Wireshark training 16.11.09
Wireshark Training: Configuration and Analyzing Logs (transcript)
Topics covered
Capture file format
Basics of Wireshark configuration/preferences: config file storage (Linux, Windows)
Wireshark configuration for Iub interface monitoring in the following scenarios:
  FP/MAC/RLC static configuration
  FP/MAC/RLC auto-configuration (or dynamic configuration)
Display filters
Wireshark GUI features, e.g. enabling/disabling protocols, follow TCP stream etc.
tshark usage (command line version of Wireshark)
Capture File Formats
Supported file formats: see File > Save As… > Save as type
e.g. tcpdump -i any -n -s 1600 -w tcpdump_output.pcap writes pcap format
Note that tcpdump -i any writes Linux cooked capture (SLL) encapsulation, whereas a capture on a single interface such as eth0 is Ethernet encapsulated. A classic pcap file carries exactly one link-layer type, so Ethernet and Linux cooked capture files cannot be merged into one pcap file (mergecap only accepts mixed encapsulations when the output format is pcapng)
Basics of Wireshark Preferences
Configuration files:
  preferences (common prefs, e.g. TCP/UDP port for protocols)
  recent (GUI state, including the list of recently opened capture files and recently used display filters)
  disabled_protos (names of disabled protocols)
  dfilters (saved display filters)
  colorfilters (saved coloring rules)
  Common_FP_Static_Table (FP common channel details)
  DCH_FP_Static_Table (FP DCH channel details)
  EDCH_FP_Static_Table (FP E-DCH channel details)
  HS_DSCH_FP_Static_Table (FP HS-DSCH channel details)
  Cipher_rlc_Static_Table (ciphering details for SRBs)
The preferences file is the most important one: it stores the current settings for all protocol dissectors except the static configuration details of FP/MAC/RLC, which live in the *_Static_Table files listed above
Basics of Wireshark Preferences
Entering protocol dissector specific preferences: Edit > Preferences… > Protocols > <protocol name>
Where preferences are stored:
  Linux: <home_directory>/.wireshark (newer releases use <home_directory>/.config/wireshark when the old directory does not exist)
  Windows: C:\Documents and Settings\<user_xxx>\Application Data\Wireshark on Windows XP, i.e. %APPDATA%\Wireshark
The preferences file is created automatically (after a preference is changed and saved via the GUI) if it does not exist
Entering Port/Port Range
A single port number is entered as a non-negative integer
Examples of correct single port entries:
  52002
  11000
A port range is entered as a comma separated list of non-negative integers and/or hyphen separated ranges (no spaces as separators)
Examples of correct port range entries:
  49000-50000,50002,205
  2394
  46500,46510,46520-46528,46543-46549
Entering TFS Details
A TFS (transport format set) consists of a list of TB (transport block) sizes and, for each, the corresponding number of TBs
In Wireshark the TFS is entered in two text entries, TBsize and number_of_TBs
Enter a comma separated list of non-negative integers, the TB sizes in bits, in the entry named TBsize
Enter a comma separated list of non-negative integers, the corresponding numbers of TBs, in the entry named number_of_TBs; the two lists are matched position by position and must therefore have the same length
Example of a correct TBsize entry: 0,168,336
Example of a correct number_of_TBs entry: 0,1,1
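The two hand-typed formats above (port ranges and the TBsize/number_of_TBs pair) are easy to get subtly wrong, and the GUI only tells you that an entry is invalid. The following Python validator is an added example, not part of the original slides and not Wireshark's own parser; it implements the syntax the slides describe plus two rules the slides do not state, which are this example's assumptions: a port may not exceed 65535, and in a hyphenated range the low end must not exceed the high end.

```python
"""Validators for two hand-typed Wireshark preference formats: port ranges and
the TBsize / number_of_TBs pair. Added example; not Wireshark's own parser."""
import re

MAX_PORT = 65535                       # assumption: TCP/UDP ports are 16-bit
_NUM = re.compile(r"^\d+$")            # non-negative integer
_RANGE = re.compile(r"^(\d+)-(\d+)$")  # hyphen separated range


def parse_port_range(text, max_value=MAX_PORT):
    """Expand 'a,b-c,d' into a sorted list of ints, raising ValueError on bad input.
    Whitespace around commas is tolerated; a space instead of a comma is an error,
    because '205 2394' is two separate entries on the slide, not one."""
    text = text.strip()
    if not text:
        return []                      # an empty range is valid and matches nothing
    ports = set()
    for item in text.split(","):
        item = item.strip()
        if _NUM.match(item):
            lo = hi = int(item)
        else:
            m = _RANGE.match(item)
            if not m:
                raise ValueError("bad port entry %r" % item)
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:                # assumption: ranges are written low-high
                raise ValueError("reversed range %r" % item)
        if hi > max_value:
            raise ValueError("%r exceeds the maximum port %d" % (item, max_value))
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def _int_list(text, name):
    """Comma separated non-negative integers, as both TFS entries require."""
    out = []
    for item in text.split(","):
        item = item.strip()
        if not _NUM.match(item):
            raise ValueError("%s: %r is not a non-negative integer" % (name, item))
        out.append(int(item))
    return out


def parse_tfs(tbsize_text, number_of_tbs_text):
    """Pair TBsize entries with number_of_TBs entries position by position.
    Returns [(tb_size_bits, n_tbs), ...], one tuple per transport format."""
    sizes = _int_list(tbsize_text, "TBsize")
    counts = _int_list(number_of_tbs_text, "number_of_TBs")
    if len(sizes) != len(counts):
        raise ValueError("TBsize has %d entries but number_of_TBs has %d"
                         % (len(sizes), len(counts)))
    return list(zip(sizes, counts))


def is_valid_port_range(text):
    try:
        parse_port_range(text)
        return True
    except ValueError:
        return False


def is_valid_tfs(tbsize_text, number_of_tbs_text):
    try:
        parse_tfs(tbsize_text, number_of_tbs_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # the slide's own examples
    for entry in ("52002", "49000-50000,50002,205", "2394",
                  "46500,46510,46520-46528,46543-46549"):
        print("%-40s -> %d port(s)" % (entry, len(parse_port_range(entry))))
    print(parse_tfs("0,168,336", "0,1,1"))
    # common mistakes: a space instead of a comma, mismatched TFS list lengths
    print(is_valid_port_range("205 2394"), is_valid_tfs("0,168,336", "0,1"))
```

Running the script against the slide's examples expands each port entry and pairs the TFS lists; the two deliberate mistakes at the end are both reported as invalid.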
Static Configuration (FP/MAC/RLC protocols on Iub interface)
Open the preferences dialog of protocol FP to fill in the following tables:
  Common Transport Channel Config Table for RACH, FACH and PCH
  DCH Config Table for DCH channels
  E-DCH Config Table for E-DCH channels
  HS-DSCH Config Table for HS-DSCH channels
NodeB side and RNC side ports are typically filled in with the same value in the LAITE environment (this is LAITE tester implementation specific)
Set mac_rlc_static_config to FALSE if decoding only up to FP is desired; in that case the entries below the mac_rlc_static_config field are not required
Static configuration details need not be entered each time: Wireshark loads them from the *_Static_Table configuration files, if present in the preferences directory
Static Configuration (FP/MAC/RLC in LAITE environment)
In the LAITE tester environment the configuration parameters are taken from DMX signaling messages or from the testcase tcl script. Important DMX messages:
  RNC side IP/port from C2E8 and Node-B side IP/port from A9B1
  DCH TFS details from D0F4 (for SL) or D0F2
  E-DCH MAC-d flow ID and DDI from A3E9
  E-DCH MAC-d PDU size from the uplink PU size of D5E6
  RB-ID, logical channel ID, DCH-ID from D0F2
DCH Configuration (static)
Important parameters:
  SRNC_ip & port
  NodeB_or_DRNC_ip & port
  channel_id & direction
  TBsize in bits
  number_of_TBs
  channel_nature
  mac_rlc_static_config
  rlc_mode
  rb_id
  cn_domain
  is_srb
If not known, set: cell_id to 1, ul_scrambling_code* to 100, UM_LI to 7 or 15, TM_seg_ind to FALSE
HS-DSCH Configuration (static)
Important parameters:
  SRNC_ip & port
  NodeB_or_DRNC_ip & port
  mac_d_flow_id
  mac_rlc_static_config
  rlc_mode
  rb_id
  logical_channel_id
  cn_domain
If not known, set: cell_id to 1, ul_scrambling_code* to 100, UM_LI to 7 or 15, TM_seg_ind to FALSE
E-DCH Configuration (static)
Important parameters:
  SRNC_ip & port
  NodeB_or_DRNC_ip & port
  mac_d_flow_id
  ddi
  Mac_d_PDU_Size in bits
  mac_rlc_static_config
  rlc_mode
  rb_id
  logical_channel_id
  cn_domain
If not known, set: cell_id to 1, ul_scrambling_code* to 100, UM_LI to 7 or 15, TM_seg_ind to FALSE
Common Channel Configuration (static)
Important parameters:
  SRNC_ip
  SRNC_port
  NodeB_or_DRNC_ip
  NodeB_or_DRNC_port
  channel_type
  TBsize in bits
  number_of_TBs
If not known, set cell_id to 1
Auto configuration (NBAP procedures & IEs required) …
For common channels
  Procedures:
    Common transport channel setup [request / response]
  Information Elements:
    C-ID
    Common physical channel ID
    Common transport channel ID
    TFS
    Binding ID and Transport layer address
For DCH, E-DCH and HS-DSCH channels
  Procedures:
    Radio Link setup
    Radio Link reconfiguration
    Radio Link addition
Auto configuration (NBAP procedures & IEs required)
For DCH, E-DCH and HS-DSCH channels
  Information Elements:
    CRNC communication context ID
    Node-B communication context ID
    Uplink Scrambling code
    C-ID
    RL ID
    Transport channel ID
    MAC-d Flow ID
    TFS
    Binding ID and Transport layer address
Auto configuration (RRC procedures & IEs required)
For DCH, E-DCH and HS-DSCH channels
  Procedures:
    RRC connection establishment (RRC Connection Request / RRC Connection Setup)
    Radio bearer setup
    Radio bearer reconfiguration
    Transport channel reconfiguration
    Cell update
  Information Elements:
    New C-RNTI
    New U-RNTI
    Uplink Scrambling code
    RB ID
    RLC Info choice
    RB mapping info
Auto-Configuration (NBAP preferences)
Open the preferences dialog for NBAP and enter the correct SCTP port range on which the NBAP messages are transferred
Auto-Configuration (DMX preferences for LAITE environment)
Open the preferences dialog for DMX, check the preference "Enable LAITE Auto-configuration" and enter the correct DMX TCP port number(s)
Auto-Configuration Contd…
If both static and dynamic configuration are present, the dynamic configuration overrides the static one
The DMX messages (LAITE environment only; NBAP otherwise) must be present in the capture file for dynamic configuration to work
If the Iub trace and the DMX (LAITE environment only; NBAP otherwise) trace are in two separate capture files, merge them and open the merged file
Auto-Configuration Example Capturing/Monitoring Setup (LAITE environment)
[Setup diagram: LAITE DMX Client and LAITE CB (Iub User Plane) connected through an IP TAP/Switch to the RNC, with Wireshark attached to the IP TAP/Switch]
Display Filters
A filter can be the name of any dissector in lower case, e.g. fp, mac, rlc, or the name of any protocol field, e.g. dmx.msg_type
The filter entry turns green if the text entered is a valid filter; red indicates incorrect syntax
Filters can be ANDed (&&), ORed (||) and negated (!), e.g. (fp && rlc) and (!tcp). Note the double ampersand: a single & is the bitwise AND operator, not a logical AND
Some frequently used filters:
  udp.srcport (e.g. udp.srcport == 11000)
  udp.dstport (e.g. udp.dstport != 11000)
  tcp.srcport (e.g. (tcp.srcport == 11000) && (tcp.srcport != 12000))
  tcp.dstport (e.g. tcp.dstport == 11000)
  ip.src (e.g. ip.src == 2.1.2.1)
  ip.dst (e.g. ip.src == 2.1.2.1 && ip.dst != 2.1.1.2)
  tcp.port (matches either source or destination port, e.g. tcp.port == 11000)
  udp.port (matches either source or destination port)
To build more detailed filters, click the Expression… button next to the filter entry in the GUI
Enabling/Disabling Protocol Dissectors
Use Analyze > Enabled Protocols… to enable/disable protocols
TCP Follow Stream
To investigate TCP payload, first filter on tcp, select a packet of the connection of interest and then use Analyze > Follow TCP Stream
Command Line Utilities
tshark can be used to filter protocol specific packets out into a separate capture file, e.g. tshark -R "dmx || udp" -r inputfile -w outputfile (in Wireshark 1.10 and later use -Y "dmx || udp" for single-pass filtering; -R there requires two-pass mode, -2)
tshark uses the same preferences as Wireshark
While filtering auto-configurable protocol packets, make sure to keep the signaling packets too (NBAP, or DMX in the LAITE environment), otherwise the dissectors cannot be auto-configured from the filtered file
The editcap tool can be used to slice a large capture file into small chunks, e.g. to create chunks of 1000 packets use: editcap -c 1000 input_file_name output_file_name (lowercase -c; uppercase -C chops bytes off every packet instead)
The mergecap tool can be used to merge two or more capture files into one, ordered by packet timestamp, e.g. to merge input_file_1 and input_file_2 into one use: mergecap -w output_file input_file_1 input_file_2
To concatenate input_file_1 and input_file_2 in the given order instead of merging by timestamp use: mergecap -a -w output_file input_file_1 input_file_2
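The "cannot be merged" rule for Ethernet versus Linux cooked capture files (Capture File Formats slide) and the editcap/mergecap operations above both follow from the classic pcap layout: one 24-byte global header naming a single link-layer type, then a sequence of records with 16-byte headers. The following pure-Python script is an added example, not part of the original slides and not the Wireshark tools' own code; it parses that layout, splits a file by packet count like editcap -c, concatenates like mergecap -a, and refuses the Ethernet/SLL mix the slide warns about. The sample captures are constructed in memory, not real traffic; the header layouts and the LINKTYPE values 1 (Ethernet) and 113 (Linux SLL) are the public pcap definitions.

```python
"""Minimal classic-pcap reader, splitter (editcap -c analog) and concatenator
(mergecap -a analog). Added example, not Wireshark/tcpdump code."""
import struct

PCAP_MAGIC_US = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond timestamps
LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113      # "Linux cooked capture", what tcpdump -i any writes
GLOBAL_HDR = 24               # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16               # ts_sec, ts_frac, incl_len, orig_len


def parse_global_header(data):
    """Return (struct byte-order prefix, magic, linktype) for a pcap byte string."""
    if len(data) < GLOBAL_HDR:
        raise ValueError("shorter than a pcap global header")
    for endian in ("<", ">"):
        magic, = struct.unpack(endian + "I", data[:4])
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    linktype, = struct.unpack(endian + "I", data[20:24])
    return endian, magic, linktype


def iter_records(data):
    """Yield each raw record (16-byte header + captured bytes) in file order."""
    endian, _, _ = parse_global_header(data)
    off = GLOBAL_HDR
    while off < len(data):
        if off + RECORD_HDR > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        incl_len, = struct.unpack(endian + "I", data[off + 8:off + 12])
        end = off + RECORD_HDR + incl_len
        if end > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        yield data[off:end]
        off = end


def count_packets(data):
    return sum(1 for _ in iter_records(data))


def split_pcap(data, packets_per_file):
    """editcap -c N analog: list of pcap byte strings, each holding at most N records."""
    if packets_per_file < 1:
        raise ValueError("packets_per_file must be >= 1")
    header, chunks, current = data[:GLOBAL_HDR], [], []
    for rec in iter_records(data):
        current.append(rec)
        if len(current) == packets_per_file:
            chunks.append(header + b"".join(current))
            current = []
    if current:
        chunks.append(header + b"".join(current))
    return chunks


def concat_pcaps(files):
    """mergecap -a analog: append records in the given order under the first
    file's global header. A classic pcap file has exactly one linktype, so an
    Ethernet capture and a Linux cooked (SLL) capture cannot share one output."""
    if not files:
        raise ValueError("nothing to concatenate")
    endian0, magic0, link0 = parse_global_header(files[0])
    out = [files[0][:GLOBAL_HDR]]
    for f in files:
        endian, magic, link = parse_global_header(f)
        if link != link0:
            raise ValueError("encapsulation mismatch: linktype %d vs %d" % (link0, link))
        if magic != magic0:
            raise ValueError("timestamp precision mismatch")
        for rec in iter_records(f):
            if endian != endian0:   # rewrite the record header in the output's byte order
                fields = struct.unpack(endian + "IIII", rec[:RECORD_HDR])
                rec = struct.pack(endian0 + "IIII", *fields) + rec[RECORD_HDR:]
            out.append(rec)
    return b"".join(out)


def can_concat(files):
    try:
        concat_pcaps(files)
        return True
    except ValueError:
        return False


def build_pcap(linktype, payloads, endian="<"):
    """Constructed sample capture for the demo (not real traffic)."""
    hdr = struct.pack(endian + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, linktype)
    recs = [struct.pack(endian + "IIII", 1258329600 + i, 0, len(p), len(p)) + p
            for i, p in enumerate(payloads)]
    return hdr + b"".join(recs)


if __name__ == "__main__":
    eth = build_pcap(LINKTYPE_ETHERNET, [b"\x00" * 14 + b"frame%d" % i for i in range(5)])
    sll = build_pcap(LINKTYPE_LINUX_SLL, [b"\x00" * 16 + b"cooked"])
    print([count_packets(p) for p in split_pcap(eth, 2)])    # [2, 2, 1]
    print(count_packets(concat_pcaps([eth, eth])))            # 10
    print(can_concat([eth, sll]))                             # False: Ethernet vs SLL
```

The same check explains why a merge of an Iub trace captured on eth0 with a DMX trace captured with -i any fails with the real tools: run both captures on the same interface, or let mergecap write pcapng.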
Thanks