Montimage / 5Greplay

Tool for modifying and replaying 5G protocol network traffic
https://5greplay.org
Apache License 2.0

5greplay Replays Entire pcap Instead of Single Intended Packet in Offline #44

Closed HansJack1999 closed 7 months ago

HansJack1999 commented 9 months ago

I was writing an XML file to specifically replay an Authentication request in offline mode, using 'test2.pcap' as the input. However, upon inspecting the logs and using Wireshark, I noticed that 5greplay had replayed all the packets from the pcap file I provided (there are 1,942 messages in test2.pcap, and the log shows that it replays all 1,942 messages), instead of just the single packet I intended. I don't know what went wrong, because neither open5gs nor 5greplay has reported any errors. I have no way to start. I would be deeply grateful to anyone who can provide insights or answers to my questions. I used the following command:

sudo ./5greplay replay -t test2.pcap -Xforward.nb-copies=1 -Xforward.default=FORWARD > log.txt 2>&1

Here are the rules I used, the log output from 5greplay, the input pcap files I used, and the pcap files I captured on replay. The XML file is as follows:

<beginning>
<embedded_functions><![CDATA[

static void em_forward(
      const rule_info_t *rule, int verdict, uint64_t timestamp,
      uint64_t counter, const mmt_array_t * const trace ){
   const char* trace_str = mmt_convert_execution_trace_to_json_string( trace, rule );
   //forward the original packet (without any modification)
   forward_packet();
}
]]></embedded_functions>
<property property_id="99" type_property="FORWARD"  description="Replay the Authentication request"
    if_satisfied="em_forward"> 
    <event value="COMPUTE" event_id="1" 
        description="Downlink NAS Transport, Authentication request"
           boolean_expression="((ngap.procedure_code == 4) &amp;&amp; (nas_5g.message_type == 86))"/>
</property>

</beginning>

My 5greplay log is as follows:

mmt-5greplay: 5Greplay v0.0.7-eaef12c using DPI v1.7.10 (6dc79073) is running on pid 9174
mmt-5greplay: Overridden value of configuration parameter 'forward.nb-copies' by '1'
mmt-5greplay: Overridden value of configuration parameter 'forward.default' by '0'
mmt-5greplay: MMT-5Greplay 0.0.7 (eaef12c - Dec 13 2023 20:57:47) is verifying 1 rules having 2 proto.atts using the main thread
mmt-5greplay: Registered attribute to extract: 903.1
mmt-5greplay: Registered attribute to extract: 904.2
mmt-5greplay: Analyzing pcap file test2.pcap
        1942 packets received
        1942 messages received
           1 alerts generated
mmt-5greplay: Number of packets being successfully forwarded: 1942, dropped: 0
Number of packets being successfully forwarded: 1942, dropped: 0
 - rule 99 generated 1 verdicts

The following is the pcap file: pcapfile.zip

HansJack1999 commented 9 months ago

I also tested the official rules and found that the modification function did not work at all. For example, I used rule 10, but none of the values were changed. 5greplay forwards the entire test2.pcap directly. No new logs appear in the AMF log.

nhnghia commented 9 months ago

Hi @HansJack1999 ,

If you want to inject only the packets that satisfy the FORWARD rules, then you should use the -Xforward.default=DROP parameter. This parameter tells 5Greplay to drop any packet that is not satisfied by any rule. The other packets, which are satisfied by a rule, will be dropped (or forwarded) if the rule type is DROP (or FORWARD respectively).
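
A post-run check for the behaviour described in the reply above, as an added example that is not part of the original thread or the 5Greplay project: it reads the counters from a 5Greplay log and reports how many forwarded packets no rule selected. It assumes each alert forwards at most forward.nb-copies packets; the function names are hypothetical.

```python
import re

# Summary lines taken from the log quoted in the issue (FORWARD default run).
SAMPLE_LOG = """\
mmt-5greplay: Overridden value of configuration parameter 'forward.nb-copies' by '1'
mmt-5greplay: Analyzing pcap file test2.pcap
        1942 packets received
           1 alerts generated
mmt-5greplay: Number of packets being successfully forwarded: 1942, dropped: 0
"""

PATTERNS = {
    "nb_copies": r"'forward\.nb-copies' by '(\d+)'",
    "received": r"(\d+) packets received",
    "alerts": r"(\d+) alerts generated",
    "forwarded": r"successfully forwarded: (\d+)",
    "dropped": r"successfully forwarded: \d+, dropped: (\d+)",
}

def parse_summary(log_text):
    """Return the counters found in a 5Greplay log as a dict of ints."""
    found = {}
    for name, pattern in PATTERNS.items():
        match = re.search(pattern, log_text)
        if match:
            found[name] = int(match.group(1))
    return found

def audit_replay(log_text, nb_copies=None):
    """Estimate how many forwarded packets were not selected by any rule."""
    s = parse_summary(log_text)
    missing = {"received", "alerts", "forwarded"} - s.keys()
    if missing:
        raise ValueError(f"log is missing counters: {sorted(missing)}")
    copies = s.get("nb_copies", nb_copies)
    if copies is None:
        raise ValueError("forward.nb-copies not in log; pass nb_copies")
    # Assumption: each alert (rule verdict) forwards at most nb-copies packets.
    rule_budget = s["alerts"] * copies
    unmatched = max(0, s["forwarded"] - rule_budget)
    return {"rule_budget": rule_budget,
            "unmatched_forwarded": unmatched,
            "only_matched": unmatched == 0}

if __name__ == "__main__":
    print(audit_replay(SAMPLE_LOG))
```

On the log from the issue this reports 1941 forwarded packets that no rule selected, which is the signature of a run with forward.default=FORWARD.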

HansJack1999 commented 9 months ago

@nhnghia Thank you so much for your assistance!

HansJack1999 commented 9 months ago

I used the tool to replay messages from the initial registration to learn about 5G. When I replayed the InitialUEMessage Registration request, 5GReplay indicated that the messages were successfully replayed, and I was able to capture them in Wireshark loopback. However, I couldn't find any corresponding entries in the open5gs AMF log.

I utilized all the official rules and attempted to replay the test2.pcap file, which I captured and which contains the UE initial registration procedure. When I ran the command sudo ./5greplay replay -t test2.pcap -Xforward.nb-copies=2000 -Xforward.default=FORWARD > log.txt 2>&1, I encountered the same issue.

Similarly, using the official 5g-sa.pcap and executing the same command yielded no results in the AMF logs. I am uncertain whether the messages replayed by this tool should elicit a response from the 5GC, or if only certain types of messages might cause a system crash.

I'm puzzled about this issue and would greatly appreciate any guidance you could offer.

nhnghia commented 9 months ago

Hi @HansJack1999 ,

If you want to get the same results (e.g., crashed log of AMF), then you should use the same versions of 5Greplay and Open5Gs as the ones in this tutorial.

I did a test, and saw that the new version of Open5Gs AMF does not crash anymore. So I installed Open5GS from source.

Here are the commands I used to install Open5GS v2.3.2 (somehow I cannot see v2.3.3 as I tested in the tutorial, but v2.3.2 crashed as well):

Open5Gs v2.3.2:

sudo apt install python3-pip python3-setuptools python3-wheel ninja-build build-essential flex bison git cmake libsctp-dev libgnutls28-dev libgcrypt-dev libssl-dev libidn11-dev libmongoc-dev libbson-dev libyaml-dev libnghttp2-dev libmicrohttpd-dev libcurl4-gnutls-dev libnghttp2-dev libtins-dev libtalloc-dev meson
git clone https://github.com/open5gs/open5gs.git
cd open5gs
git checkout v2.3.2
meson build --prefix=`pwd`/install
ninja -C build
./build/tests/app/5gc

5Greplay v0.0.1

Then I used 5Greplay v0.0.1

wget https://github.com/Montimage/5GReplay/releases/download/v0.0.1/5greplay-0.0.1_Linux_x86_64.tar.gz
tar -xzf 5greplay-0.0.1_Linux_x86_64.tar.gz
cd 5greplay-0.0.1/
wget https://github.com/Montimage/5GReplay/raw/main/docs/docs/tutorial/replay-open5gs/5g-sa.pcap
sudo ./5greplay replay -t 5g-sa.pcap -Xforward.nb-copies=2000 -Xforward.default=FORWARD

Log

Log of 5Greplay (note: its version is v0.0.1)

Log of Open5Gs (note: its version is v2.3.2)

Note: I tested the above commands on Ubuntu server 20.04.6:

$ lsb_release -a
LSB Version:    core-11.1.0ubuntu2-noarch:security-11.1.0ubuntu2-noarch
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.6 LTS
Release:    20.04
Codename:   focal

HansJack1999 commented 9 months ago

@nhnghia

Thank you very much for your response!

I am currently using open5gs version v2.6.6. Based on the version you mentioned, I will conduct some additional tests.