Equipment installation

Mirroring option: Recommended UL & DL traffic from multiple GIGE interfaces can be captured
Iu-PS/Iu-CS
mirroring Lp/14, Eth/x

SGSN/MSC Iub (IP link)

Ethernet Fiber

Iux over IP Iux over IP

RNC
Lp/15, Eth/x

Router

RJ45 (ETH cable)

Mirroring port

PC ETH card

(if the router does not have Ethernet port, an Optical-Copper SFP is needed)

1 | Presentation Title | January 2009

ETH card

Equipment installation
Splitter option One way traffic from only one GIGE interface can be captured
Lp/14, Eth/x

Iux over IP

Iub (IP link)

Ethernet Fiber

RNC
Lp/15, Eth/x Rx slot

Router RJ45 (ETH cable)

PC

Optical Ethernet Converter

Both UL & DL traffic from one GIGE interface can be captured

Lp/14, Eth/x

Iux over IP

Iub (IP link)

Ethernet Fiber

RNC
Lp/15, Eth/x Rx slot Rx slot 2 | Presentation Title | January 2009

Router RJ45 (ETH cable)

Switch 6850 with 2 Optical Ports (2 SFP)

PC

ETH card

Check list Confirm the type of fibers (SX/LX) and

connectors (LC/FC/SC) needed Mirroring option (recommended), check availability of

Mirroring capability of the access routers
The dedicated mirroring port must be configured A Copper Ethernet SFP Or an Optical Ethernet converter

If the mirroring port is Gigabit Optical, need to have Ethernet RJ-45 cable Laptop with Wireshark

Splitter option, check availability of

Optical splitters 10/100/1000Base-T to 1000Base-SX/LX converter or Omniswitch with associated SFP Ethernet RJ-45 cable Laptop with Wireshark running

3 | Presentation Title | January 2009

Wireshark setting guide

(whatever the Iux interface)

4 | Presentation Title | January 2009

Winpcap Mandatory for IP sniffing on Laptop Provided together with the Wireshark software All archived Winpcap version can be downloaded on http://www.winpcap.org/ Stable version is 4.1.beta5 or 3.1 Wireshark Wireshark version: 1.2.5 (or later), check http://www.wireshark.org Installation tip: Install Wireshark in the default folder given by cmd.exe
Useful in case you need to run Tshark tool, provided with Wireshark

Software overview

Windump Windows version of the popular tcpdump tool Used to capture the IP traffic with packet truncated size Useful & robust for capturing live network traffic Windump version 3.9.5, download from http://www.winpcap.org/ Installation tip: put Windump.exe on a reachable folder from CMD

5 | Presentation Title | January 2009

Winpcap works well means Wireshark/Windump can

How to check if Winpcap works well?

see all available network interfaces on the PC (Gigabit Ethernet, WiFi Link, Generic Adapter) capture the UE trace from Qualcomm modem/data card (needed to see Generic Adapter)

From Wireshark: OK
Generic dialup Interface Gigabit Ethernet Interface Qualcomm USB Modem

No generic dialup adapter => cannot Workaround take UE trace on this Uninstall the current Winpcap & Install the recommended stable Winpcap version PC Use another laptop PC (avoid Lenovo ThinkPad if possible)

From Windump: NOK

6 | Presentation Title | January 2009

Capturing all traffic that the network card can see (i.e. mirrored traffic)
Check capture packets in promiscuous mode in Wireshark Capture Options

PC setting for capturing in promiscuous mode

Configure a dummy IP@ for Local Area Connection

Automatic IP@ configuration can also work under many PCs

No tracing if there is a mismatch between the speed on the PC & mirroring interface (Fast/Gigabit Ethernet)
Device manager > Network adapter> Advanced > Link Speed & Duplex Auto Detect is recommended (default setting) 100Mbps/1Gbps & Full duplex is desirable (if the auto detect does not work); the selected speed depends on the speed on the mirroring interface
Force the mirroring port to the same speed as the network interface card (NIC)

7 | Presentation Title | January 2009

VLAN capture setup issue With some PC/Network Interface Cards, you

won't necessarily see the VLAN tags in packets when capturing on a VLAN

Some workaround to disable the stripping of VLAN tags.

http://wiki.wireshark.org/CaptureSetup/VLAN http://www.intel.com/support/network/sb/CS005897.htm Workaround does not necessarily work for every NIC type, so please use another PC/NIC in order to not waste too much time

8 | Presentation Title | January 2009

 Launch the Wireshark application

Wireshark: Quick Launch

icon start a new live capture icon stop the running live capture

Identity the capture interface (in our case, it is a Gigabit network connection)
Capture > Interfaces

This is the one we used to connect with the RJ45

9 | Presentation Title | January 2009

 Capture > Options

Wireshark Settings

Basic, must-know

Advanced, useful for live network capture

Select the right capture interface (NIC card) Check when capturing mirrored traffic Specify only in case you know exactly what you want to capture (ex: ether[70:2]=0x0014) Check them if you want to see the traces displayed in real-time

Truncate the captured packet (ex: 120 byte)

Save the trace while capturing Save in multiple files, scheduled by capturing duration or file size

Schedule to stop capture

Click start to capture the traces

10 | Presentation Title | January 2009

Wireshark trace example

This is the DISPLAY filter, for example, tcp.analysis.retransmission to display only the TCP retransmission messages.

captured messages (time, address, protocol, info)

Protocol stack of the selected message

Header + Data coded in hexa

11 | Presentation Title | January 2009

udp / tcp / sctp / icmp / ranap / sccp / gtp => to display only the desired protocol sctp && ip.src==10.2.4.9=> display sctp sent from the source having IP@= 10.2.4.9 sctp || tcp => display sctp or tcp message (both tcp & sctp will be displayed)

Common display filters

tcp.analysis.retransmission => display the TCP retransmission message

tcp.analysis.lost_segment => display previous segment lost

vlan.id == 123 => display the message having VLAN ID= 123
More about the filter expression, go to Expression

12 | Presentation Title | January 2009