The S1 interface can be pretty noisy, which makes it hard to find the info you’re looking for.
So how do we find all the packets relating to a single subscriber / IMSI amidst a sea of S1 packets?
The S1 interface only contains the IMSI in certain NAS messages, so the first step in tracing a subscriber is to find the initial attach request from that subscriber containing the IMSI.
Luckily we can filter in Wireshark to find the IMSI we’re after:
e212.imsi == "001010000000001"
The Wireshark e212 filter filters for ITU-T E.212 payloads (ITU-T E.212 is the spec for PLMN identifiers).
Quick note – Not all InitialUEMessages will contain the IMSI. If the subscriber has already established comms with the MME it’ll instead be using a temporary identifier, the M-TMSI; unless you’ve got a way to see the M-TMSI -> IMSI mapping on the MME you’ll be out of luck.
Next up let’s take a look at the contents of one of these packets,
Inside the protocolIEs is the MME_UE_S1AP_ID – This unique identifier will identify all S1 signalling for a single user.
The MME_UE_S1AP_ID is a unique identifier, assigned by the MME to identify which signaling messages are for which subscriber.
(It’s worth noting the MME_UE_S1AP_ID is only unique to the MME – If you’ve got multiple MMEs the same MME_UE_S1AP_ID could be assigned by each).
Now that we have the MME_UE_S1AP_ID, we can filter for all S1 messaging containing that MME_UE_S1AP_ID with this Wireshark filter:
s1ap.MME_UE_S1AP_ID == 2
Boom, there’s all the signalling for that subscriber.
Alternatively you can just right click on the value and apply it as a filter instead of typing everything in.
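The same two-pass trace, scripted over tshark field output instead of clicked through the GUI, as an added example that is not part of the original post. It assumes the capture was exported with `tshark -T fields -e frame.number -e ip.src -e ip.dst -e e212.imsi -e s1ap.MME_UE_S1AP_ID` (tab separated, blank for absent fields) and that the MME addresses are known; the sample lines and addresses below are constructed, and the second pass is scoped per MME because the MME_UE_S1AP_ID is only unique within one MME.

```python
"""Two-pass S1AP subscriber trace: IMSI -> MME_UE_S1AP_ID -> all frames."""
from typing import List, Optional, Tuple

# Constructed sample of tshark -T fields output (frame, src, dst, imsi, ue_id).
# Frames 4 and 6 belong to a different MME that happens to reuse ID 2.
SAMPLE = """\
1\t10.1.1.10\t10.0.0.1\t001010000000001\t2
2\t10.0.0.1\t10.1.1.10\t\t2
3\t10.1.1.10\t10.0.0.1\t001010000000002\t3
4\t10.1.1.11\t10.0.0.2\t\t2
5\t10.1.1.10\t10.0.0.1\t\t2
6\t10.0.0.2\t10.1.1.11\t\t2
7\t10.0.0.1\t10.1.1.10\t\t3
"""
MME_ADDRS = {"10.0.0.1", "10.0.0.2"}  # assumed S1-MME addresses (constructed)


def parse_fields(text: str) -> List[dict]:
    """Parse tab-separated tshark field lines; record which MME each frame belongs to."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, src, dst, imsi, ue_id = line.split("\t")
        mme = src if src in MME_ADDRS else dst  # MME is whichever end is an MME
        rows.append({"frame": int(frame), "mme": mme, "imsi": imsi or None,
                     "ue_id": int(ue_id) if ue_id else None})
    return rows


def find_ue_context(rows: List[dict], imsi: str) -> Optional[Tuple[str, int]]:
    """Pass 1, the e212.imsi == "..." filter: first frame carrying the IMSI."""
    for r in rows:
        if r["imsi"] == imsi and r["ue_id"] is not None:
            return (r["mme"], r["ue_id"])
    return None  # IMSI never on the wire, e.g. the UE attached using its M-TMSI


def trace_subscriber(rows: List[dict], imsi: str) -> List[int]:
    """Pass 2, the s1ap.MME_UE_S1AP_ID == N filter, restricted to the assigning MME."""
    ctx = find_ue_context(rows, imsi)
    if ctx is None:
        return []
    mme, ue_id = ctx
    return [r["frame"] for r in rows if r["mme"] == mme and r["ue_id"] == ue_id]


if __name__ == "__main__":
    print(trace_subscriber(parse_fields(SAMPLE), "001010000000001"))  # [1, 2, 5]
```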
Hopefully that’ll help you filter to find what you’re looking for!
Excellent explanation, thank you so much!