GSM/LTE LabKit AppNote: Wireshark LTE Analysis on GSM/LTE LabKits
One of the most useful features of LTE LabKits and SatSites is its ability to monitor traffic, both between the eNodeB and the UE and the EPC and the eNodeB. This is done with a mix of YateENB and Unix commands. The capture is compatible with analysis tools such as Wireshark.
The present article describes the procedures and results of monitoring from the LabKit/SatSite owner's point of view. Throughout this guide, we'll use LabKit as a name for the Legba eNB, but the tutorial fully applies to the SatSite line of products.
If you want to know about monitoring in GSM roaming/dataroam/NiPC modes, please consult the Wireshark GSM and GPRS monitoring for LabKits and SatSites page.
In order to be able to read the capture file you have to have the cyphering turned off, which means that the UE, LabKit and MME have to use the EEA0 EPS encryption algorythm. In case you are using YateBTS Hosted Core, YateBTS Minicore or YateUCN, this is provided to you by default. In case you are using another core, please contact your provider to switch to EEEA0.
Connecting and performing the capture
1. Connect to the LabKit by ssh:
ssh yatebts@YOUR_LABKIT_IP -p 54321
The password is the serial number printed on the front plate on your LabKit.
2. Prepare a work directory on the LabKit WWW server:
This step is necessary in order to subsequently get the capture file on your workstation. (You only need to do this step once.)
2.1. Go to the Web root:
2.2 Switch to root (same password as the yatebts user) and create a directory with a meaningful name, such as pcap or wireshark, in your web root. Go to the directory, to create the capture file there,
su mkdir YOUR_DIRECTORY cd YOUR_DIRECTORY
3. Telnet to be able to access the YateENB rmanager/YateENB commands, on port 5037:
telnet localhost 5037
4. Type in the following rmanager command:
enb capture start mac 23234
This will route the radio traffic to UDP port 23234. You should get an OK answer from the rmanager.
5. Start and stop the actual capture
Exit Telnet (
CONTROL + C). Change user to root to be able to initiate the capture:
su on LabKit's, with the same password as the yatebts user.
tcpdump -i any not tcp -w YOUR_FILENAME.pcap
Start using the UE. When you're done, abort the capture with
CONTROL + C. The capture should be in the root of your LabKit Web server.
6. Transferring the file to your workstation In order to be able to perform the analysis you have to transfer the capture file to your workstation.
To do so, type YOUR_LABKIT_IP:2080/YOUR_DIRECTORY in your WWW browser location bar.
Now you should be able to click on your file and download it on your workstation.
Note 1: The LabKit does have a GUI and Wireshark pre-installed so you could either perform the analysis locally or use the LabKit Wireshark by means of ssh X-forwarding. However, we advise against using the LabKit as a workstation. Also, you could use sftp or scp to get the file locally, but you have to change the permissions of the capture file.
The capture includes information both about the traffic between the LabKit and the UE, and the LabKit and the MME. You simply Open it from the File menu in Wireshark. To see the MAC-LTE traffic you have to enable all the MAC-LTE protocols from the Analyze menu. Also, set in Preferences/Protocols/Mac-LTE:
- Source of LCID -> drb chanel settings: From your configuration protocol
- Which Layer info to show in Info column: RLC info.
An example should look like this:
Note 2: In some Wireshark versions, radio trafic is inadvertently classified as "SKYPE". To see the actual protocol, disable Skype in Analyze/Enabled protocols.
Note 3: This page was built starting from public documentation written by Null Team, which is subject to their copyright.
Note 4: This is the on-line version of the GSM/LTE LabKit AppNote no. 1/2018-02-01.