Tracking and Troubleshooting Mobile Phone Users (IMSI) using the MicroCloud


The microcloud is one of the fields where s used extensively by mobile network operators. The reasons are manifold:

  • Data aggregation facilities offered in realtime by the microcloud.
  • Realtime user-to-tunnel mapping.
  • User traffic-to-user correlation.

Unfortunately, when a mobile network is populated by millions of active users (IMSI), troubleshooting a problem can be difficult. Tools such as Wireshark that are used on fixed networks do not work because:

  • The network is distributed, so there is no single sniffing point; instead our tools have to be deployed across the network, which might mean “across a whole country”.
  • There is so much ingress traffic (multi-10 Gbit with modern LTE/4G networks).
  • Traffic is encapsulated in GTP tunnels that will then contain user traffic, so simple BPF filters won’t work.

For this reason we have developed some tools and nProbe extensions that simplify operations.

How to Dump an IMSI's Traffic to a pcap File

PF_RING comes with a tool named pfwrite, a simple packet-to-disk tool (in essence a very entry-level version of n2disk). Tracking a user/IMSI on a mobile network is quite a dynamic activity, as users move and connect to/disconnect from the mobile network. In essence it is as if a PC changed IP addresses several times during the day. We have enhanced nProbe to publish onto the microcloud whenever an IMSI user changes status, so that we can track it.


Suppose nProbe is started as follows (note that you usually need to start several nProbe instances in order to monitor a large network, each monitoring a portion of the traffic):

nprobe --tunnel --gtpv1-dump-dir /var/gtpv1/ --redis localhost --ucloud -i dna0

nProbe will publish into the microcloud information about IMSIs that connect to or disconnect from the mobile network. pfwrite needs to be deployed at a location where user traffic flows, and it is started as

pfwrite -m <IMSI to track> -w imsi.pcap

As soon as it is started, it connects to the microcloud (local node) and fetches the GTP tunnels (if known) for the specified IMSI. It then spawns a thread that subscribes to the microcloud and listens for events concerning the specified IMSI. This way the tool is able to dump to disk the packets of the specified IMSI independently of its status (connected or disconnected from the mobile network) and, more importantly, the IMSI is tracked while it changes its status over time. All this happens without restarting the tool, just by exploiting the messages published by nProbe into the microcloud.

Realtime Layer-7 IMSI Traffic Aggregation

nProbe now supports an additional flag, --imsi-aggregation


(For instance: nprobe --tunnel --gtpv1-dump-dir /var/gtpv1/ --redis localhost --ucloud -i dna0 --imsi-aggregation)

that instructs nProbe to aggregate traffic per IMSI/application protocol onto the microcloud in realtime with 5-minute aggregation granularity. This means that whenever a flow expires, nProbe updates the counter for the flow protocol and the IMSI that generated the flow.


Through a companion tool, it is possible to put onto crontab the following entry

$ crontab -l|grep ggrega
*/5 * * * * /home/imsi/ --redis localhost  --epoch -2 --outdir /export/working_dir/imsi

that walks the microcloud every 5 minutes and dumps traffic to disk in text format as follows

# Timestamp IMSI Granularity Protocol Packets Bytes Flows Duration(sec)
1374938100 XXXXX2001106796 300 Unknown 3 298 2 2
1374938100 XXXXX1100485374 300 HTTP 393 283553 13 114
1374938100 XXXXX2001110729 300 SSL 49 14269 10 18
1374938100 XXXXX2001338233 300 Skype 15 1411 1 7
1374938100 XXXXX1101335045 300 DNS 2 385 1 1
1374938100 XXXXX2001931139 300 Viber 17 1487 4 35

Note that we do not have just the number of bytes per IMSI, but also the application protocol discovered by nDPI. In essence you can answer questions like “who’s using Viber on my mobile network?” or “how many active subscribers use Facebook?”.
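As an added example (not part of the original post or of the ntop tools), the following Python sketch parses the text dump shown above and answers both questions per protocol. It assumes eight whitespace-separated fields per row, as in the header line; the sample rows are constructed and the function names are hypothetical.

```python
from collections import defaultdict
from typing import NamedTuple

# Constructed sample in the dump format shown above (IMSIs masked as on the page).
SAMPLE = """\
# Timestamp IMSI Granularity Protocol Packets Bytes Flows Duration(sec)
1374938100 XXXXX2001106796 300 Unknown 3 298 2 2
1374938100 XXXXX1100485374 300 HTTP 393 283553 13 114
1374938100 XXXXX2001931139 300 Viber 17 1487 4 35
1374938400 XXXXX2001931139 300 Viber 9 800 1 12
1374938400 XXXXX1100485374 300 Viber 4 410 1 3
1374938400 XXXXX1100485374 300 HTTP broken 1 1 1
"""

class Record(NamedTuple):
    ts: int
    imsi: str
    granularity: int
    protocol: str
    packets: int
    nbytes: int
    flows: int
    duration: int

def parse(text):
    """Yield Records; skip comments, blank lines and malformed rows."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#") or len(f) != 8:
            continue
        try:
            yield Record(int(f[0]), f[1], int(f[2]), f[3], *map(int, f[4:]))
        except ValueError:
            continue  # non-numeric counter: truncated or corrupted row

def subscribers_by_protocol(records):
    """Map protocol -> {imsi: total bytes} summed over all 5-minute intervals."""
    out = defaultdict(lambda: defaultdict(int))
    for r in records:
        out[r.protocol][r.imsi] += r.nbytes
    return {p: dict(users) for p, users in out.items()}

def top_talkers(records, protocol, n=10):
    """IMSIs using `protocol`, heaviest first."""
    users = subscribers_by_protocol(records).get(protocol, {})
    return sorted(users.items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    recs = list(parse(SAMPLE))
    for proto, users in sorted(subscribers_by_protocol(recs).items()):
        print(f"{proto}: {len(users)} subscribers, {sum(users.values())} bytes")
```
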


These are just two examples of what you can do with nProbe and the microcloud. Applications are almost infinite and in realtime. No more latency in your “monitoring answers” but rather know what is happening when it is happening. Without spending a fortune on database clusters or distributed storage infrastructure. All with the power of the microcloud.