
User Guide Wireshark for IP tracing in 3G IP RAN

Author: Nguyen Vuong Quoc Thinh Date: 03/04/2011

Contents

1. General Overview
2. Wireshark setting user guide
3. Capture in live network
4. Wireshark trace analysis

2 | Presentation Title | January 2009

Alcatel-Lucent Internal Proprietary Use pursuant to Company instruction. XXXXX

General Overview


Wireshark: Pros vs. Cons

Pros:
Wireshark software is a free download and can run on any laptop
Easy to send the traces to anyone without having to convert the file format
Provides a simple but powerful display filter language

Cons:
Wireshark can drop captured packets
Out of memory when capturing a large traffic volume
Some protocol stacks cannot be decoded by Wireshark (like Frame Protocol over Iub)
Software bugs; its functionality depends on the laptop network driver & PC


Equipment installation
Mirroring option: Recommended

UL & DL traffic from multiple GIGE interfaces can be captured

[Diagram: RNC (Lp/14, Eth/x and Lp/15, Eth/x, Iux over IP; Iub IP link) connected by Ethernet fiber to the access router, which carries Iu-PS/Iu-CS towards the SGSN/MSC. The mirroring port of the router is connected with an RJ45 Ethernet cable to the ETH card of the PC. If the router does not have an Ethernet port, an Optical-Copper SFP is needed.]


Equipment installation
Splitter option

One-way traffic from only one GIGE interface can be captured:
[Diagram: RNC (Lp/14, Eth/x and Lp/15, Eth/x, Iux over IP; Iub IP link) connected by Ethernet fiber to the router; the splitter output feeds the Rx slot of an Optical Ethernet Converter, which is connected with an RJ45 Ethernet cable to the PC.]

Both UL & DL traffic from one GIGE interface can be captured:
[Diagram: same fiber link; both splitter outputs feed the Rx slots of a Switch 6850 with 2 Optical Ports (2 SFP), which is connected with an RJ45 Ethernet cable to the PC.]


Check list

Confirm the type of fibers (SX/LX) and connectors (LC/FC/SC) needed

Mirroring option (recommended): check the availability of mirroring capability on the access routers
The dedicated mirroring port must be configured
If the mirroring port is Gigabit Optical, you need either a Copper Ethernet SFP or an Optical Ethernet converter
Ethernet RJ-45 cable
Laptop with Wireshark

Splitter option: check the availability of optical splitters
10/100/1000Base-T to 1000Base-SX/LX converter, or OmniSwitch with associated SFP
Ethernet RJ-45 cable
Laptop with Wireshark running

Wireshark setting guide (whatever the Iux interface)


Software overview

Winpcap
Mandatory for IP sniffing on the laptop; provided together with the Wireshark software
All archived Winpcap versions can be downloaded from http://www.winpcap.org/
Stable version is 4.1.beta5 or 3.1

Wireshark
Wireshark version: 1.2.5 (or later), check http://www.wireshark.org
Installation tip: install Wireshark in the default folder given by cmd.exe
Useful in case you need to run the Tshark tool, provided with Wireshark

Windump
Windows version of the popular tcpdump tool
Used to capture the IP traffic with a truncated packet size
Useful & robust for capturing live network traffic
Windump version 3.9.5, download from http://www.winpcap.org/
Installation tip: put Windump.exe in a folder reachable from CMD

How to check if Winpcap works well?

Winpcap works well when Wireshark/Windump can:
see all available network interfaces on the PC (Gigabit Ethernet, WiFi Link, Generic Adapter)
capture the UE trace from a Qualcomm modem/data card (the Generic Adapter needs to be visible)

From Wireshark: OK
Generic dialup Interface, Gigabit Ethernet Interface, Qualcomm USB Modem

From Windump: NOK
No generic dialup adapter => cannot take a UE trace on this PC

Workaround
Uninstall the current Winpcap & install the recommended stable Winpcap version
Use another laptop PC (avoid Lenovo ThinkPad if possible)

PC setting for capturing in promiscuous mode

Capturing all traffic that the network card can see (i.e. mirrored traffic):
Check "Capture packets in promiscuous mode" in Wireshark Capture Options
Configure a dummy IP@ for the Local Area Connection
Automatic IP@ configuration can also work on many PCs

No tracing if there is a mismatch between the speed on the PC & the mirroring interface (Fast/Gigabit Ethernet):
Device manager > Network adapter > Advanced > Link Speed & Duplex
Auto Detect is recommended (default setting)
100Mbps/1Gbps & Full duplex is desirable (if auto detect does not work); the selected speed depends on the speed of the mirroring interface
Force the mirroring port to the same speed as the network interface card (NIC)


VLAN capture setup issue

With some PC/Network Interface Cards, you won't necessarily see the VLAN tags in packets when capturing on a VLAN.
Some workarounds to disable the stripping of VLAN tags:
http://wiki.wireshark.org/CaptureSetup/VLAN
http://www.intel.com/support/network/sb/CS-005897.htm
The workaround does not necessarily work for every NIC type, so use another PC/NIC in order not to waste too much time.


Wireshark: Quick Launch

Launch the Wireshark application
Toolbar icons: start a new live capture / stop the running live capture
Identify the capture interface (in our case, it is a Gigabit network connection): Capture > Interfaces
This is the one we used to connect with the RJ45


Wireshark Settings: Capture > Options

Basic, must-know / Advanced, useful for live network capture:
Select the right capture interface (NIC card)
Truncate the captured packet (ex: 120 bytes)
Check promiscuous mode when capturing mirrored traffic
Capture filter: specify only in case you know exactly what you want to capture (ex: ether[70:2]=0x0014)
Check the real-time display options if you want to see the traces displayed in real time
Save the trace while capturing
Save in multiple files, scheduled by capture duration or file size
Schedule to stop the capture
Click Start to capture the traces


Wireshark trace example

This is the DISPLAY filter, for example tcp.analysis.retransmission to display only the TCP retransmission messages.
Captured messages (time, address, protocol, info)
Protocol stack of the selected message
Header + data coded in hexa


Common display filters

udp / tcp / sctp / icmp / ranap / sccp / gtp => display only the desired protocol
sctp && ip.src==10.2.4.9 => display SCTP sent from the source having IP@ 10.2.4.9
sctp || tcp => display SCTP or TCP messages (both TCP & SCTP will be displayed)
tcp.analysis.retransmission => display the TCP retransmission messages
tcp.analysis.lost_segment => display "previous segment lost"
vlan.id == 123 => display the messages having VLAN ID 123
For more about filter expressions, go to Expression


Quick Analysis

Statistics > Flow graphs
Analyze > Expert Infos
Statistics > TCP stream graph



Wireshark overview: timestamp format

[Date and Time] & [Time of day]: useful for checking the day and time of measurement
[Seconds Since Beginning]: useful for checking trigger points and analyzing time-spans
[Seconds Since Previous]: useful for inter-packet arrival time interpretation


TCP trace

Essential to display the time-sequence graph to analyze the TCP traffic
Usage: detailed analysis of TCP flow control, ACK shapes, spotting retransmissions and losses
Useful only with traces close to the TCP data source (FTP server for DL or UE for UL)
Select a data packet (not an ACK packet) and go to Statistics, then TCP Stream Graph and Time-Sequence Graph (tcptrace)
Zoom: left-click; Unzoom: SHIFT + left-click
Find packet: CTRL + left-click on a packet (the packet will be highlighted)
Move the time or sequence number axis: right-click


Throughput graph

Displays the instantaneous throughput calculated by Wireshark
Usage: throughput dynamics (bandwidth changes, etc.)
Select a data packet (not an ACK packet) and go to Statistics, then TCP Stream Graph and Throughput Graph


RTT graph

Displays the TCP RTT: the delta between a segment and its ACK. Makes sense only at the sender side.
Usage: check the E2E RTT (it will include buffering time if applicable). Check RTT versus packet losses (possible overflow). Check whether TCP is not filling up the E2E buffers (low RTT = HSPA RTT).
Select a data packet (be careful not to choose an acknowledgement packet) and go to Statistics, then TCP Stream Graph and RTT Graph


In-flight data graph

Displays in-flight TCP data: useful at the sending side only.
Usage: follow the dynamics of CWIN / in-flight data versus packet loss (buffer overflow)
Select a data packet (be careful not to choose an acknowledgement packet) and go to Statistics, then IO Graphs


Capture in live network
Things to know


How to capture in live network? Just a reminder about live:

The volume of captured traffic is BIG
Traffic rate can reach up to hundreds of Mbps
One or two minutes of capturing can generate a 1 GB trace
Normal Wireshark capturing => out of memory after less than 3 minutes
Not trivial to follow your individual call

How to capture on live?

Use Windump to capture the trace

Use Wireshark:
1. Specify the capture filter to take only the desired traffic flow
2. Limit the packet size: truncate to take only the header of each packet
3. Save the trace in multiple small files


Use Windump to capture the trace

Options to be used with Windump:
windump -D : display the interfaces
windump -i 2 -F filter.txt -s 120 -C 200 -w filename.pcap
  -i 2              interface number
  -F filter.txt     capture filter expression (see next slide)
  -s 120            each packet size (bytes)
  -C 200            each file size (unit: 1 MB)
  -w filename.pcap  trace file name

Advantages
Low resource consumption while capturing (low probability of packets being dropped)
Takes big traces with long duration, no out-of-memory issue

3.1 Example of capture filter design: from Ethernet stack

Filter the IuPS User Plane trace of the UE whose IP@ is 188.45.9.195
The source IP@ 188.45.9.195 is coded in hexa as 0xbc2d09c3 (4 bytes), starting from byte 66
Similarly, the destination IP@ 188.45.9.195 is coded with 4 bytes, starting from byte 70
[Hex dump of a captured frame with byte positions 0, 16, 66, 70 and 74 marked]

Capture filter:
ether[66:4]=0xbc2d09c3 or ether[70:4]=0xbc2d09c3

Note: if VLAN cannot be captured, the filter becomes
ether[62:4]=0xbc2d09c3 or ether[66:4]=0xbc2d09c3



3.1 Example of capture filter design: from UDP stack

To avoid depending on the VLAN tag capturing capability, the capture filter can be designed from the UDP stack (instead of Ethernet)
[Hex dump of a captured frame with UDP-relative byte positions 0 and 32 marked]

Capture filter:
udp[32:4]=0xbc2d09c3

Another option to filter the IuPS User Plane trace of the UE whose IP@ is 188.45.9.195:
udp[28:4]=0xbc2d09c3 or udp[32:4]=0xbc2d09c3


3.1 Specify the capture filter

Specify the filter string in the Capture Filter field

How to design the filter?
Identify what you want to trace:
User plane traffic of a UE (with known IP@) on IuPS, FTP data only, traffic flow with VLAN ID tag
Identify where and how this information is coded:
Hexa info in the Wireshark trace
Write down the capture filter:
ether[start_pos:byte_length]=0xhexa_info

Some common capture filters

User plane IuPS of a UE with known IP@:
udp[28:4]=0xUE_IP_hexa or udp[32:4]=0xUE_IP_hexa
or, with VLAN captured: ether[66:4]=0xUE_IP_hexa or ether[70:4]=0xUE_IP_hexa

FTP flow only (ftp port + ftp-data port) (without VLAN):
ether[70:2]=0x0014 or ether[72:2]=0x0014 or ether[70:2]=0x0015 or ether[72:2]=0x0015

GTP trace (without VLAN): ether[42:1]=0x30
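The offsets on these slides (66/70 with a VLAN tag, 62/66 without, 28/32 relative to UDP, 42 for the GTP flags byte, 70/72 for the TCP ports) all follow from the header sizes of the encapsulation: Ethernet 14 bytes, 802.1Q tag 4, outer IPv4 20, UDP 8, GTP-U 8 (no optional fields), inner IPv4 20, then TCP. The script below is an added example, not part of the slide deck or of Wireshark/Windump: it derives the offsets from that layout, builds a constructed GTP-U frame (all addresses, TEID and ports are made up; only 188.45.9.195 is taken from the slides), and evaluates filters of the slides' `proto[start:len]=0xhex` shape against it with a small evaluator of its own, so the VLAN shift can be seen rather than trusted.

```python
import re
import struct

UE_IP = "188.45.9.195"          # UE address from the slides -> 0xbc2d09c3
GTPU_PORT = 2152                # GTP-U user plane runs over UDP port 2152

# one 'proto[start:len]=0xhex' term of a tcpdump/Windump capture filter
_TERM = re.compile(r"(ether|udp)\[(\d+):(\d+)\]\s*=\s*0x([0-9a-fA-F]+)")


def ip_to_hex(addr):
    """'188.45.9.195' -> 0xbc2d09c3, the form used in ether[off:4]=0x... filters."""
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def layout(vlan):
    """Offset of each header from the start of the frame, with the header sizes
    the slide offsets imply: Ethernet 14, 802.1Q tag 4, outer IPv4 20 (no
    options), UDP 8, GTP-U 8 (no optional fields), inner IPv4 20, then TCP."""
    off = {"outer_ip": 14 + (4 if vlan else 0)}
    off["udp"] = off["outer_ip"] + 20
    off["gtp"] = off["udp"] + 8
    off["inner_ip"] = off["gtp"] + 8
    off["inner_src"] = off["inner_ip"] + 12    # IPv4 source address field
    off["inner_dst"] = off["inner_ip"] + 16    # IPv4 destination address field
    off["tcp_sport"] = off["inner_ip"] + 20    # first two bytes of the TCP header
    off["tcp_dport"] = off["tcp_sport"] + 2
    return off


def build_frame(vlan, inner_src, inner_dst, sport, dport):
    """Constructed Ethernet frame; only the fields the filters look at matter."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan:
        eth += struct.pack("!HH", 0x8100, 123)          # 802.1Q tag, VLAN ID 123
    eth += struct.pack("!H", 0x0800)                    # EtherType IPv4
    outer_ip = b"\x45" + b"\x00" * 11 + bytes([10, 2, 4, 9]) + bytes([10, 2, 4, 10])
    udp = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 0, 0)
    gtp = struct.pack("!BBHI", 0x30, 0xFF, 0, 0x1234)   # v1/PT=1 flags, T-PDU, length, TEID
    inner_ip = (b"\x45" + b"\x00" * 8 + b"\x06" + b"\x00\x00"   # protocol 6 = TCP
                + ip_to_hex(inner_src).to_bytes(4, "big")
                + ip_to_hex(inner_dst).to_bytes(4, "big"))
    tcp = struct.pack("!HH", sport, dport) + b"\x00" * 16
    return eth + outer_ip + udp + gtp + inner_ip + tcp


def bpf_field(frame, base, start, length):
    """Value of the capture-filter primitive base[start:length] on this frame.
    ether[...] counts from byte 0; udp[...] counts from the outer UDP header,
    which this toy evaluator locates by checking for an 802.1Q tag itself."""
    tagged = frame[12:14] == b"\x81\x00"
    origin = 0 if base == "ether" else layout(tagged)["udp"]
    return int.from_bytes(frame[origin + start: origin + start + length], "big")


def filter_matches(frame, expr):
    """Evaluate a filter of the slides' shape: 'term or term or ...'."""
    terms = _TERM.findall(expr)
    if not terms or len(terms) != len(expr.split(" or ")):
        raise ValueError("unsupported filter: " + expr)
    return any(bpf_field(frame, base, int(s), int(n)) == int(h, 16)
               for base, s, n, h in terms)


def slide_filters(ue_ip):
    """The filters quoted on the slides, regenerated from layout() so the
    origin of 62/66/70, 28/32 and 42 is visible."""
    ue = "0x%08x" % ip_to_hex(ue_ip)
    tagged, plain = layout(True), layout(False)
    return {
        "ether_vlan": f"ether[{tagged['inner_src']}:4]={ue} or ether[{tagged['inner_dst']}:4]={ue}",
        "ether_novlan": f"ether[{plain['inner_src']}:4]={ue} or ether[{plain['inner_dst']}:4]={ue}",
        "udp": (f"udp[{plain['inner_src'] - plain['udp']}:4]={ue}"
                f" or udp[{plain['inner_dst'] - plain['udp']}:4]={ue}"),
        "gtp_novlan": f"ether[{plain['gtp']}:1]=0x30",     # GTP-U v1 flags byte
    }


if __name__ == "__main__":
    filters = slide_filters(UE_IP)
    for name, expr in filters.items():
        print(f"{name:13s} {expr}")
    # tagged frame with the UE as destination: the VLAN filter hits, the no-VLAN one misses
    tagged = build_frame(True, "10.0.0.1", UE_IP, 80, 1234)
    print("tagged frame, VLAN filter:   ", filter_matches(tagged, filters["ether_vlan"]))
    print("tagged frame, no-VLAN filter:", filter_matches(tagged, filters["ether_novlan"]))
```

One caveat the evaluator glosses over: real libpcap resolves `udp[...]` on the assumption that the frame is untagged unless the expression starts with the `vlan` keyword, so the plain `udp[28:4]` form is the right one exactly when the NIC strips the tags (the slide's case); when the tags do reach the capture, write `vlan and (udp[28:4]=... or udp[32:4]=...)` instead.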



3.2 Limit the captured packet size

Advantages:
Truncates each captured packet from the beginning to the specified length
Gives a small trace file: easy to store & post-process
Same feature as tcpdump or windump

Be careful:
A too-small truncation length will not keep all the useful header information
Truncating packets (without a capture filter) gives the same out-of-memory issue
Statistics (like data flow rate, throughput) cannot be obtained from packet-truncated traces

Recommended value: 120 bytes
Limit each packet to 120 bytes if you want to take the whole IuPS traffic
[Screenshot: this HTTP packet is truncated at 120 bytes]


3.3 Save in multiple small files

It is recommended to name the trace before capturing (and to specify the folder where to store it as well):
In case of issues with Wireshark (out of memory), the trace is already saved
Saving a big trace after capturing takes a lot of time
It is hard to stop capturing the trace with Wireshark on a live network

Advantages:
Avoids the out-of-memory issue
Eases taking traces on a live network (with the possibility to schedule the capture)
"Stop capture" can be used to schedule the capturing

Example: file name Iu_PS_test1; each file will be captured during 1 minute; stop capturing after 10 files (10 minutes)


Wireshark trace Analysis


Packet loss detection

TCP trace
To detect suspected packet loss & retransmission with TCP in Wireshark, use the filters:
tcp.analysis.retransmission, tcp.analysis.fast_retransmission, tcp.analysis.lost_segment
Useful to determine the network segment having packet loss

[Diagram: three sniffers along the path, each showing the TCP packet with seq no=123 (not relative sequence number)]
The TCP packet with tcp.seq == 123 is sent twice by the UE and both packets can be seen at sniffer 2. But at sniffer 3, we only see the retransmitted packet.

Packet loss detection

SCTP trace (Iu, native Iub)
Compare the number of SCTP heartbeats & heartbeat ACKs: loss of heartbeat packets
Telephony > SCTP > Analyze this Association > Chunk statistics
Check the duplicated TSN number in SACK messages:
sctp.sack_number_of_duplicated_tsns != 0 => loss of SCTP DATA packets


Packet loss detection

RTP trace (IuCS over IP)
Telephony > RTP > Stream Analysis
[Screenshot: stream analysis showing no RTP loss]


Check UDP flow throughput

Check the UDP throughput on a UE/IuPS UDP Iperf flow
Use Statistics > Conversation List > UDP to get the UDP transfer statistics (server IP address, UE IP address, packets, duration). The throughput shown there covers Ethernet + IP + Transport + App.
Determine the UL transfer throughput: Wireshark does not give the application throughput, which can be calculated by:
App_Thr = Packets * pkt_size * 8 / Duration
Note: if limit packet size is applied, no statistics info is available
[Screenshot: App_Thr = 1.54 Mbps for the example flow]

How to compute the UDP Iperf loss rate?

Main ideas
Use the Wireshark UDP Iperf trace (UE, IuPS, Gn, Gi, UDP server side trace)
Loss can be detected with UDP Iperf: the UDP datagram ID starts from 0 and is incremented at each UDP segment (used to detect packet loss)
[Screenshot: trace of the UE UP captured at IuPS, showing the 1st, 2nd and 3rd UDP packets with their IDs]
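The two slides above (application throughput from `App_Thr = Packets * pkt_size * 8 / Duration`, and loss from the Iperf datagram ID) can be done in one pass over the packets of the UDP conversation. The script below is an added example, not from the slide deck or from iperf: it assumes the iperf2 payload layout (a 32-bit big-endian datagram ID in the first four payload bytes, followed by two 32-bit timestamp words; iperf2 negates the ID of its final datagram to mark the end of the test) and works on constructed records of (capture time, UDP payload) such as one would export for one UDP conversation. It tolerates the cases the slide's simple "ID increments by one" description does not spell out: duplicates, reordering and a terminator datagram.

```python
import struct

IPERF_HDR = struct.Struct("!iII")   # iperf2 UDP payload header: id, tv_sec, tv_usec


def iperf_id(payload):
    """Datagram sequence number from the first 4 bytes of the iperf2 UDP payload."""
    return IPERF_HDR.unpack_from(payload)[0]


def make_datagram(dgram_id, size=1470):
    """Constructed iperf-style UDP payload of `size` bytes carrying dgram_id."""
    return IPERF_HDR.pack(dgram_id, 0, 0) + b"\x00" * (size - IPERF_HDR.size)


def app_throughput_bps(records):
    """App_Thr = Packets * pkt_size * 8 / Duration (the slide's formula), with
    pkt_size taken per packet as the UDP payload length, so the result excludes
    the Ethernet/IP/UDP overhead included in Wireshark's conversation byte
    count. Duration is first-to-last packet time at this sniffing point."""
    if len(records) < 2:
        raise ValueError("need at least two packets to measure a duration")
    duration = records[-1][0] - records[0][0]
    return sum(len(payload) for _, payload in records) * 8 / duration


def udp_loss(records):
    """Loss visible at this sniffing point: IDs in 0..max(seen) never observed.
    A duplicate is counted once and a reordered datagram is not a loss."""
    seen = set()
    for _, payload in records:
        if len(payload) < IPERF_HDR.size:
            continue                      # header truncated away: no ID to count
        dgram_id = iperf_id(payload)
        if dgram_id >= 0:                 # negative ID = iperf2 end-of-test marker
            seen.add(dgram_id)
    if not seen:
        raise ValueError("no iperf datagram IDs in trace")
    expected = max(seen) + 1              # IDs start at 0
    lost = expected - len(seen)
    return {"expected": expected, "received": len(seen), "lost": lost,
            "loss_rate": lost / expected,
            "missing_ids": sorted(set(range(expected)) - seen)}


def constructed_trace():
    """Nine captured datagrams at 10 ms spacing: IDs 3 and 7 never arrive,
    ID 5 is seen twice (duplicate) and ID 9 overtakes ID 8 (reordering)."""
    order = [0, 1, 2, 4, 5, 5, 6, 9, 8]
    return [(0.01 * k, make_datagram(i)) for k, i in enumerate(order)]


if __name__ == "__main__":
    trace = constructed_trace()
    print("App_Thr: %.3f Mbps" % (app_throughput_bps(trace) / 1e6))
    print("loss:", udp_loss(trace))
```

The split matters for truncated captures (the 120-byte limit recommended earlier): the datagram ID sits in the first payload bytes and survives truncation, so `udp_loss` still works on such a trace, whereas `app_throughput_bps` needs the full payload length (or the original length recorded in the pcap header), which is the reason the slide says no statistics are available once the packet size is limited.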


How to compute the TCP retransmission rate?

Main ideas
Use the Wireshark FTP trace at UE, IuPS, Gn, Gi, FTP server
Retransmission is detected based on the TCP sequence number
The real sequence number is used instead of the relative sequence number: Edit > Preferences, uncheck "relative sequence numbers"
More than one packet with the same sequence number => retransmission
[Screenshot: sniffer 4 trace; seq no=3698364802 (not relative seq) appears twice, and tcp.seq == 3698556853 appears twice]
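The retransmission-rate slide and the earlier TCP packet-loss slide (seq 123 seen twice at sniffer 2, once at sniffer 3) describe the same procedure: find absolute sequence numbers that appear more than once, then walk the sniffing points from the sender outward to see where the first copy disappears. The script below is an added example, not from the slide deck; it takes per-sniffer lists of (time, absolute seq, payload length) for one direction of a flow, all constructed here, and defines the retransmission rate as retransmitted data segments over all data segments seen at that point (the slide gives no formula, so that definition is this example's choice).

```python
from collections import Counter


def data_segments(trace):
    """Keep only segments that carry payload: ACK-only segments (the ones the
    graph slides say not to select) are not retransmitted data."""
    return [(t, seq) for t, seq, length in trace if length > 0]


def retransmissions(trace):
    """Retransmitted segments = later copies of an already-seen absolute
    sequence number. Returns (Counter{seq: extra copies}, retransmission rate),
    the rate being retransmitted segments over all data segments at this point."""
    segs = data_segments(trace)
    copies = Counter(seq for _, seq in segs)
    retrans = Counter({seq: n - 1 for seq, n in copies.items() if n > 1})
    rate = sum(retrans.values()) / len(segs) if segs else 0.0
    return retrans, rate


def localize_loss(traces):
    """traces: [(sniffer name, trace), ...] ordered from the sender towards the
    receiver. For every seq the sender retransmitted, the original copy was
    lost on the link after the last sniffer that still saw both copies.
    Returns {seq: (last sniffer with both copies, first sniffer with one)};
    the second element is None when every sniffer saw both copies (loss beyond
    the last tap, or a retransmission caused by a lost ACK rather than lost data)."""
    sender_name, sender_trace = traces[0]
    result = {}
    for seq in retransmissions(sender_trace)[0]:
        last_with_both, first_with_one = sender_name, None
        for name, trace in traces[1:]:
            n = sum(1 for _, s in data_segments(trace) if s == seq)
            if n > 1:
                last_with_both = name
            else:
                first_with_one = name
                break
        result[seq] = (last_with_both, first_with_one)
    return result


def constructed_traces():
    """UL FTP data from the UE seen at four points from sender to receiver. The
    original copy of seq 2460 is lost between the IuPS and Gi sniffers: both
    copies appear up to IuPS, only the retransmission (t=0.25) after it."""
    mss = 1460
    ue = [(0.000, 1000, mss), (0.010, 2460, mss), (0.020, 3920, mss),
          (0.030, 5380, 0),             # ACK-only segment, ignored
          (0.250, 2460, mss),           # retransmission after the RTO
          (0.260, 5380, mss)]
    iups = [(t + 0.005, s, n) for t, s, n in ue]
    gi = [(t + 0.020, s, n) for t, s, n in ue if not (s == 2460 and t < 0.1)]
    server = [(t + 0.010, s, n) for t, s, n in gi]
    return [("UE", ue), ("IuPS", iups), ("Gi", gi), ("FTP server", server)]


if __name__ == "__main__":
    traces = constructed_traces()
    for name, trace in traces:
        retrans, rate = retransmissions(trace)
        print(f"{name:11s} retransmitted seqs={dict(retrans)} rate={rate:.1%}")
    print("lost between:", localize_loss(traces))
```

Capture all points with relative sequence numbers turned off, as the slide says: with Wireshark's default relative numbering, the same segment gets different numbers in different traces and cannot be matched across sniffers.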


TCP bad checksum problem

When the checksum is bad, the packet is rejected, thus retransmitted. Check the checksum at the different network segments.

Checksum at FTP server (computed by Wireshark, the one added in the packet): 0x3d28
Checksum at CE-RNC (Iu-PS): 0x3d28 [incorrect, should be 0x6f48]
This is the checksum value inside the packet (added at the FTP server); the checksum computed by Wireshark at the CE-RNC side is different from the one inside the packet.
Checksum at UE side: same values as at the CE-RNC
Further example values seen at the CE-RNC and UE side: 0x3d1c [incorrect, should be 0x1623]; 0x3d10 [correct]

=> The TCP checksum error happened between the FTP server and the CE (on the Iu-PS interface). The checksum errors are related to IP transmission errors such as toggled, missing or duplicated bits.
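Wireshark's "[incorrect, should be ...]" is the result of recomputing the TCP checksum over the IPv4 pseudo-header and the TCP segment and comparing it with the value in the header. The script below is an added example, not from the slide deck or from Wireshark: it performs that recomputation on a constructed IPv4/TCP packet (addresses, ports and payload are made up; only the absolute sequence number 3698364802 is taken from the slides), then toggles a single bit, as in the transmission errors the slide mentions, to show the mismatch the slide's 0x3d28 vs 0x6f48 pair represents. The slide's own checksum values are not reproduced.

```python
import struct


def ones_complement_sum(data):
    """16-bit one's complement sum with end-around carry; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, tcp_segment):
    """RFC 793 checksum over the IPv4 pseudo-header (src, dst, zero, protocol 6,
    TCP length) plus the TCP header and data with the checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp_segment))
    zeroed = tcp_segment[:16] + b"\x00\x00" + tcp_segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def check_packet(ipv4_packet):
    """(checksum in packet, checksum computed, ok) for an IPv4 packet carrying
    TCP: the two numbers Wireshark shows as 'checksum' and 'should be'."""
    ihl = (ipv4_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ipv4_packet[2:4])[0]
    src, dst = ipv4_packet[12:16], ipv4_packet[16:20]
    tcp = ipv4_packet[ihl:total_len]
    in_packet = struct.unpack("!H", tcp[16:18])[0]
    computed = tcp_checksum(src, dst, tcp)
    return in_packet, computed, in_packet == computed


def build_packet(src, dst, payload):
    """Constructed IPv4/TCP packet (FTP control port, the slide's absolute seq
    number) with a correct TCP checksum; the IP header checksum is left at 0."""
    tcp = struct.pack("!HHIIBBHHH", 21, 40000, 3698364802, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    return ip + tcp


def flip_bit(packet, index, bit):
    """Simulate the transmission error the slide mentions: one toggled bit."""
    damaged = bytearray(packet)
    damaged[index] ^= 1 << bit
    return bytes(damaged)


if __name__ == "__main__":
    server, ue = bytes([10, 2, 4, 9]), bytes([188, 45, 9, 195])   # constructed addresses
    pkt = build_packet(server, ue, b"150 Opening BINARY mode data connection\r\n")
    for label, p in (("as sent by server", pkt),
                     ("payload bit toggled", flip_bit(pkt, 40, 3)),
                     ("IP src bit toggled", flip_bit(pkt, 12, 0))):
        in_pkt, computed, ok = check_packet(p)
        verdict = "correct" if ok else "incorrect, should be 0x%04x" % computed
        print(f"{label:20s} checksum 0x{in_pkt:04x} [{verdict}]")
```

Two things to keep in mind when reading the values across sniffers, as the slide does: a bit error in the IP source or destination address also shows up as a TCP checksum error, because both addresses are part of the pseudo-header; and a capture taken on the sending host itself (rather than a mirrored or tapped link) can show bad checksums that never existed on the wire, because a NIC with checksum offload fills the field in after the packet has passed the capture point.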


Thank you

1. This slide package is dedicated to VNTelecom folks!
2. If you want to reuse any part of these slides, please contact me beforehand.
3. If you have any questions/comments, please address them to me at nvqthinh@vntelecom.org
