This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello!

I am trying to use wireshark to decode LTE protocols data, captured from the system. It works for S1 (going to hex, then tex2pcap, then tshark -V).

But, something is lost with RRC, I can not get it tunning:

Maybe I should add something to RRC, like direction?

Best regards, thanks, HNY

Iztok

example in hex, RC_CONNECTION_REQUEST
000000 58 55 95 97 74 06 zz

tshark answer:

Frame 1: 6 bytes on wire (48 bits), 6 bytes captured (48 bits)  
    WTAP_ENCAP: 54  
    Arrival Time: Dec 13, 2012 21:35:02.000000000 CET  
    [Time shift for this packet: 0.000000000 seconds]  
    Epoch Time: 1355430902.000000000 seconds  
    [Time delta from previous captured frame: .000000000 seconds]  
    [Time delta from previous displayed frame: 0.000000000 seconds]  
    [Time since reference or first frame: 0.000000000 seconds]  
    Frame Number: 1  
    Frame Length: 6 bytes (48 bits)  
    Capture Length: 6 bytes (48 bits)  
    [Frame is marked: False]  
    [Frame is ignored: False]  
    [Protocols in frame: user_dlt:rlc-lte]  
DLT: 156, Payload: rlc-lte (RLC-LTE)  
RLC-LTE  
[Can't dissect LTE RLC frame because no per-frame info was attached!]

S1 example:
hex:
000000 20 17 00 12 00 00 02 00 00 40 05 C0 01 36 FC D2 00 08 40 02 00 68 zz

tshark:

Frame 15: 22 bytes on wire (176 bits), 22 bytes captured (176 bits)  
    WTAP_ENCAP: 56  
    Arrival Time: Dec 13, 2012 21:37:55.000014000 CET  
    [Time shift for this packet: 0.000000000 seconds]  
    Epoch Time: 1355431075.000014000 seconds  
    [Time delta from previous captured frame: 0.000001000 seconds]  
    [Time delta from previous displayed frame: 0.000001000 seconds]  
    [Time since reference or first frame: 0.000014000 seconds]  
    Frame Number: 15  
    Frame Length: 22 bytes (176 bits)  
    Capture Length: 22 bytes (176 bits)  
    [Frame is marked: False]
    [Frame is ignored: False]  
    [Protocols in frame: user_dlt:s1ap:s1ap:s1ap:s1ap]  
DLT: 158, Payload: s1ap (S1 Application Protocol)  
S1 Application Protocol  
    S1AP-PDU: successfulOutcome (1)  
        successfulOutcome  
            procedureCode: id-UEContextRelease (23)  
            criticality: reject (0)  
            value  
                UEContextReleaseComplete  
                    protocolIEs: 2 items  
                        Item 0: id-MME-UE-S1AP-ID  
                            ProtocolIE-Field  
                                id: id-MME-UE-S1AP-ID (0)  
                                criticality: ignore (1)  
                                value  
                                    MME-UE-S1AP-ID: 20380882  
                        Item 1: id-eNB-UE-S1AP-ID  
                            ProtocolIE-Field  
                                id: id-eNB-UE-S1AP-ID (8)  
                                criticality: ignore (1)  
                                value  
                                    ENB-UE-S1AP-ID: 104

asked 13 Dec '12, 12:53

s52d's gravatar image

s52d
1113
accept rate: 50%

edited 16 Dec '12, 23:50

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196


Hello!

