Home
/
Blog
/
Research

SS7 traffic analysis with Wireshark

While Wireshark provides a good overview of packets coming from traditional IP traffic, in the telecom context, SS7 traffic is more complex to analyze.

Research
Apr 4, 2013
SS7 traffic analysis with Wireshark

The primary usage of wireshark is to visualize packets coming from traditional IP traffic, that is why default wireshark settings provides a relatively good overview of IP packets for most of the use cases.

The problem is that this configuration is not at all suitable for specific needs of Telecom traffic analysis, and does not give you a quick vision when you are working on an SS7 Pcap.

Here is an example of SS7 traffic using default wireshark settings:

Labs_wireshark_no_color_rules_mobicents

With default wireshark configuration:

  • You cannot see the interesting addresses in packet list view due to different addressing in SS7 and multiple layers involved.
  • You see only one color for all different SS7 traffic types, because wireshark pre-configures coloring only for standard protocols.

Why SS7 traffic is more complex to analyze

First, SS7 Addressing is more complex than IP :
Instead of only IP + port tuples to represent endpoints of IP communication, in SS7 you use Global Titles (GT), Point Codes (PC or SPC) and Sub-System Numbers (SSN), that can be used as follow:

  • Global Title (GT)
  • Global Title + Sub-System Number (GT + SSN)
  • Point Code (PC)
  • Point Code + Sub-System Number (PC + SSN)
  • Sub-System Number (SSN)

Secondly, their are much more network layers involved in Telecom traffic than on usual IP only traffic. On typical SS7 traffic you face in order:

  • Ethernet
  • Multiprotocol Label Switching (MPLS)
  • Internet Protocol (IP)
  • Stream Control Transmission Protocol (SCTP)
  • MTP Level 3 (MTP3) User Adaptation Layer (M3UA)
  • Signalling Connection Control Part (SCCP)
  • Transaction Capabilities Application Part (TCAP)
  • Mobile Application Part (MAP)

Each of these layer contains more parameters compared to IP.

Besides, many small packet flags are critically important, such as M3UA Network Indicator (Coded on 1 Byte, it represents the type of SS7 link : Internal, National or International).

CUSTOMIZE YOUR WIRESHARK

Customize Wireshark columns

You can customize the display columns of Wireshark to show GT and SSN in the packet list view, and do this in a separate profile to have different views on your packet depending of your activity.

wireshark_ss7_columns_anon

How to configure column display (wireshark >= 1.8.0)

  1. Create a new profile : Go to “Edit > Configuration Profiles”, click on Add and call it “SS7″.
  2. Add a column: Right click on the packet list view column titles and go in “Column Preferences”. In this window, click on “Add” to add a column, and set it’s name by clicking on it in the columns list.
  3. Set the field type in the “Field Type” of your new column, select “Custom”. Now you can enter your wireshark expression in “Field Name”, for example sccp.calling.digits or sccp.called.ssn.
  4. Click on “Apply”: you will have your new column in your Wireshark packet list view.

NOTE: This can be generalized to any Wireshark expression, so you can display any data you want from the pcap in the columns view.

wireshark_ss7_columns_conf

Exporting / Importing columns setting

The following file stores the configuration for your Wireshark profile:

/home/user/.wireshark./profiles/SS7/preferences

Example:


[...]
# Packet list column format.
# Each pair of strings consists of a column title and its format.
gui.column.format:
	"No.", "%m",
	"Time", "%t",
	"cgGT", "%Cus:sccp.calling.digits:0:R",
	"cgSSN", "%Cus:sccp.calling.ssn:0:R",
	"cdGT", "%Cus:sccp.called.digits:0:R",
	"cdSSN", "%Cus:sccp.called.ssn:0:R",
	"Protocol", "%p",
	"Length", "%L",
	"Info", "%i"
[...]

Customize Wireshark coloring rules

To get a better overview of the SS7 traffic and identify types of messages just by looking quickly at them, you can customize wireshark coloring rules. Each rule is defined by one filter (using the same syntax as usual wireshark display filters), and a set of 2 colors (foreground and background colors).

Here is an overview of 4 basic coloring rules applied on typical SS7 traffic:

Labs_wireshark_color_rules_04_anon

On the above screenshot, MAP layer is identified by yellow or green background color, whether the message is a MAP invoke (request) or MAP returnResultLast (answer).TCAP Abort (cancellation of TCAP dialog due to error) has a pink background, and TCAP Begin (initialization of TCAP dialog) has a light blue background (Not visible on the screenshot).

How to configure coloring rules (wireshark >= 1.8.0)

  1. Go to “View > Coloring Rules”.
  2. Click on “New” to add a new rule.
  3. Enter a wireshark display filter in “String:” text box. For example, to match MAP invoke messages you can use the filter “gsm_map.old.Component == 1″.
  4. Choose one foreground and one background color for this filter, then click “OK”

NOTE: coloring rules will be tried in order until one filter matches, top filter having the highest priority.

Labs_wireshark_color_rules_02

Exporting / Importing coloring rules

  1. Go to “View > Coloring Rules”.
  2. Optional: select one or more filtering rules to export by clicking on them. (Ctrl + Click to select multiple filters).
  3. Click on “Export”.
  4. Choose an output filename and optionally check the box “Export only selected filters”.

You will get a file # DO NOT EDIT THIS FILE!  It was created by Wireshark

@MAP ReturnResultLast@gsm_map.old.Component == 2@[61023,65535,29648][0,0,0]

@MAP Invoke@gsm_map.old.Component == 1@[37006,53439,22070][0,0,0]

@TCAP abort@tcap.abort@[65535,52907,60113][0,0,0]

@TCAP begin@tcap.begin@[36382,59634,65535][0,0,0]

This file can then be used to import coloring rules on another host.

That’s it ! Don’t hesitate to comment with you’re own Wireshark tricks.

In a future blogpost, we’ll see how to use Wireshark to edit a PCAP, in order to forge packets or anonimize a PCAP file.

Summary
Titre H2
Titre H3
Download our whitepaper

LTE Pwnage: Hacking HLR/HSS and MME Core Network Elements

By clicking download you confirm that you accept our terms and conditions.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Be informed

SS7 Attacker Heaven turns into Riot: How to make Nation-State and Intelligence Attackers’ lives much harder on mobile networks

By clicking download you confirm that you accept our terms and conditions.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Towards Harmonization: Mapping EU Telecom Security Regulations and their evolution

By clicking download you confirm that you accept our terms and conditions.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
News & investors info

Our latest news

All our news
Product news

New Press Release - P1 Security Reboots with Bold New Vision and Ambition

Press Release from P1 Security about their renewed vision and ambition for mobile network security
Learn more
Research

[Release] QC Super v2

QCSuper is a tool which enables, for research purposes, to capture the contents of radio communication exchanges between your phone's antenna and your Mobile Operator's radio network (RAN). QCSuper has enabled many telecom, mobile and security researchers to perform an analysis of the radio packets (frames) through saving these to the Packet Capture File format (PCAP, with GSMTAP encapsulation) and enabling to use the great Wireshark tool to conduct analysis and research.
Learn more
Research

5G SUPI, SUCI and ECIES

P1 Security breaks down the 3GPP definition of a subscriber’s identity protection scheme, for 5G networks.
Learn more
View all
let’s talk

We are eager to discuss your mobile network security topics. Please reach out.

Contact us
Join the team