PCAP Library

I personally get a lot of value out of seeing a correct reference PCAP, so I assembled a set of good ones here for anyone working on LTE.

Network Topology: All the different components here (the HSS, MME, SGW, PGW, and PCRF) are running on the same physical machine and communicate with each other over the loopback interface. The HSS listens on for a connection from the MME. The MME uses to communicate with the HSS, and listens on for control-plane communication (S1AP) from the eNB. The SGW listens on for communication from the MME, and also listens on for data-plane communication (GTP) from the eNB. The PGW listens on for both user-and data-plane communication from the SGW, and uses when it has to query the PCRF. The PCRF listens on

PCAP 0 – System setup and UE attach without any information in the database

PCAP 0: This first one is a full PCAP of a phone trying to attach without any information loaded. First, the MME sets up a connection to the HSS, and the PGW to the PCRF,over Diameter (see the Capabilities-Exchange messages). Next, the eNB comes online and contacts the MME (see the S1SetupRequest/Response messages). Then, a UE tries to connect: it exchanges some initial signaling with the MME, and then after the MME queries the HSS, it responds with an Attach Reject.

PCAP 1 – UE Attach with incorrect key information

PCAP 1: In this PCAP, the phone was added to the database, but with an incorrect key. It gets a bit farther before failing – note the Authentication Failure message.

PCAP 2 – Successful Initial Attach

PCAP 2: This PCAP shows a successful initial attach. Note that Packet 11 shows a “Sync Failure” but this is normal, and you will see this the very first time a new SIM connects to the network. This is because on first attach, the network does not have any valid SQN for the SIM, so they use a “Sync Failure” to establish the first working SQN. If you’re curious as to why this is the case, or just want to learn more about LTE security and SQNs in general, I recommend Nick’s article on USIM Authentication as well as Sudheesh’s article on LTE Authentication.

PCAP 3 – Handset reattach

PCAP 3: If a phone detaches and reattaches to the network, it can reuse the existing security handshake. Hence, this call-flow is shorter and lacks some of the messages of the above call-flow. Running a production network, you will probably see this call flow much more frequently than any other ones.

PCAP 4 – IMS APN and Initial SIP Register

PCAP 4: In this PCAP, the phone is configured for VoLTE (powered by the IMS system) as well as Internet data traffic. IMS requires that the phone establish a separate PDN connection (with APN name “ims”) to the EPC. You can see this happen as soon as the default PDN is established – note the “PDN Connectivity Request” in Packet 28, followed by all the PDN establishment signaling through Packet 42. For clarity, we assigned the handset has a different IP address for each PDN, so that we can easily tell the difference between traffic on the default “internet” PDN ( and traffic on the “ims” PDN ( Finally, the phone uses the “ims” PDN to send a SIP REGISTER request to the address of the P-CSCF, which was provided to it during the PDN establishment handshake (specifically, Packet 38).

You can download all of these PCAPs as a ZIP file here.

%d bloggers like this: