
Signaling and Protocol Analyzer - Wireshark Trickz
Sathish Kumar S
sathish.s@nokia.com

30-Dec-2016

1
1/25/17
Nokia 2014 - Author: Sathish S
Confidential- Only for internal purpose

Topics
Basic Signaling involved in 2G/3G/4G.
Case-Study1: Working with Wireshark and filtering techniques for 2G/3G
Case-Study2: Working with Wireshark and filtering techniques for 4G

2G/3G Signaling Messages

Send Authentication Info (SAI)
Used between the VLR/SGSN and the HLR for the VLR/SGSN to retrieve authentication information from the HLR.

Location update (LUP)
Manages the storage of the mobile subscriber's location in terms of MSC/VLR and SGSN address, that is, the MS registering in a network/PLMN. The HLR then sends an Insert Subscriber Data (ISD) message to the VLR/SGSN to provide all subscriber parameters at location updating or when modifications (additions and changes) of subscriber data are required.

Mobile terminated call (MTC) handling services
Call handling services comprise the MAP operations to support mobile terminated calls, that is, the retrieval of a roaming number from the VLR to the GMSC over NTHLR.

Short message service (SMS)-MT
Provides routing information for short messages, stores message waiting data (address of the associated service center) if the mobile subscriber cannot be reached, and alerts the service center on re-reachability.

2G/3G Signaling Messages

Unstructured supplementary service data (USSD)
The USSD mechanism enables a mobile station (MS) user and a PLMN-operator defined application to communicate in a way which is transparent to the MS and to intermediate network entities. The USSD feature also supports the relay of information to the SCP/CSE, in order to support IN/CAMEL services such as USSD account enquiry for a prepaid mobile subscriber.
Network Initiated (push notification for remaining balance after a call).
Mobile Initiated (request to check balance or to subscribe to a service).

Purge MS
The Purge MS service is used between the SGSN/VLR and the HLR. It causes the HLR to mark the purged flag as TRUE for an MS so that the MS will be treated as not reachable. It is invoked when the subscriber record for the MS is to be deleted in the SGSN/VLR.

Cancel Location
The HLR sends a Cancel Location message to the VLR/SGSN when an MS needs to be removed from its local database.

2G/3G Signaling Messages

Provide Roaming Number (PRN)
The PRN request message is initiated at the HLR to perform the interrogation of the current VLR in order to route a call towards a mobile subscriber. In response to the Provide Roaming Number indication, the VLR will return either a Mobile Station's roaming number or an error (absent subscriber). This is invoked when the HLR receives a SEND ROUTING INFORMATION request from the MSS.

Send Routing Information (SRI)
The MSS sends SRI-MT to the HLR when a call is required to be routed to a mobile subscriber (MS). When the HLR receives an SRI request, this invokes the PROVIDE ROAMING NUMBER (PRN) request to the current VLR. The VLR, in response to the PRN request, returns the MSRN to the HLR, which relays it back to the MSS.

Send Routing Info for SM
The (G)SMSC sends a SendRoutingInfoForSM request when a short message is required to be routed to an MS. The SRM Ack returns the VLR number which is stored in the HLR database. If the subscriber is not reachable, the HLR will return the result with the error AbsentSubscriber.

Wireshark Trickz to Filter Trace: SAI

Types of Authentication Vectors
3G: Quintet (RAND, XRes, Ck, Ki, AUTN)
2G: Triplet (RAND, SRes, Kc)
RAND - Random Number
XRes - eXpected Response
SRes - Signed Response
Ck/Kc - Cipher Key
Ki - Integrity key
AUTN - AUThentication tokeN

SAI: 414050000024585

Wireshark Trickz to Filter Trace: LUP

LUP: 414050000002497 & G-LUP: 414050000024582

Wireshark Trickz to Filter Trace: Purge MS

PurgeMS: 414050000002497

Wireshark Trickz to Filter Trace: Cancel-LUP

Cancel-LUP: 414050000043563

Wireshark Trickz to Filter Trace: SRI-MT

SRI & PRN: 959971350574(B)

Wireshark Trickz to Filter Trace: SRI-SM

SRI-SM: 959971358444(B)

Wireshark Trickz to Filter Trace: USSD

P-USSD: 414051001689546 & Push-Notify: 414051002312189

Wireshark Trickz to Filter Trace: End-End Call

GuruKool.pcap

A: 959976019084, 414051000516431
B: 959971350574, 414050000002412

LTE Architecture


S6a/S6d [MME/SGSN <--> HSS]

Sometimes the S6a/S6d interfaces are treated as two separate interfaces, but here we treat them as a single one because both have the same application identifier (16777251). The S6a interface is between MME and HSS, and the S6d interface is between SGSN and HSS.

This section gives an abstract of the S6a/S6d interface. In an LTE network the HSS (Home Subscriber Server) is a database that contains authentication information and subscriber data such as associated services, location information etc. The MME takes care of the mobility of the UE/subscriber. This interface is used to authenticate the subscriber, to provide services to the subscriber, and to store the location information of the subscriber sent by the MME. There are eight messages exchanged between MME/SGSN and HSS. Four of them are invoked by the MME and the remaining four are invoked by the HSS.

1) AIR/AIA (Authentication-Information-Request/Answer): The MME fetches authentication data from the HSS to authenticate the subscriber.

2) ULR/ULA (Update-Location-Request/Answer): The MME stores its own identity at the HSS and fetches subscription data from the HSS.

3) PUR/PUA (Purge Request/Answer): The MME informs the HSS that the UE has been inactive for a long period, which is why the MME has deleted from its end the subscription data received in the previous ULR.

4) IDR/IDA (Insert-Subscription-Data-Request/Answer): Invoked by the HSS only when a subscriber is attached and there is a change in the subscriber profile at the HSS end; the same change is then to be reflected in the subscriber profile at the MME end (sent in ULA) as well.

5) CLR/CLA (Cancel-Location-Request/Answer): Invoked by the HSS to detach the subscriber.
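
The following added example, not from the original slides, shows how the S6a/S6d messages listed above can be told apart in a raw Diameter message: by the application identifier 16777251 and the command code, with the IMSI read from the User-Name AVP. The command codes (3GPP TS 29.272), the helper names and the sample message are assumptions added here; the IMSI is the one used in the EPS Attach filter on this page.

```python
S6A_APP_ID = 16777251  # application identifier stated on the slide
# Command codes from 3GPP TS 29.272 for the five procedures listed above.
S6A_COMMANDS = {316: "UL", 317: "CL", 318: "AI", 319: "ID", 321: "PU"}
USER_NAME_AVP = 1      # RFC 6733 User-Name AVP; S6a carries the IMSI in it

def u(b):
    """Big-endian unsigned integer from bytes."""
    return int.from_bytes(b, "big")

def encode_avp(code, data, flags=0x40):
    """Build one AVP without Vendor-Id (only used for the sample below)."""
    length = 8 + len(data)
    pad = b"\x00" * (-length % 4)
    return code.to_bytes(4, "big") + bytes([flags]) + length.to_bytes(3, "big") + data + pad

def encode_message(cmd, app_id, avps, request=True):
    """Build a Diameter message: 20-byte header followed by the AVPs."""
    body = b"".join(avps)
    head = bytes([1]) + (20 + len(body)).to_bytes(3, "big")
    head += bytes([0x80 if request else 0]) + cmd.to_bytes(3, "big")
    # Hop-by-Hop and End-to-End identifiers are constructed (all zero).
    return head + app_id.to_bytes(4, "big") + bytes(4) + bytes(4) + body

def parse_s6a(msg):
    """Return (name, imsi) for an S6a/S6d message, None for other traffic."""
    if len(msg) < 20 or msg[0] != 1:
        raise ValueError("not a Diameter version 1 header")
    length = u(msg[1:4])
    if length != len(msg) or length % 4:
        raise ValueError("header length does not match the buffer")
    flags, cmd, app_id = msg[4], u(msg[5:8]), u(msg[8:12])
    if app_id != S6A_APP_ID or cmd not in S6A_COMMANDS:
        return None
    name = S6A_COMMANDS[cmd] + ("R" if flags & 0x80 else "A")
    imsi, off = None, 20
    while off + 8 <= length:
        code, avp_flags, avp_len = u(msg[off:off + 4]), msg[off + 4], u(msg[off + 5:off + 8])
        hdr = 12 if avp_flags & 0x80 else 8   # V bit set: Vendor-Id follows
        if avp_len < hdr or off + avp_len > length:
            raise ValueError("AVP length runs past the message")
        if code == USER_NAME_AVP and not avp_flags & 0x80:
            imsi = msg[off + hdr:off + avp_len].decode("ascii")
        off += avp_len + (-avp_len % 4)        # AVPs are padded to 4 bytes
    return name, imsi

# Constructed sample: an AIR for the IMSI used in the EPS Attach filter on this page.
SAMPLE_AIR = encode_message(318, S6A_APP_ID, [
    encode_avp(263, b"mme.example;1;1"),   # Session-Id, constructed value
    encode_avp(USER_NAME_AVP, b"268060000000001"),
])
```

In Wireshark the same selection is the display filter `diameter.applicationId == 16777251 && diameter.cmd.code == 318`.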


EPS Attach
e212.imsi == "268060000000001"

D:\userdata\sats\
Desktop\GuruKool\4 succe


1) After the RRC connection has been completed, the UE attaches to the LTE network by sending an Attach Request to the MME. The S1AP InitialUEMessage that delivers the Attach Request contains the TAI and ECGI to inform the network of its location.
2) Upon receiving the Attach Request, the MME performs the LTE authentication and security measurement with the UE. The HSS will provide the authentication information.
3) Once authentication succeeds, the MME updates the location of the UE at the HSS by sending an UpdateLocationRequest that contains the PLMN identifier (i.e., MCC and MNC).
4) The MME creates a GTP-C session with the SGW/PGW by sending the Create Session Request, which contains the Serving-Network IE for the PLMN ID and the User Location Info IE for the TAI and ECGI; the TEID of the MME is created. The P-GW allocates an IP address to the terminal (static/dynamic/DHCP) and notifies the S-GW of this information. This process establishes a continuous core-network communications path between the P-GW and the S-GW for the allocated IP address.
5) The P-GW triggers the Credit-Control-Request (CCR) to the PCRF. The CCR contains the 3GPP-User-Location-Info AVP to accommodate the TAI and ECGI. The PCRF will enforce any rules or policy to be applied to the user in the CCA.

6) After the CCA from the PCRF, the S-GW prepares a radio access bearer from itself to the eNodeB and sends a create session response signal to the MME. The create session response signal contains information required to configure the radio access bearer from the eNodeB to the S-GW, including information elements issued by the S-GW and the IP address allocated to the terminal. The TEID between SGW/PGW will be available now for the GTP-U and GTP-C tunnel.
7) The MME sends the information in the create session response signal to the eNodeB in an initial context setup request signal. Note that this signaling also contains other notifications such as the attach accept, which is the response to the attach request. The Attach Request contains the Tracking Area List (TAL), which is the list of TAIs to which the UE is implicitly registered by the network. Henceforth, the UE does not need to update its location when it moves within the given TAL; the intention is to reduce the traffic regarding the TAU. When the terminal receives the attach accept, it sends an attach complete response to the MME, notifying that processing has completed.
8) The UE establishes the E-RAB with the eNB and sends the Accept Complete to the MME. It also configures the radio access bearer from the eNodeB to the S-GW and sends an initial context setup response to the MME. The initial context setup response contains information elements issued by the eNodeB required to establish the radio access bearer from the S-GW to the eNodeB (i.e., it contains the TEID of the eNB for the S1U tunnel).
9) The MME requests the SGW/PGW to establish the S1 bearer (S1U) by sending a Modify EPS bearer request. The S-GW completes configuration of the previously prepared radio bearer from the S-GW to the eNodeB and sends a modify bearer response to the MME.
10) A communications path from the terminal to the P-GW is established, enabling communication with the default PDN. If the terminal performs no communication for a set period of time, the always-on connection function described above releases the radio control link (E-RAB), the LTE radio data link, and the LTE radio access bearer, while maintaining the core network communications path.


Appendix


S1-AP identifies the signaling messages transferred between the MME and the eNodeB.
The eNodeB and the MME each assign a separate S1-AP ID:

eNB S1-AP UE ID

MME S1-AP IE ID

These two IDs are used to control the messages between the MME and the eNodeB on the S1 interface.

Globally Unique Temporary Identity (GUTI)

The GUTI is allocated to the UE by the MME.
The purpose of the GUTI is to provide an unambiguous identification of the UE that does not reveal the UE or the user's permanent identity in the Evolved Packet System (EPS).
It can be used by the network and the UE to establish the UE's identity during signalling between them in the EPS.