Case 1.1: GPRS attach

Preparation:
1. Get the mobile IMSI number. Eg: 460015760600070
2. Delete the subscriber from the SGSN:
gsh delete_subscriber -imsi 460015760600070
3. Power the mobile phone off and on. Start Wireshark.
4. Get the mobile P-TMSI with the following SGSN command, and also note the RAI information:
gsh get_subscriber -imsi 460015760600070
Subscriber Data
---------------------------------------------------------------------
IMSI : 460015760600070
Mobile Subscriber ISDN No. : 8618606765400
IMEI : 358065021586680
Roaming Status : Home
HLR Address : 861304576000
Home PLMN APN Operator Id : mnc001.mcc460.gprs
Subscribed Teleservices : No SMS
Network Access Mode : Packet/Circuit Switched
Radio Access Technology : UMTS
Mobility Management State : PMM-IDLE
Paging Proceed Flag : Set
Routing Area [RAI] : 460-01-57601-1
P-TMSI : 3346057757 (#C770CA1D)
MSC/VLR Address : Not Gs connected
Location Confirmed in HLR : true
Data Confirmed by HLR : true

Interface
IuPs

Wireshark Filter: Eg:
gsm_a.imsi == 460015760600070 || gsm_a.tmsi == 0xc62cca2f || gsm_a.dtap_msg_gmm_type == 0x03 || gsm_a.dtap_msg_gmm_type == 0x04

Target packets
attach request
attach accept
attach complete
attach reject
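
The preparation steps above end with reading the IMSI and P-TMSI off the SGSN output and typing them into a display filter. The following added example (not part of the original test document) parses that output, checks that the decimal and hex P-TMSI agree, and builds the attach filter; the function names and the one-field-per-line sample layout are assumptions.

```python
import re

# Constructed sample: fields from the page's `gsh get_subscriber` output,
# laid out one per line (the exact SGSN column alignment is an assumption).
SAMPLE_OUTPUT = """\
Subscriber Data
---------------------------------------------------------------------
IMSI                        : 460015760600070
Mobility Management State   : PMM-IDLE
Routing Area [RAI]          : 460-01-57601-1
P-TMSI                      : 3346057757 (#C770CA1D)
"""

def parse_subscriber(text):
    """Return {field name: value} for every 'name : value' line."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:  # header, separator and prompt lines carry no colon
            fields[name.strip()] = value.strip()
    return fields

def ptmsi_hex(fields):
    """Return the P-TMSI as 0x........, or None if the SGSN has none."""
    m = re.fullmatch(r"(\d+) \(#([0-9A-Fa-f]{8})\)", fields.get("P-TMSI", ""))
    if m is None:
        return None  # e.g. "Information not available" after a detach
    dec, hexa = int(m.group(1)), int(m.group(2), 16)
    if dec != hexa:  # both forms must describe the same 32-bit identity
        raise ValueError(f"P-TMSI mismatch: {dec} != 0x{hexa:08x}")
    return f"0x{hexa:08x}"

def attach_filter(fields):
    """Build the GPRS attach display filter from a parsed record."""
    imsi = fields.get("IMSI", "")
    if not re.fullmatch(r"\d{6,15}", imsi):
        raise ValueError(f"unexpected IMSI: {imsi!r}")
    terms = [f"gsm_a.imsi == {imsi}"]
    ptmsi = ptmsi_hex(fields)
    if ptmsi:
        terms.append(f"gsm_a.tmsi == {ptmsi}")
    # GMM message types taken from the page's attach filter (0x03, 0x04).
    terms += [f"gsm_a.dtap_msg_gmm_type == 0x{t:02x}" for t in (0x03, 0x04)]
    return " || ".join(terms)

if __name__ == "__main__":
    print(attach_filter(parse_subscriber(SAMPLE_OUTPUT)))
```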

Case 1.2.1: MS initiated GPRS detach


Preparation:
1. Get the mobile IMSI number. Eg: 460015760600070
2. Get the mobile P-TMSI with the following SGSN command, and also note the RAI information:
gsh get_subscriber -imsi 460015760600070
Subscriber Data
---------------------------------------------------------------------
IMSI : 460015760600070
Mobile Subscriber ISDN No. : 8618606765400
IMEI : 358065021586680
Roaming Status : Home
HLR Address : 861304576000
Home PLMN APN Operator Id : mnc001.mcc460.gprs
Subscribed Teleservices : No SMS
Network Access Mode : Packet/Circuit Switched
Radio Access Technology : UMTS
Mobility Management State : PMM-CONNECTED
Paging Proceed Flag : Set
Routing Area [RAI] : 460-01-57601-1
P-TMSI : 3346057757 (#C770CA1D)
MSC/VLR Address : Not Gs connected
Location Confirmed in HLR : true
Data Confirmed by HLR : true
3. Start Wireshark. Attach to the GPRS network. Activate the PDP context, then detach the MS by powering off the mobile phone or unplugging the data card.

Interface
IuPs

Wireshark Filter: Eg:
gsm_a.dtap_msg_gmm_type == 0x05 || gsm_a.dtap_msg_gmm_type == 0x06

Target packets
DETACH REQUEST
DETACH ACCEPT

Case 1.2.2: SGSN initiated GPRS detach


Preparation:
1. Get the mobile IMSI number. Eg: 460015760600070
2. Get the mobile P-TMSI with the following SGSN command, and also note the RAI information:
=== wangguan@eqm01s14p2 ANCB ~ # gsh get_subscriber -msisdn 8618673144439
Subscriber Data
---------------------------------------------------------------------
IMSI : 460013107600039
Mobile Subscriber ISDN No. : 8618673144439
IMEI : 357315010408310
Roaming Status : Home
HLR Address : 861301616000
Home PLMN APN Operator Id : mnc001.mcc460.gprs
Subscribed Teleservices : No SMS
Network Access Mode : Packet/Circuit Switched
Radio Access Technology : UMTS
Mobility Management State : PMM-CONNECTED
Paging Proceed Flag : Set
Routing Area [RAI] : 460-01-57601-1
P-TMSI : 3828667772 (#E434D57C)
MSC/VLR Address : Not Gs connected
Location Confirmed in HLR : true
Data Confirmed by HLR : true
3. Start Wireshark. Activate the PDP context, then delete the subscriber on the SGSN with the following command:
gsh delete_subscriber -imsi 460013107600039
4. As a result, the subscriber data in the SGSN should change to detached immediately and then be deleted from the SGSN.
=== wangguan@eqm01s14p2 ANCB ~ # gsh delete_subscriber -msisdn 8618673144439
=== wangguan@eqm01s14p2 ANCB ~ # gsh get_subscriber -msisdn 8618673144439
Subscriber Data
---------------------------------------------------------------------
IMSI : 460013107600039
Mobile Subscriber ISDN No. : Information not available
IMEI : Information not available
Roaming Status : Home
HLR Address : 861301616000
Home PLMN APN Operator Id : mnc001.mcc460.gprs
Subscribed Teleservices : Information not available
Network Access Mode : Information not available
Radio Access Technology : UMTS
Mobility Management State : PMM-DETACHED
Paging Proceed Flag :
Routing Area [RAI] :
P-TMSI : Information not available
MSC/VLR Address : Not Gs connected
Location Confirmed in HLR : false
Data Confirmed by HLR : false
=== wangguan@eqm01s14p2 ANCB ~ # gsh get_subscriber -msisdn 8618673144439
Subscriber identity: "8618673144439" is not registered in the SGSN.
=== wangguan@eqm01s14p2 ANCB ~ #

Interface
IuPs

Wireshark Filter: Eg:
gsm_a.dtap_msg_gmm_type == 0x05 || gsm_a.dtap_msg_gmm_type == 0x06

Target packets
DETACH REQUEST
DETACH ACCEPT

Case 1.2.3: HLR initiated GPRS detach


Preparation:
1. Get the mobile IMSI number. Eg: 460015760600070
2. Get the mobile P-TMSI with the following SGSN command, and also note the RAI information:
=== wangguan@eqm01s14p2 ANCB ~ # gsh get_subscriber -msisdn 8618673144439
Subscriber Data
----------------------------------------------------------------------
IMSI : 460013107600039
Mobile Subscriber ISDN No. : 8618673144439
IMEI : 357315010408310
Roaming Status : Home
HLR Address : 861301616000
Home PLMN APN Operator Id : mnc001.mcc460.gprs
Subscribed Teleservices : No SMS
Network Access Mode : Packet/Circuit Switched
Radio Access Technology : UMTS
Mobility Management State : PMM-CONNECTED
Paging Proceed Flag : Set
Routing Area [RAI] : 460-01-57601-1
P-TMSI : 3828667772 (#E434D57C)
MSC/VLR Address : Not Gs connected
Location Confirmed in HLR : true
Data Confirmed by HLR : true
3. Activate the PDP context. The HLR sends a cancel location message for the subscriber.
4. On the SGSN, the subscriber data has been deleted.

Interface
IuPs

Wireshark Filter: Eg:
gsm_a.dtap_msg_gmm_type == 0x05 || gsm_a.dtap_msg_gmm_type == 0x06

Target packets
DETACH REQUEST
DETACH ACCEPT

Case 1.3: Authentication


Preparation:
1. Get the mobile IMSI number. Eg: 460015760600070. Get the mobile IMEI. Eg: 35731501040831970
2. Get the mobile P-TMSI with the following SGSN command, and also note the RAI information:
=== wangguan@eqm01s14p2 ANCB ~ # gsh get_subscriber -msisdn 8618673144439
Subscriber Data
---------------------------------------------------------------------
IMSI : 460013107600039
Mobile Subscriber ISDN No. : 8618673144439
IMEI : 357315010408310
Roaming Status : Home
HLR Address : 861301616000
Home PLMN APN Operator Id : mnc001.mcc460.gprs
Subscribed Teleservices : No SMS
Network Access Mode : Packet/Circuit Switched
Radio Access Technology : UMTS
Mobility Management State : PMM-CONNECTED
Paging Proceed Flag : Set
Routing Area [RAI] : 460-01-57601-1
P-TMSI : 3828667772 (#E434D57C)
MSC/VLR Address : Not Gs connected
Location Confirmed in HLR : true
Data Confirmed by HLR : true
3. Start Wireshark. Activate the PDP context. Match the IMEI and RAI.

Interface
IuPs

Wireshark Filter:
gsm_a.dtap_msg_gmm_type == 0x12 || gsm_a.dtap_msg_gmm_type == 0x13 || gsm_a.dtap_msg_gmm_type == 0x14 || gsm_a.dtap_msg_gmm_type == 0x1c

Target packets
AUTHENTICATION AND CIPHERING REQUEST
AUTHENTICATION AND CIPHERING RESPONSE

Case 1.4: Security mode


Preparation:
1. Get the mobile IMSI number. Eg: 460015760600070
2. Delete the subscriber from the SGSN:
gsh delete_subscriber -imsi 460015760600070
3. Start Wireshark. Power the mobile phone off and on.
4. Get the mobile P-TMSI with the following SGSN command, and also note the RAI information:
gsh get_subscriber -imsi 460015760600070
Subscriber Data
---------------------------------------------------------------------
IMSI : 460015760600070
Mobile Subscriber ISDN No. : 8618606765400
IMEI : 358065021586680
Roaming Status : Home
HLR Address : 861304576000
Home PLMN APN Operator Id : mnc001.mcc460.gprs
Subscribed Teleservices : No SMS
Network Access Mode : Packet/Circuit Switched
Radio Access Technology : UMTS
Mobility Management State : PMM-IDLE
Paging Proceed Flag : Set
Routing Area [RAI] : 460-01-57601-1
P-TMSI : 3346057757 (#C770CA1D)
MSC/VLR Address : Not Gs connected
Location Confirmed in HLR : true
Data Confirmed by HLR : true
5. Activate the PDP context. Match the RAI.

Interface
IuPs

Wireshark Filter: Eg:
ranap.SecurityModeCommand || ranap.SecurityModeComplete || ranap.SecurityModeReject

Target packets
Security mode command
Security mode complete
Security mode reject

Case 1.5: RAB assignment


Preparation:
1. The mobile phone is attached to the GPRS network. Get the mobile IMSI number. Eg: 460015760600070
2. Get the mobile P-TMSI with the following SGSN command, and also note the RAI information:
gsh get_subscriber -imsi 460015760600070
Subscriber Data
---------------------------------------------------------------------
IMSI : 460015760600070
Mobile Subscriber ISDN No. : 8618606765400
IMEI : 358065021586680
Roaming Status : Home
HLR Address : 861304576000
Home PLMN APN Operator Id : mnc001.mcc460.gprs
Subscribed Teleservices : No SMS
Network Access Mode : Packet/Circuit Switched
Radio Access Technology : UMTS
Mobility Management State : PMM-IDLE
Paging Proceed Flag : Set
Routing Area [RAI] : 460-01-57601-1
P-TMSI : 3346057757 (#C770CA1D)
MSC/VLR Address : Not Gs connected
Location Confirmed in HLR : true
Data Confirmed by HLR : true
3. Start Wireshark and activate the PDP context. Match the RAI and IMSI.

Interface
IuPs

Wireshark Filter: Eg:
ranap.RAB_AssignmentRequest || ranap.RAB_AssignmentResponse

Target packets:
RAB ASSIGNMENT REQUEST
RAB ASSIGNMENT RESPONSE

Case 1.6.1: MS initiated service request

Preparation:
1. The mobile phone is attached to the GPRS network. Get the mobile IMSI number. Eg: 460015760600070
2. Get the mobile P-TMSI with the following SGSN command, and also note the RAI information:
gsh get_subscriber -imsi 460015760600070
Subscriber Data
---------------------------------------------------------------------
IMSI : 460015760600070
Mobile Subscriber ISDN No. : 8618606765400
IMEI : 358065021586680
Roaming Status : Home
HLR Address : 861304576000
Home PLMN APN Operator Id : mnc001.mcc460.gprs
Subscribed Teleservices : No SMS
Network Access Mode : Packet/Circuit Switched
Radio Access Technology : UMTS
Mobility Management State : PMM-IDLE
Paging Proceed Flag : Set
Routing Area [RAI] : 460-01-57601-1
P-TMSI : 3346057757 (#C770CA1D)
MSC/VLR Address : Not Gs connected
Location Confirmed in HLR : true
Data Confirmed by HLR : true
3. Start Wireshark and activate the PDP context. Match the RAI and IMSI.

Interface
IuPs

Wireshark Filter: Eg:
gsm_a.dtap_msg_gmm_type == 0x0c || gsm_a.dtap_msg_gmm_type == 0x0d || gsm_a.dtap_msg_gmm_type == 0x0e

Target packets:
Service request
Service accept
Service reject

Case 1.6.2: Network initiated service request

Preparation:
1. The mobile phone is attached to the GPRS network. Get the mobile IMSI number. Eg: 460015760600070
2. Get the mobile P-TMSI with the SGSN command, and also note the RAI information.
3. Activate the PDP context and download a large file from an FTP server.
4. Start Wireshark. Simulate an unreachable network by entering an elevator that the network doesn't cover.
5. When the subscriber moves out of the elevator, the network should send paging and push the service to the subscriber. The FTP download should resume.

Interface
IuPs

Wireshark Filter: Eg:
gsm_a.dtap_msg_gmm_type == 0x0c || gsm_a.dtap_msg_gmm_type == 0x0d || gsm_a.dtap_msg_gmm_type == 0x0e

Target packets:
Paging
Service request
Service accept (SGSN to RNC)

Case 1.7.1: MS initiated PDP context activation

Preparation:
1. The mobile phone is attached to the GPRS network. Get the mobile IMSI number. Eg: 460015760600070
2. Get the mobile P-TMSI with the SGSN command, and also note the RAI information.
3. Start Wireshark and activate the PDP context. Match the RAI and IMSI.

Interface
IuPs
Gn

Filtered packet:
Activate PDP Context Request
Activate PDP Context Accept
Activate PDP Context Reject
Create PDP Context Request
Create PDP Context Response

Target packets:
RANAP:
gsm_a.dtap_msg_sm_type == 0x41 || gsm_a.dtap_msg_sm_type == 0x42 || gsm_a.dtap_msg_sm_type == 0x43

GTP:
gtp.imsi == "460015760600070" && gtp.message == 0x10

Then right-click and choose Follow UDP Stream.

Case 1.7.2: MS initiated secondary PDP context activation

Preparation:
1. The mobile phone is attached to the GPRS network. Get the mobile IMSI number. Eg: 460015760600070
2. Get the mobile P-TMSI with the SGSN command, and also note the RAI information.
3. Start Wireshark and activate the secondary PDP context. Match the RAI and IMSI.

Interface
IuPs
Gn

Filtered packet:
Activate Secondary PDP Context Request
Activate Secondary PDP Context Accept
Activate Secondary PDP Context Reject
Create PDP Context Request
Create PDP Context Response

Target packets:
RANAP:
gsm_a.dtap_msg_sm_type == 0x4d || gsm_a.dtap_msg_sm_type == 0x4e || gsm_a.dtap_msg_sm_type == 0x4f

GTP:
gtp.imsi == "460015760600070" && gtp.message == 0x10

Then right-click and choose Follow UDP Stream.

Case 1.7.3: Network initiated secondary PDP context activation

Preparation:
1. The mobile phone is attached to the GPRS network. Get the mobile IMSI number. Eg: 460015760600070
2. Get the mobile P-TMSI with the SGSN command, and also note the RAI information.
3. Start Wireshark and activate the PDP context from the network. Match the RAI and IMSI.

Interface
IuPs
Gn

Filtered packet:
Paging
Service request
Service accept (SGSN to RNC)

Target packets: Eg:
gsm_a.dtap_msg_gmm_type == 0x0c || gsm_a.dtap_msg_gmm_type == 0x0d || gsm_a.dtap_msg_gmm_type == 0x0e

Case 1.8.2: Network initiated PDP context modification

Preparation:
1. The mobile phone is attached to the GPRS network. Activate the PDP context and get the mobile IMSI number. Eg: 460015760600070.
2. Get the mobile P-TMSI with the SGSN command, and also note the RAI information.
3. Start Wireshark. On the HLR, modify the PDP context QoS profile to trigger the SGSN to initiate the PDP context modification process.

Interface
IuPs
Gn

Filtered packet:
Update PDP Context Request
Update PDP Context Response
Modify PDP Context Request
Modify PDP Context Accept
Modify PDP Context Reject

Target packets: Eg:
gtp.message == 0x12 || gtp.message == 0x13 || gsm_a.dtap_msg_sm_type == 0x48 || gsm_a.dtap_msg_sm_type == 0x49

Case 1.9.1: MS initiated PDP context deactivation

Preparation:
1. The mobile phone is attached to the GPRS network. Activate the PDP context and get the mobile IMSI number. Eg: 460015760600070.
2. Get the mobile P-TMSI with the SGSN command, and also note the RAI information.
3. Start Wireshark. Deactivate the PDP context by closing the browser on the mobile phone.

Interface
IuPs
Gn

Filtered packet:
Delete PDP Context Request
Delete PDP Context Response
Deactivate PDP Context Request
Deactivate PDP Context Accept

Target packets:
RANAP:
gsm_a.dtap_msg_sm_type == 0x46 || gsm_a.dtap_msg_sm_type == 0x47 || gtp.message == 0x14 || gtp.message == 0x15

GTP:
gtp.message == 0x14 || gtp.message == 0x15

Case 1.9.2: SGSN initiated PDP context deactivation

Preparation:
1. The mobile phone is attached to the GPRS network. Activate the PDP context and get the mobile IMSI number. Eg: 460015760600070.
2. Get the mobile P-TMSI with the SGSN command, and also note the RAI information.
3. Start Wireshark. Deactivate the PDP context by deleting the subscriber on the SGSN with the command:
gsh delete_subscriber -imsi 460015760600070

Interface
IuPs
Gn

Filtered packet:
Delete PDP Context Request
Delete PDP Context Response
Deactivate PDP Context Request
Deactivate PDP Context Accept

Target packets: Eg:
gsm_a.dtap_msg_sm_type == 0x46 || gsm_a.dtap_msg_sm_type == 0x47 || gtp.message == 0x14 || gtp.message == 0x15

Case 1.10: DNS resolve

Preparation:
1. The mobile phone is attached to the GPRS network. Activate the PDP context and get the mobile IMSI number. Eg: 460015760600070
2. Start Wireshark. The MS activates the PDP context.

Interface
Gn

Target packets:
standard query
standard query response

Wireshark Filter:
dns

Case 4.1.1: Intra SGSN routing area update

Preparation:
1. The mobile phone is attached to the GPRS network. Activate the PDP context and get the mobile IMSI number. Eg: 460015760600070.
2. Get the mobile P-TMSI with the SGSN command, and also get the RAI information.
3. Start Wireshark. Capture the Iu-ps and Gr interfaces.

Interface
IuPs

Target packets:
Routing Area Update Request
Routing Area Update Accept
Routing Area Update Complete
Routing Area Update Reject

Wireshark Filter: Eg:
gsm_a.dtap_msg_gmm_type == 0x08 || gsm_a.dtap_msg_gmm_type == 0x09 || gsm_a.dtap_msg_gmm_type == 0x0a || gsm_a.dtap_msg_gmm_type == 0x0b

Case 4.2: GPRS identity

Preparation:
1. The mobile phone is attached to the GPRS network. Get the mobile IMSI number. Eg: 460015760600070.
2. Start Wireshark. Detach the MS from the GPRS network by disabling the UMTS network connection.
3. Delete the subscriber data on the SGSN. Attach to the GPRS network by reactivating the UMTS network connection. This makes sure the MS uses the P-TMSI when it sends the attach request. Match the P-TMSI and IMSI.

Interface
IuPs

Target packets:
IDENTITY REQUEST (Identity type)
IDENTITY RESPONSE (mobile identity)

Wireshark Filter: Eg:
gsm_a.dtap_msg_gmm_type == 0x15 || gsm_a.dtap_msg_gmm_type == 0x16

Case 4.3: P-TMSI re-allocation

Preparation:
1. The mobile phone is attached to the GPRS network. Get the mobile IMSI number. Eg: 460015760600070.
2. Get the mobile P-TMSI with the SGSN command, and also get the RAI information.
3. Start Wireshark. Simulate an RA update by moving the UE between RNCs.
4. On the SGSN, check that a new P-TMSI has been assigned to the MS.

Interface
IuPs

Target packets:
P-TMSI Reallocation Command
P-TMSI Reallocation Complete

Wireshark Filter: Eg:
gsm_a.dtap_msg_gmm_type == 0x10 || gsm_a.dtap_msg_gmm_type == 0x11

Case 4.4: Paging

Preparation:
1. The mobile phone is attached to the GPRS network. Activate the PDP context. Get the mobile IMSI number. Eg: 460015760600070.
2. Get the mobile P-TMSI with the following SGSN command, and also get the RAI information:
gsh get_subscriber -imsi 460015760600070
3. Start Wireshark. Simulate an unreachable subscriber by entering an elevator that the network doesn't cover.
4. When the subscriber steps out of the elevator, the MS should be reachable again.

Interface
IuPs

Target packets:
Paging

Wireshark Filter: Eg:
ranap.imsi_digits == "460011808600107" || ranap.Paging
