Wireshark Filter for Lte

To Find out single end to end LTE call Flow from multiple wireshark Capture trac e, Please follow the below sequential steps: Only input we required to make the fillter is IMSI 404909060013311. NAS and S1-AP message in between UE-MME, eND-MME (NAS, S1-AP) --------------------------------------------------------------------------------------------------------------------------nas_eps.emm.imsi == "404909060013311" "404909060013311" //with this filter, we are able to extrac t InitialUEMessage, AttachRequest, PDNConnectivity Request. From above output output try to get get s1ap.ENB_UE_S1AP_ID s1ap.ENB_UE_S1AP_ID == 607 the meesages on S1-AP, NAS-EPS message.

// which gives you all

s1ap.ENB_UE_S1AP_ID == 607 Diameter Message in between MME to HSS (S6a and S13) -------------------------------------------We can easily put fillter as username diameter.User-Name == "404909060013311" "404909060013311" // Result of this Filter gives u s the output as AIR, ME-Identity Check and ULR from MME to HSS. Now our aim should be find the response for each corresponding Request. diameter.hopbyhopid == 0x57539708 // look for the fillter as Hop by Hop identifier on AIR message diameter.User-Name == "404909060013311"||diameter.hopbyhopid == 0x57539708 // Now we are able to get AIR, ME-Identity Check, ULR and AIA next Pending Message id ME-Identity Check Response diameter.hopbyhopid == 0x219bbd08 only pending message is ULA, for that we need to extract the fillter fro m Hop-by-Hop of ULR message (diameter.hopbyhopid == 0x78267708). diameter.User-Name == "404909060013311"||diameter.hopbyhopid == 0x57539708||diameter.hopbyhopid 0x57539708||diameter.h opbyhopid == 0x219bbd08||diameter.ho 0x219bbd08||diameter.hopbyhopid pbyhopid == 0x78267708 //Gives us all the message in s6a interfaces or We can easily put fillter as username diameter.User-Name == "404909060013311" "404909060013311" // Result of this Filter gives u s the output as AIR, ME-Identity Check and ULR from MME to HSS. diameter.Session-Id == "mme01.e2elte.ril.in;44 "mme01.e2elte.ril.in;44527db4;772a0b5f;041cda8a" 527db4;772a0b5f;041cda8a" for AIR and AIA diameter.Session-Id == "mme01.e2elte.ril.in;44 "mme01.e2elte.ril.in;44527db4;772a0b5f;39b9f14a" 527db4;772a0b5f;39b9f14a" for ULR and ULA diameter.Session-Id == "mscp01.pgw2.e2elte.ril "mscp01.pgw2.e2elte.ril.in;1695a065;4de4beb8;404 .in;1695a065;4de4beb8;4040 0 90000000010-00a00100" all the message in between in PGW and PCRF

Titles you can't find anywhere else

Try Scribd FREE for 30 days to access over 125 million titles without ads or interruptions! Start Free Trial Cancel Anytime.

Titles you can't find anywhere else

Try Scribd FREE for 30 days to access over 125 million titles without ads or interruptions! Start Free Trial Cancel Anytime.

Diameter Message in between PCRF and P-CSCF ------------------------------------------(diameter.Session-Id == "Video_Streaming2") || (diameter.Framed-IP-Addr (diameter.Framed-IP-Address.IPv4 ess.IPv4 == 10.21.1.1) 10.21.1.1) //message in between between Rx Interface !! GTPv2 messages in between MME to SGW (S11), SGW to PGW (S5/S8) --------------------------------------------------------------------------------------------------------------------------Steps to filter out the CSR, CSResp, from MME to SGW, SGW to PGW First figure out gtpv2.imsi == "404909060013311" // result give us CSR f rom MME to SGW, SGW to PGW. Then Extract EPS Bearer ID which is unique among this gtpv2.ebi == 5, wh ich gives us all the message on GTPv2 header from MME to SGW, SGW to PGW. Now update fillter is gtpv2.imsi == "404909060013311" "404909060013311" ||gtpv2.ebi ||gtpv2.ebi == 5 messages in between , MME, SGW, and PGW on GTPv2 Interfaces.

// for all the

Diameter message in between PGW to PCRF (Gx). ---------------------------------------------diameter.Subscription-Id-Data diameter.SubscriptionId-Data == "404909060013311" "404909060013311" ive you the CCR message, but but not the CCResponse for for this.

this filter filter result result g

But with help of this filter we can figure out diameter.hopbyhopid , as a result we can able to find out the CCResp message diameter.hopbyhopid == 0x03d86c6a Now updated filter for Diameter message in between PGW to PCRF is as bel ows: diameter.Subscription-Id-Data diameter.SubscriptionId-Data == "404909060013311"||di "404909060013311"||diameter.hopbyhopid ameter.hopbyhopid == 0x03d86c6a

Now below filter gives us the result for Both GTPv2 messages in between MME to SGW, SGW to PGW and Diameter message in between PGW to PCRF (S11, S5/S8, Gx) gtpv2.imsi == "404909060013311"||gtpv2 "404909060013311"||gtpv2.ebi .ebi == 5||diameter.Subscription5||diameter.Subscription-I I d-Data == "404909060013311"||diameter.hopbyhopid == 0x03d86c6a SGsAP Message in between MME to MSC (SGs) -------------------------------------gsm_a.imsi == "404909060013311"

Titles you can't find anywhere else

Try Scribd FREE for 30 days to access over 125 million titles without ads or interruptions! Start Free Trial Cancel Anytime.

nas_eps.emm.imsi == "404909060013311"||s1ap.ENB_UE_S1AP_ID "404909060013311"||s1ap.ENB_UE_S1AP_ID == 607||gsm_a.imsi == "404909060013311"||diameter.User-Name "404909060013311"||diamet er.User-Name == "404909060013311"||diame "404909060013311"||diameter.hopbyhopid ter.hopbyhopid == 0x57539708||diameter.hopbyhopid == 0x219bbd08||diameter.hopbyhopid == 0x7826 7708||gtpv2.imsi == "404909060013311" ||gtpv2.ebi == 5||diameter.Subscripti 5||diameter.Subscription-Id on-Id -Data == "404909060013311"||diameter.hopbyhopid == 0x03d86c6a

s1ap.ENB_UE_S1AP_ID == 607||diameter.hopbyhopid == 0x57539708||diameter.hop 0x57539708||diameter.hopbyhop byhop id == 0x219bbd08||diameter.hop 0x219bbd08||diameter.hopbyhopid byhopid == 0x78267708||gsm_a.ims 0x78267708||gsm_a.imsi i == "404909060013 311"