Analyzer-Wireshark Trickz Sathish Kumar S sathish.s@nokia.com
30-Dec-2016
1 1/25/17 Nokia 2014 - Author: Sathish S Confidential- Only for internal purpose
Topics Basic Signaling involved in 2G/3G/4G. Case-Study1: Working with Wireshark and filtering techniques for 2G/3G Case-Study2: Working with Wireshark and filtering techniques for 4G
2 1/25/17 Confidential
Nokia 2014 Author: Sathish S
2G/3G Signaling Send Authentication Info (SAI) Messages Used between the VLR/SGSN and the HLR for the VLR/SGSN to retrieve authentication information from the HLR. Location update (LUP) Managing the and storage of the mobile subscribers location in terms of MSC/VLR and SGSN address. MS registering in a network/plmn. Then HLR sends an Insert Subscriber Data(ISD) message to the VLR/SGSN to provide all subscriber parameters at location updating or when modifications (additions and changes) of subscriber data are required. Mobile terminated call (MTC) handling services Call handling services comprise the MAP operations to support mobile terminated calls, that is, the retrieval of a roaming number from the VLR to the GMSC over NTHLR. Short message service (SMS)-MT Provides routing information for short messages, stores message waiting data of the2014 associated service center) if the mobile subscriber cannot be reached, and 3(address 1/25/17 Nokia Author: Sathish S Confidential alerts the service center on re-reachability.
2G/3G Signaling Unstructured supplementary service data (USSD) Messages The USSD mechanism enables a mobile station (MS) user and a PLMN-operator defined application to communicate in a way which is transparent to the MS and to intermediate network entities. USSD feature also supports the relay of information to the SCP/CSE, in order to support IN/CAMEL services such as USSD account enquiry for prepaid mobile subscriber. Network Initiated (Push notification for remaining balance after a call) Mobile Initiated (Request to check balance or to subscribe a service). Purge MS The Purge MS service is used between the SGSN/VLR and the HLR. It causes the HLR to mark purged flag as TRUE for an MS so that the MS will be treated as not reachable. It is invoked when the subscriber record for the MS is to be deleted in the SGSN/VLR. Cancel Location HLR sends Cancel Location message to the VLR/SGSN when an MS needs to be from its local database. 4 removed 1/25/17
Nokia 2014 Author: Sathish S Confidential
2G/3G Signaling Provide Roaming Number(PRN) Messages PRN request message is initiated at the HLR to perform the interrogation of the current VLR in order to route a call towards a mobile subscriber. In response to the Provide Roaming Number indication, the VLR will return either a Mobile Station's roaming number or an error(absent subscriber). This is invoked when the HLR receives SEND ROUTING INFORMATION request from the MSS.
Send Routing Information(SRI)
MSS sends Send SRI-MT to HLR when a call is required to be routed to a mobile subscriber (MS). When the HLR receives an SRI request this invokes the PROVIDE ROAMING NUMBER (PRN) request to the current VLR. The VLR, in response to the PRN request, returns the MSRN to HLR which relays it back to the MSS. Send Routing info for SM The (G)SMSC sends a SendRoutingInfoForSM request when a short message is required to be routed to a MS. The SRM Ack returns the VLR number which which is stored in the HLR database. If the subscriber is not reachable, HLR will return the result with the error 5 1/25/17 Nokia 2014 Author: Sathish S Confidential AbsentSubscriber.
Wireshark Trickz to Filter Trace:
SAI Types of Authentication Vectors
3G: Quintet ( RAND, XRes, Ck, Ki,
AUTN) 2G: Triplet ( RAND, SRes, Kc) RAND - Random Number XRes - eXpected Response SRes Signed Response Ck/Kc Cipher Key Ki Integrity key
Some times S6a/S6d interfaces are treated as two separate interfaces but herewe treat them as single because both have same application identifier(16777251).S6a interface is between MME-HSS and S6d interface between SGSN-HSS.
This section gives abstract of s6a/s6d interface. In LTE network HSS (HomeSubscriber Server) is a database that containsAuthenticationInformation andSubscriber's Data such as Services associated, Location Information etc.Where MME shall take care of mobility of UE/Subscriber. This interface isused to Authenticate Subscriber, providing services to subscriber, to storelocation information of subscriber sent by MME. There are eight messages areexchanged between MME/SGSN and HSS. Four of them are invoked by MME and rest four are invoked by HSS.
1) AIR/AIA (Authentication-Information-Request/Answer) : MME fetchesAuthentication data from
HSS to authenticate subscriber.
2) ULR/ULA (Update-Location-Request/Answer):- MME stores its ownidentity at HSS, and fetches
subscription data from HSS.
15 1/25/17 Confidential
Nokia 2014 Author: Sathish S
3) PUR/PUA (Purge Request/Answer):- MME informs the HSS that UE isinactive for a long period that why MME has deleted the Subscription Datareceived in previous ULR from its end.
