To start off with, a few useful filters:
- x2ap.UE_X2AP_ID (gives the X2AP procedure for a given UE context across an X2 handover)
- x2ap.gTP_TEID (gives the GTP tunnel identifiers, used both for X2 GTP as well as S1 GTP)
- gtp.teid (search for GTP payload of a given GTP tunnel ID)
- x2ap.mME_UE_S1AP_ID (value maps to the UE Context ID used by the MME for the S1AP signaling for the UE being moved over)
What filters to use depend on what you are trying to do though. For example, if you have a phone number and are trying to "search for its X2 traffic", that's not a one-step process. Usually if you're doing it long-hand it goes something like this:
- Start by knowing something that will identify the UE in mobility management procedures (e.g. IMSI or GUTI/M-TMSI as the case may be)
- Search for the above identifiers in S1-MME to find the UE at that level. Note that while identifiers in initiation of UE Contexts are sent prior to any standard encryption mechanisms, the use of temporary identifiers may mean some recursive searching or knowledge of the mobile operator (particularly the HSS's knowledge of the serving MME, and the MME's knowledge of the temp identifier assigned to that UE) to get usable search criteria for the UE in raw mobility signaling flows.
- Catch that identifier in use within a transaction over S1AP signaling (S1-MME interface) such that you can grab the MME and eNodeB's "UE Context ID" value in use for that ECM connection
- Follow the MME UE Context ID through the ECM connection until you see a path switch request come in for it, always from a new "target" eNodeB.
- From there, you know you have X2AP signaling between the source and target eNodeBs for the X2 HO. So, search over X2AP signaling between them based on the MME UE Context ID. That will lead you to the X2AP context identifier, for which you can follow the handover preparation exchange.
- From the handover preparation exchange, the GTP identifiers will lead you to follow the S1 and X2 GTP bearers as needed, depending on what you're looking for.
Now, that is assuming you are starting from nothing but an IMSI or GUTI. If you already know some of that information or you have a different starting point, your process will be quite different.
Always with Wireshark protocol analysis, knowing the protocol is paramount. Knowing the "right display filters" is intuitive if you know what identifiers exist logically between the systems that can be mapped to things. Right click and "copy as filter" on any field you want in Wireshark and it will produce the filter format for it, but this is less than 1% of the battle.
answered 22 Apr '16, 18:45
accept rate: 13%
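The identifier chain described in the answer above (MME UE Context ID, then the Path Switch Request from the target eNodeB, then the X2AP UE ID, then the GTP TEIDs), as an added Python example that is not part of the original post. It walks a constructed, tab-separated export in the shape of `tshark -T fields` output; the column layout, the eNodeB names and the ID values are all assumptions made up for the example, and the S1AP procedure code 3 (Path Switch Request) and X2AP procedure code 0 (Handover Preparation) are the standard values. The resulting display filter uses the field names from the answer.

```python
from collections import namedtuple

# Constructed sample export (not real traffic). Assumed columns, tab separated:
# frame, proto, procedureCode, MME_UE_S1AP_ID, UE_X2AP_ID, GTP TEID, src, dst
SAMPLE_EXPORT = """\
10\ts1ap\t12\t4711\t\t\tenb-A\tmme
11\ts1ap\t9\t4711\t\t\tmme\tenb-A
20\tx2ap\t0\t4711\t7\t0x1a2b\tenb-A\tenb-B
21\tx2ap\t0\t\t7\t0x3c4d\tenb-B\tenb-A
22\tgtp\t\t\t\t0x3c4d\tenb-A\tenb-B
30\ts1ap\t3\t4711\t\t\tenb-B\tmme
40\tx2ap\t0\t9999\t8\t0x5e6f\tenb-C\tenb-D
"""

Record = namedtuple("Record", "frame proto proc mme_ue_id x2ap_ue_id teid src dst")


def parse_export(text):
    """One Record per exported frame; empty columns stay as empty strings."""
    return [Record(*line.split("\t")) for line in text.strip().splitlines()]


def follow_handover(records, mme_ue_id):
    """Follow MME UE ID -> Path Switch Request -> X2AP UE ID -> GTP TEIDs.

    Returns None when the chain cannot be completed for this UE context."""
    # Step 1: the Path Switch Request (S1AP procedureCode 3) always comes
    # from the new target eNodeB, so its source tells us who the target is.
    psr = [r for r in records
           if r.proto == "s1ap" and r.proc == "3" and r.mme_ue_id == mme_ue_id]
    if not psr:
        return None
    target = psr[0].src
    # Step 2: X2AP frames carrying the same MME UE ID (x2ap.mME_UE_S1AP_ID)
    # reveal the X2AP context identifier and the source eNodeB.
    x2 = [r for r in records if r.proto == "x2ap" and r.mme_ue_id == mme_ue_id]
    if not x2:
        return None
    x2_id, source = x2[0].x2ap_ue_id, x2[0].src
    # Step 3: the handover preparation exchange (X2AP procedureCode 0) for
    # that context carries the GTP TEIDs (x2ap.gTP_TEID) of the bearers.
    teids = sorted({r.teid for r in records
                    if r.proto == "x2ap" and r.proc == "0"
                    and r.x2ap_ue_id == x2_id and r.teid})
    # Step 4: a Wireshark display filter to pull the X2AP exchange plus the
    # GTP payload of those tunnels (field names as in the answer above).
    filt = " || ".join([f"x2ap.UE_X2AP_ID == {x2_id}"]
                       + [f"gtp.teid == {t}" for t in teids])
    return {"source_enb": source, "target_enb": target,
            "x2ap_ue_id": x2_id, "teids": teids, "filter": filt}
```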