
Mobile Analyzer Trace Log Messages (Part 2) : Chin Gang Wu, Application Engineer 2 February 2015 Confidential


Mobile Analyzer Trace Log Messages

(Part 2)
Chin Gang Wu, Application Engineer locate, communicate, accelerate
2nd February 2015
Confidential
Objectives
- Introduction to common UMTS terminology used in Mobile Analyser

- Interpretation of decoded messages seen in trace logs

Slide 2
UMTS / GSM Network

CS Core

PS Core

Figure 1: Network Diagram

Slide 3
UMTS Protocol Stack

Figure: UMTS Protocol Stack

Focus in this presentation will be on layer 3 messages in Mobile Analyser trace logs

Slide 4
Exercise #1:
Make a MO call and find all the call control messages as shown in the following call
flow diagram.

Figure: MO call establishment

Slide 5
Location Update Messages (CS only)
[15490] URRC_EST_REQ (Location updating request)
[15670] URLC_RRC_TM_DATA_REQ (RRC Connection Request)
[15759] URLC_RRC_UM_DATA_IND (RRC Connection Setup)
[15950] URLC_RRC_AM_DATA_REQ (RRC Connection Setup Complete)
[16478] URRC_DATA_IND (Authentication Request)
[16600] URRC_DATA_REQ (Authentication Response)
[16655] URLC_RRC_AM_DATA_IND (Security Mode Command)
[16692] URLC_RRC_AM_DATA_REQ (Security Mode Complete)
[17303] URRC_DATA_IND (MM Identity Request)
[17306] URRC_DATA_REQ (MM Identity Response)
[17498] URRC_DATA_IND (Location updating accept)
[17507] URRC_DATA_REQ (TMSI Reallocation Complete)

REQ – Request, message direction is from UE to Network
IND – Indication, message direction is from Network to UE
AM, UM, TM – Acknowledged, Unacknowledged, Transparent Modes; these are RLC data transfer modes

Figure: Location Update Call Flow (as shown in 3GPP TS 32.407)
Nodes in the figure: UE, UTRAN, MSC/VLR, HLR
Message labels in the figure: Location Update Request; Send Authentication Info; Send Authentication Info. ACK; AUTH req; AUTH resp; Update Location; Insert subscriber data; Insert subscriber data ACK; Update Location ACK; Security Mode Command; Security Mode Complete; Location Update Accept; TMSI Relocation Complete
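
Added example (not part of the original slides): a parser for the trace lines above that applies the REQ/IND and AM/UM/TM legend, then checks that Authentication Response and Security Mode Complete appear before Location updating accept. The function names, and the reading of the bracketed number as an increasing stamp, are assumptions of this example.

```python
import re

# Trace lines copied from the Location Update slide above.
TRACE = """\
[15490] URRC_EST_REQ (Location updating request)
[15670] URLC_RRC_TM_DATA_REQ (RRC Connection Request)
[15759] URLC_RRC_UM_DATA_IND (RRC Connection Setup)
[15950] URLC_RRC_AM_DATA_REQ (RRC Connection Setup Complete)
[16478] URRC_DATA_IND (Authentication Request)
[16600] URRC_DATA_REQ (Authentication Response)
[16655] URLC_RRC_AM_DATA_IND (Security Mode Command)
[16692] URLC_RRC_AM_DATA_REQ (Security Mode Complete)
[17303] URRC_DATA_IND (MM Identity Request)
[17306] URRC_DATA_REQ (MM Identity Response)
[17498] URRC_DATA_IND (Location updating accept)
[17507] URRC_DATA_REQ (TMSI Reallocation Complete)
"""

LINE_RE = re.compile(r"^\[(\d+)\]\s+([A-Z0-9_]+)\s+\((.+)\)\s*$")
DIRECTION = {"REQ": "UE->NW", "IND": "NW->UE"}  # from the slide legend
RLC_MODE = {"AM": "acknowledged", "UM": "unacknowledged", "TM": "transparent"}

def parse_trace(text):
    """Turn '[stamp] PRIMITIVE (decoded message)' lines into dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. AT command lines or primitives with no decoded name
        stamp, primitive, message = m.groups()
        parts = primitive.split("_")
        events.append({
            "stamp": int(stamp),
            "primitive": primitive,
            "direction": DIRECTION.get(parts[-1], "unknown"),
            "rlc_mode": next((RLC_MODE[p] for p in parts if p in RLC_MODE), None),
            "message": message,
        })
    return events

def first_stamp(events, message, direction):
    """Stamp of the first event with this decoded name and direction, else None."""
    for e in events:
        if e["message"].lower() == message.lower() and e["direction"] == direction:
            return e["stamp"]
    return None

def security_before_accept(events):
    """True when Authentication Response and Security Mode Complete both precede
    Location updating accept; None when the trace holds no accept at all."""
    accept = first_stamp(events, "Location updating accept", "NW->UE")
    if accept is None:
        return None
    auth = first_stamp(events, "Authentication Response", "UE->NW")
    smc = first_stamp(events, "Security Mode Complete", "UE->NW")
    return auth is not None and smc is not None and auth < accept and smc < accept
```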

Slide 6
Non Access Stratum (NAS)
The Non Access Stratum architecture is divided into:
Circuit Switched (CS) Protocols – MM and CM sub-layers
Packet Switched (PS) Protocols – GMM and SM sub-layers

Figure: NAS is divided into CS and PS

Slide 7
GPRS Attach Messages
[2166] SCC: T:2 C: at+cgatt=1
[2217] GMMAS_ESTABLISH_REQ (Attach Request)
[2396] URLC_RRC_TM_DATA_REQ (UL-CCCH: RRC Connection Request)
[2486] URLC_RRC_UM_DATA_IND (DL-CCCH: RRC Connection Setup)
[2692] URLC_RRC_AM_DATA_REQ (UL-DCCH: RRC Connection Setup Complete)
[2694] URLC_RRC_AM_DATA_REQ (UL-DCCH: Initial Direct Transfer Attach Request)
[2702] GMMAS_ESTABLISH_CNF
[3054] GMMAS_DATA_IND (Attach Accept)
[3066] GMMAS_DATA_REQ (Attach Complete)
[3068] URLC_RRC_AM_DATA_REQ (UL-DCCH: Uplink Direct Transfer Attach Complete)
[3118] SCC: T:2 L:6 R: OK

Authentication functions may be performed; they are mandatory if no MM context information related to the MS, such as IMSI, P-TMSI, CI, and RA exists anywhere in the network.

Figure: GPRS attach call flow

Slide 8
GPRS Attach Messages – Authentication and Ciphering

Figure 22: GPRS attach call flow with Authentication & Ciphering

Slide 9
GPRS Attach Messages – Attach Request
length (SDL_Integer): 26

Skip Indicator : 0
Protocol Discriminator : Mobility Management for GPRS services (8)
Message Type value : 1

** Attach Request **

MS network capability | MS Network Capability


00000011 MS Network Capability length of contents : 3
1------- GEA1 bits : 1
-1------ Mobile station supports mobile terminated point to point SMS via dedicated signalling channels : 1
--1----- Mobile station supports mobile terminated point to point SMS via GPRS packet data channels : 1
---1---- the ME has no preference between the use of the default alphabet and the use of UCS2. : 1
----01-- SS Screening Indicator : 1
------0- The ME does not support SoLSA. : 0
-------1 used by a mobile station supporting R99 or later version of the protocol : 1
1------- Mobile station does support BSS packet flow procedures : 1
-1------ encryption algorithm GEA/2 available : 1
--1----- encryption algorithm GEA/3 available : 1
---0---- encryption algorithm GEA/4 not available : 0
----0--- encryption algorithm GEA/5 not available : 0
-----0-- encryption algorithm GEA/6 not available : 0
------0- encryption algorithm GEA/7 not available : 0

The functions necessary to protect GPRS from hijacking attacks and provide protection from false base station attacks in networks that activate ciphering
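
Added example (not part of the original slides): the two MS Network Capability octets decoded above, rebuilt as bytes and parsed to list the GEA algorithms the handset advertises. The function names and the WEAK_GEA denylist are assumptions of this example; the last bit of the second octet and the whole third octet are not shown on the slide and are set to 0 here.

```python
# Value octets rebuilt from the bit fields on the slide. The slide lists only
# seven bits of the second octet and none of the third, so the missing bit and
# the third octet are 0 here (constructed placeholder values).
SLIDE_IE = bytes([0x03, 0xF5, 0xE0, 0x00])

# (value octet index, bit mask, name), in the order the decoder output lists them.
GEA_BITS = [
    (0, 0x80, "GEA/1"),
    (1, 0x40, "GEA/2"),
    (1, 0x20, "GEA/3"),
    (1, 0x10, "GEA/4"),
    (1, 0x08, "GEA/5"),
    (1, 0x04, "GEA/6"),
    (1, 0x02, "GEA/7"),
]
OCTET1_FLAGS = [
    (0x40, "sms_dedicated"),
    (0x20, "sms_gprs"),
    (0x10, "ucs2_no_preference"),
    (0x02, "solsa"),
    (0x01, "r99_or_later"),
]
# Policy assumption of this example: algorithms a reviewer wants flagged.
WEAK_GEA = frozenset({"GEA/1", "GEA/2"})

def parse_ms_network_capability(ie):
    """ie is the length octet followed by the value octets."""
    if not ie or ie[0] < 1 or len(ie) - 1 != ie[0]:
        raise ValueError("length octet does not match contents")
    value = ie[1:]
    cap = {name: bool(value[0] & mask) for mask, name in OCTET1_FLAGS}
    cap["ss_screening"] = (value[0] >> 2) & 0x03
    # A one-octet capability carries no second octet: PFC and GEA/2..7 are absent.
    cap["pfc"] = len(value) > 1 and bool(value[1] & 0x80)
    cap["gea"] = [name for idx, mask, name in GEA_BITS
                  if idx < len(value) and value[idx] & mask]
    return cap

def flagged_gea(cap, weak=WEAK_GEA):
    """Advertised algorithms that the policy set marks for review."""
    return [alg for alg in cap["gea"] if alg in weak]
```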

Slide 10
GPRS Attach Messages – Attach Request
Attach type | Attach Type
----0--- R99: No follow-on request pending; R97: spare : 0
-----001 GPRS attach : 1

Slide 11
GPRS Attach Messages – Attach Request
DRX Parameter | DRX Parameter
00001000 SPLIT PG CYCLE value: 8
0000---- R99 - CN Specific DRX cycle length coefficient not specified by the MS. R97-spare : 0
----0--- Split pg cycle on CCCH is not supported by the mobile station : 0
-----011 max. 4 sec non-DRX mode after transfer state : 3

P-TMSI or IMSI | Mobile identity


00000101 Mobile identity length of contents : 5
1111---- Identity digit 1 : 15
----0--- odd/even indic: even number of identity digits and also when the TMSI/P-TMSI is used : 0
-----100 Type of identity : TMSI/P-TMSI : 4
1100---- Identity digit 3 (most significant bits) : 12
----1010 Identity digit 2 : 10
0000---- Identity digit 5 : 0
----0110 Identity digit 4 : 6
0101---- Identity digit 7 : 5
----1111 Identity digit 6 : 15
0100---- Identity digit 9 : 4
----0011 Identity digit 8 (least significant bits) : 3
........ Identity digit value : 0xCA065F43

Slide 12
GPRS Attach Messages – Attach Request
Old routing area identification | Routing area identification
0010---- Mobile country code, digit 2
----0101 Mobile country code, digit 1
1111---- spare (two digit MNC)
----0101 Mobile country code, digit 3
0001---- Mobile network code, digit 2
----0000 Mobile network code, digit 1
........ Mobile country code : 525
........ Mobile network code : 01
(MCC 525 / MNC 01: SingTel Singapore)
00000001 LAC, Location area code : 1
01010111 LAC, Location area code (continued) : 87
........ LAC, Location area code value : 343 (0x157)
00000001 RAC, Routing area code : 1

MS Radio access capability | MS Radio Access capability


00010000 MS RA capability length of contents : 16

The purpose of the routing area identification information element is to provide an unambiguous identification of routing areas within the GPRS coverage area.
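
Added example (not part of the original slides): the Mobile identity and Routing area identification octets from the Attach Request, rebuilt from the bit fields above and decoded back to the P-TMSI, MCC/MNC, LAC and RAC values the decoder prints. It goes beyond the slides by also handling BCD-coded identities and three digit MNCs; the function names are assumptions of this example.

```python
# Identity type codes from 3GPP TS 24.008; only value 4 appears on the slides.
ID_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI/P-TMSI"}

# Octets rebuilt from the bit fields shown on the slides above.
SLIDE_RAI = bytes([0x25, 0xF5, 0x10, 0x01, 0x57, 0x01])
SLIDE_MOBILE_ID = bytes([0x05, 0xF4, 0xCA, 0x06, 0x5F, 0x43])

def _digits(nibbles):
    """Join BCD nibbles into a digit string, rejecting values above 9."""
    if any(n > 9 for n in nibbles):
        raise ValueError("non-decimal BCD digit")
    return "".join(str(n) for n in nibbles)

def decode_rai(rai):
    """Six octets: swapped-nibble MCC/MNC, two octet LAC, one octet RAC."""
    if len(rai) != 6:
        raise ValueError("routing area identification is 6 octets")
    mcc = _digits([rai[0] & 0x0F, rai[0] >> 4, rai[1] & 0x0F])
    mnc = [rai[2] & 0x0F, rai[2] >> 4]
    if rai[1] >> 4 != 0xF:  # 0xF in this nibble marks a two digit MNC
        mnc.append(rai[1] >> 4)
    return {"mcc": mcc, "mnc": _digits(mnc),
            "lac": int.from_bytes(rai[3:5], "big"), "rac": rai[5]}

def decode_mobile_identity(ie):
    """ie is the length octet followed by the identity contents."""
    if len(ie) < 2 or len(ie) - 1 != ie[0]:
        raise ValueError("length octet does not match contents")
    body = ie[1:]
    id_type, odd = body[0] & 0x07, bool(body[0] & 0x08)
    name = ID_TYPES.get(id_type, "unknown")
    if id_type == 4:
        # Temporary identity: high nibble 1111, then four raw octets.
        if len(body) != 5 or body[0] >> 4 != 0xF:
            raise ValueError("malformed TMSI/P-TMSI")
        return {"type": name, "value": "0x" + body[1:].hex().upper()}
    # BCD identity: digit 1 in the first high nibble, then low nibble first.
    nibbles = [body[0] >> 4]
    for octet in body[1:]:
        nibbles += [octet & 0x0F, octet >> 4]
    if not odd:
        nibbles.pop()  # final high nibble is 0xF filler
    return {"type": name, "value": _digits(nibbles)}
```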

Slide 13
GPRS Attach Messages – Attach Accept
length (SDL_Integer): 1C

Skip Indicator : 0
Protocol Discriminator : Mobility Management for GPRS services (8)
Message Type value : ?  What is this value?

** Attach Accept **

Force to standby | Force to standby


0------- spare : 0
-000---- Force to standby not indicated : 0
Attach result | Attach Result
----1--- No follow-on proceed : 1
-----001 GPRS only attached : 1
Periodic RA update timer | GPRS Timer
010----- Unit: value is incremented in multiples of decihours : 2
---01001 Timer value : 9 decihours  How many minutes is 9 decihours?
Spare half octet | Spare half octet
0000---- Spare Half Octet : 0
Radio priority for SMS | Radio Priority
----0--- spare : 0
-----100 priority level 4 (lowest) : 4

Slide 14
GPRS Attach Messages – Attach Accept
Routing area identification | Routing area identification
0010---- Mobile country code, digit 2
----0101 Mobile country code, digit 1
1111---- spare (two digit MNC)
----0101 Mobile country code, digit 3
0001---- Mobile network code, digit 2
----0000 Mobile network code, digit 1
........ Mobile country code : 525
........ Mobile network code : 01
00000001 LAC, Location area code : 1
01010111 LAC, Location area code (continued) : 87
........ LAC, Location area code value : 343 (0x157)
00000001 RAC, Routing area code : 1

P-TMSI signature | P-TMSI signature


00011001 P-TMSI signature IEI : 25
10100011 P-TMSI signature value(most significant) : 163
00110111 P-TMSI signature value : 55
00101111 P-TMSI signature value(least significant) : 47
........ P-TMSI signature value : 10696495 (0xa3372f)

Slide 15
GPRS Attach Messages – Attach Accept
Allocated P-TMSI | Mobile identity
00011000 Mobile identity IEI : 24
00000101 Mobile identity length of contents : 5
1111---- Identity digit 1 : 15
----0--- odd/even indic: even number of identity digits and also when the TMSI/P-TMSI is used : 0
-----100 Type of identity : TMSI/P-TMSI : ?  What is this value?
1100---- Identity digit 3 (most significant bits) : 12
----1110 Identity digit 2 : 14
0000---- Identity digit 5 : 0
----0110 Identity digit 4 : 6
0101---- Identity digit 7 : 5
----1111 Identity digit 6 : 15
0110---- Identity digit 9 : 6
----0011 Identity digit 8 (least significant bits) : 3
........ Identity digit value : 0xCE065F63
Equivalent PLMNs | PLMN List
01001010 PLMN List IEI : 74
00000011 PLMN List length of contents : 3
0010---- MCC digit 2, PLMN 1
----0101 MCC digit 1, PLMN 1
1111---- MNC digit 3, PLMN 1
----0101 MCC digit 3, PLMN 1
0111---- MNC digit 2, PLMN 1
----0000 MNC digit 1, PLMN 1
Network feature support | Network feature support
1011---- Network feature support IEI : 11
----0--- LCS-MOLR via PS domain not supported : 0
-----0-- MBMS not supported : 0
------00 Spare

Slide 16
PDP Context Activation Messages

Figure 23: GMM and SM NAS

Slide 17
PDP Context Activation Messages - Call Flow

Figure 24: PDP context activation call flow diagram

Slide 18
PDP Context Activation Messages
Internal PDP Context Activation (Using Internal TCP/IP Stack)
[10953] SCC: T:2 C: at+upsd=0,1,"e-ideas"
[10997] SCC: T:2 C: at+upsda=0,3
[11188] SMREG_PDP_ACTIVATE_REQ (Activate PDP Context Request)
[11197] GMMSM_UNITDATA_REQ (Activate PDP Context Request)
[11958] GMMAS_DATA_REQ (Activate PDP Context Request)
[11960] URLC_RRC_AM_DATA_REQ (UL-DCCH: UL Direct Transfer Activate PDP Context Request)
[12308] URLC_RRC_AM_DATA_REQ (UL-DCCH: Radio Bearer Setup Complete)
[12546] URLC_RRC_AM_DATA_IND (DL-DCCH: DL Direct Transfer Activate PDP Context Accept)
[12567] GMMAS_DATA_IND (Activate PDP Context Accept)
[12578] GMMSM_UNITDATA_IND (Activate PDP Context Accept)
[12586] SMREG_PDP_ACTIVATE_CNF (PDP Context Active and RAB Active)

CNF – Confirmed
GMM – GPRS Mobility Management
SM – Session Management
AS – Access Stratum
UNITDATA – Session Management Packet Data Unit (SM PDU)
REG – Registration Services
REQ – Request, message direction is from UE to NW
IND – Indication, message direction is from NW to UE

Figure labels: LISA-U200; Application Processor; Internal TCP/IP Stack

Slide 19
PDP Context Activation Messages
External PDP Context Activation (Using External TCP/IP Stack)
[19664] SCC: T:2 C: at+cgdcont=1,"IP","e-ideas"
[19917] SCC: T:2 C: at+cgact=1,1
[19927] SMREG_PDP_ACTIVATE_REQ (Activate PDP Context Request)
[19936] GMMSM_UNITDATA_REQ (Activate PDP Context Request)
[19938] GMMAS_DATA_REQ (Activate PDP Context Request)
[20299] URLC_RRC_AM_DATA_REQ (UL-DCCH: Uplink Direct Transfer Activate PDP Context Request)
[20782] URLC_RRC_AM_DATA_REQ (UL-DCCH: Radio Bearer Setup Complete)
[20879] URLC_RRC_AM_DATA_IND (DL-DCCH: DL Direct Transfer Activate PDP Context Accept)
[20892] GMMAS_DATA_IND (Activate PDP Context Accept)
[20894] GMMSM_UNITDATA_IND (Activate PDP Context Accept)
[20901] SMREG_PDP_ACTIVATE_CNF (PDP Context Active and RAB Active)

For more information, please refer to: 3GPP TS 24.007

Figure labels: Application Processor; External TCP/IP Stack; LISA-U200

Slide 20
Activate PDP Context Request
length (SDL_Integer): 20

Transaction Identifier : 1
Protocol Discriminator : Session Management (10)
Message Type value : ?  What is this value?

** Activate PDP Context Request **

Requested NSAPI | Network service access point identifier
0000---- Spare : 0
----0110 NSAPI 6 : 6
Requested LLC SAPI | LLC service access point identifier
0000---- spare : 0
----0011 LLC SAPI value: SAPI 3 : 3
Requested QoS | Quality of service
00001110 Quality of service length of contents : 14
00------ spare : 0
--000--- In MS to network direction: Subscribed delay class : 0
In network to MS direction: Reserved
-----000 In MS to network direction: Subscribed reliability class : 0
In network to MS direction: Reserved
0000---- In MS to network direction: Subscribed peak throughput : 0
In network to MS direction: Reserved
----0--- spare : 0
-----000 In MS to network direction: Subscribed precedence : 0
In network to MS direction: Reserved
000----- spare : 0
---00000 In MS to network direction: Subscribed mean throughput : 0

The Logical Link Control (LLC) layer is one of two sublayers that make up the Data Link Layer of the OSI model. The Logical Link Control layer controls frame synchronization, flow control and error checking.

LLC SAPI identifies the SAP used for GPRS data transfer at the LLC layer.

A Network (Layer) Service Access Point Identifier (NSAPI), is an identifier used in GPRS (cellular data) networks. It is used to identify a Packet Data Protocol (PDP) context (a unique data session) in the Mobile Station (MS) and in the Serving GPRS Support Node (SGSN). It is dynamically selected by the MS (however, the MS should ensure that the selected NSAPI is not currently being used by another session management entity in the MS). When the MS requests a PDP context, it selects an NSAPI that it sends to the SGSN with the request.

Slide 21
Activate PDP Context Request
In network to MS direction: Reserved
000----- In MS to network direction: Subscribed traffic class : 0
In network to MS direction: Reserved
---00--- In MS to network direction: Subscribed delivery orders : 0
In network to MS direction: Reserved
-----000 In MS to network direction: Subscribed delivery of erroneous SDUs : 0
In network to MS direction: Reserved
00000000 In MS to network direction: Subscribed maximum SDU size : 0
In network to MS direction: Reserved
00000000 In MS to network direction: Subscribed maximum bit rate for uplink : 0
In network to MS direction: Reserved
00000000 In MS to network direction: Subscribed maximum bit rate for downlink : 0
In network to MS direction: Reserved
0000---- In MS to network direction: Subscribed residual BER : 0
In network to MS direction: Reserved
----0000 In MS to network direction: Subscribed SDU error ratio : 0
In network to MS direction: Reserved
000000-- In MS to network direction: Subscribed transfer delay : 0
In network to MS direction: Reserved
------00 In MS to network direction: Subscribed traffic handling priority : 0
In network to MS direction: Reserved
00000000 In MS to network direction: Subscribed guaranteed bit rate for uplink : 0
In network to MS direction: Reserved
00000000 In MS to network direction: Subscribed guaranteed bit rate for downlink : 0
In network to MS direction: Reserved
000----- spare : 0
---0---- Signallin Indication: Not optimised for signalling traffic : 0
----0000 Source Statistics Descriptor: unknown : 0
00000000 Use the value indicated by the Maximum bit rate for downlink in octet 9 : 0
00000000 Use the value indicated by the Guaranteed bit rate for downlink in octet 13 : 0

Slide 22
Activate PDP Context Request
Requested PDP address | Packet data protocol address
00000010 PDP address length of contents : 2
0000---- spare : 0
----0001 PDP type organisation: IETF allocated address : 1
00100001 PDP type number: IPv4 address : 33
Access point name | Access point name
00101000 Access point name IEI : 40
00001000 Access point name length of contents : 8
00000111 Access point name value : 7
01100101 Access point name value : 101
00101101 Access point name value : 45
01101001 Access point name value : 105
01100100 Access point name value : 100
01100101 Access point name value : 101
01100001 Access point name value : 97
01110011 Access point name value : 115

PDP type=IP; this has been defined in command at+cgdcont=1,"IP","e-ideas"

Slide 23
Activate PDP Context Accept
length (SDL_Integer): 1B

Transaction Identifier : 9
Protocol Discriminator : Session Management (10)
Message Type value : 66

** Activate PDP Context Accept **

Negotiated LLC SAPI | LLC service access point identifier


0000---- spare : 0
----0011 LLC SAPI value: SAPI 3 : 3
Negotiated QoS | Quality of service
00001110 Quality of service length of contents : 14
00------ spare : 0
--010--- Delay class 2 : 2
-----011 Reliability class: Unacknowledged GTP and LLC; Acknowledged RLC, Protected data : 3
1001---- Peak throughput: Up to 256 000 octet/s : 9
----0--- spare : 0
-----011 Precedence class: Low priority : 3
000----- spare : 0
---11111 Mean throughput: Best effort : 31
011----- Traffic class: Interactive class : 3
---10--- Delivery order: Without delivery order ('no') : 2
-----011 Delivery of erroneous SDUs: Erroneous SDUs are not delivered ('no') : 3
10010110 Maximum SDU size: 1500 octets
11110100 Maximum bit rate for uplink : 8000 kbps (244)
11111110 The value is specified in "Maximum bit rate for downlink (extended)" Octet : 254

Slide 24
Activate PDP Context Accept
0111---- Residual Bit Error Rate (BER): 1*10^(-5) : 7
----0100 SDU error ratio: 1*10^(-4) : 4
100000-- Transfer delay : 1000 ms (32)
------10 Traffic handling priority: Priority level 2 : 2
00010000 Guaranteed bit rate for uplink : 16 kbps (16)
01000000 Guaranteed bit rate for downlink : 64 kbps (64)
000----- spare : 0
---0---- Signallin Indication: Not optimised for signalling traffic : 0
----0000 Source Statistics Descriptor: unknown : 0
01100100 The maximum bit rate for downlink (extended) : 100
The network shall map this value not explicitly defined onto one of the values defined in this version of the protocol.
The network shall return a negotiated value which is explicitly defined in this version of the protocol.
00000000 Use the value indicated by the Guaranteed bit rate for downlink in octet 13 : 0
Spare half octet | Spare half octet
0000---- Spare Half Octet : 0
Radio priority | Radio Priority
----0--- spare : 0
-----010 priority level 2 : 2
PDP address | Packet data protocol address
00101011 Packet data protocol address IEI : 43
00000110 PDP address length of contents : 6
0000---- spare : 0
----0001 PDP type organisation: IETF allocated address : 1
00100001 PDP type number: IPv4 address : 33
00001010 Address information: Most significant byte : 10
10010110 Address information: continued : 150
01100010 Address information: continued : 98
11100011 Address information: Least significant byte : 227

Slide 25
Detach Request Messages

Figure 25: GMM NAS

Slide 26
Detach Request Messages

Figure 27: GMM_DETACH_REQ is sent from UE to Network when AT+CPWROFF command is executed

Slide 27
Detach Request Messages

Table 2: Detach type information element

Slide 28
References
1. 3GPP TS 24.007 Mobile radio interface signalling layer 3; General Aspects
http://www.3gpp.org/DynaReport/24007.htm

2. 3GPP TS 24.008 Mobile radio interface Layer 3 specification; Core network protocols; Stage 3
http://www.3gpp.org/DynaReport/24008.htm

3. 3GPP TS 31.102 Characteristics of the Universal Subscriber Identity Module (USIM) application
http://www.3gpp.org/DynaReport/31102.htm

Slide 29
Thank you!

locate, communicate, accelerate

Slide 30
