Wireshark Wcdma
Case 1.1: GPRS attach
Preparation:
1. Get the mobile's IMSI number. Eg: 460015760600070
2. Delete the subscriber from the SGSN: gsh delete_subscriber -imsi 460015760600070
3. Power the mobile phone off and on. Start Wireshark.
4. Get the mobile's P-TMSI with the following SGSN command, and also note the RAI information:
    gsh get_subscriber -imsi 460015760600070
    Subscriber Data
    ----------------------------------------------------------------------
    IMSI : 460015760600070
    Mobile Subscriber ISDN No. : 8618606765400
    IMEI : 358065021586680
    Roaming Status : Home
    HLR Address : 861304576000
    Home PLMN APN Operator Id : mnc001.mcc460.gprs
    Subscribed Teleservices : No SMS
    Network Access Mode : Packet/Circuit Switched
    Radio Access Technology : UMTS
    Mobility Management State : PMM-IDLE
    Paging Proceed Flag : Set
    Routing Area [RAI] : 460-01-57601-1
    P-TMSI : 3346057757 (#C770CA1D)
    MSC/VLR Address : Not Gs connected
    Location Confirmed in HLR : true
    Data Confirmed by HLR : true
Interface:
IuPs
Wireshark Filter:
Eg: gsm_a.imsi == 460015760600070 || gsm_a.tmsi == 0xc62cca2f || gsm_a.dtap_msg_gmm_type == 0x03 || gsm_a.dtap_msg_gmm_type == 0x04
Target packets:
attach request
attach accept
attach complete
attach reject
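An added example, not part of the original slides: the gsh output prints the P-TMSI in decimal with its hex form in brackets, while the Wireshark filter needs the hex value. The sketch below parses that output and builds the Case 1.1 filter from it; the function names are hypothetical, the sample records are abridged from the output shown on this page, and the field names are the ones this page uses.

```python
import re

# Abridged from the `gsh get_subscriber` output shown in Case 1.1 (attached subscriber).
SAMPLE = """\
Subscriber Data
----------------------------------------------------------------------
IMSI : 460015760600070
Mobility Management State : PMM-IDLE
Paging Proceed Flag : Set
Routing Area [RAI] : 460-01-57601-1
P-TMSI : 3346057757 (#C770CA1D)
"""

# Abridged from Case 1.2.2: after detach, fields are blank or "Information not available".
DETACHED = """\
Subscriber Data
IMSI : 460013107600039
Mobility Management State : PMM-DETACHED
Routing Area [RAI] :
P-TMSI : Information not available
"""

def parse_subscriber(text):
    """Return {field: value or None} from 'Name : value' lines."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" :")
        if not sep:
            continue  # title and separator lines carry no field
        value = value.strip()
        fields[name.strip()] = None if value in ("", "Information not available") else value
    return fields

def ptmsi_hex(fields):
    """P-TMSI in the 0x... form the filter uses, cross-checked against the decimal value."""
    raw = fields.get("P-TMSI")
    if raw is None:
        return None
    m = re.fullmatch(r"(\d+) \(#([0-9A-Fa-f]{8})\)", raw)
    if not m or int(m.group(1)) != int(m.group(2), 16):
        raise ValueError(f"unexpected P-TMSI field: {raw!r}")
    return "0x" + m.group(2).lower()

def attach_filter(fields):
    """Display filter in the shape of the Case 1.1 example; omits the TMSI term if detached."""
    terms = [f"gsm_a.imsi == {fields['IMSI']}"]
    tmsi = ptmsi_hex(fields)
    if tmsi:
        terms.append(f"gsm_a.tmsi == {tmsi}")
    terms += ["gsm_a.dtap_msg_gmm_type == 0x03", "gsm_a.dtap_msg_gmm_type == 0x04"]
    return " || ".join(terms)

if __name__ == "__main__":
    print(attach_filter(parse_subscriber(SAMPLE)))
    print(attach_filter(parse_subscriber(DETACHED)))
```

A decimal/hex mismatch raises an error instead of producing a filter that silently matches nothing.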
Case 1.2.1: MS initiated GPRS detach
Preparation:
1. Get the mobile's IMSI number. Eg: 460015760600070
2. Get the mobile's P-TMSI with the following SGSN command, and also note the RAI information:
    gsh get_subscriber -imsi 460015760600070
    Subscriber Data
    ----------------------------------------------------------------------
    IMSI : 460015760600070
    Mobile Subscriber ISDN No. : 8618606765400
    IMEI : 358065021586680
    Roaming Status : Home
    HLR Address : 861304576000
    Home PLMN APN Operator Id : mnc001.mcc460.gprs
    Subscribed Teleservices : No SMS
    Network Access Mode : Packet/Circuit Switched
    Radio Access Technology : UMTS
    Mobility Management State : PMM-CONNECTED
    Paging Proceed Flag : Set
    Routing Area [RAI] : 460-01-57601-1
    P-TMSI : 3346057757 (#C770CA1D)
    MSC/VLR Address : Not Gs connected
    Location Confirmed in HLR : true
    Data Confirmed by HLR : true
3. Start Wireshark. Attach to the GPRS network. Activate the PDP context, then detach the MS by powering off the mobile phone or unplugging the data card.
Interface:
IuPs
Wireshark Filter:
Eg: gsm_a.dtap_msg_gmm_type == 0x05 || gsm_a.dtap_msg_gmm_type == 0x06
Target packets:
DETACH REQUEST
DETACH ACCEPT
Case 1.2.2: SGSN initiated GPRS detach
Preparation:
1. Get the mobile's IMSI number. Eg: 460015760600070
2. Get the mobile's P-TMSI with the following SGSN command, and also note the RAI information:
    === wangguan@eqm01s14p2 ANCB ~ # gsh get_subscriber -msisdn 8618673144439
    Subscriber Data
    ----------------------------------------------------------------------
    IMSI : 460013107600039
    Mobile Subscriber ISDN No. : 8618673144439
    IMEI : 357315010408310
    Roaming Status : Home
    HLR Address : 861301616000
    Home PLMN APN Operator Id : mnc001.mcc460.gprs
    Subscribed Teleservices : No SMS
    Network Access Mode : Packet/Circuit Switched
    Radio Access Technology : UMTS
    Mobility Management State : PMM-CONNECTED
    Paging Proceed Flag : Set
    Routing Area [RAI] : 460-01-57601-1
    P-TMSI : 3828667772 (#E434D57C)
    MSC/VLR Address : Not Gs connected
    Location Confirmed in HLR : true
    Data Confirmed by HLR : true
3. Start Wireshark. Activate the PDP context, then delete the subscriber on the SGSN with the following command:
    gsh delete_subscriber -imsi 460013107600039
4. As a result, the subscriber data in the SGSN should change to detached immediately and then be deleted from the SGSN.
    === wangguan@eqm01s14p2 ANCB ~ # gsh delete_subscriber -msisdn 8618673144439
    === wangguan@eqm01s14p2 ANCB ~ # gsh get_subscriber -msisdn 8618673144439
    Subscriber Data
    ----------------------------------------------------------------------
    IMSI : 460013107600039
    Mobile Subscriber ISDN No. : Information not available
    IMEI : Information not available
    Roaming Status : Home
    HLR Address : 861301616000
    Home PLMN APN Operator Id : mnc001.mcc460.gprs
    Subscribed Teleservices : Information not available
    Network Access Mode : Information not available
    Radio Access Technology : UMTS
    Mobility Management State : PMM-DETACHED
    Paging Proceed Flag :
    Routing Area [RAI] :
    P-TMSI : Information not available
    MSC/VLR Address : Not Gs connected
    Location Confirmed in HLR : false
    Data Confirmed by HLR : false
    === wangguan@eqm01s14p2 ANCB ~ # gsh get_subscriber -msisdn 8618673144439
    Subscriber identity: "8618673144439" is not registered in the SGSN.
    === wangguan@eqm01s14p2 ANCB ~ #
Interface:
IuPs
Wireshark Filter:
Eg: gsm_a.dtap_msg_gmm_type == 0x05 || gsm_a.dtap_msg_gmm_type == 0x06
Target packets:
DETACH REQUEST
DETACH ACCEPT
Case 1.2.3: HLR initiated GPRS detach
Preparation:
1. Get the mobile's IMSI number. Eg: 460015760600070
2. Get the mobile's P-TMSI with the following SGSN command, and also note the RAI information:
    === wangguan@eqm01s14p2 ANCB ~ # gsh get_subscriber -msisdn 8618673144439
    Subscriber Data
    ----------------------------------------------------------------------
    IMSI : 460013107600039
    Mobile Subscriber ISDN No. : 8618673144439
    IMEI : 357315010408310
    Roaming Status : Home
    HLR Address : 861301616000
    Home PLMN APN Operator Id : mnc001.mcc460.gprs
    Subscribed Teleservices : No SMS
    Network Access Mode : Packet/Circuit Switched
    Radio Access Technology : UMTS
    Mobility Management State : PMM-CONNECTED
    Paging Proceed Flag : Set
    Routing Area [RAI] : 460-01-57601-1
    P-TMSI : 3828667772 (#E434D57C)
    MSC/VLR Address : Not Gs connected
    Location Confirmed in HLR : true
    Data Confirmed by HLR : true
3. Activate the PDP context. The HLR sends a Cancel Location message to the subscriber.
4. On the SGSN, the subscriber data has been deleted.
Interface:
IuPs
Wireshark Filter:
Eg: gsm_a.dtap_msg_gmm_type == 0x05 || gsm_a.dtap_msg_gmm_type == 0x06
Target packets:
DETACH REQUEST
DETACH ACCEPT
Case 1.3: Authentication
Preparation:
1. Get the mobile's IMSI number. Eg: 460015760600070. Get the mobile's IMEI. Eg: 35731501040831970
2. Get the mobile's P-TMSI with the following SGSN command, and also note the RAI information:
    === wangguan@eqm01s14p2 ANCB ~ # gsh get_subscriber -msisdn 8618673144439
    Subscriber Data
    ----------------------------------------------------------------------
    IMSI : 460013107600039
    Mobile Subscriber ISDN No. : 8618673144439
    IMEI : 357315010408310
    Roaming Status : Home
    HLR Address : 861301616000
    Home PLMN APN Operator Id : mnc001.mcc460.gprs
    Subscribed Teleservices : No SMS
    Network Access Mode : Packet/Circuit Switched
    Radio Access Technology : UMTS
    Mobility Management State : PMM-CONNECTED
    Paging Proceed Flag : Set
    Routing Area [RAI] : 460-01-57601-1
    P-TMSI : 3828667772 (#E434D57C)
    MSC/VLR Address : Not Gs connected
    Location Confirmed in HLR : true
    Data Confirmed by HLR : true
3. Start Wireshark. Activate the PDP context. Match the IMEI and RAI.
Interface:
IuPs
Wireshark Filter:
Eg: gsm_a.dtap_msg_gmm_type == 0x12 || gsm_a.dtap_msg_gmm_type == 0x13 || gsm_a.dtap_msg_gmm_type == 0x14 || gsm_a.dtap_msg_gmm_type == 0x1c
Target packets:
AUTHENTICATION AND CIPHERING REQUEST
AUTHENTICATION AND CIPHERING RESPONSE
Case 1.4: Security mode
Preparation:
1. Get the mobile's IMSI number. Eg: 460015760600070
2. Delete the subscriber from the SGSN: gsh delete_subscriber -imsi 460015760600070
3. Start Wireshark. Power the mobile phone off and on.
4. Get the mobile's P-TMSI with the following SGSN command, and also note the RAI information:
    gsh get_subscriber -imsi 460015760600070
    Subscriber Data
    ----------------------------------------------------------------------
    IMSI : 460015760600070
    Mobile Subscriber ISDN No. : 8618606765400
    IMEI : 358065021586680
    Roaming Status : Home
    HLR Address : 861304576000
    Home PLMN APN Operator Id : mnc001.mcc460.gprs
    Subscribed Teleservices : No SMS
    Network Access Mode : Packet/Circuit Switched
    Radio Access Technology : UMTS
    Mobility Management State : PMM-IDLE
    Paging Proceed Flag : Set
    Routing Area [RAI] : 460-01-57601-1
    P-TMSI : 3346057757 (#C770CA1D)
    MSC/VLR Address : Not Gs connected
    Location Confirmed in HLR : true
    Data Confirmed by HLR : true
5. Activate the PDP context. Match the RAI.
Interface:
IuPs
Wireshark Filter:
Eg:
ranap.SecurityModeCommand || ranap.SecurityModeComplete || ranap.SecurityModeReject
Target packets:
Security mode command
Security mode complete
Security mode reject
Case 1.5: RAB assignment
Preparation:
1. The mobile phone is attached to the GPRS network. Get the mobile's IMSI number. Eg: 460015760600070
2. Get the mobile's P-TMSI with the following SGSN command, and also note the RAI information:
    gsh get_subscriber -imsi 460015760600070
    Subscriber Data
    ----------------------------------------------------------------------
    IMSI : 460015760600070
    Mobile Subscriber ISDN No. : 8618606765400
    IMEI : 358065021586680
    Roaming Status : Home
    HLR Address : 861304576000
    Home PLMN APN Operator Id : mnc001.mcc460.gprs
    Subscribed Teleservices : No SMS
    Network Access Mode : Packet/Circuit Switched
    Radio Access Technology : UMTS
    Mobility Management State : PMM-IDLE
    Paging Proceed Flag : Set
    Routing Area [RAI] : 460-01-57601-1
    P-TMSI : 3346057757 (#C770CA1D)
    MSC/VLR Address : Not Gs connected
    Location Confirmed in HLR : true
    Data Confirmed by HLR : true
3. Start Wireshark and activate the PDP context. Match the RAI and IMSI.
Interface:
IuPs
Wireshark Filter:
Eg: ranap.RAB_AssignmentRequest || ranap.RAB_AssignmentResponse
Target packets:
RAB ASSIGNMENT REQUEST
RAB ASSIGNMENT RESPONSE
Case 1.6.1: MS initiated service request
Preparation:
1. The mobile phone is attached to the GPRS network. Get the mobile's IMSI number. Eg: 460015760600070
2. Get the mobile's P-TMSI with the following SGSN command, and also note the RAI information:
    gsh get_subscriber -imsi 460015760600070
    Subscriber Data
    ----------------------------------------------------------------------
    IMSI : 460015760600070
    Mobile Subscriber ISDN No. : 8618606765400
    IMEI : 358065021586680
    Roaming Status : Home
    HLR Address : 861304576000
    Home PLMN APN Operator Id : mnc001.mcc460.gprs
    Subscribed Teleservices : No SMS
    Network Access Mode : Packet/Circuit Switched
    Radio Access Technology : UMTS
    Mobility Management State : PMM-IDLE
    Paging Proceed Flag : Set
    Routing Area [RAI] : 460-01-57601-1
    P-TMSI : 3346057757 (#C770CA1D)
    MSC/VLR Address : Not Gs connected
    Location Confirmed in HLR : true
    Data Confirmed by HLR : true
3. Start Wireshark and activate the PDP context. Match the RAI and IMSI.
Interface:
IuPs
Wireshark Filter:
Eg: gsm_a.dtap_msg_gmm_type == 0x0c || gsm_a.dtap_msg_gmm_type == 0x0d || gsm_a.dtap_msg_gmm_type == 0x0e
Target packets:
Service request
Service accept
Service reject
Case 1.6.2: Network initiated service request
Preparation:
1. The mobile phone is attached to the GPRS network. Get the mobile's IMSI number. Eg: 460015760600070
2. Get the mobile's P-TMSI with the following SGSN command, and also note the RAI information.
3. Activate the PDP context and download a large file from an FTP server.
4. Start Wireshark. Simulate an unreachable network by entering an elevator that the network doesn't cover.
5. When the subscriber moves out of the elevator, the network should send paging and push the service to the subscriber. The FTP download should resume.
Interface:
IuPs
Wireshark Filter:
Eg: gsm_a.dtap_msg_gmm_type == 0x0c || gsm_a.dtap_msg_gmm_type == 0x0d || gsm_a.dtap_msg_gmm_type == 0x0e
Target packets:
Paging
Service request
Service accept (SGSN to RNC)
Case 1.7.1: MS initiated PDP context activation
Preparation:
1. The mobile phone is attached to the GPRS network. Get the mobile's IMSI number. Eg: 460015760600070
2. Get the mobile's P-TMSI with the following SGSN command, and also note the RAI information.
3. Start Wireshark and activate the PDP context. Match the RAI and IMSI.
Interface:
IuPs
Gn
Filtered packet:
Activate PDP Context Request
Activate PDP Context Accept
Activate PDP Context Reject
Create PDP Context Request
Create PDP Context Response
Target packets:
RANAP: gsm_a.dtap_msg_sm_type == 0x41 || gsm_a.dtap_msg_sm_type == 0x42 || gsm_a.dtap_msg_sm_type == 0x43
GTP: gtp.imsi == "460015760600070" && gtp.message == 0x10, then right-click and choose "Follow UDP Stream"
Case 1.7.2: MS initiated secondary PDP context activation
Preparation:
1. The mobile phone is attached to the GPRS network. Get the mobile's IMSI number. Eg: 460015760600070
2. Get the mobile's P-TMSI with the following SGSN command, and also note the RAI information.
3. Start Wireshark and activate the secondary PDP context. Match the RAI and IMSI.
Interface:
IuPs
Gn
Filtered packet:
Activate Secondary PDP Context Request
Activate Secondary PDP Context Accept
Activate Secondary PDP Context Reject
Create PDP Context Request
Create PDP Context Response
Target packets:
RANAP: gsm_a.dtap_msg_sm_type == 0x4d || gsm_a.dtap_msg_sm_type == 0x4e || gsm_a.dtap_msg_sm_type == 0x4f
GTP: gtp.imsi == "460015760600070" && gtp.message == 0x10, then right-click and choose "Follow UDP Stream"
Case 1.7.3: Network initiated secondary PDP context activation (network-initiated PDP context activation)
Preparation:
1. The mobile phone is attached to the GPRS network. Get the mobile's IMSI number. Eg: 460015760600070
2. Get the mobile's P-TMSI with the following SGSN command, and also note the RAI information.
3. Start Wireshark and activate the PDP context from the network. Match the RAI and IMSI.
Interface:
IuPs
Gn
Filtered packet:
Paging
Service request
Service accept (SGSN to RNC)
Target packets:
Eg: gsm_a.dtap_msg_gmm_type == 0x0c || gsm_a.dtap_msg_gmm_type == 0x0d || gsm_a.dtap_msg_gmm_type == 0x0e
Case 1.8.2: Network initiated PDP context modification
Preparation:
1. The mobile phone is attached to the GPRS network. Activate the PDP context and get the mobile's IMSI number. Eg: 460015760600070.
2. Get the mobile's P-TMSI with the following SGSN command, and also note the RAI information.
3. Start Wireshark. On the HLR, modify the PDP context QoS profile. This triggers the SGSN to initiate the PDP context modification process.
Interface:
IuPs
Gn
Filtered packet:
Update PDP Context Request
Update PDP Context Response
Modify PDP Context Request
Modify PDP Context Accept
Modify PDP Context Reject
Target packets:
Eg: gtp.message == 0x12 || gtp.message == 0x13 || gsm_a.dtap_msg_sm_type == 0x48 || gsm_a.dtap_msg_sm_type == 0x49
Case 1.9.1: MS initiated PDP context deactivation
Preparation:
1. The mobile phone is attached to the GPRS network. Activate the PDP context and get the mobile's IMSI number. Eg: 460015760600070.
2. Get the mobile's P-TMSI with the following SGSN command, and also note the RAI information.
3. Start Wireshark. Deactivate the PDP context by closing the browser on the mobile phone.
Interface:
IuPs
Gn
Filtered packet:
Delete PDP Context Request
Delete PDP Context Response
Deactivate PDP Context Request
Deactivate PDP Context Accept
Target packets:
RANAP: gsm_a.dtap_msg_sm_type == 0x46 || gsm_a.dtap_msg_sm_type == 0x47 || gtp.message == 0x14 || gtp.message == 0x15
GTP:
gtp.message == 0x14 || gtp.message == 0x15
Case 1.9.2: SGSN initiated PDP context deactivation
Preparation:
1. The mobile phone is attached to the GPRS network. Activate the PDP context and get the mobile's IMSI number. Eg: 460015760600070.
2. Get the mobile's P-TMSI with the following SGSN command, and also note the RAI information.
3. Start Wireshark. Deactivate the PDP context by deleting the subscriber on the SGSN with the command:
    gsh delete_subscriber -imsi 460015760600070
Interface:
IuPs
Gn
Filtered packet:
Delete PDP Context Request
Delete PDP Context Response
Deactivate PDP Context Request
Deactivate PDP Context Accept
Target packets:
Eg: gsm_a.dtap_msg_sm_type == 0x46 || gsm_a.dtap_msg_sm_type == 0x47 || gtp.message == 0x14 || gtp.message == 0x15
Case 1.10: DNS resolve (DNS resolution procedure)
Preparation:
1. The mobile phone is attached to the GPRS network. Activate the PDP context and get the mobile's IMSI number. Eg: 460015760600070
2. Start Wireshark. The MS activates the PDP context.
Interface:
Gn
Target packets:
Standard query
Standard query response
Wireshark Filter:
dns
Case 4.1.1: intra SGSN routing area update (periodic routing area update)
Preparation:
1. The mobile phone is attached to the GPRS network. Activate the PDP context and get the mobile's IMSI number. Eg: 460015760600070.
2. Get the mobile's P-TMSI with the following SGSN command, and also get the RAI information.
3. Start Wireshark. Capture the Iu-ps and Gr interfaces.
Interface:
IuPs
Target packets:
Routing Area Update Request
Routing Area Update Accept
Routing Area Update Complete
Routing Area Update Reject
Wireshark Filter:
Eg: gsm_a.dtap_msg_gmm_type == 0x08 || gsm_a.dtap_msg_gmm_type == 0x09 || gsm_a.dtap_msg_gmm_type == 0x0a || gsm_a.dtap_msg_gmm_type == 0x0b
Case 4.2: GPRS identity
Preparation:
1. The mobile phone is attached to the GPRS network. Get the mobile's IMSI number. Eg: 460015760600070.
2. Start Wireshark. Detach the MS from the GPRS network by disabling the UMTS network connection.
3. Delete the subscriber data on the SGSN. Attach to the GPRS network by re-activating the UMTS network connection. This makes sure the MS uses its P-TMSI when it sends the attach request. Match the P-TMSI and IMSI.
Interface:
IuPs
Target packets:
IDENTITY REQUEST (identity type)
IDENTITY RESPONSE (mobile identity)
Wireshark Filter:
Eg: gsm_a.dtap_msg_gmm_type == 0x15 || gsm_a.dtap_msg_gmm_type == 0x16
Case 4.3: P-TMSI re-allocation
Preparation:
1. The mobile phone is attached to the GPRS network. Get the mobile's IMSI number. Eg: 460015760600070.
2. Get the mobile's P-TMSI with the following SGSN command, and also get the RAI information.
3. Start Wireshark. Simulate an RA update by moving the UE between RNCs.
4. On the SGSN, check that a new P-TMSI has been assigned to the MS.
Interface:
IuPs
Target packets:
P-TMSI Reallocation Command
P-TMSI Reallocation Complete
Wireshark Filter:
Eg: gsm_a.dtap_msg_gmm_type == 0x10 || gsm_a.dtap_msg_gmm_type == 0x11
Case 4.4: Paging
Preparation:
1. The mobile phone is attached to the GPRS network. Activate the PDP context. Get the mobile's IMSI number. Eg: 460015760600070.
2. Get the mobile's P-TMSI with the following SGSN command, and also get the RAI information:
    gsh get_subscriber -imsi 460015760600070
3. Start Wireshark. Simulate an unreachable subscriber by entering an elevator that the network doesn't cover.
4. When the subscriber steps out of the elevator, the MS should be reachable again.
Interface:
IuPs
Target packets:
Paging
Wireshark Filter:
Eg: ranap.imsi_digits == "460011808600107" || ranap.Paging