Solved: by using separate user_dlts, generating several hex files, and then merging tshark output files together.

my user_dlts:

"User 3 (DLT=150)","lte-rrc.bcch.bch","0","","0",""

"User 4 (DLT=151)","lte-rrc.bcch.dl.sch","0","","0",""

"User 5 (DLT=152)","lte-rrc.dl.ccch","0","","0",""

"User 6 (DLT=153)","lte-rrc.dl.dcch","0","","0",""

"User 7 (DLT=154)","lte-rrc.pcch","0","","0",""

"User 8 (DLT=155)","lte-rrc.ul.ccch","0","","0",""

"User 9 (DLT=156)","lte-rrc.ul.dcch","0","","0",""

example in hex, RC_CONNECTION_REQUEST 000000 58 55 95 97 74 06 zz

is coverted by: text2pcap -q -l 155 x.hex x.pcap and tshark -r x.pcap -V

So simple... And I learned a lot about wireshark! HNY, GL Iztok

permanent link

answered 27 Dec '12, 00:25

s52d's gravatar image

s52d
1113
accept rate: 50%

The LTE-RLC dissector expects a structure to be attached to the frame. See packet-rlc-lte.h for details. or http://wiki.wireshark.org/RLC-LTE

permanent link

answered 13 Dec '12, 14:29

Anders's gravatar image

Anders ♦
4.6k952
accept rate: 17%

Hello! Thanks for fast answer, but I keep failing. Is it possible than hex via text2pcap does not work? maybe this works for UDP access only?

can I get working hex sample? Just to verify if I understood headers properly?

BR Iztok

example in hex, following packet-rlc-lte.h, but no succsess. it is typed manually, and at this point data might be incorect, but I fail to get header done properly.

00000000 72 6c 63 2d 6c 74 65 00 02 02 05 03 00 04 00 06 01 00 07 00 00 01 58 55 95 97 74 06 zz

(15 Dec '12, 09:21) s52d

This string:

00000000 72 6c 63 2d 6c 74 65 01 02 02 05 03 00 04 00 06 01 00 07 00 00 01 58 55 95 97 74 06 zz

At least gets it dissected by the dissector.

00000000 72 6c 63 2d 6c 74 65 01 Last byte 01 is rlcMode= RLC_TM_MODE

(16 Dec '12, 07:22) Anders ♦

Ups... I just wanted to get something out of it, and then to fix proper data: format first, then proper contents.

is pcap way ok? Iztok

File y.hex 00000000 72 6c 63 2d 6c 74 65 01 02 02 05 03 00 04 00 06 01 00 07 00 00 01 58 55 95 97 74 06 zz

text2pcap -q -l 156 y.hex y.pcap

tshark -r y.pcap -V

TShark 1.8.4 (cut few characters) Capture Length: 28 bytes (224 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: user_dlt:rlc-lte] DLT: 156, Payload: rlc-lte (RLC-LTE) RLC-LTE [Can't dissect LTE RLC frame because no per-frame info was attached!]

(16 Dec '12, 13:48) s52d

You need to add a dummy UDP header:

0000   20 52 45 43 56 00 20 53 45 4e 44 00 08 00 45 00   RECV. SEND...E.
0010   00 38 12 34 00 00 ff 11 a3 7b 01 01 01 01 02 02  .8.4.....{......
0020   02 02 00 00 00 00 00 24 e1 8d 72 6c 63 2d 6c 74  .......$..rlc-lt
0030   65 01 02 02 05 03 00 04 00 06 01 00 07 00 00 01  e...............
0040   58 55 95 97 74 06                                XU..t.
(16 Dec '12, 22:51) Anders ♦

Sorry, I am lost... To summarize: to get RRC decoded, we put dummy RLC around, and into dummy UDP. But I keep failing: I got something by changing settings of wireshark, but even demos from rlc_lte_logger.c and mac_pcap_sample_code.c are failing. May I ask for good RRC sample, so I can find where I got lost? Thanks!

(26 Dec '12, 10:53) s52d

Managed! New look at it, by defining lte-rrc.dl.ccch in user_dlts.

So, by putting each type in own hex file, calling text2pcap for each one, it can be done. Back to coding.

(26 Dec '12, 22:56) s52d
showing 5 of 6 show 1 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×238
×36
×14
×11
×10

question asked: 13 Dec '12, 12:53

question was seen: 8,252 times

last updated: 27 Dec '12, 00:25

p​o​w​e​r​e​d by O​S​Q​A