Wireshark monitoring traffic inside YateENB


To capture traffic inside YateENB, the Mobility Management Entity (MME), eNodeB and UE must use EPS encryption algorithm EEA0. This algorithm must be supported by all sides.

EEA0 (EPS Encryption Algorithm 0) doesn’t use ciphering at all.

When ciphering and integrity checking are activated, the UE, MME and eNodeB can select an appropriate EPS Encryption Algorithm (eea0, eea1, eea2, eea3) and an EPC Integrity Algorithm (eia1, eia2) from a list of algorithms that are supported by both sides.

YateUCN MME configuration

In the [mme] section of the yateucn.conf file, add the following lines:

; UCN tells the eNodeB to use EEA0
; eNodeB will tell the UE to use EEA0

To activate the changes, reload yateucn from rmanager or restart yate-ucn.service, then reattach the UE to the eNodeB.

Capture traffic

  • Steps to follow:
  • 1. Connect to the LabKit by SSH:
ssh yatebts@YOUR_LABKIT_IP -p 54321

The password is the serial number printed on the front plate on your LabKit.

  • 2. Prepare a work directory on the LabKit WWW server:

This step is necessary in order to subsequently get the capture file on your workstation. (You only need to do this step once.)

2.1. Go to the Web root:

cd /var/www/html

2.2. Switch to root (same password as the yatebts user) and create a directory with a meaningful name, such as pcap or wireshark, in your web root. Then go to that directory so that the capture file is created there.

  • 3. Telnet to port 5037 to access the rmanager and the YateENB commands:
telnet localhost 5037
  • 4. Type in the following rmanager command:
enb capture start mac 23234

This will route the radio traffic to UDP port 23234. You should get an OK answer from the rmanager.

  • 5. Start and stop the actual capture:

Exit Telnet (quit or CONTROL + C). Switch to root on the LabKit with su (same password as the yatebts user) to be able to start the capture:

tcpdump -i any not tcp -w YOUR_FILENAME.pcap

Start using the UE. When you’re done, abort the capture with CONTROL + C. The capture should be in the root of your LabKit Web server.

  • 6. Transferring the file to your workstation

In order to be able to perform the analysis you have to transfer the capture file to your workstation.

To do so, type YOUR_LABKIT_IP:2080/YOUR_DIRECTORY in your WWW browser location bar.


Now you should be able to click on your file and download it on your workstation.

  • Captured traffic: S1 Interface (S1AP and GTP-U, YateENB ↔ EPC)
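A check to run on the downloaded file before opening it in Wireshark, as an added example that is not part of the original page: it counts the IPv4 UDP datagrams addressed to the tap port 23234 set in step 4. The function names are hypothetical, and it assumes the classic pcap format and one of the Ethernet, SLL or SLL2 link types (tcpdump -i any writes one of the latter two); the sample capture is constructed.

```python
import struct

MAC_TAP_PORT = 23234  # UDP port given to "enb capture start mac 23234"
# link type -> (link header length, offset of the EtherType field)
LINK_LAYOUT = {1: (14, 12), 113: (16, 14), 276: (20, 0)}  # Ethernet, SLL, SLL2
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def count_udp_to_port(pcap, port=MAC_TAP_PORT):
    """Return (packets_seen, ipv4_udp_packets_to_port) for classic pcap bytes."""
    endian = MAGICS.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0] & 0xFFFF
    if linktype not in LINK_LAYOUT:
        raise ValueError(f"unsupported link type {linktype}")
    hdr_len, et_off = LINK_LAYOUT[linktype]
    seen = hits = 0
    pos = 24  # first record follows the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        seen += 1
        ip = frame[hdr_len:]
        if len(ip) < 20 or frame[et_off:et_off + 2] != b"\x08\x00":
            continue  # not IPv4 (IPv6 is not handled in this example)
        ihl = (ip[0] & 0x0F) * 4
        frag_offset = struct.unpack(">H", ip[6:8])[0] & 0x1FFF
        if ip[9] != 17 or frag_offset or len(ip) < ihl + 8:
            continue  # not UDP, or a later fragment without a UDP header
        if struct.unpack(">H", ip[ihl + 2:ihl + 4])[0] == port:
            hits += 1
    return seen, hits

def build_sample_pcap(dst_ports):
    """Constructed sample: one loopback IPv4/UDP packet per port, SLL link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 113)
    for dport in dst_ports:
        udp = struct.pack(">HHHH", 40000, dport, 8 + 4, 0) + b"\x00" * 4
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1]))
        sll = struct.pack(">HHH8sH", 0, 772, 6, b"\x00" * 8, 0x0800)
        frame = sll + ip + udp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(count_udp_to_port(build_sample_pcap([23234, 2152, 23234])))
```

For a real capture, pass the file contents, for example `count_udp_to_port(open("YOUR_FILENAME.pcap", "rb").read())`; a second value of 0 means no datagrams to the tap port were recorded.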

Wireshark settings

  • To see MAC-LTE captured traffic with Wireshark, check all options from: Analyze -> Enabled protocols -> MAC-LTE
  • Then on Protocol Preferences:
  • Source of LCID -> drb channel settings: check From configuration protocol
  • Which layer info to show in info column: check RLC info