Capture and decode E2AP traffic in Wireshark
0. Prerequisites
- Lab 01 complete — Near-RT RIC running
- Wireshark ≥ 3.6 with SCTP support
- e2sim from O-RAN SC (simulated E2 Node)
1. Install Wireshark with E2AP dissector
Wireshark 4.0+ ships with built-in E2AP support. If you're on 3.x, you need to install it manually:
# Ubuntu/Debian
sudo apt install wireshark wireshark-doc tshark
# macOS
brew install wireshark
# Check E2AP dissector is loaded
tshark -G dissectors 2>/dev/null | grep -i e2ap
2. Deploy the e2sim simulator
O-RAN SC ships e2sim — a C++ binary that simulates an E2 Node (your gNB-CU-CP). It speaks E2AP and can be configured to send KPM indication messages on a timer.
git clone "https://gerrit.o-ran-sc.org/r/sim/e2-interface" e2sim
cd e2sim
docker build -t e2sim:bronze .
kind load docker-image e2sim:bronze --name oran-ric
Then deploy as a pod:
cat > e2sim-pod.yaml <<'EOF'
apiVersion: v1
kind: Pod
metadata: {name: e2sim, namespace: ricplt}
spec:
  containers:
  - name: e2sim
    image: e2sim:bronze
    args: ["-h","service-ricplt-e2term-sctp-alpha.ricplt","-p","36422"]
EOF
kubectl apply -f e2sim-pod.yaml
3. Start a packet capture
Capture SCTP traffic on the RIC's e2term pod. Look up the pod, then get the host PID of the kind node container so tcpdump can run inside its network namespace:
# Name of the e2term pod (this lookup fails if the pod is not running)
POD=$(kubectl -n ricplt get pod -l app=ricplt-e2term-alpha -o jsonpath='{.items[0].metadata.name}')
# Host PID of the kind node container; pod traffic crosses this network namespace
NODE_PID=$(docker inspect -f '{{.State.Pid}}' oran-ric-control-plane)
# Capture E2AP's SCTP port on every interface of the node
sudo nsenter -t "$NODE_PID" -n tcpdump -i any -w /tmp/e2ap-capture.pcap "sctp port 36422"
Alternatively (simpler): use kubectl sniff or expose the e2term port via NodePort and capture from the host.
4. Open in Wireshark and apply filter
wireshark /tmp/e2ap-capture.pcap &
Apply filter:
e2ap
You'll see exactly four message types in the first 5 seconds:
| Message | Direction | What's in it |
|---|---|---|
| E2setupRequest | e2sim → RIC | gNB-ID, supported RAN Functions list (KPM, RC, etc.) |
| E2setupResponse | RIC → e2sim | RIC-ID, accepted RAN Functions, transaction status |
| RICsubscriptionRequest | RIC → e2sim (from hello-xapp) | RAN Function ID, Action list (REPORT/CONTROL/INSERT/POLICY) |
| RICindication | e2sim → RIC | Per-cell measurements per the subscribed action |
5. Walk through the E2 Setup
Click on the E2setupRequest. In the bottom pane, expand the tree:
E2AP-PDU
  initiatingMessage
    procedureCode: id-E2setup (1)
    criticality: reject
    value
      E2setupRequest
        protocolIEs (3 items)
          [0] id-GlobalE2node-ID    ← which gNB
          [1] id-RANfunctionsAdded  ← what KPM/RC/CCC/NI it can do
          [2] id-E2nodeComponentConfigUpdate
6. Examine the subscription
Find the RICsubscriptionRequest. Drill into the RICsubscriptionDetails field. You'll see the eventTriggerDefinition (e.g., periodic 1000 ms) and the action list (REPORT action with KPM measurement names).
7. Bonus: track an Indication
Right-click on a RICindication → Follow → SCTP Stream. You see the full conversation. Each Indication contains an indicationMessage field with the actual KPM data (PRB usage, throughput, etc.) — encoded per E2SM-KPM.
Checkpoint
- You see E2setupRequest + E2setupResponse in your capture
- You see at least one RICsubscriptionRequest from your xApp
- You see RICindication messages streaming from e2sim
- You can identify the RAN Function IDs being used
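The checkpoint can also be checked from raw bytes. This added example (not part of the original lab or of O-RAN SC code) reads the E2AP-PDU choice and procedureCode that step 5 expands in Wireshark straight from SCTP DATA chunks, and counts the four messages from the step 4 table. Assumptions: E2AP uses SCTP PPID 70, procedure codes 8 (id-RICsubscription) and 5 (id-RICindication) come from the E2AP specification rather than this page, the function names are hypothetical, and the sample chunks are constructed.

```python
import struct

E2AP_PPID = 70  # SCTP payload protocol identifier registered for E2-CP (assumption, see lead-in)
CHOICE = ("initiatingMessage", "successfulOutcome", "unsuccessfulOutcome")
# (E2AP-PDU choice, procedureCode) -> name, for the four messages in the step 4 table.
# id-E2setup (1) is shown in step 5; 8 = id-RICsubscription and 5 = id-RICindication.
MESSAGES = {(0, 1): "E2setupRequest", (1, 1): "E2setupResponse",
            (0, 8): "RICsubscriptionRequest", (0, 5): "RICindication"}

def classify(chunk: bytes):
    """Name the E2AP message in one SCTP DATA chunk; None if it is not an E2AP PDU start."""
    if len(chunk) < 18:                      # 16-byte DATA header + 2 bytes of E2AP-PDU
        return None
    ctype, flags, length, _tsn, _sid, _ssn, ppid = struct.unpack("!BBHIHHI", chunk[:16])
    if ctype != 0 or ppid != E2AP_PPID or not 18 <= length <= len(chunk):
        return None
    if not flags & 0x02:                     # B bit clear: later fragment, no PDU header here
        return None
    # Aligned PER: bit 7 = extension flag, bits 6-5 = choice index, next octet = procedureCode
    choice, proc = (chunk[16] >> 5) & 0x3, chunk[17]
    if chunk[16] >> 7 or choice > 2:
        return None
    return MESSAGES.get((choice, proc), f"{CHOICE[choice]} procedureCode={proc}")

def checkpoint(chunks):
    """Count how often each of the four expected messages appears."""
    counts = dict.fromkeys(MESSAGES.values(), 0)
    for chunk in chunks:
        name = classify(chunk)
        if name in counts:
            counts[name] += 1
    return counts

def make_chunk(pdu: bytes, ppid=E2AP_PPID, flags=0x03):
    """Constructed DATA chunk (TSN and stream fields zeroed) around the first PDU bytes."""
    return struct.pack("!BBHIHHI", 0, flags, 16 + len(pdu), 0, 0, 0, ppid) + pdu

SAMPLE = [  # constructed input, not taken from a real capture
    make_chunk(b"\x00\x01\x00"),               # E2setupRequest
    make_chunk(b"\x20\x01\x00"),               # E2setupResponse
    make_chunk(b"\x00\x08\x00"),               # RICsubscriptionRequest
    make_chunk(b"\x20\x08\x00"),               # subscription response, not in the table
    make_chunk(b"\x00\x05\x40"),               # RICindication
    make_chunk(b"\x00\x05\x40", flags=0x01),   # trailing fragment: skipped
    make_chunk(b"\x00\x15\x00", ppid=60),      # different PPID (60, NGAP): skipped
]

if __name__ == "__main__":
    for name, count in checkpoint(SAMPLE).items():
        print(f"{name:24} {count}")
```

Feeding it real traffic means extracting the DATA chunks from /tmp/e2ap-capture.pcap first, which this block leaves out.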