Wireshark User Guide v042
2012 NEA
February 2012
– Split traces update
– NBAP plugin installation (workaround)
May 2012
– LTE/LTEPA user guide
September 2012
– UE Attachment & Default Bearer Creation
– X2 Handovers
1. General Overview
2. Wireshark setting user guide
6. Synchronization NTP/PTP/SyncE
7. Wireshark trace analysis
8. Backup
Pros:
Wireshark software is a free download and can run on any laptop.
Traces can be sent to anyone without having to convert the file format.
Software bugs and available functionality depend on the laptop's network driver and PC.
Capture setup figure: RNC (Iux over IP, Lp/14 and Lp/15, Eth/x) connected via Ethernet and fiber to a router; Iub (IP link) and Iu-PS/Iu-CS towards SGSN/MSC; the router's mirroring port is connected with an RJ45 (ETH cable) to the ETH card of the capture PC (if the router does not have an Ethernet port, an Optical-Copper SFP is needed).
One way traffic from only one GIGE interface can be captured
Wireshark
Useful in case you need to run the Tshark tool, which is provided with Wireshark.
If you already have Wireshark running on your machine, please follow the workaround installation below:
Uninstall Wireshark and delete the entire Wireshark folder (C:\Program Files\Wireshark).
Windump
Used to capture the UE trace from a Qualcomm modem/data card (needed to see the Generic Adapter).
From Wireshark: OK
Workaround
Uninstall the current Winpcap and install the recommended stable Winpcap version.
Capture options figure callouts: the interface we used to connect with the RJ45 cable; schedule to stop the capture; click Start to capture the traces.
Main window figure callouts: captured messages (time, address, protocol, info); protocol stack of the selected message; header + data coded in hexadecimal.
Display filter examples:
– tcp.analysis.retransmission => display the TCP retransmission messages
– tcp.analysis.lost_segment => display "previous segment lost" messages
– vlan.id == 123 => display the messages having VLAN ID = 123
For more about filter expressions, go to "Expression".
Display TCP RTT: delta between a segment and its ACK. Makes sense only at the sender side.
Usage: check the E2E RTT (it will include buffering time if applicable). Check RTT versus packet losses (possible overflow). Check whether TCP is not filling up the E2E buffers (low RTT = HSPA RTT).
Select a data packet (be careful not to choose an acknowledgement packet), then go to "Statistics", "TCP Stream Graph" and "RTT Graph".
To avoid depending on VLAN tag capturing capability, the capture filter can be designed from the UDP layer (byte offsets in the UDP stack) instead of the Ethernet layer.
Another option to filter IuPS User Plane trace of UE whose IP@ ==188.45.9.195 is
Use drag-and-drop to drop multiple files on the main window. Wireshark will try to merge the
packets in chronological order from the dropped files into a newly created temporary file. If you
drop only a single file, it will simply replace a (maybe) existing one.
COPYRIGHT © 2011 ALL RIGHTS RESERVED.
32 | Wireshark guide | May 2012 ALCATEL-LUCENT — INTERNAL PROPRIETARY — USE PURSUANT TO COMPANY INSTRUCTION
3.4 Edit a pcap capture to shorten file length
Editcap is a program that reads some or all of the captured packets from the input_file, optionally converts them in various ways and writes the resulting packets to the capture output_file.
It saves a lot of time when opening a big trace captured on a live network.
By default editcap is located in the Wireshark directory: "C:\Program Files\Wireshark>editcap.exe".
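The splitting that editcap performs (e.g. `editcap -c N in.pcap out.pcap`, one output file per N packets) can be reproduced on the classic pcap container; the following is an added example in Python, not code from the guide or from Wireshark, and it handles only classic pcap (not pcapng). The sample capture it splits is constructed inline.

```python
import struct

PCAP_GLOBAL_HDR = 24  # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
PCAP_REC_HDR = 16     # ts_sec, ts_usec, incl_len, orig_len

def _endian(data):
    """Classic pcap magic 0xa1b2c3d4 may be stored little- or big-endian."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        return "<"
    if magic == b"\xa1\xb2\xc3\xd4":
        return ">"
    raise ValueError("not a classic pcap file")

def iter_records(data):
    """Yield (record_header, packet_bytes) for every record, refusing truncated files."""
    fmt = _endian(data) + "IIII"
    off = PCAP_GLOBAL_HDR
    while off < len(data):
        hdr = data[off:off + PCAP_REC_HDR]
        if len(hdr) < PCAP_REC_HDR:
            raise ValueError("truncated record header at offset %d" % off)
        _, _, incl_len, _ = struct.unpack(fmt, hdr)
        off += PCAP_REC_HDR
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl_len
        yield hdr, pkt

def split_pcap(data, packets_per_file):
    """Split into chunks of at most packets_per_file records; each chunk gets a copy of the
    original global header so it opens in Wireshark on its own (what editcap -c produces)."""
    global_hdr = data[:PCAP_GLOBAL_HDR]
    chunks, current, count = [], [global_hdr], 0
    for hdr, pkt in iter_records(data):
        if count == packets_per_file:
            chunks.append(b"".join(current))
            current, count = [global_hdr], 0
        current.append(hdr + pkt)
        count += 1
    if count:
        chunks.append(b"".join(current))
    return chunks

def make_sample_pcap(n_packets):
    """Constructed little-endian pcap (linktype 1 = Ethernet) holding dummy 60-byte frames."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i in range(n_packets):
        frame = bytes([i & 0xFF]) * 60
        out.append(struct.pack("<IIII", 1336348800 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)
```

Write each returned chunk to its own numbered file to get the same result as editcap's split output.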
Right click on the M3UA part, choose Decode As, and select NBAP as the transport over SCTP.
Right click on the data part, choose Decode As, and select RTP as the transport over UDP.
Check the RTP Payload type: 127 (in the example below), then go to Edit/Preferences/Protocols/IuUP and change the IuUP dynamic Payload type to 127.
Figure callouts: IuUP part; Edit/Preferences/Protocols (IP).
LTEPA was built on the packet sniffer tool Wireshark (freeware) by providing additional protocol decoders. The interface of LTEPA is the same as that of Wireshark.
LTEPA decodes the following: S1AP, X2AP, Gn, S3, S6a, S5, Gx, …
If it is necessary for decoding S1.x, follow these steps in LTEPA:
– on SCTP messages, select DATA messages and right click, Decode As;
– in the SCTP/S1AP window, select the port (3001, 3002, or both, which is recommended) and apply;
– as a filter you can use "s1ap" to display only the messages for S1.x.
The following table describes the different LTE interfaces supported by LTEPA and the corresponding filter strings.
S1-MME: Reference point for the control plane protocol between E-UTRAN and MME.
S1-U: Reference point between E-UTRAN and Serving GW for the per bearer user plane tunnelling and inter eNodeB path
switching during handover.
S2a: It provides the user plane with related control and mobility support between trusted non 3GPP IP access and the
Gateway.
S3: It enables user and bearer information exchange for inter 3GPP access network mobility in idle and/or active state.
It is based on Gn reference point as defined between SGSNs.
S4: It provides related control and mobility support between GPRS Core and the 3GPP Anchor function of Serving GW
and is based on Gn reference point as defined between SGSN and GGSN. In addition, if Direct Tunnel is not established,
it provides the user plane tunnelling.
S5-PMIP: It provides user plane tunneling and tunnel management between Serving GW and PDN GW. It is used for
Serving GW relocation due to UE mobility and in case the Serving GW needs to connect to a non collocated PDN GW for
the required PDN connectivity.
S6a: This interface is defined between MME and HSS for authentication and authorization.
S6b: It is the reference point between PDN Gateway and 3GPP AAA server/proxy for mobility related authentication if
needed. This reference point may also be used to retrieve and request storage of mobility parameters. This reference
point may also be used to retrieve static QoS profile for a UE for non-3GPP access in case dynamic PCC is not supported.
S8: It is the roaming interface in case of roaming with home routed traffic. It provides the user plane with related control
between Gateways in the VPLMN and HPLMN.
S9: It provides transfer of (QoS) policy and charging control information between the Home PCRF and the Visited PCRF in
order to support local breakout function. In all other roaming scenarios, S9 has functionality to provide dynamic QoS
control policies from the HPLMN.
S10: This interface is the reference point between MMEs for MME relocation and MME to MME information transfer.
LTE Standard Reference Points (2 of 2)
S11: This interface is the reference point between MME and Serving GW.
S103-U: This interface is the bearer interface between the EPC Serving Gateway and the HSGW.
S101: This interface is the signaling interface between the EPC MME and the evolved HRPD Access Network (eAN/PCF).
Gx: It provides transfer of (QoS) policy and charging rules from PCRF to the Policy and Charging Enforcement Point (PCEF) in the PDN GW.
Gxa: It provides transfer of (QoS) policy information from PCRF to the Trusted Non-3GPP accesses.
Gxb: This interface is not specified within this release of the specification.
Gxc: It provides transfer of (QoS) policy information from PCRF to the Serving Gateway
X2: This interface is for eNodeB to eNodeB handoff.
Lab Setup
enodeB1 – 10.50.240.62
enodeB2 – 10.50.240.63
MME – 10.50.83.33
SGW - 10.50.79.40
PGW – 10.50.81.40
PCRF – 10.50.80.140
UEs – 10.150.21.157
Inter-eNB handovers
Handover procedures are controlled by the UE and the eNB (Figure 2, page 51).
• eNB coordinates active mode handovers using the X2 interface
• Data is forwarded from the original eNB to the target eNB during handover
• eNB signals to the MME (Path Switch Request) via the S1-MME interface for handover
• MME signals to the S-GW (User Plane Update Request) via the S-11 interface to switch the downlink bearer tunnel to the target eNB
Figure 1
X2 Handovers / LTEPA 9.3.5
• The X2 interface is a logical interface which connects eNBs with each other; it facilitates seamless mobility and interface management
• The target eNB prepares the handover by sending the required information to the UE transparently through the source eNB
Figure 2
The format of the NTP message data area, which immediately follows the UDP header, is shown below:
Leap Indicator (LI): This is a two-bit code warning of an impending leap second to be inserted/deleted in the last minute of the current day, with bit 0 and bit 1, respectively, coded as follows:
00 no warning
01 last minute has 61 seconds
10 last minute has 59 seconds
11 alarm condition (clock not synchronized)
Version Number (VN): This is a three-bit integer indicating the NTP version number, currently
three (3).
Mode: This is a three-bit integer indicating the mode, with values defined as follows:
0 reserved
1 symmetric active
2 symmetric passive
3 client
4 server
5 broadcast
6 reserved for NTP control message (see Appendix B)
7 reserved for private use
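The LI, VN and Mode fields above share the first byte of the NTP header, which is why a byte of 0x1c in a capture reads as "no warning, version 3, server". The following is an added example in Python (not code from the guide) that decodes that byte together with the stratum, poll, precision and transmit timestamp of the 48-byte header, and flags the conditions a sync engineer would look for; the sanity checks and the sample server reply are assumptions constructed for the example.

```python
import struct

LI_TEXT = {0: "no warning", 1: "last minute has 61 seconds",
           2: "last minute has 59 seconds", 3: "alarm condition (clock not synchronized)"}
MODE_TEXT = {0: "reserved", 1: "symmetric active", 2: "symmetric passive", 3: "client",
             4: "server", 5: "broadcast", 6: "NTP control message", 7: "reserved for private use"}
NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)

def parse_ntp(payload):
    """Decode the 48-byte NTP header that follows the UDP header; LI/VN/Mode share byte 0."""
    if len(payload) < 48:
        raise ValueError("NTP header is 48 bytes, got %d" % len(payload))
    first, stratum, poll, precision = struct.unpack("!BBbb", payload[:4])
    xmt_sec, xmt_frac = struct.unpack("!II", payload[40:48])  # Transmit Timestamp
    li, vn, mode = first >> 6, (first >> 3) & 0x7, first & 0x7   # 2 + 3 + 3 bits
    return {"li": li, "li_text": LI_TEXT[li], "vn": vn,
            "mode": mode, "mode_text": MODE_TEXT[mode],
            "stratum": stratum, "poll": poll, "precision": precision,
            "transmit_unix": xmt_sec - NTP_UNIX_DELTA + xmt_frac / 2 ** 32}

def ntp_issues(fields):
    """Conditions worth flagging when auditing a sync trace (assumed checks, not from the guide)."""
    issues = []
    if fields["li"] == 3:
        issues.append("LI=3: peer reports clock not synchronized")
    if fields["mode"] in (0, 7):
        issues.append("reserved/private mode value %d" % fields["mode"])
    if fields["mode"] == 4 and fields["stratum"] in (0, 16):
        issues.append("server reply with stratum %d (unsynchronized or kiss-o'-death)" % fields["stratum"])
    return issues

def make_server_reply(unix_time=1336348800.5):
    """Constructed NTPv3 server reply: LI=0, VN=3, Mode=4 packs to first byte 0x1c."""
    first = (0 << 6) | (3 << 3) | 4
    sec = int(unix_time) + NTP_UNIX_DELTA
    frac = int((unix_time - int(unix_time)) * 2 ** 32)
    body = bytes(36)  # root delay/dispersion, reference id, reference/originate/receive timestamps
    return struct.pack("!BBbb", first, 2, 6, -20) + body + struct.pack("!II", sec, frac)
```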
Figure: PTP over UDP over IP message exchange between two nodes, with transmit times t0, t1, …, ti on one side and receive times r0, …, ri on the other, separated by the delay d (plot of the time offsets).
Assumption: no delay variation for the first message, so we can compute ti based on r0.
d: fixed propagation/transmission delay
NOTE — This is the maximum number of Slow Protocols that use the specified protocol type defined here. That is, there may be more than 10 slow protocols in the universe, but no more than 10 may map to the same EthernetLength/Type field.
c) The MAC Client data generated by any of these protocols shall be no larger than maxBasicDataSize.
It is recommended that the maximum length for a Slow Protocol frame be limited to 128 octets.
NOTE — The Slow Protocols specified in IEEE Std 802.1AX (i.e., LACP and Marker) conform to this recommended maximum.
The OAM protocol specified in Clause 57 may generate frames greater than 128 octets.
In-band signaling: Synchronization Status Messages (SSM) over Ethernet are defined for tracing the quality of the distributed frequency reference.
ESMC Protocol
SSM are sent every 1 second (this meets the message rate requirements of IEEE 802.3 Slow Protocols).
Synchronous Flow
Filter: slow.subtype==0x0a
To detect suspected packet loss and retransmission in TCP with Wireshark, use the filters:
tcp.analysis.retransmission
tcp.analysis.fast_retransmission
tcp.analysis.lost_segment
Figure: the same TCP packet (seq no = 123, the absolute and not the relative sequence number) captured at several points along the path; useful to determine the network segment having packet loss.
Statistics/Conversation List/UDP
UDP heartbeats (usually sent on port 65535) are lost:
– RNC -> Node B: 350 heartbeats
– Node B -> RNC: 345 heartbeats
So 5 heartbeats from Node B to RNC are lost in the Iub backbone.
The UDP heartbeat can be used to detect packet loss.
Telephony/RTP/Stream Analysis (figure: no RTP loss)
Use Wireshark UDP Iperf traces captured at the UE, IuPS, Gn, Gi and the UDP server side (figure: trace of UE UP, UDP Iperf, Sniffer 4); loss can be detected with the capture at IuPS.
Convert the pcap to text, use a tool to convert it to an Excel file, then process the Excel result:
– Filter out the ACK flow (keep the data segment flow only in the Excel results, based on portSrc & portDst)
– Copy the "seq" column to a new Excel sheet
– Find duplicates of the sequence number using the formula =--ISNUMBER(MATCH(A2,$A$1:A1,0)), which checks whether the value in A2 already appears in the rows above it:
– Returns 0 if there is no duplication
– Returns 1 if there is a duplication; the SUM provides the total number of retransmitted packets
Retransmission Rate = Total_Retransmitted_Pkts / Total_TCP_data_pkts
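The same procedure carried out in Python instead of Excel, as an added example that is not part of the guide: the rows below are constructed in the shape of an exported TCP flow (source port, destination port, absolute sequence number, payload length), the ACK-only flow is dropped, and each sequence number already seen is counted as a retransmission, mirroring the --ISNUMBER(MATCH(...)) column.

```python
# Constructed rows standing in for the Excel export: (src_port, dst_port, seq, payload_len).
# Sequence numbers are absolute, as the guide requires, not Wireshark's relative ones.
SAMPLE_ROWS = [
    (5001, 44120, 1000, 1460),
    (44120, 5001, 1, 0),        # pure ACK from the receiver: removed by the flow filter
    (5001, 44120, 2460, 1460),
    (44120, 5001, 1, 0),
    (5001, 44120, 3920, 1460),
    (5001, 44120, 2460, 1460),  # seq 2460 seen again -> retransmission
    (44120, 5001, 1, 0),
    (5001, 44120, 5380, 1460),
    (5001, 44120, 3920, 1460),  # seq 3920 seen again -> retransmission
]

def data_segments(rows, src_port, dst_port):
    """Keep only the data-carrying direction, like filtering on portSrc & portDst in Excel."""
    return [r for r in rows if r[0] == src_port and r[1] == dst_port and r[3] > 0]

def duplicate_flags(seqs):
    """1 for every seq already present in the rows above it, 0 otherwise (the MATCH column)."""
    seen, flags = set(), []
    for seq in seqs:
        flags.append(1 if seq in seen else 0)
        seen.add(seq)
    return flags

def retransmission_rate(rows, src_port, dst_port):
    """Return (retransmitted, total_data_pkts, rate) for one direction of the connection."""
    segs = data_segments(rows, src_port, dst_port)
    retransmitted = sum(duplicate_flags([seq for _, _, seq, _ in segs]))  # the SUM in the sheet
    total = len(segs)
    return retransmitted, total, (retransmitted / total if total else 0.0)
```

Keep the payload-length filter in place: zero-length keep-alive probes also repeat a sequence number and would otherwise be counted as retransmissions.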
On a Cisco router/switch, to mirror the bidirectional traffic on port Fa0/2 to the mirroring port Fa0/20:
-> monitor session 1 source interface Fa0/2
-> monitor session 1 destination interface Fa0/20