In Lab5, you will learn how to use the Linux command tcpdump to capture packets passing through a network interface.
- Learn how to use tcpdump capture packets
- Learn how to use wireshark observing captured packets on N2, N3 and N4
- Install Wireshark to install for Windows and Mac, or using
sudo apt install wiresharkfor ubuntu - Install free5GC: refer free5GC Install
- Install Packetrusher as our UE/gNB simulator: refer PacketRusher Install to install
Network interface cards (NICs) have two configuration modes: Normal Mode and Promiscuous Mode.
In the standard state, NICs operate in Normal Mode, where the network card only accepts data from the network port if the destination address is specifically directed to it. However, when analyzing network traffic, identifying network packets, and troubleshooting network issues, Promiscuous Mode is often enabled. In this mode, the NIC will receive and process all packets passing through the network interface, regardless of their destination.
PCAP file is a file format used to capture and store network traffic data, the data including details like source and destination IP addresses, ports, protocols, and the packet's payload. PCAP file can be opened and analyzed using tools like Wireshark and tcpdump respectively. These tools allow users to inspect the network traffic in detail, apply filters, and decode protocols.
Common Uses for PCAP file :
Network Troubleshooting, Security Analysis, Network Protoco Development
Tips : tcpdump requires root privileges.
$ tcpdump -i {interface name}
$ tcpdump -i {interface name} -w {XXX}.pcap
$ tcpdump host {host ip}
$ tcpdump port {port number}
$ tcpdump host {host ip} and port {port number}
$ tcpdump -c {n}
$ tcpdump tcp
$ tcpdump udp
$ tcpdump icmp
Assuming we have a network configuration as shown in the diagram, and we want to capture the first 10 ICMP packets from the Server on the Client's eth0 interface, and save the result to icmp.pcap file, we can use the following command.
$ tcpdump icmp host 192.168.0.3 -i eth0 -c 10 -w icmp.pcap
In this part, we will capture the packets passing through the N2 and N3 paths, and in the next part, we will use Wireshark to observe which messages are transmitted using NGAP packets when the UE connects and disconnects to the core network.
- N2: handles control signaling between the
gNBandAMF - N3: manages user data transmission between the
gNBandUPF - NGAP: Next Generation Application Protocol, Used for signaling interactions between base stations (gNB) and the 5G core network (5G Core) in 5G networks. It operates over the N2 interface within the 5G network architecture, primarily responsible for control plane message exchange.
For my example, it's 192.168.56.102
For my example, it's 192.168.56.103
$ cd free5gc
$ ./run.sh
$ tcpdump -i enp0s8 -w N2N3.pcap
$ cd PacketRusher
$ ./packetrusher ue
Since the UE needs to go through the N3 interface to communicate with the Data Network, we can send ICMP packets externally to facilitate observation later.
On PacketRusher :
$ ip vrf exec vrf0000000003 ping 8.8.8.8
In this part, we will use Wireshark to observe which messages are transmitted and the protocol stack using NGAP packets when the UE connects and disconnects to the core network.
In Wireshark, you can enter conditions at the top to filter out the specific packets you need from all the captured packets.
- Specific IP :
ip.addr == {specific IP} - Source IP :
ip.src == {src IP} - Source Port :
tcp.srcport == {port number} - Destination IP :
ip.dst == {dst IP} - Destination Port :
tcp.dstport == {port number} - MAC Address :
eth.addr == {MAC Address} - Protocol types :
ngaporicmportcporsctpor others
Since we want to observe packets between the gNB and the AMF, we can set the source and destination IP addresses as filtering conditions, as well as filter for NGAP packet types.
You can observe from the 'Info' field what setup procedures the UE performed with the AMF through the gNB.
-
NGSetupRequest & NGSetupResponse : The purpose of the NG Setup procedure is to exchange application level data needed for the NG-RAN node and the AMF to correctly interoperate on the NG-C interface. This procedure shall be the first NGAP procedure triggered after the TNL association has become operational. The procedure uses non-UE associated signalling.
-
InitialUEMessage (Registration request) : The Initial UE Message procedure is used when the NG-RAN node has received from the radio interface the first uplink NAS message transmitted on an RRC connection to be forwarded to an AMF.
-
DownlinkNASTransport : The Downlink NAS Transport procedure is used when the AMF only needs to send a NAS message transparently via the NG-RAN node to the UE, and a UE-associated logical NG-connection exists for the UE or the AMF has received the RAN UE NGAP ID IE in an INITIAL UE MESSAGE message either over this NG interface instance or another NG interface instance.
-
UplinkNASTransport : The Uplink NAS Transport procedure is used when the NG-RAN node has received from the radio interface a NAS message to be forwarded to the AMF to which a UE-associated logical NG-connection for the UE exists.
-
InitialContextSetup : The purpose of the Initial Context Setup procedure is to establish the necessary overall initial UE Context at the NGRAN node, when required, including PDU session context, the Security Key, Mobility Restriction List, UE Radio Capability and UE Security Capabilities, etc. The AMF may initiate the Initial Context Setup procedure if a UEassociated logical NG-connection exists for the UE or if the AMF has received the RAN UE NGAP ID IE in an INITIAL UE MESSAGE message either over this NG interface instance or another NG interface instance, The procedure uses UE-associated signalling.
-
PDUSessionResourceSetup : The purpose of the PDU Session Resource Setup procedure is to assign resources on Uu and NG-U for one or several PDU session resources and the corresponding QoS flows, and to setup corresponding Data Radio Bearers for a given UE. The procedure uses UE-associated signalling.
-
PDUSessionResourceRelease : The purpose of the PDU Session Resource Release procedure is to enable the release of already established PDU session resources for a given UE. The procedure uses UE-associated signalling.
-
UEContextRelease : The purpose of the UE Context Release Request procedure is to enable the NG-RAN node to request the AMF to release the UE-associated logical NG-connection due to NG-RAN node generated reasons. The procedure uses UEassociated signalling.
Example : InitialUEMessage (Registration Request)
The protocol stack in this packet is :
- SCTP
- NGAP
Packet decapsulate :
- TTL : The maximum distance a packet can be transmitted when passing through a router
- Verification tag : The verification tag in SCTP is used to ensure that the packet belongs to a specific SCTP session.
- Paylad protocol identifier (PPID) : The payload of this data chunk contains NGAP (Next Generation Application Protocol) protocol data.
The N3 interface is responsible for transmitting user data (such as internet traffic, voice, video, etc.), and it typically uses GTP-U (GPRS Tunneling Protocol - User Plane) for encapsulation and transmission.
In Step 6 of capturing packets, we send ICMP packets to the Data Network, which will be observed here.
In this exercise, you need to follow the steps below to capture PFCP packets on the N4 interface, write down the Message Type of each packet in order, and describe the Protocol Stack of the PFCP packet.
- N4: controls user plane configuration and session management between the
SMFandUPF
vim ~/free5gc/config/smfcfg.yaml
$ tcpdump -i lo -w N4.pcap
$ cd free5gc
$ ./run.sh
$ cd PacketRusher
$ ./packetrusher ue
- Shutdown UE.
- Shutdown free5GC.
Observe the captured PFCP packets and answer the following questions.