This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter all traces for a particular IMSI

0

Hi

I would like to know , how can we filtered out all related traces of a particular request on a production system.

For example , in a telecom network , how can we filtered out all related data for a particular IMSI ?

Regards Luke.

asked 14 Feb '15, 20:31

luke_devon's gravatar image

luke_devon
6113
accept rate: 0%

If it is GSM_MAP, you'd use as a display filter "gsm_map.imsi_digits contains 123456789012345" or some partial IMSI thereof. In newer versions of Wireshark, it's "gsm_map.imsi"

What Quadratic said is right about SS7 applications. In an ANSI network, there will be an E212/IMSI in the SCCP called party address for messaging that is being routed to a mobile global title (UpdateLocation, SendAuthenticationInfo, etc). In an ITU network, instead of E212/IMSI it will be a hybrid E214 for those same messages types. Note that for supplementary services type messages (i.e. hen a user sends *129# for balance inquiry) the IMSI is actually in the TCAP layer as a "destination reference".

If you give more specifics we can probably help you more.

(07 May '15, 07:24) tiger762

One Answer:

1

There isn't anything as simple as that, but on a per-protocol basis it can certainly be done. For example:

  • In Diameter S6a/S6d, 'diameter.User-Name==imsi' will get you the request. Then filter on that request's "diameter.Session-Id" value and you have the request/response for that IMSI.
  • In RANAP messaging, first you'd need to find an IMSI-based procedure (typically within the Common-Id IE) and search for the SCCP association id to grab. Search for that association id, and you get the full dialogue.
  • In policy control applications, typically it's the same as S6a except that diameter.Subscription-Id-Data would be used insead of diameter.User-Name.
  • In Sigtran/SS7 applications, at the SCCP layer often you have E.212/E.214 translation in use. In those cases, the called/calling party address can be searched for, mapped to a TCAP transaction, then that TCAP transaction can be searched for to get the full dialogue. For E.164-translated exchanges, you might not have an IMSI number at all so it would again depend on the application you're tracing.
  • In SGsAP, that protocol contains the IMSI in every single message in either direction (gsm_a.imsi==imsi), so it's dirt simple to trace.
  • In S1AP, IMSIs appear in some types of procedures but not all. You'd typically need to map out temporary identifiers for these (M-TMSIs), map them to IMSI from previous exchanges, then sort out the UE Contexts based on the MME UE Context ID and the eNodeB UE Context ID fields, realizing that both can change throughout the context due to mobility events.
  • For SIP, potentially you can get the IMSI out of a URI or would have to map it to a URI. From that, get related SIP exchanges on URI and take the Call ID from it to trace such a session.
  • For GTP, the procedure is similar between GTPv1 and v2 but either way you'd need to search for IMSI first, from it grab the sequence number, map it to the Create Session Response, then from that response you have all the GTP TEID values to include in a subsequent display filter for all the requests/responses mapping to tunnels set up for a given subscriber IMSI.

And I could keep going. :)

My point here is that your tracing methodology will depend greatly on the protocol, especially if you want all signaling that relates to a subscriber rather than just messages that contain the IMSI verbatim.

Now, in a telecom context typically you have trace tools (eg: Tektronix) to do this, though depending on what you're trying to do it isn't impossible to just built these trace tools from scratch. It's definitely not built into wireshark proper, though.

answered 15 Feb '15, 12:35

Quadratic's gravatar image

Quadratic
1.9k6928
accept rate: 13%

edited 15 Feb '15, 12:37

Well, the development version of Wireshark (1.99.x) should make this easier: a lot of the places where Wireshark finds an IMSI (e.g., diameter.User-Name for S6a/S6d) now has a non-protocol-specific filter: e212.imsi . SCCP is the same (if the NP is appropriate). I forget what other protocols have been converted but I'm pretty sure Anders did a bunch.

(15 Feb '15, 15:25) JeffMorriss ♦