Wireshark application in telecommunication area
In telecommunications, especially during the development of new technology, connection problems are common.
This article describes how Wireshark is used in Nokia laboratory tests and problem investigation.
Wireshark is an open-source sniffer: a program whose main purpose is to capture and analyze network data flow. It captures data packets in real time, records them, and decodes them. Thanks to a large number of add-ons, it can recognize and decode numerous communication protocols. Wireshark includes filters, color coding, and other features that let the user dig deep into network traffic and inspect individual packets. A promiscuous mode is also available, which lets the user see all the other packets on the network instead of only the packets addressed to a certain network adapter/interface. Many organizations don't allow Wireshark and similar tools on their networks. However, at Nokia, Wireshark is a basic diagnostic tool used in many departments.
2. Main functionality
Wireshark offers various useful options depending on how thorough the investigation has to be. After choosing which network interface should be monitored (WiFi, Bluetooth, Local), the user sees basic information about the captured packets, such as time, source, destination, protocol and length. A typical captured WiFi data stream is shown below.
This capture provides basic information about the data traffic on, in this case, the WiFi interface, and shows what happens between the computer and the WiFi router the user is connected to.
Besides its basic capturing functionality, Wireshark can, as mentioned above, analyze packets thoroughly. Using the filter window, the user can select and analyze only the packets that come from or go to a specific IP address, or only the packets sent with a specific protocol.
On the screen below the traffic has been filtered and only packets sent / received via DNS protocol are shown. The Domain Name System (DNS) protocol is a ‘hierarchically distributed database’, which is a formal way of saying that its layers are arranged in a definite order, and that its data is distributed across a wide range of machines (just like the roots of a tree branch out from the main root).
Most companies today have their own dedicated DNS servers to ensure the computers can find each other without problems.
Note the detailed information about the chosen packet. Following the 7-layer ISO/OSI model, it is possible to analyze each captured frame (which contains MAC addresses) in the Data Link layer, packets (which contain IP addresses) in the Network layer, protocol details in the Transport layer, and so on.
Besides simple filtering, Wireshark also lets the user combine filters.
In Figure 3 you can see three filters used together: source IP, destination IP and protocol.
Figure 1 Basic Wireshark dataflow
Figure 2 Detailed Wireshark dataflow
3. Nokia cases
In the majority of Nokia appliances, only the low layers (1, 2, 3 and 4) are under investigation. During testing, the correctness of the connections between specific components must be checked. In case of problems, a thorough analysis should be performed in order to find the root cause: the reason why a specific functionality does not work.
3.1 Wireshark in basic BTS connection investigation.
One of the main and most popular Nokia solutions is the BTS (Base Transceiver Station), which consists of:
- System Module – main managing computer
- Radio Module – device responsible for sending and receiving data to and from the user's mobile phone
- ALD (antenna line device) – additional devices improving signal quality
Figure 4 presents the basic base station model.
The System Module is connected via the S1 link to the MME (Mobility Management Entity), which is a part of the EPC (Evolved Packet Core). A System Module can also be connected to another System Module via the X2 link. The System Module is connected to the Radio Module via an optical link. The S1 and X2 links and the link between the System Module and the Radio Module are physical optical fibers over which digital data is transferred.
Figure 3 Filtered Wireshark dataflow
Figure 4 BTS overview
Figure 5 Wireshark filtered dataflow
A heartbeat message in signal processing is a message sent from an originator to a destination that enables the destination to identify if and when the originator fails or is no longer available. Usually, heartbeat messages are sent non-stop from start-up until shutdown.
In Figure 5 you can see communication between two interfaces with the following IP addresses: 192.168.4.111 and 192.168.4.125. The heartbeat messages are sent and confirmed (ACK) which means that these two devices – in this case System Module and MME – are connected.
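The heartbeat check described above can be automated over raw packet bytes. The following is an added example, not code from the article or from Nokia's tooling. It assumes the heartbeats in Figure 5 are SCTP HEARTBEAT / HEARTBEAT ACK chunks (S1-MME signalling runs over SCTP); the packet bytes, the port and the assignment of the two addresses to System Module and MME are constructed for illustration.

```python
import struct

HEARTBEAT, HEARTBEAT_ACK = 4, 5   # SCTP chunk types (RFC 9260)

def sctp_chunks(packet: bytes):
    """Yield (chunk_type, chunk_value) for each chunk in one SCTP packet."""
    offset = 12                    # common header: ports, verification tag, checksum
    while offset + 4 <= len(packet):
        ctype, _flags, length = struct.unpack_from("!BBH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed SCTP chunk length")
        yield ctype, packet[offset + 4:offset + length]
        offset += (length + 3) & ~3  # chunks are padded to a 4-byte boundary

def unanswered_heartbeats(capture):
    """capture: (src_ip, dst_ip, sctp_bytes) tuples in capture order.
    Returns (src, dst, heartbeat_info) for every HEARTBEAT that got no ACK."""
    pending = {}
    for src, dst, packet in capture:
        for ctype, value in sctp_chunks(packet):
            if ctype == HEARTBEAT:
                pending[(src, dst, value)] = True
            elif ctype == HEARTBEAT_ACK:
                # The ACK travels the other way and echoes the Heartbeat Info.
                pending.pop((dst, src, value), None)
    return list(pending)

def build_packet(ctype, info: bytes, port=36412):  # 36412: registered S1AP SCTP port
    """Build a constructed SCTP packet with one heartbeat chunk (checksum left 0)."""
    param = struct.pack("!HH", 1, 4 + len(info)) + info   # Heartbeat Info parameter
    chunk = struct.pack("!BBH", ctype, 0, 4 + len(param)) + param
    chunk += b"\x00" * (-len(chunk) % 4)
    return struct.pack("!HHII", port, port, 0x1234, 0) + chunk

# Constructed sample, not a real capture. Which address is the System Module
# and which is the MME is an assumption; the article only lists the two addresses.
SYSTEM_MODULE, MME = "192.168.4.111", "192.168.4.125"
SAMPLE = [
    (SYSTEM_MODULE, MME, build_packet(HEARTBEAT, b"hb-0001")),
    (MME, SYSTEM_MODULE, build_packet(HEARTBEAT_ACK, b"hb-0001")),
    (MME, SYSTEM_MODULE, build_packet(HEARTBEAT, b"hb-0002")),
    (SYSTEM_MODULE, MME, build_packet(HEARTBEAT_ACK, b"hb-0002")),
    (SYSTEM_MODULE, MME, build_packet(HEARTBEAT, b"hb-0003")),  # peer stays silent
]

if __name__ == "__main__":
    for src, dst, info in unanswered_heartbeats(SAMPLE):
        print(f"no HEARTBEAT ACK from {dst} for heartbeat sent by {src}: {info[4:]!r}")
```

An empty result means every heartbeat in the capture was acknowledged, which is the connected state the figure shows; any entry points to the direction in which the link went quiet.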
3.2 Wireshark in attach procedure.
Nokia, operating in the telecommunication industry, creates and develops LTE and 5G technology. When a UE (User Equipment), the subscriber's device, is switched on, the attach procedure is enabled. Below you can see an example of the attach procedure. At the top are the names of the system components taking part in this procedure. Arrows indicate the communication process between devices.
Setting Wireshark to a specific interface (IP address) allows you to capture and decode desired packets.
In the picture above you can see the packets from Figure 6. The presented Wireshark measurement captured all packets between the eNB or UE and the MME. It is clear that the messages presented in Figure 6 (Attach Request, Authentication Request and Authentication Response) are present and have been successfully performed. Also, in Figure 7, in packet no. 10, you can see that a packet retransmission has been executed. Following such an analysis, you can easily investigate the attach procedure to find where communication is interrupted.
3.3 Decoding – Lua scripts
Lua is a scripting language used for extending the functionality of various applications. To decode packets of a specific technology, Wireshark needs information about what each packet means. Figure 5 presents a Wireshark screenshot with no additional tabs; only the basic information is shown. In Figure 7, you can see message names that are characteristic of the attach procedure in LTE technology. To obtain these decoded packets, a specific Lua script was necessary. Nokia has invented and is still developing its own sets of Lua scripts for 5G, LTE, IoT, WCDMA and GSM technology.
In the network area, a tool that shows what happens between specific interfaces and helps investigate problems when necessary, a so-called sniffer, is mandatory. As shown above, Wireshark lets the user capture and analyze data flow, from the basic flow presented in a simple view to an extended and thorough investigation of specific packets between specific interfaces. Among all the sniffers available, Wireshark is an open-source, cross-platform and very customizable tool, which gives it a great advantage over other available programs, and because of that it is widely used in Nokia Network Company.