I personally get a lot of value out of seeing a correct reference PCAP, so I assembled a set of good ones here for anyone working on LTE.
Network Topology: All the different components here (the HSS, MME, SGW, PGW, and PCRF) are running on the same physical machine and communicate with each other over the loopback interface. The HSS listens on 127.0.0.4 for a connection from the MME. The MME uses 127.0.0.1 to communicate with the HSS, and listens on 10.201.150.41:36412 for control-plane communication (S1AP) from the eNB. The SGW listens on 127.0.0.2:2123 for communication from the MME, and also listens on 10.201.150.41:2152 for data-plane communication (GTP) from the eNB. The PGW listens on 127.0.0.3 for both user-and data-plane communication from the SGW, and uses 127.0.0.1 when it has to query the PCRF. The PCRF listens on 127.0.0.5.
PCAP 0: This first one is a full PCAP of a phone trying to attach without any information loaded. First, the MME sets up a connection to the HSS, and the PGW to the PCRF,over Diameter (see the Capabilities-Exchange messages). Next, the eNB comes online and contacts the MME (see the S1SetupRequest/Response messages). Then, a UE tries to connect: it exchanges some initial signaling with the MME, and then after the MME queries the HSS, it responds with an Attach Reject.
PCAP 1: In this PCAP, the phone was added to the database, but with an incorrect key. It gets a bit farther before failing – note the Authentication Failure message.
PCAP 2: This PCAP shows a successful initial attach. Note that Packet 11 shows a “Sync Failure” but this is normal, and you will see this the very first time a new SIM connects to the network. This is because on first attach, the network does not have any valid SQN for the SIM, so they use a “Sync Failure” to establish the first working SQN. If you’re curious as to why this is the case, or just want to learn more about LTE security and SQNs in general, I recommend Nick’s article on USIM Authentication as well as Sudheesh’s article on LTE Authentication.
PCAP 3: If a phone detaches and reattaches to the network, it can reuse the existing security handshake. Hence, this call-flow is shorter and lacks some of the messages of the above call-flow. Running a production network, you will probably see this call flow much more frequently than any other ones.
PCAP 4: In this PCAP, the phone is configured for VoLTE (powered by the IMS system) as well as Internet data traffic. IMS requires that the phone establish a separate PDN connection (with APN name “ims”) to the EPC. You can see this happen as soon as the default PDN is established – note the “PDN Connectivity Request” in Packet 28, followed by all the PDN establishment signaling through Packet 42. For clarity, we assigned the handset has a different IP address for each PDN, so that we can easily tell the difference between traffic on the default “internet” PDN (10.201.100.2) and traffic on the “ims” PDN (10.201.100.3). Finally, the phone uses the “ims” PDN to send a SIP REGISTER request to the address of the P-CSCF, which was provided to it during the PDN establishment handshake (specifically, Packet 38).
You can download all of these PCAPs as a ZIP file here.