result: we can find in the same folder result.txt

How to compute the TCP retransmission rate?
Use Wireshark-to-XLS tool

• Download tool at https://wcdma-ll.app.alcatel-lucent.com/livelink/livelink.exe?func=ll&objId=58649459&objAction=browse&sort=name&viewType=1
  User guide here
  (*) Tool truncates the trace at 65500th message (due to Excel row limit). Consider splitting a big trace into several small ones.

• Convert pcap to text, use the tool to convert to an Excel file, then process the Excel result
  • Filter out the ACK flow (keep the data segment flow only in the Excel results, based on portSrc & portDst)
  • Copy the "seq" column to a new Excel sheet
  • Find the duplication of the sequence number, using formula: --ISNUMBER(MATCH(A2,$A$1:A1,0))
    – Return 0 if no duplication
    – Return 1 if there is a duplication; the SUM provides the total number of retransmitted packets

Retransmission Rate = Total_Retransmitted_Pkts/Total_TCP_data_pkts
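The duplicate-sequence-number count and the rate formula above, as an added example (this is neither tcpProcess.pl nor the Wireshark-to-XLS tool). It assumes the text export carries one "Sequence number: N" line per data packet and rejects exports made with relative sequence numbers; the function names and the sample export are constructed, reusing the two sequence numbers shown on the earlier slide.

```python
import re

# Matches the TCP detail line of a text export; "[Next sequence number: ...]"
# lines start with "[" and are deliberately not matched.
SEQ_RE = re.compile(r"^\s*Sequence number:\s*(\d+)(.*)$", re.IGNORECASE)


def sequence_numbers(export_text):
    """Return the absolute TCP sequence number of each exported packet."""
    seqs = []
    for line in export_text.splitlines():
        match = SEQ_RE.match(line)
        if not match:
            continue
        if "relative" in match.group(2).lower():
            raise ValueError("export uses relative sequence numbers; "
                             "uncheck the preference and export again")
        seqs.append(int(match.group(1)))
    return seqs


def retransmission_stats(seqs):
    """(retransmitted, total, rate): a packet counts as retransmitted when its
    sequence number already appeared earlier in the trace."""
    seen, retransmitted = set(), 0
    for seq in seqs:
        if seq in seen:
            retransmitted += 1
        else:
            seen.add(seq)
    total = len(seqs)
    return retransmitted, total, (retransmitted / total if total else 0.0)


# Constructed sample export (data direction only, 1460-byte segments).
SAMPLE_SEQS = [3698364802, 3698366262, 3698364802,
               3698556853, 3698556853, 3698558313]
SAMPLE_EXPORT = "\n".join(
    f"Frame {n}: 1514 bytes on wire\n"
    f"Transmission Control Protocol\n"
    f"    Sequence number: {seq}\n"
    f"    [Next sequence number: {seq + 1460}]\n"
    for n, seq in enumerate(SAMPLE_SEQS, start=1)
)

if __name__ == "__main__":
    print(retransmission_stats(sequence_numbers(SAMPLE_EXPORT)))
```

Run it on the export of the data direction only (the ftp-data filter from Step 1), since pure ACKs repeat the same sequence number without being retransmissions.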

TCP bad checksum problem

• When the checksum is bad, the packet is rejected, thus retransmission
• Check checksum at different network segments

Checksum at FTP server (the one added in the packet) | Checksum at CE-RNC (Iu-PS) (computed by Wireshark) | Checksum at UE side
0x3d28 | 0x3d28 [incorrect, should be 0x6f48] | 0x3d28 [incorrect, should be 0x6f48]
0x3d1c | 0x3d1c [incorrect, should be 0x1623] | 0x3d1c [incorrect, should be 0x1623]
0x3d10 | 0x3d10 [correct] | 0x3d10 [correct]

First column: this is the checksum value inside the packet (added at FTP server).
Value in brackets: this is the checksum computed by Wireshark at CE-RNC side. It is different from the one inside the packet.

=> The TCP checksum error happened from the FTP server to the CE (on the Iu-PS interface).

• The checksum errors are related to the IP transmission errors such as toggled, missing or duplicated bits.

8
Backup

Mirroring configuration

• On Alcatel Omniswitch OS6850
  Mirror bidirectional traffic on port 1/21 & 1/22 to a mirroring port 1/20

-> port mirroring 1 destination 1/20 unblocked 5 enable
-> port mirroring 1 source 1/21 bidirectional enable
-> port mirroring 1 source 1/22 bidirectional enable

• On Cisco Router/Switch
  Mirror bidirectional traffic on port Fa0/2 to a mirroring port Fa0/20

-> monitor session 1 source interface Fa0/2
-> monitor session 1 destination interface Fa0/20

• Telco systems switch
  Mirror bidirectional traffic on port 1/1/2 & 1/1/23 to a mirroring port 1/1/1

>monitor session tx source interface 1/1/2,1/1/23
>monitor session tx destination interface 1/1/1
>monitor session rx source interface 1/1/2,1/1/23
>monitor session rx destination interface 1/1/1

Mirroring configuration on SR7750

Mirroring destination config

#--------------------------------------------------
echo "Mirror Configuration"
#--------------------------------------------------
    mirror
        mirror-dest 100 create
            remote-source
                far-end 172.28.128.5
            exit
            sap 1/2/17 create
            exit
            no shutdown
        exit
    exit

Mirroring source config (from debug)

A:SR7_R2# show debug
debug
    mirror-source 100
        sap 1/2/5:100 egress ingress
        sap 1/2/5:102 egress ingress
        sap 1/2/6:110 egress ingress
        sap 1/2/6:112 egress ingress
        sap 1/2/7 egress ingress
        sap 1/2/8 egress ingress
        sap 1/2/9:123 egress ingress
        no shutdown
    exit
exit
