Wireshark monitoring traffic inside YateENB

To capture traffic inside YateENB, the Mobility Management Entity (MME), eNodeB and UE must use EPS encryption algorithm EEA0. This algorithm must be supported by all sides.

EEA0 (EPS Encryption Algorithm 0) doesn’t use ciphering at all.

When ciphering and integrity checking are activated, the UE, MME and eNodeB can select an appropriate EPS Encryption Algorithm (eea0, eea1, eea2, eea3) and an EPC Integrity Algorithm (eia1, eia2) from a list of algorithms that are supported by both sides.

YateUCN MME configuration

In [mme] section of yateucn.conf file add the following lines:

; UCN tells the eNodeB to use EEA0
; eNodeB will tell the UE to use EEA0

To activate the changes reload yateucn from rmanager or restart yate-ucn.service and reattach UE to the eNodeB.

Capture traffic

  • From eNodeB rmanager console (telnet 0 5037) type: enb capture start mac 23234
  • From YateUCN linux console type: tcpdump -i any not tcp -w captured-trafic.pcap
  • Start using internet over LTE from the UE. (After you finish you can stop tcpdump capture with Ctrl+C and open captured-traffic.pcap file with Wireshark.)
  • Captured traffic: S1 Interface (S1AP and GTP-U, YateENB ↔ EPC)

Wireshark settings

  • To see MAC-LTE captured traffic with Wireshark, check all options from: Analize -> Enabled protocols -> MAC-LTE
  • Then on Protocol Preferences:
  • Source of LCID -> drb channel settings: check From configuration protocol
  • Which layer info to show in info column: check RLC info