
User Guide Wireshark for IP tracing in 3G IP RAN

Author: Nguyen Vuong Quoc Thinh Date: 03/04/2011

Contents

1. General Overview
2. Wireshark setting user guide
3. Capture in live network
4. Wireshark trace analysis


Alcatel-Lucent – Internal Proprietary – Use pursuant to Company instruction. XXXXX

1 General Overview


Wireshark: Pros vs. Cons

Pros:
- Wireshark is a free download and can run on any laptop
- Easy to send the traces to anyone without having to convert the file format
- Provides a simple but powerful display filter language

Cons:
- Wireshark can drop captured packets
- "Out of memory" when capturing a large traffic volume
- Some protocol stacks cannot be decoded by Wireshark (like Frame Protocol over Iub)
- Software bugs and its functionality depend on the laptop network driver and PC

Equipment installation: Mirroring option (recommended)
- UL & DL traffic from multiple GIGE interfaces can be captured
- Iu-PS/Iu-CS mirroring
[Figure: the RNC ports Lp/14 and Lp/15 carry Iux over IP (towards SGSN/MSC) and Iub (IP link) over Ethernet fiber to the access router (Eth/x); the router's mirroring port is connected with an RJ45 Ethernet cable to the PC Ethernet card (if the router does not have an Ethernet port, an Optical-Copper SFP is needed).]

Equipment installation: Splitter option
- With an optical splitter and an Optical – Ethernet converter: one-way traffic from only one GIGE interface can be captured
  [Figure: optical splitter on the Ethernet fiber between the RNC (Lp/14, Lp/15; Iux over IP, Iub IP link) and the router (Eth/x); one Rx slot of the splitter goes to the Optical – Ethernet converter, then by RJ45 cable to the PC.]
- With an optical splitter and a Switch 6850 with 2 optical ports (2 SFP): both UL & DL traffic from one GIGE interface can be captured
  [Figure: both Rx slots of the splitter go to the two optical ports of the switch, then by RJ45 cable to the PC.]

Check list
- Confirm the type of fibers (SX/LX) and connectors (LC/FC/SC) needed
- Mirroring option (recommended), check availability of:
  - Mirroring capability of the access routers: the dedicated mirroring port must be configured
  - If the mirroring port is Gigabit optical, you need either a "Copper Ethernet SFP" or an Optical – Ethernet converter
  - Ethernet RJ-45 cable
  - Laptop with Wireshark
- Splitter option, check availability of:
  - Optical splitters
  - 10/100/1000Base-T to 1000Base-SX/LX converter, or an OmniSwitch with the associated SFP
  - Ethernet RJ-45 cable
  - Laptop with Wireshark running

2 Wireshark setting guide (whatever the Iux interface)

Software overview
- Winpcap
  - Mandatory for IP sniffing on a laptop
  - Provided together with the Wireshark software
  - All archived Winpcap versions can be downloaded from http://www.winpcap.org/
  - Stable version is 4.1.1
- Wireshark
  - Wireshark version: 1.2.5 (or later), check http://www.wireshark.org
  - Installation tip: install Wireshark in the default folder given by cmd.exe; useful in case you need to run the Tshark tool, provided with Wireshark
- Windump
  - Windows version of the popular tcpdump tool
  - Used to capture IP traffic with a truncated packet size
  - Useful & robust for capturing live network traffic
  - Windump version 3.9.5.beta5 or 3.9.5, download from http://www.winpcap.org/
  - Installation tip: put Windump.exe in a folder reachable from CMD

How to check if Winpcap works well?
- "Winpcap works well" means Wireshark/Windump can:
  - see all available network interfaces on the PC (Gigabit Ethernet, WiFi Link, Generic Adapter...)
  - capture the UE trace from a Qualcomm modem/data card (the Generic Adapter must be visible for this)
[Screenshots: from Wireshark, OK: Generic dialup interface, Gigabit Ethernet interface and Qualcomm USB Modem are all listed. From Windump, NOK: no generic dialup adapter => cannot take a UE trace on this PC.]
- Workaround
  - Uninstall the current Winpcap & install the recommended stable Winpcap version
  - Use another laptop PC (avoid Lenovo ThinkPad if possible)

PC setting for capturing in promiscuous mode
- Capture all traffic that the network card can "see" (i.e. mirrored traffic)
- Check "capture packets in promiscuous mode" in Wireshark Capture Options
- Configure a dummy IP@ for the Local Area Connection
  - Automatic IP@ configuration can also work on many PCs
- No tracing if there is a mismatch between the speed on the PC & the mirroring interface (Fast/Gigabit Ethernet)
  - Device manager > Network adapter > Advanced > Link Speed & Duplex
  - "Auto Detect" is recommended (default setting)
  - 100Mbps/1Gbps & Full duplex is desirable (if auto detect does not work); the selected speed depends on the speed of the mirroring interface
  - Force the mirroring port to the same speed as the network interface card (NIC)

VLAN capture setup issue
- With some PC/Network Interface Cards, you won't necessarily see the VLAN tags in packets when capturing on a VLAN
- Some workarounds to disable the stripping of VLAN tags:
  - http://wiki.wireshark.org/CaptureSetup/VLAN
  - http://www.intel.com/support/network/sb/CS-005897.htm
- The workaround does not necessarily work for every NIC type, so please use another PC/NIC in order not to waste too much time

Wireshark: Quick Launch
- Launch the Wireshark application icon
- Toolbar icon: start a new live capture
- Toolbar icon: stop the running live capture
- Identify the capture interface (in our case, it is a Gigabit network connection): Capture > Interfaces
[Screenshot: the Gigabit interface is the one we used to connect with the RJ45 cable.]

Wireshark Settings: Capture > Options
- Basic, must-know:
  - Select the right capture interface (NIC card)
  - Truncate the captured packet (ex: 120 bytes)
  - Check promiscuous mode when capturing mirrored traffic
  - Specify a capture filter only in case you know exactly what you want to capture (ex: ether[70:2]=0x0014)
  - Check the real-time display options if you want to see the traces displayed in real time
- Advanced, useful for live network capture:
  - Save the trace while capturing
  - Save in multiple files, scheduled by capturing duration or file size
  - Schedule to stop the capture
- Click Start to capture the traces

Wireshark trace example
[Screenshot, annotated:]
- This is the DISPLAY filter; for example, tcp.analysis.retransmission displays only the TCP retransmission messages
- Captured messages (time, address, protocol, info)
- Protocol stack of the selected message
- Header + Data coded in hexa

Common display filters
- udp / tcp / sctp / icmp / ranap / sccp / gtp => display only the desired protocol
- sctp && ip.src==10.2.4.9 => display sctp sent from the source having IP@=10.2.4.9
- sctp || tcp => display sctp or tcp messages (both tcp & sctp will be displayed)
- tcp.analysis.retransmission => display the TCP retransmission messages
- tcp.analysis.lost_segment => display "previous segment lost"
- vlan.id == 123 => display the messages having VLAN ID=123
- More about the filter expressions: go to "Expression"

Quick Analysis
- Statistics > Flow graphs
- Analyze > Expert Infos
- Statistics > TCP stream graph

Wireshark overview: timestamp format
- [Date and Time] & [Time of day]: useful for checking the day and time of measurement
- [Seconds Since Beginning...]: useful for checking trigger points and analyzing time-spans
- [Seconds Since Previous...]: useful for inter-packet arrival time interpretation

TCP trace
- Essential: display the time sequence graph to analyze the TCP traffic
- Usage: detailed analysis of TCP flow control, ACK shapes, spotting retransmissions and losses
- Useful only with traces near the TCP data source (FTP server for DL or UE for UL)
- Select a data packet (not an ACK packet) and go to 'Statistics', then 'TCP time stream graph' and 'Time sequence graph – tcptrace'
- Zoom: left-click. Unzoom: SHIFT + left-click
- Find packet: CTRL + left-click on a packet (the packet will be highlighted)
- Move the time or sequence number axis: right-click

Throughput graph
- Displays the instant throughput calculated by Wireshark
- Usage: throughput dynamics (bandwidth changes, etc.)
- Select a data packet (not an ACK packet) and go to 'Statistics', then 'TCP time stream graph' and 'Throughput graph'

RTT graph
- Displays the TCP RTT: delta between a segment and its ACK. Makes sense only at the sender side.
- Usage: check the E2E RTT (will include buffering time if applicable). Check RTT versus packet losses (possible overflow). Check that TCP is not filling up the E2E buffers (low RTT = HSPA RTT).
- Select a data packet (be careful not to choose an acknowledgement packet) and go to 'Statistics', then 'TCP time stream graph' and 'RTT graph'

In-flight data graph
- Displays the in-flight TCP data: useful at the sending side only.
- Usage: follow the dynamics of CWIN / in-flight data versus packet loss (buffer overflow)
- Select a data packet (be careful not to choose an acknowledgement packet) and go to 'Statistics', then 'IO graphs'

3 Capture in live network: things to know

How to capture in a live network?
- Just a reminder about "live":
  - The volume of captured traffic is BIG
  - The traffic rate can reach up to hundreds of Mbps
  - One or two minutes of capturing can generate a 1 GB trace
  - Normal Wireshark capturing == "out of memory" after less than 3 minutes
  - Not trivial to follow your individual call
- How to capture on live?
  - Use Windump to capture the trace
  - Use Wireshark:
    1. Specify the "capture filter" to take only the desired traffic flow
    2. Limit the packet size: truncate to take only the header of each packet
    3. Save the trace in multiple small files

Use Windump to capture the trace
- Options to be used with Windump:
  - Windump -D : display the interfaces
  - Windump -i 2 -F "filter.txt" -s 120 -C 200 -w filename.pcap
    - -i 2: interface number
    - -F "filter.txt": "capture filter" expression (see next slide for the filter expression)
    - -s 120: size kept of each packet (bytes)
    - -C 200: size of each file (unit: 1 MB)
    - -w filename.pcap: trace file name
- Advantages
  - Low resource consumption while capturing (low probability of dropped packets)
  - Takes a big trace with a long duration, no out-of-memory issue

3.1 Example of capture filter design: from the Ethernet stack
- Filter the IuPS User Plane trace of the UE whose IP@ is 188.45.9.195
- The source IP@ 188.45.9.195 is coded with 4 bytes, starting from byte 66
- Similarly, the destination IP@ 188.45.9.195 is coded with 4 bytes, starting from byte 70
- 188.45.9.195 is coded in hexa as 0xbc2d09c3 (4 bytes); the capture filter becomes ether[66:4]=0xbc2d09c3 or ether[70:4]=0xbc2d09c3
[Figure: hex dump of the packet with byte positions marked at Pos: 0, Pos: 16, Pos: 66, Pos: 70 and Pos: 74.]
- Note: if the VLAN tag cannot be captured, the filter becomes ether[62:4]=0xbc2d09c3 or ether[66:4]=0xbc2d09c3

3.1 Example of capture filter design: from the UDP stack
- To avoid depending on the VLAN tag capturing capability, the capture filter can be designed from the UDP stack (instead of Ethernet)
[Figure: hex dump with positions Pos:0 and Pos:32 marked; capture filter udp[32:4]=0xbc2d09c3.]
- Another option to filter the IuPS User Plane trace of the UE whose IP@ == 188.45.9.195 is udp[28:4]=0xbc2d09c3 or udp[32:4]=0xbc2d09c3

3.1 Specify the "capture filter"
- Specify the filter string in the "Capture Filter" field
- How to design the filter?
  - Identify what you want to trace: user plane traffic of a UE (with known IP@) on IuPS, FTP data only, traffic flow with a VLAN ID tag...
  - Identify where and how this information is coded: hexa info in the Wireshark trace
  - Write down the capture filter: ether[start_pos:byte_length]=0xhexa_info
- Some common capture filters
  - User plane IuPS of a UE with known IP@: "udp[28:4]=0xUE_IP_hexa or udp[32:4]=0xUE_IP_hexa"
  - Or with VLAN captured: "ether[66:4]=0xUE_IP_hexa or ether[70:4]=0xUE_IP_hexa"
  - FTP flow only (ftp port + ftp-data port) (without VLAN): "ether[70:2]=0x0014 or ether[72:2]=0x0014 or ether[70:2]=0x0015 or ether[72:2]=0x0015"
  - GTP trace (without VLAN): "ether[42:1]=0x30"
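The byte offsets behind these filters follow from the header sizes stacked in front of the inner (UE) IP header. The following helper, an added example and not part of the original slides, derives the filter strings from the UE address and whether the 802.1Q tag is present; the function names and the assumed header lengths (Ethernet 14, VLAN tag 4, outer IPv4 20, UDP 8, GTP-U 8, inner IPv4 20) are mine, and it also generalizes the FTP and GTP filters to the VLAN-tagged case.

```python
"""Build the IuPS user-plane capture filters described in the slides.

Assumed layout (Ethernet [+VLAN] / IPv4 / UDP / GTP-U / inner IPv4 / TCP or UDP);
the inner IPv4 source and destination addresses sit 12 and 16 bytes into that header.
"""
import ipaddress

ETH_LEN, VLAN_LEN, IP_LEN, UDP_LEN, GTP_LEN = 14, 4, 20, 8, 8
INNER_IP_SRC_OFF, INNER_IP_DST_OFF = 12, 16
FTP_PORTS = (20, 21)  # ftp-data, ftp


def ip_to_hex(ip: str) -> str:
    """188.45.9.195 -> '0xbc2d09c3' (4-byte big-endian value used in the filter)."""
    return "0x%08x" % int(ipaddress.IPv4Address(ip))


def inner_ip_offset(vlan: bool) -> int:
    """Offset from the start of the frame to the inner (UE) IPv4 header."""
    return ETH_LEN + (VLAN_LEN if vlan else 0) + IP_LEN + UDP_LEN + GTP_LEN


def iups_user_plane_filter(ue_ip: str, vlan: bool) -> str:
    """Match frames whose inner IP source or destination is the UE (Ethernet stack)."""
    base = inner_ip_offset(vlan)
    h = ip_to_hex(ue_ip)
    return "ether[%d:4]=%s or ether[%d:4]=%s" % (
        base + INNER_IP_SRC_OFF, h, base + INNER_IP_DST_OFF, h)


def iups_user_plane_filter_udp(ue_ip: str) -> str:
    """Same match anchored on the outer UDP header, so a stripped VLAN tag does not matter."""
    base = UDP_LEN + GTP_LEN
    h = ip_to_hex(ue_ip)
    return "udp[%d:4]=%s or udp[%d:4]=%s" % (
        base + INNER_IP_SRC_OFF, h, base + INNER_IP_DST_OFF, h)


def ftp_filter(vlan: bool) -> str:
    """Match inner TCP segments with source or destination port ftp-data (20) or ftp (21)."""
    tcp = inner_ip_offset(vlan) + IP_LEN  # inner TCP header follows the inner IPv4 header
    terms = []
    for port in FTP_PORTS:
        for off in (tcp, tcp + 2):  # source port, then destination port
            terms.append("ether[%d:2]=0x%04x" % (off, port))
    return " or ".join(terms)


def gtp_filter(vlan: bool) -> str:
    """Match any GTP-U packet: first GTP header byte is 0x30 (version 1, PT=1)."""
    return "ether[%d:1]=0x30" % (ETH_LEN + (VLAN_LEN if vlan else 0) + IP_LEN + UDP_LEN)


if __name__ == "__main__":
    print(iups_user_plane_filter("188.45.9.195", vlan=True))
    print(iups_user_plane_filter_udp("188.45.9.195"))
    print(ftp_filter(vlan=False))
```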

3.2 Limit the captured packet size
- Advantages:
  - Truncates each captured packet from the beginning to the specified value
  - Small trace file: easy for storing & post-processing
  - Same feature as tcpdump or windump
- Be careful:
  - Too small a truncated packet will not contain all the useful header information
  - Truncating packets (without a capture filter) gives the same "out-of-memory" issue
  - Statistics info (like data flow rate, throughput...) cannot be obtained from packet-truncated traces
- Recommended value: 120 bytes; limit each packet to 120 bytes if you want to take the whole IuPS traffic
[Screenshot: this HTTP packet is truncated at 120 bytes.]

3.3 Save in multiple small files
- Advantages:
  - Recommended to name the trace before capturing (specify the folder where to store the trace as well)
  - In case of an issue with Wireshark (out of memory), the trace is already saved
  - Otherwise it takes a lot of time to save a big trace after capturing, and it is hard to stop capturing the trace with Wireshark on a live network
  - Avoids the out-of-memory issue
  - Easy to take a trace on a live network (with the possibility to schedule the capture)
  - "Stop capture" can be used to schedule the capturing
[Screenshot: File name: Iu_PS_test1; each file will be captured during 1 minute, and capturing stops after 10 files (10 minutes).]

4 Wireshark trace analysis

Packet loss detection: TCP trace
- To detect suspected packet loss & retransmission with TCP in Wireshark, use the filters:
  - tcp.analysis.retransmission
  - tcp.analysis.fast_retransmission
  - tcp.analysis.lost_segment
- Useful to determine the network segment having packet loss
[Figure: the same TCP packet, seq no=123 (not the relative sequence number), observed at sniffer 1, sniffer 2 and sniffer 3.] The TCP packet with tcp.seq == 123 is sent twice by the UE and these packets can be seen twice at sniffer 2. But at sniffer 3, we only see the retransmitted packet.

Packet loss detection: SCTP trace (Iu, native Iub)
- Compare the number of SCTP heartbeats & heartbeat ACKs: a difference means loss of heartbeat packets. Telephony -> SCTP / Analyze this Association -> Chunk statistics
- Check the TSN duplication number in SACK messages: sctp.sack_number_of_duplicated_tsns != 0 => loss of an SCTP DATA packet

Packet loss detection: RTP trace (IuCS over IP)
- Telephony / RTP / Stream Analysis
[Screenshot: stream analysis showing no RTP loss.]

Check UDP flow throughput
- Check the UDP throughput on the UE/IuPS UDP Iperf flow
- Use Statistics / Conversation List / UDP to get the UDP transfer statistics (server IP address, UE IP address, throughput including Ethernet+IP+Transport+App headers)
- Determine the UL transfer throughput: Wireshark does not give the application throughput, which can be calculated by: App_Thr = Packets*pkt_size*8/Duration (in the screenshot, App_Thr ≈ 1.54 Mbps)
- Note: if the packet size limit is applied, no statistics info is available

How to compute the UDP Iperf loss rate? Main ideas
- Use a Wireshark UDP Iperf trace (UE, IuPS, Gn, Gi, UDP server side trace)
- Loss can be detected with UDP Iperf: the UDP datagram ID starts from 0 and is incremented at each UDP segment (used to detect packet loss)
[Screenshot: trace of the UE user plane captured at IuPS: 1st UDP pkt, 2nd UDP pkt, 3rd UDP pkt ...]
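The two computations from the last two slides, the App_Thr formula and the datagram-ID gap count, as an added example (not from the slides). It assumes each trace record is (timestamp in seconds, UDP payload bytes) as read off Wireshark, and that iperf 2 writes a 32-bit big-endian datagram ID at the start of the UDP payload; the sample packets are constructed.

```python
"""Application throughput and Iperf UDP loss rate from a list of captured datagrams."""
import struct


def iperf_datagram_id(payload: bytes) -> int:
    """Decode the iperf datagram ID (assumed: first 4 payload bytes, network order, signed)."""
    return struct.unpack("!i", payload[:4])[0]


def app_throughput_bps(packets, pkt_size):
    """App_Thr = Packets * pkt_size * 8 / Duration.

    Duration is taken from the first and last timestamps in the trace and pkt_size is
    the application payload size, so headers are excluded (unlike the Conversation stats).
    """
    if len(packets) < 2:
        raise ValueError("need at least two packets to measure a duration")
    duration = packets[-1][0] - packets[0][0]
    return len(packets) * pkt_size * 8 / duration


def udp_loss(packets):
    """Count missing datagram IDs. Returns (received, expected, loss_rate).

    Expected = highest ID seen + 1 because IDs start at 0. Duplicates are collapsed so a
    datagram mirrored from two ports is not counted as two received.
    """
    ids = {iperf_datagram_id(p[1]) for p in packets}
    expected = max(ids) + 1
    received = len(ids)
    return received, expected, (expected - received) / expected


def make_datagram(ident: int, size: int) -> bytes:
    """Constructed iperf-style payload: the ID followed by zero filler up to `size` bytes."""
    return struct.pack("!i", ident).ljust(size, b"\x00")


# Constructed sample: 1470-byte datagrams sent every 10 ms; IDs 3 and 7 never reach the
# sniffer, so 8 of the 10 expected datagrams are present.
SAMPLE = [(0.010 * i, make_datagram(i, 1470)) for i in (0, 1, 2, 4, 5, 6, 8, 9)]

if __name__ == "__main__":
    rx, exp, rate = udp_loss(SAMPLE)
    print("received %d of %d datagrams, loss rate %.1f%%" % (rx, exp, 100 * rate))
    print("App_Thr = %.0f bit/s" % app_throughput_bps(SAMPLE, 1470))
```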

How to compute the TCP retransmission rate? Main ideas
- Use a Wireshark FTP trace at the UE, IuPS, Gn, Gi, FTP server
- Retransmission is detected based on the TCP sequence number
- The real sequence number is used instead of the relative sequence number (Edit/Preferences: uncheck "relative sequence number")
- More than one packet with the same sequence number => retransmission
[Screenshot: at Sniffer 4, seq no=3698364802 (not the relative seq) appears twice, and the filter tcp.seq == 3698556853 also matches two packets.]
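The rule from this slide and the earlier "Packet loss detection: TCP trace" slide (the same absolute sequence number seen twice at a sniffer means a retransmission, and comparing sniffers locates the lossy segment) written out as an added example, not part of the original slides. It assumes records of the form (sniffer, src, dst, absolute seq, payload length) as read off Wireshark with relative sequence numbers unchecked; the retransmission rate is defined here as retransmitted data segments over all data segments, and the sample is constructed.

```python
"""Per-sniffer TCP retransmission rate from absolute sequence numbers."""
from collections import defaultdict


def retransmission_rate(records):
    """Return {sniffer: (data_segments, retransmissions, rate)}.

    A data segment whose (src, dst, seq) was already seen at the same sniffer counts as
    a retransmission. Pure ACKs (payload length 0) are skipped because they legitimately
    repeat their sequence number.
    """
    seen = defaultdict(set)
    totals = defaultdict(int)
    retx = defaultdict(int)
    for sniffer, src, dst, seq, plen in records:
        if plen == 0:
            continue
        totals[sniffer] += 1
        key = (src, dst, seq)
        if key in seen[sniffer]:
            retx[sniffer] += 1
        else:
            seen[sniffer].add(key)
    return {s: (totals[s], retx[s], retx[s] / totals[s]) for s in totals}


def sniffers_seeing_duplicates(records):
    """Sniffers at which at least one retransmission was observed (sorted)."""
    return sorted(s for s, (_, r, _) in retransmission_rate(records).items() if r)


# Constructed FTP-data sample: server -> UE, 1460-byte segments. The segment with
# absolute seq 3698364802 is lost between sniffer 2 and sniffer 3, so sniffer 2 sees
# the original and the retransmission while sniffer 3 sees only the retransmission.
SERVER, UE = "10.0.0.5", "188.45.9.195"
SAMPLE = [
    (2, SERVER, UE, 3698363342, 1460),
    (2, SERVER, UE, 3698364802, 1460),
    (2, UE, SERVER, 1000, 0),            # pure ACK, ignored
    (2, SERVER, UE, 3698364802, 1460),   # retransmission of seq 3698364802
    (2, SERVER, UE, 3698366262, 1460),
    (3, SERVER, UE, 3698363342, 1460),
    (3, UE, SERVER, 1000, 0),
    (3, SERVER, UE, 3698364802, 1460),   # only the retransmitted copy got this far
    (3, SERVER, UE, 3698366262, 1460),
]

if __name__ == "__main__":
    for sniffer, (n, r, rate) in sorted(retransmission_rate(SAMPLE).items()):
        print("sniffer %d: %d data segments, %d retransmitted (%.1f%%)" % (sniffer, n, r, 100 * rate))
```

A sniffer that shows duplicates upstream of one that does not brackets the segment where the loss occurred, which is the reading the slide applies to sniffer 2 versus sniffer 3.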

TCP bad checksum problem
- When the checksum is bad, the packet is rejected, thus retransmission
- The checksum errors are related to IP transmission errors such as toggled, missing or duplicated bits
- Check the checksum at different network segments:
  - Checksum at FTP server (computed by Wireshark; the one added in the packet): 0x3d28, 0x3d1c, 0x3d10
  - Checksum at CE-RNC (Iu-PS): 0x3d28 [incorrect, should be 0x6f48], 0x3d1c [incorrect, should be 0x1623], 0x3d10 [correct]
  - Checksum at UE side: 0x3d28 [incorrect, should be 0x6f48], 0x3d1c [incorrect, should be 0x1623], 0x3d10 [correct]
- The first value is the checksum inside the packet (added at the FTP server); the bracketed value is the checksum computed by Wireshark at the CE-RNC side, which is different from the one inside the packet.
- => The TCP checksum error happened between the FTP server and the CE (on the Iu-PS interface).
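To see what Wireshark is doing when it reports "[incorrect, should be ...]", the following added example (not from the slides) recomputes the TCP checksum of a constructed IPv4/TCP segment over the pseudo-header plus TCP header and payload, then toggles one payload bit the way a transmission error would and compares the stored and recomputed values. The segment, addresses and helper names are assumptions; the checksum values in the slide come from real packets and are not reproduced here.

```python
"""Verify a TCP checksum the way Wireshark's 'should be' annotation does."""
import ipaddress
import struct

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum over pseudo-header (src, dst, 0, proto, TCP length) + segment with its
    checksum field (bytes 16..17 of the TCP header) zeroed."""
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def checksum_status(src: str, dst: str, segment: bytes):
    """Return (value in packet, value it should be, ok)."""
    in_packet = struct.unpack("!H", segment[16:18])[0]
    expected = tcp_checksum(src, dst, segment)
    return in_packet, expected, in_packet == expected


def build_segment(sport, dport, seq, ack, payload, src, dst) -> bytes:
    """Constructed 20-byte TCP header (PSH+ACK, window 65535) + payload, checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]


def flip_bit(segment: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate one toggled bit on the path; the checksum in the packet stays as sent."""
    b = bytearray(segment)
    b[byte_index] ^= 1 << bit
    return bytes(b)


SERVER, UE = "10.0.0.5", "188.45.9.195"
GOOD = build_segment(20, 40000, 3698364802, 1, b"constructed ftp-data payload", SERVER, UE)
CORRUPT = flip_bit(GOOD, 25, 3)  # payload bit toggled somewhere between server and CE-RNC

if __name__ == "__main__":
    for name, seg in (("as sent", GOOD), ("after bit error", CORRUPT)):
        got, want, ok = checksum_status(SERVER, UE, seg)
        print("%s: 0x%04x [%s]" % (name, got, "correct" if ok else "incorrect, should be 0x%04x" % want))
```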

Thank you
1. This slide package is dedicated to VNTelecom folks!
2. If you have any questions/comments, please address them to me at nvqthinh@vntelecom.org
3. If you want to reuse any part of this slide, please contact me beforehand.