Capture Diameter Messages without wire-shark.

There are various utilities available on Linux server, but here we are discussing the command that shall give you an exhaustive information for each AVP.

Kindly check tshark is installed. 
[If any other utility is better than tshark,Do share, your suggestions are warmly welcome]

1) tshark -R diameter -V | grep 'Frame\|Arrival Time:\|Internet Protocol Version\|Src Port:\|Diameter Protocol\|Request:\|Command Code:\|AVP:\|Result-Code'


OutPut:

Frame 3534 (268 bytes on wire, 268 bytes captured)
    Arrival Time: Apr 15, 2013 15:47:01.412548000
    Frame Number: 3534
    Frame Length: 268 bytes
    [Frame is marked: False]
Transmission Control Protocol, Src Port: 38275 (38275), Dst Port: avocent-adsap (3871), Seq: 1, Ack: 1, Len: 200
Diameter Protocol
        1... .... = Request: Set
    Command Code: 257 Capabilities-Exchange
    AVP: Origin-Host(264) l=19 f=-M- val=101.134.771.143
    AVP: Origin-Realm(296) l=26 f=-M- val=abc123.ABC.org
    AVP: Host-IP-Address(257) l=14 f=-M- val=101.134.771.143 (101.134.771.143)
    AVP: Vendor-Id(266) l=12 f=-M- val=11
    AVP: Product-Name(269) l=23 f=--- val= Cx Interface
    AVP: Origin-State-Id(278) l=12 f=-M- val=1094807040
    AVP: Supported-Vendor-Id(265) l=12 f=-M- val=10415
    AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP CX/DX (16777216)
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=11
            AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP CX/DX (16777216)
    AVP: Firmware-Revision(267) l=12 f=--- val=1
Frame 3543 (408 bytes on wire, 408 bytes captured)
    Arrival Time: Apr 15, 2013 15:47:01.418472000
    Frame Number: 3543
    Frame Length: 408 bytes
    [Frame is marked: False]
Transmission Control Protocol, Src Port: avocent-adsap (3871), Dst Port: 38275 (38275), Seq: 1, Ack: 201, Len: 340
Diameter Protocol
        0... .... = Request: Not set
    Command Code: 257 Capabilities-Exchange
    AVP: Origin-Host(264) l=28 f=-M- val=abc.xyz.com
    AVP: Origin-Realm(296) l=23 f=-M- val=xyz.com
    AVP: Result-Code(268) l=12 f=-M- val=DIAMETER_SUCCESS (2001)
        AVP Code: 268 Result-Code
        Result-Code: DIAMETER_SUCCESS (2001)
    AVP: Host-IP-Address(257) l=14 f=-M- val=222.222.222.222 (222.222.222.222)
    AVP: Vendor-Id(266) l=12 f=-M- val=10415
    AVP: Product-Name(269) l=11 f=--- val=HSS
    AVP: Inband-Security-Id(299) l=12 f=-M- val=NO_INBAND_SECURITY (0)
    AVP: Firmware-Revision(267) l=12 f=--- val=1
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=10415
            AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP CX/DX (16777216)
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=10415
            AVP: Auth-Application-Id(258) l=12 f=-M- val=Unknown (16777291)
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=10415
            AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP S13 (16777252)
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=10415
            AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP S6a (16777251)
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=10415
            AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP Zh (16777221)
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=10415
            AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP Sh (16777217)
Frame 3546 (392 bytes on wire, 392 bytes captured)
    Arrival Time: Apr 15, 2013 15:47:01.423330000
    Frame Number: 3546
    Frame Length: 392 bytes
    [Frame is marked: False]


2) Extreme Exhaustive Info. 
   
                    tshark -R diameter -V 


3) Command to capture PCAP file Log-Rotate.



                                    tshark -b filesize:10240 -a files:1000 -w capture.pcap

                   [It shall stop after writing 1000 files.]


tshark -f sctp port 3868 -i eth0 -b filesize:10240 -b duration:300 -w log.pcap
[It shall capture continuously and shall create new file when file size reaches to 10240 or 300 seconds are passed ]


 


Your Comments /Suggestions and Questions are always welcome,  shall clarify with best of knowledge. So feel free to put Questions.
13 comments:

CLR/CLA(Cancel-Location-Request/Answer)


Initiation of CLR from HSS.

CLR (Cancel-Location-Request) triggered by HSS in following scenarios.
1) Subscription is withdrawal for a user (IMSI).
2) To inform previous MME/SGSN about change in location.
3) To inform MME/SGSN about initial attach.



There could be 3 kinds of control nodes 
1) Stand-alone MME
2) Stand-alone SGSN
3) Combined MME/SGSN


1) Subscription is withdrawal for a user (IMSI).
Now let discuss how Subscription withdrawal take place, HSS sends CLR to MME/SGSN or on combined for a IMSI that is already provisioned at HSS and attached at-least once (ULR/ULA successfully performed). Following table shall help you to understand how HSS send CLR and how MME handles it.

 Sent To
Cancellation-type
CLR-Flag
Description
MME-1
SUBSCRIPTION_WITHDRAWAL
 Not Required

SGSN-1
SUBSCRIPTION_WITHDRAWAL
 Not Required

Combined-1
SUBSCRIPTION_WITHDRAWAL
 Not Required
Delete Both data.
CLR-Flag required only when Cancellation type is INITIAL_ATTACH on combined node.


2) To inform previous MME/SGSN about change in location.
When UE moves/changes it location then it may go from one MME area to another, HSS informs old MME about change of location by sending CLR with MME_UPDATE_PROCEDURE so that  context (MM and Bearer context) can be transferred to New MME over s10 interface. Old MME shall delete (MM and Bearer context) data. Following image clears the idea, it is immaterial that MME is of HOME or Foreign.




Similarly UE is attached to SGSN and goes to new SGSN then HSS shall inform old SGSN by sending CLR with SGSN_UPDATE_PROCEDURE so that context can be transferred to New SGSN.Old SGSN shall delete (MM and Bearer context) data.




3) To inform MME/SGSN about initial attach
In case of Initial attach previous node shall not delete the data. while previous node is combined node and CLR Flag "S6a/S6d-Indicator" is set then only MME data to be deleted. CLR with "INITIAL_ATTACH_PROCEDURE " flag shall only be trigger-red when MME sends Initial attach Indication in ULR Flag. Initial attach generally take place in Emergency situations

 Sent To
Cancellation-type
CLR-Flag
Description
MME
INITIAL_ATTACH_PROCEDURE
 Not Required

SGSN
INITIAL_ATTACH_PROCEDURE
 Not Required

Combined
INITIAL_ATTACH_PROCEDURE
S6a/S6d-Indicator
Only MME Data is deleted
CLR-Flag required only when Cancellation type is INITIAL_ATTACH on combined node.
 






Your Comments /Suggestions and Questions are always welcome,  shall clarify with best of knowledge. So feel free to put Questions.

42 comments:
Subscribe to: Posts (Atom)