Bug #5250

closed

osmo-pcu: CSN.1 decoder failure parsing specific RAcap

Added by pespin over 2 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Assignee:
Target version: -
Start date: 10/07/2021
Due date:
% Done: 100%
Spec Reference:

Description

Seen on an osmo-pcu connected to a third party SGSN+gb-proxy.

Issue reproduced here:
https://gerrit.osmocom.org/c/osmo-pcu/+/25706 WIP: CSN1 RAcap decoding failure

Fix still needs to be worked on.


Files

csn.pcap (6.75 MB) keith, 10/15/2021 02:52 AM
bssgp_ra_cap_failure.pcap (136 Bytes) pespin, 10/19/2021 12:13 PM

Related issues

Related to OsmoPCU - Bug #4955: CSN1 Error observed: NEED_MORE BITS TO UNPACK (-5) at DL_DualCarrierForDTM (Closed, keith, 01/18/2021)

Actions #1

Updated by pespin over 2 years ago

The failing RAcap is actually added here:
https://gerrit.osmocom.org/c/osmo-pcu/+/25716

Actions #2

Updated by pespin over 2 years ago

pycrate decoding:

$ python
Python 3.9.7 (default, Aug 31 2021, 13:28:12)
[GCC 11.1.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pycrate_csn1dir.ms_ra_capability_value_part import *
>>> data = bytes.fromhex('17b3432b25966200019a42c6620001ba48c662000100')
>>> ms_ra_capability_value_part.from_bytes(data)
>>> print(ms_ra_capability_value_part.show())
<ms_ra_capability_value_part (CSN1List): [
 <(CSN1Ref): <ms_ra_capability_value_part_struct (CSN1List): [
  <(CSN1Alt): { 0001 (access_technology_type) : [
   <access_capabilities (CSN1Ref): <access_capabilities_struct (CSN1List): [
    <length (CSN1Bit): 61>
    <(CSN1List): [
     <access_capabilities (CSN1Ref): <content (CSN1List): [
      <rf_power_capability (CSN1Bit): 4>
      <(CSN1Alt): { 1 : [
       <a5_bits (CSN1Ref): <a5_bits (CSN1List): [
        <a5_1 (CSN1Bit): 1>
        <a5_2 (CSN1Bit): 0>
        <a5_3 (CSN1Bit): 1>
        <a5_4 (CSN1Bit): 0>
        <a5_5 (CSN1Bit): 0>
        <a5_6 (CSN1Bit): 0>
        <a5_7 (CSN1Bit): 0>]>>]}>
      <es_ind (CSN1Bit): 1>
      <ps (CSN1Bit): 1>
      <vgcs (CSN1Bit): 0>
      <vbs (CSN1Bit): 0>
      <(CSN1Alt): { 1 : [
       <multislot_capability (CSN1Ref): <multislot_capability_struct (CSN1List): [
        <(CSN1Alt): { 0 : []}>
        <(CSN1Alt): { 1 : [
         <gprs_multislot_class (CSN1Bit): 12>
         <gprs_extended_dynamic_allocation_capability (CSN1Bit): 1>]}>
        <(CSN1Alt): { 0 : []}>
        <(CSN1Alt): { 0 : []}>
        <(CSN1Alt): { 1 : [
         <egprs_multislot_class (CSN1Bit): 12>
         <egprs_extended_dynamic_allocation_capability (CSN1Bit): 1>]}>
        <(CSN1Alt): { 0 : []}>]>>]}>
      <(CSN1Alt): { 1 : [
       <_8psk_power_capability (CSN1Bit): 2>]}>
      <compact_interference_measurement_capability (CSN1Bit): 0>
      <revision_level_indicator (CSN1Bit): 1>
      <umts_fdd_radio_access_technology_capability (CSN1Bit): 1>
      <umts_3_84_mcps_tdd_radio_access_technology_capability (CSN1Bit): 0>
      <cdma_2000_radio_access_technology_capability (CSN1Bit): 0>
      <umts_1_28_mcps_tdd_radio_access_technology_capability (CSN1Bit): 0>
      <geran_feature_package_1 (CSN1Bit): 1>
      <(CSN1Alt): { 0 : []}>
      <modulation_based_multislot_class_support (CSN1Bit): 0>
      <(CSN1Alt): { 0 : []}>
      <(CSN1Val): 0>
      <gmsk_multislot_power_profile (CSN1Bit): 0>
      <_8_psk_multislot_power_profile (CSN1Bit): 0>
      <multiple_tbf_capability (CSN1Bit): 0>
      <downlink_advanced_receiver_performance (CSN1Bit): 0>
      <extended_rlc_mac_control_message_segmentation_capability (CSN1Bit): 0>
      <dtm_enhancements_capability (CSN1Bit): 0>
      <(CSN1Alt): { 0 : []}>
      <ps_handover_capability (CSN1Bit): 0>
      <dtm_handover_capability (CSN1Bit): 0>]>>
     <(CSN1Ref): []>]>]>>]}>
  <(CSN1Alt): { 1 : [
   <(CSN1SelfRef): <ms_ra_capability_value_part_struct (CSN1List): [
    <(CSN1Alt): { 0011 (access_technology_type) : [
     <access_capabilities (CSN1Ref): <access_capabilities_struct (CSN1List): [
      <length (CSN1Bit): 36>
      <(CSN1List): [
       <access_capabilities (CSN1Ref): <content (CSN1List): [
        <rf_power_capability (CSN1Bit): 1>
        <(CSN1Alt): { 0 : []}>
        <es_ind (CSN1Bit): 1>
        <ps (CSN1Bit): 1>
        <vgcs (CSN1Bit): 0>
        <vbs (CSN1Bit): 0>
        <(CSN1Alt): { 0 : []}>
        <(CSN1Alt): { 1 : [
         <_8psk_power_capability (CSN1Bit): 2>]}>
        <compact_interference_measurement_capability (CSN1Bit): 0>
        <revision_level_indicator (CSN1Bit): 1>
        <umts_fdd_radio_access_technology_capability (CSN1Bit): 1>
        <umts_3_84_mcps_tdd_radio_access_technology_capability (CSN1Bit): 0>
        <cdma_2000_radio_access_technology_capability (CSN1Bit): 0>
        <umts_1_28_mcps_tdd_radio_access_technology_capability (CSN1Bit): 0>
        <geran_feature_package_1 (CSN1Bit): 1>
        <(CSN1Alt): { 0 : []}>
        <modulation_based_multislot_class_support (CSN1Bit): 0>
        <(CSN1Alt): { 0 : []}>
        <(CSN1Val): 0>
        <gmsk_multislot_power_profile (CSN1Bit): 0>
        <_8_psk_multislot_power_profile (CSN1Bit): 0>
        <multiple_tbf_capability (CSN1Bit): 0>
        <downlink_advanced_receiver_performance (CSN1Bit): 0>
        <extended_rlc_mac_control_message_segmentation_capability (CSN1Bit): 0>
        <dtm_enhancements_capability (CSN1Bit): 0>
        <(CSN1Alt): { 0 : []}>
        <ps_handover_capability (CSN1Bit): 0>
        <dtm_handover_capability (CSN1Bit): 0>]>>
       <(CSN1Ref): []>]>]>>]}>
    <(CSN1Alt): { 1 : [
     <(CSN1SelfRef): <ms_ra_capability_value_part_struct (CSN1List): [
      <(CSN1Alt): { 0111 (access_technology_type) : [
       <access_capabilities (CSN1Ref): <access_capabilities_struct (CSN1List): [
        <length (CSN1Bit): 36>
        <(CSN1List): [
         <access_capabilities (CSN1Ref): <content (CSN1List): [
          <rf_power_capability (CSN1Bit): 4>
          <(CSN1Alt): { 0 : []}>
          <es_ind (CSN1Bit): 1>
          <ps (CSN1Bit): 1>
          <vgcs (CSN1Bit): 0>
          <vbs (CSN1Bit): 0>
          <(CSN1Alt): { 0 : []}>
          <(CSN1Alt): { 1 : [
           <_8psk_power_capability (CSN1Bit): 2>]}>
          <compact_interference_measurement_capability (CSN1Bit): 0>
          <revision_level_indicator (CSN1Bit): 1>
          <umts_fdd_radio_access_technology_capability (CSN1Bit): 1>
          <umts_3_84_mcps_tdd_radio_access_technology_capability (CSN1Bit): 0>
          <cdma_2000_radio_access_technology_capability (CSN1Bit): 0>
          <umts_1_28_mcps_tdd_radio_access_technology_capability (CSN1Bit): 0>
          <geran_feature_package_1 (CSN1Bit): 1>
          <(CSN1Alt): { 0 : []}>
          <modulation_based_multislot_class_support (CSN1Bit): 0>
          <(CSN1Alt): { 0 : []}>
          <(CSN1Val): 0>
          <gmsk_multislot_power_profile (CSN1Bit): 0>
          <_8_psk_multislot_power_profile (CSN1Bit): 0>
          <multiple_tbf_capability (CSN1Bit): 0>
          <downlink_advanced_receiver_performance (CSN1Bit): 0>
          <extended_rlc_mac_control_message_segmentation_capability (CSN1Bit): 0>
          <dtm_enhancements_capability (CSN1Bit): 0>
          <(CSN1Alt): { 0 : []}>
          <ps_handover_capability (CSN1Bit): 0>
          <dtm_handover_capability (CSN1Bit): 0>]>>
         <(CSN1Ref): []>]>]>>]}>
      <(CSN1Alt): { 0 : []}>]>>]}>]>>]}>]>>
 <(CSN1Ref): [<spare_bits (CSN1Bit): [0,
  0,
  0,
  0,
  0,
  0,
  0]>]>]>

Actions #3

Updated by pespin over 2 years ago

I fixed a CSN1 definition which was wrong in a related place, but it's not really the one causing the CSN1 decoding issue:
https://gerrit.osmocom.org/c/osmo-pcu/+/25718 rlcmac: Fix CSN1 definition for DownlinkDualCarrierCapability_r7_t in MS RA cap

I think the issue comes from the fact that our CSN1 decoder keeps decoding "MS RA capability 1" even after going through "Length in bits: 0x3d (61)", hence taking the bit "1" as part of "MS RA capability 1" when in reality it's from next one? Not sure really. This needs to be counted manually I guess.
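
The manual bit count mentioned in the comment above can be scripted. This is an added example, not part of the original ticket and not osmo-pcu code: it walks only the framing visible in the pycrate output (4-bit access technology type, 7-bit length, opaque content, 1-bit continuation flag, trailing spare bits), and the names BitReader and walk_ra_cap are hypothetical.

```python
# Added example (not osmo-pcu code): frame-level walk of an MS RA capability
# value part. The hex string is the RAcap quoted in the ticket.
RA_CAP_HEX = "17b3432b25966200019a42c6620001ba48c662000100"


class BitReader:
    """MSB-first bit reader that refuses to move past the end of the buffer."""

    def __init__(self, data: bytes):
        self.data, self.pos, self.nbits = data, 0, len(data) * 8

    def _need(self, n: int) -> None:
        if self.pos + n > self.nbits:
            left = self.nbits - self.pos
            raise ValueError(f"need {n} bits at offset {self.pos}, {left} left")

    def read(self, n: int) -> int:
        self._need(n)
        val = 0
        for _ in range(n):
            bit = (self.data[self.pos >> 3] >> (7 - (self.pos & 7))) & 1
            val, self.pos = (val << 1) | bit, self.pos + 1
        return val

    def skip(self, n: int) -> None:
        self._need(n)
        self.pos += n


def walk_ra_cap(data: bytes):
    """Return (entries, spare_bits) without interpreting any struct content."""
    rd, entries = BitReader(data), []
    while True:
        att = rd.read(4)       # access technology type
        length = rd.read(7)    # declared content length in bits
        start = rd.pos
        rd.skip(length)        # the declared length alone sets the boundary
        entries.append({"att": att, "length": length, "start": start, "end": rd.pos})
        if rd.read(1) == 0:    # 0: no further struct follows
            break
    return entries, [rd.read(1) for _ in range(rd.nbits - rd.pos)]


if __name__ == "__main__":
    entries, spare = walk_ra_cap(bytes.fromhex(RA_CAP_HEX))
    for e in entries:
        print(f"att={e['att']:04b} length={e['length']:2d} bits [{e['start']}, {e['end']})")
    print("spare bits:", spare)
```

On the ticket's bytes the first content ends at bit offset 72, so the bit at offset 72 is the continuation flag, which agrees with the pycrate decode of three structs followed by 7 spare bits.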

Actions #4

Updated by pespin over 2 years ago

  • Related to Bug #4955: CSN1 Error observed: NEED_MORE BITS TO UNPACK (-5) at DL_DualCarrierForDTM added

Actions #5

Updated by keith over 2 years ago

This CSN decoder is some strange stuff to get one's head around....

With the attached pcap, maybe it helps to take a look at these filters:

gsm_rlcmac.ms_ra_capability_value_choice ==7  || (!gsmtap_log.string == "Choice MS_RA_capability_value_Choice = 7 | " && gsmtap_log.string contains "Choice MS_RA_capability")

or indeed:
gsm_rlcmac.ms_ra_capability_value_choice !=7  || (!gsmtap_log.string == "Choice MS_RA_capability_value_Choice = 7 | " && gsmtap_log.string contains "Choice MS_RA_capability")

There are no RA CAP packets that wireshark decodes with anything other than ms_ra_capability_value_choice 7 yet we log various of them.

Similar:

gsmtap_log.string == "Exist_EGPRS_multislot_class = 0 | " || gsm_rlcmac.ul.egprs_multislot_class_exist == 0

Again, all packets are decoded with gsm_rlcmac.ul.egprs_multislot_class_exist 1, yet we have two Log messages of Exist_EGPRS_multislot_class = 0

I think these two Log messages also apply to the only two packets that match:

gsmtap_log.string == "u.Content length = 53 | " 

Actions #6

Updated by pespin over 2 years ago

Attaching pcap file containing only 1 packet, the one containing the problematic RAcap.

Actions #7

Updated by pespin over 2 years ago

I submitted a patch for wireshark porting one of the fixes I did so far (doesn't solve the issue at hand on its own):
https://gitlab.com/wireshark/wireshark/-/merge_requests/4706

Actions #8

Updated by pespin over 2 years ago

Should be fixed by the following commits:
https://gerrit.osmocom.org/c/osmo-pcu/+/25716 csn1: Add unit test showing RadioAccess Capability decoding failure
https://gerrit.osmocom.org/c/osmo-pcu/+/25830 csn1: Avoid failing if optional DownlinkDualCarrierCapability_r7 is missing
https://gerrit.osmocom.org/c/osmo-pcu/+/25831 csn1: Avoid storing existance bit as true if content was actually NULL

Once merged, we should port those to wireshark.

Actions #9

Updated by keith over 2 years ago

With these patches I am no longer seeing the CSN1 errors on a site where they were prominent

Actions #10

Updated by pespin over 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 90

I submitted a port for those patches in wireshark's gitlab:
https://gitlab.com/wireshark/wireshark/-/merge_requests/4736

Actions #11

Updated by pespin over 2 years ago

  • Status changed from Feedback to Resolved
  • % Done changed from 90 to 100

wireshark PR merged. Done here, closing ticket.