4)IDR/IDA(Insert-Subscription-Data-Request/Answer):- It is invoked by HSSonly when a
subscriber is attached and there is change insubscriberprofile atHSS end then same change to be reflected at Subscriber profile at MME (sentin ULA) end as well.
5)CLR/CLA(Cancel-Location-Request/Answer):- Invoked by HSS to detachthe subscriber.
16 1/25/17 Confidential
Nokia 2014 Author: Sathish S
EPS Attach e212.imsi == "268060000000001"
D:\userdata\sats\ Desktop\GuruKool\4 succe
17 1/25/17 Confidential
Nokia 2014 Author: Sathish S
1) After RRC connection has been completed, the UE attaches to LTE network by sending Attach Request to MME.The S1AP InitialUEMessagethat delivers the Attach Requestcontains TAI and ECGI to inform the network of its location. 2) Upon receiving the Attach Request, the MME performs the LTE authentication and Security measurement with the UE. HSS will provide Auth infos. 3) Once Auth is success, MME update the location of the UE to the HSS by sending UpdateLocationRequest that contains the PLMN identifier (i.e., MCC and MNC). 4) The MME creates a GTP-C session with the SGW/PGW by sending the Create Session Request and it contains the Serving-Network IE for the PLMN ID and the User Location Info IE for TAI and ECGI, TEID of MME is created. The P-GW allocates an IP address to the terminal(static/dynamic/dhcp) and notifies the S-GW of this information. This process establishes a continuous core-network communications path between the P-GW and the S-GW for the allocated IP address. 5) The P-GW triggers the Credit-Control-Request (CCR) to the PCRF. The CCR contains the 3GPPUser-Location-Info AVP to accommodate the TAI and ECGI. PCRF will enforce if rules or policy to be applied to user in CCA. 18 1/25/17 Confidential
Nokia 2014 Author: Sathish S
6) After CCA from PCRF, The S-GW prepares a radio access bearer from itself to the eNodeB, and sends a create session response signal to the MME. The create session response signal contains information required to configure the radio access bearer from the eNodeB to the SGW, including information elements issued by the S-GW and the IP address allocated to the terminal. TEID between SGW/PGW will be available now for GTP-U&C tunnel. 7) The MME sends the information in the create session response signal to the eNodeB in an initial context setup request signal. Note that this signaling also contains other notifications such as the attach accept, which is the response to the attach request. The Attach Request contains the Tracking Area List (TAL), which is the list of TAIs to which UE is implicitly registered by the network. Henceforth, the UE does not need to update its location when it moves within the given TAL, thereby the intention is to reduce the traffic regarding the TAU. When the terminal receives the attach accept, it sends an attach complete response to the MME, notifying that processing has completed. 8) The UE establishes the E-RAB with the eNB and sends the Accept Complete to the MME. It also configures the radio access bearer from the eNodeB to the S-GW and sends an initial context setup response to the MME. The initial context setup response contains information elements issued by the eNodeB required to establish the radio access bearer from the S-GW 19 1/25/17 Nokia 2014 Author: Sathish S Confidential to the eNodeB (ie., it contains the TEID of eNB for S1U-Tunnel)
9) The MME requests the SGW/PGW to establish the S1 bearer(S1U) by sending Modify EPS bearer request. The S-GW completes configuration of the previously prepared radio bearer from the S-GW to the eNodeB and sends a modify bearer response to the MME. 10) A communications path from the terminal to the P-GW is established, enabling communication with the default PDN. If the terminal performs no communication for a set period of time, the always-on connection function described above releases the radio control link (e-RAB), the LTE radio data link, and the LTE radio access bearer, while maintaining the core network communications path.
20 1/25/17 Confidential
Nokia 2014 Author: Sathish S
21 1/25/17 Nokia 2014 - Author: Sathish S Confidential- Only for internal purpose
Appendix
22 1/25/17 Nokia 2014 - Author: Sathish S Confidential- Only for internal purpose
S1-AP identifies the Signaling messages transferred between the MME and EnodeB. Each of The EnodeB and MME assigns a separate S1-AP ID
eNBS1-AP UE ID
MME S1-AP IE ID
This two IDs is to control the messages between MME and EnodeB on the S1 interface
23 1/25/17 Confidential
Nokia 2014 Author: Sathish S
Globally Unique Temporary Identity (GUTI)
the GUTI is allocated to the UE by the MME The purpose of the GUTI is to provide an unambiguous identification of the UE that does not reveal the UE or the user's permanent identity in the Evolved Packet System (EPS). It can be used by the network and the UE to establish the UE's identity during signalling between them in the EPS.
![TE[FE]_04_GSM](https://imgv2-2-f.scribdassets.com/img/document/489114375/149x198/05ebaf203c/1608908639?v=1)
