Tutoring: Analyze 2G/3G/4G traffic using Wireshark (Network Security)
Lab12
Cellular Networks
Note: You need to submit a detailed lab report, with screenshots, to describe what you have done and what you have observed. You also need to provide explanations for the observations that are interesting or surprising. Finally, answer all questions in the lab instructions if there are any.
Task: Analyze 2G/3G/4G traffic using Wireshark
Step 1, download the pcap file and open it using Wireshark. This capture was made on a Sony Xperia Z while switching manually between 2G, 3G and 4G and generating SMS, calls and some data traffic.
Step 2,
The first few packets use LTE RRC and RRC. Answer the following questions.
What is RRC for? What is the difference between LTE RRC and RRC?
When the “Protocol” column of Wireshark starts to display “RRC”, it indicates that the phone is switching from 4G to 3G. Why can we say that?
Step 3,
Packets No. 12-14 show a complete LTE RRC connection establishment procedure. Dig into the packet details and answer the following questions.
Find the IDs: s-TMSI, MCC, MNC, MME Group ID, MME Code, m-TMSI. What are they? What is the purpose of assigning these multiple identifiers to one subscriber/terminal?
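To see how these identifiers fit together, here is an added Python example (not part of the lab handout or the capture) that composes and decomposes a GUTI according to 3GPP TS 23.003: the PLMN (MCC + MNC), MME Group ID and MME Code identify the MME (the GUMMEI), the M-TMSI identifies the UE within that MME, and the S-TMSI carried in RRCConnectionRequest is just MME Code + M-TMSI. It also shows the nibble-swapped PLMN encoding that NAS messages use (TS 24.008 10.5.1.3) and the EPS mobile identity layout for a GUTI (TS 24.301 9.9.3.12). All numeric values (MCC 001, MNC 01, the MMEGI, MMEC and M-TMSI) are constructed, not taken from the pcap.

```python
"""Compose and decompose LTE subscriber identifiers (added example).

GUTI   = PLMN (MCC, MNC) + MMEGI + MMEC + M-TMSI       (TS 23.003, 2.8)
GUMMEI = PLMN + MMEGI + MMEC          (identifies the serving MME)
S-TMSI = MMEC + M-TMSI                (40 bits, what RRCConnectionRequest carries)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Guti:
    mcc: str      # Mobile Country Code, 3 decimal digits
    mnc: str      # Mobile Network Code, 2 or 3 decimal digits
    mmegi: int    # MME Group Identity, 16 bits
    mmec: int     # MME Code, 8 bits
    m_tmsi: int   # M-TMSI, 32 bits

    def __post_init__(self) -> None:
        if len(self.mcc) != 3 or not self.mcc.isdigit():
            raise ValueError("MCC must be 3 digits")
        if len(self.mnc) not in (2, 3) or not self.mnc.isdigit():
            raise ValueError("MNC must be 2 or 3 digits")
        if not 0 <= self.mmegi <= 0xFFFF or not 0 <= self.mmec <= 0xFF:
            raise ValueError("MMEGI is 16 bits, MMEC is 8 bits")
        if not 0 <= self.m_tmsi <= 0xFFFFFFFF:
            raise ValueError("M-TMSI is 32 bits")

    @property
    def gummei(self) -> tuple:
        """The MME-identifying part of the GUTI."""
        return (self.mcc, self.mnc, self.mmegi, self.mmec)

    @property
    def s_tmsi(self) -> int:
        """S-TMSI = MMEC (8 bits) followed by M-TMSI (32 bits)."""
        return (self.mmec << 32) | self.m_tmsi


def s_tmsi_from_rrc(mmec_bits: str, m_tmsi_bits: str) -> int:
    """Wireshark shows s-TMSI as mmec BIT STRING(8) and m-TMSI BIT STRING(32)."""
    if len(mmec_bits) != 8 or len(m_tmsi_bits) != 32:
        raise ValueError("expected 8-bit mmec and 32-bit m-TMSI")
    return (int(mmec_bits, 2) << 32) | int(m_tmsi_bits, 2)


def split_s_tmsi(s_tmsi: int) -> tuple:
    """Recover (MMEC, M-TMSI) from a 40-bit S-TMSI."""
    return s_tmsi >> 32, s_tmsi & 0xFFFFFFFF


def encode_plmn(mcc: str, mnc: str) -> bytes:
    """Nibble-swapped PLMN encoding used in NAS IEs (TS 24.008 10.5.1.3)."""
    d = [int(c) for c in mcc] + [int(c) for c in mnc]
    mnc3 = d[5] if len(mnc) == 3 else 0xF  # 2-digit MNC pads digit 3 with 0xF
    return bytes([(d[1] << 4) | d[0], (mnc3 << 4) | d[2], (d[4] << 4) | d[3]])


def decode_plmn(b: bytes) -> tuple:
    """Inverse of encode_plmn; returns (mcc, mnc) as digit strings."""
    mcc = f"{b[0] & 0xF}{b[0] >> 4}{b[1] & 0xF}"
    mnc3 = b[1] >> 4
    mnc = f"{b[2] & 0xF}{b[2] >> 4}" + ("" if mnc3 == 0xF else str(mnc3))
    return mcc, mnc


def encode_guti_nas(g: Guti) -> bytes:
    """EPS mobile identity value for a GUTI (TS 24.301 9.9.3.12): 11 octets.

    First octet 0xF6 = spare 1111, even-indicator 0, type-of-identity 110 (GUTI).
    """
    return (bytes([0xF6]) + encode_plmn(g.mcc, g.mnc)
            + g.mmegi.to_bytes(2, "big") + bytes([g.mmec])
            + g.m_tmsi.to_bytes(4, "big"))


def decode_guti_nas(b: bytes) -> Guti:
    """Parse the 11-octet GUTI form of the EPS mobile identity IE."""
    if len(b) != 11 or b[0] != 0xF6:
        raise ValueError("not a GUTI-type EPS mobile identity")
    mcc, mnc = decode_plmn(b[1:4])
    return Guti(mcc, mnc, int.from_bytes(b[4:6], "big"), b[6],
                int.from_bytes(b[7:11], "big"))


if __name__ == "__main__":
    # Constructed values (test PLMN 001-01); not from the lab capture.
    g = Guti("001", "01", 0x8001, 0x01, 0xC0FFEE01)
    print("GUMMEI :", g.gummei)
    print("S-TMSI : 0x%010x" % g.s_tmsi)
    print("NAS IE :", encode_guti_nas(g).hex())
    # Two UEs under different MME groups can share an S-TMSI: the full GUTI
    # (with MMEGI and PLMN) is what makes the identity globally unique.
    other = Guti("001", "01", 0x8002, 0x01, 0xC0FFEE01)
    print("same S-TMSI, different GUTI:", g.s_tmsi == other.s_tmsi, g != other)
```

The point for the report: the S-TMSI is only unique within one MME, which is why RRC can afford a short 40-bit field, while the GUTI that NAS carries adds the PLMN and MME Group ID so the core network can route the UE to the right MME. Because both are temporary and reassigned, they are what the phone sends over the air instead of its permanent IMSI.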
Step 4,
Packets No. 16-17 show an LTE RRC connection detachment procedure. Then the phone switches to 3G. The first 3G packet, packet No. 18, is a BCCH-BCH message.
The Broadcast Control CHannel (BCCH) is used by the base station (antenna) to broadcast its general characteristics (which operator it belongs to, which frequencies it supports, which area it is in, etc.) in chunks called SIBs (System Information Blocks).
In the following packet No. 21, please show what you find about the identity of the operator.
Step 5,
Now let's go to packet No. 78.
The phone listens to the cell tower broadcasts and looks at the SIBs. It selects an operator the subscriber is authorized to connect to, and it also compares signal strength with other antennas.
Then the phone starts a layer-1-only handshake, which is not captured in this file. When the handshake finishes, it sends its first uplink RRC packet: the RRCConnectionRequest. That's our packet No. 78.
Answer the following questions.
What IDs do you find in this packet? What do these IDs mean?
Why does the phone send TMSI instead of IMSI? What does this indicate?
What is the reason for opening this connection? Besides this reason, list other scenarios that a phone can apply for a connection.
In packet No. 79, please find the RNTI (Radio Network Temporary Identity), which is the primary identifier for the newly established connection.
Finally, the RRCConnectionSetupComplete message contains information about the phone (the bands it supports, its 2G/3G/4G capabilities, the encryption algorithms it supports, etc.). This is the end of the RRC handshake.
During this connection establishment, do you find any sign of IP address? Why? Will you see IP addresses if the network is 5G? Why?
Step 6,
Packet No. 81 belongs to the CS (Circuit-Switched) domain, and No. 82 to the PS (Packet-Switched) domain.
What kind of payload do you think is transferred within packets No. 81 and 82? Why?
Step 7,
Let's go to packet No. 222. The message "Service Request" means the phone wants to create an Internet connection. In 3G jargon, an Internet connection is called a "PDP (Packet Data Protocol) context".
After SecurityMode is set, the phone wants an IP address in packet No. 228. Please show the evidence (screenshot) of this request.
The phone gets its IP address later. Please find the message and show the assigned IP address. Hint: look at the name of packet No. 228, find its partner.
Step 8,
Let's go to packet No. 554. The message "MS to Network" means the phone (mobile station) wants to send an SMS to the core network.
Packet No. 555 shows that the base station wants to identify the phone's ID. What kind of ID does the base station want? Show the ID in the screenshot.
Packet No. 556 responds with the value of this ID. Show the value of the ID in the screenshot.
Step 9,
Packet No. 716 is the beginning of a call. Show with a screenshot why we can say that.
Step 10,
According to what we have learned above, please find the point that the phone switches to LTE (4G) using a screenshot.
The early generations of cellular systems were designed to offer mobile voice communication services. With the surge of data services, a packet-switched network for data delivery and a circuit-switched network for voice calls were maintained in both the 2.5G and 3G systems. What is the big leap made by 4G?