Date post: | 27-Nov-2015 |
1 | Presentation Title | January 2009
Equipment installation – Mirroring option (recommended)
[Figure: the RNC is linked by fiber (Iux over IP, Iub IP link) to the access router (ports Lp/14, Eth/x and Lp/15, Eth/x; Iu-PS/Iu-CS towards SGSN/MSC). A mirroring port on the router is connected by an RJ45 Ethernet cable to the ETH card of the PC. If the router does not have an Ethernet port, an Optical-Copper SFP is needed on the mirroring port.]
UL & DL traffic from multiple GIGE interfaces can be captured.
Slide 2: Equipment installation – Splitter option
[Figure A: an optical splitter is inserted on the fiber between the RNC and the router (Lp/14, Eth/x / Lp/15, Eth/x; Iux over IP, Iub IP link). The Rx slot of the splitter feeds an Optical – Ethernet converter, which is connected by an RJ45 Ethernet cable to the PC.]
One-way traffic from only one GIGE interface can be captured.
[Figure B: same splitter placement, but both Rx slots of the splitter feed a Switch 6850 with 2 optical ports (2 SFP), which is connected by Ethernet to the PC.]
Both UL & DL traffic from one GIGE interface can be captured.
Slide 3: Check list
Confirm the type of fibers (SX/LX) and connectors (LC/FC/SC) needed.
Mirroring option (recommended), check availability of:
– Mirroring capability of the access routers
– The dedicated mirroring port must be configured
– If the mirroring port is Gigabit Optical, you need to have:
  – A “Copper Ethernet SFP”
  – Or an Optical – Ethernet converter
– Ethernet RJ-45 cable
– Laptop with Wireshark
Splitter option, check availability of:
– Optical splitters
– 10/100/1000Base-T to 1000Base-SX/LX converter or Omniswitch with associated SFP
– Ethernet RJ-45 cable
– Laptop with Wireshark running
Slide 5: Software overview
Winpcap
– Mandatory for IP sniffing on the laptop
– Provided together with the Wireshark software
– All archived Winpcap versions can be downloaded from http://www.winpcap.org/
– Stable version is 4.1.beta5 or 3.1
Wireshark
– Wireshark version: 1.2.5 (or later), check http://www.wireshark.org
– Installation tip: install Wireshark in the default folder given by cmd.exe; this is useful in case you need to run the Tshark tool provided with Wireshark
Windump
– Windows version of the popular tcpdump tool
– Used to capture the IP traffic with a truncated packet size
– Useful & robust for capturing live network traffic
– Windump version 3.9.5, download from http://www.winpcap.org/
– Installation tip: put Windump.exe in a folder reachable from CMD
Slide 6: How to check if Winpcap works well?
“Winpcap works well” means Wireshark/Windump can:
– see all available network interfaces on the PC (Gigabit Ethernet, WiFi Link, Generic Adapter…)
– capture the UE trace from the Qualcomm modem/data card (the Generic Adapter needs to be visible for this)
Workaround if it does not:
• Uninstall the current Winpcap & install the recommended stable Winpcap version
• Use another laptop PC (avoid Lenovo ThinkPad if possible)
[Figure: interface lists showing Generic dialup Interface, Qualcomm USB Modem and Gigabit Ethernet Interface. From Wireshark: OK. From Windump: NOK, no generic dialup adapter => the UE trace cannot be taken on this PC.]
Slide 7: PC setting for capturing in promiscuous mode
Promiscuous mode captures all traffic that the network card can “see” (i.e. the mirrored traffic).
– Check “capture packets in promiscuous mode” in Wireshark Capture Options.
– Configure a dummy IP@ for the Local Area Connection; automatic IP@ configuration can also work on many PCs.
– No tracing if there is a mismatch between the speed on the PC & the mirroring interface (Fast/Gigabit Ethernet):
  – Device manager > Network adapter > Advanced > Link Speed & Duplex
  – “Auto Detect” is recommended (default setting)
  – 100 Mbps/1 Gbps & Full duplex is desirable (if auto detect does not work); the selected speed depends on the speed of the mirroring interface
  – Force the mirroring port to the same speed as the network interface card (NIC)
Slide 8: VLAN capture setup issue
With some PCs/Network Interface Cards, you won't necessarily see the VLAN tags in packets when capturing on a VLAN.
Some workarounds to disable the stripping of VLAN tags:
– http://wiki.wireshark.org/CaptureSetup/VLAN
– http://www.intel.com/support/network/sb/CS-005897.htm
– The workaround does not necessarily work for every NIC type, so use another PC/NIC in order not to waste too much time.
Slide 9: Wireshark: Quick Launch
[Figure: toolbar icons; one icon starts a new live capture, another stops the running live capture.]
– Launch the Wireshark application
– Identify the capture interface (in our case, it is a Gigabit network connection): Capture > Interfaces; this is the one used to connect with the RJ45 cable.
Slide 10: Wireshark Settings, Capture > Options
Basic, must-know:
– Select the right capture interface (NIC card)
– Capture filter: specify one only if you know exactly what you want to capture (ex: ether[70:2]=0x0014)
– Check the display options if you want to see the traces displayed in real time
– Click Start to capture the traces
Advanced, useful for live network capture:
– Check the promiscuous mode box when capturing mirrored traffic
– Truncate the captured packet (ex: 120 bytes)
– Save the trace to a file while capturing
– Save in multiple files, scheduled by capture duration or file size
– Schedule the capture to stop
Slide 11: Wireshark trace example
[Figure: Wireshark main window. Top pane: captured messages (time, address, protocol, info). Middle pane: protocol stack of the selected message. Bottom pane: header + data coded in hexa. The filter bar above the panes is the DISPLAY filter, for example tcp.analysis.retransmission to display only the TCP retransmission messages.]
Slide 12: Common display filters
– udp / tcp / sctp / icmp / ranap / sccp / gtp => display only the desired protocol
– sctp && ip.src==10.2.4.9 => display sctp sent from the source having IP@ 10.2.4.9
– sctp || tcp => display sctp or tcp messages (both tcp & sctp will be displayed)
– tcp.analysis.retransmission => display the TCP retransmission messages
– tcp.analysis.lost_segment => display “previous segment lost”
– vlan.id == 123 => display the messages having VLAN ID 123
For more about filter expressions, go to “Expression”.
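To make the filters on this slide and on slide 10 concrete (and to show what the stripped VLAN tag of slide 8 looks like at the byte level), here is an added example that is not part of the deck and not Wireshark's own code: a small Python parser for Ethernet II / 802.1Q / IPv4 headers, a BPF-style `ether[offset:size]` matcher, a simplified evaluator for display filters built from protocol names, `field==value` terms, `&&` and `||`, and a snaplen truncation. The field names (`vlan.id`, `ip.src`, `ip.proto`), the `ether[70:2]=0x0014` capture filter, the 120-byte truncation and the 10.2.4.9 / VLAN 123 values are taken from the slides; the sample frames, dummy MAC addresses and the `run_examples` helper are constructed for illustration and do not come from any real capture.

```python
"""Frame parser and filter evaluator (added example, not from the deck).

Constructed sample frames stand in for a mirrored-port capture; the
ether[70:2] offset, the 120-byte snaplen and the field names are the ones
the slides use, everything else here is an assumption for illustration.
"""
import ipaddress
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag follows the source MAC
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 132: "sctp"}


def parse_frame(frame: bytes) -> dict:
    """Extract vlan.id / ip.src / ip.dst / ip.proto; a field is omitted when
    the frame is too short for it (e.g. truncated below the IP header)."""
    fields = {}
    if len(frame) < 14:
        return fields
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:
        tci = struct.unpack_from("!H", frame, 14)[0]
        fields["vlan.id"] = tci & 0x0FFF          # low 12 bits of the TCI
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        offset = 18
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        fields["ip.src"] = str(ipaddress.IPv4Address(frame[offset + 12:offset + 16]))
        fields["ip.dst"] = str(ipaddress.IPv4Address(frame[offset + 16:offset + 20]))
        fields["ip.proto"] = PROTO_NAMES.get(frame[offset + 9], str(frame[offset + 9]))
    return fields


def ether_match(frame: bytes, offset: int, length: int, value: int) -> bool:
    """BPF-style capture filter ether[offset:length] == value (slide 10)."""
    if len(frame) < offset + length:
        return False
    return int.from_bytes(frame[offset:offset + length], "big") == value


def display_match(fields: dict, expr: str) -> bool:
    """Evaluate a restricted display filter: terms joined by && and ||
    (|| binds loosest). A term is a protocol name or field==value."""
    def term(text: str) -> bool:
        text = text.strip()
        if "==" in text:
            key, val = (part.strip() for part in text.split("==", 1))
            return str(fields.get(key)) == val
        return fields.get("ip.proto") == text
    return any(all(term(t) for t in clause.split("&&"))
               for clause in expr.split("||"))


def truncate(frame: bytes, snaplen: int = 120) -> bytes:
    """What a capture with 'limit each packet to snaplen bytes' keeps."""
    return frame[:snaplen]


def build_frame(src: str, dst: str, proto: int, vlan_id=None, payload=b"") -> bytes:
    """Construct an Ethernet/(802.1Q)/IPv4 frame with dummy MACs and checksum 0."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan_id) if vlan_id is not None else b""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return eth + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload


# Constructed capture: frame 0 is tagged (VLAN 123) SCTP whose bytes 70..71
# are 0x0014; frames 1 and 2 are untagged TCP and UDP with all-zero payloads.
SAMPLE_FRAMES = [
    build_frame("10.2.4.9", "10.2.4.1", 132, vlan_id=123,
                payload=bytes(32) + b"\x00\x14" + bytes(100)),
    build_frame("10.2.4.10", "10.2.4.1", 6, payload=bytes(60)),
    build_frame("10.2.4.9", "10.2.4.1", 17, payload=bytes(60)),
]


def run_examples() -> dict:
    """Apply the slide's filters to SAMPLE_FRAMES; list values are matching indices."""
    parsed = [parse_frame(f) for f in SAMPLE_FRAMES]

    def select(expr):
        return [i for i, p in enumerate(parsed) if display_match(p, expr)]
    return {
        "sctp && ip.src==10.2.4.9": select("sctp && ip.src==10.2.4.9"),
        "sctp || tcp": select("sctp || tcp"),
        "vlan.id == 123": select("vlan.id == 123"),
        "ether[70:2]=0x0014": [i for i, f in enumerate(SAMPLE_FRAMES)
                               if ether_match(f, 70, 2, 0x0014)],
        # A 120-byte snaplen keeps every header field; 16 bytes loses the IP layer.
        "fields after snaplen 120": parse_frame(truncate(SAMPLE_FRAMES[0], 120)),
        "fields after snaplen 16": parse_frame(truncate(SAMPLE_FRAMES[0], 16)),
    }


if __name__ == "__main__":
    for expr, result in run_examples().items():
        print(f"{expr:28} -> {result}")
```

Two things worth noticing when running it: the `vlan.id` field only exists because the 802.1Q tag is still in the bytes handed to the parser, which is exactly what a NIC that strips tags (slide 8) takes away from you, and the 120-byte snaplen of slide 10 keeps every header field the display filters need while discarding most of the payload, whereas a snaplen shorter than the headers makes the IP-level filters silently match nothing.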