my hobby dabbles at examining network traces

Neels Hofmeyr

Playlists: 'osmodevcon2024' videos starting here / audio

Often I get a 3GPP related network trace (pcap), and have to manually gather leads to find out what exactly is going on in it. I have tried different ways to automate the analysis part, and will share what I ended up with.

I'll show my little tools that I played with to trace and visualize GSM network activity.
Immature as all of it is, maybe it is interesting to share and form a vision of a helpful tool.

For example, the task may be to find out at which network edge of a call leg the RTP packets get dropped.
First I need to know the chain of RTP ports that one particular subscriber uses.
Then I need to count RTP packets arriving at each of them.
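
The counting step described above, as an added sketch that is not one of the speaker's tools: it parses a classic pcap, counts RTP version 2 packets per UDP destination port, and reports the first hop in a given port chain where fewer packets arrive than were seen upstream. The capture, addresses, ports 4000/4002/4004 and the function names are constructed for illustration, and the port chain is assumed to be already known (in a real trace it would come from the signalling, and each hop would also differ by IP address).

```python
import struct
from collections import Counter

def rtp(seq):
    # Constructed RTP packet: version 2, payload type 3 (GSM FR), 33-byte frame.
    return struct.pack("!BBHII", 0x80, 3, seq, seq * 160, 0x1234) + bytes(33)

def build_pcap(packets):
    # Constructed capture: classic little-endian pcap, Ethernet/IPv4/UDP frames.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, (dport, payload) in enumerate(packets):
        udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), i, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        frame = bytes(12) + b"\x08\x00" + ip + udp
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def count_rtp_per_port(pcap):
    # Count packets that look like RTP (version bits == 2) per UDP destination port.
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4 over Ethernet
        if frame[14] >> 4 != 4 or frame[23] != 17:
            continue                      # not IPv4 / not UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4 :]
        if len(udp) < 8 + 12:
            continue                      # too short for UDP + fixed RTP header
        if udp[8] >> 6 == 2:
            counts[struct.unpack_from("!H", udp, 2)[0]] += 1
    return counts

def first_lossy_edge(counts, chain):
    # First (upstream, downstream) port pair where fewer RTP packets arrive.
    for a, b in zip(chain, chain[1:]):
        if counts[b] < counts[a]:
            return (a, b)
    return None

# Constructed sample: 5 packets reach ports 4000 and 4002, only 3 reach 4004,
# plus one non-RTP UDP datagram to 4004 that must not be counted.
SAMPLE = build_pcap([(4000, rtp(s)) for s in range(5)] + [(4002, rtp(s)) for s in range(5)]
                    + [(4004, rtp(s)) for s in (0, 1, 4)] + [(4004, bytes(45))])
```
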

Another example: there are a bunch of {PFCP,MGCP} conversations, setting up the user plane vectors.
Are all the ports configured correctly? I have to read through the entire {PFCP,MGCP} session to overlay all the bits that form the final result.

Another example: in a very active network, a particular voice call has a problem. How do I efficiently examine only those packets that are directly related to this particular TMSI / IMSI / RTP packet / RSL-ChanRef / ...