User Plane Analysis
Overview
The User Plane Service in AGILITY introduces diagnostics and visibility into user data traffic, expanding beyond control plane analysis. While control plane message exchanges enable session establishment and teardown, user plane messages carry the actual user payload to be transferred. User plane message exchanges vary based on the traffic type in terms of volume, duration and directionality.
This service enables users to analyze and group thousands of data sessions—like DNS query/response, ICMP echo request/echo reply, or HTTPS requests/responses—into meaningful structures for actionable diagnostics.
User plane traffic behaves differently from control plane traffic and needs a tailored approach for analysis:
It includes short sessions, such as an ICMP query, or a TCP or UDP session carrying DNS lookup traffic.
It occasionally includes very long sessions, such as adaptive video streaming traffic carried over HTTPS.
A device can generate thousands of sessions in a short time.
These sessions are best analyzed using a grouped view, based on factors such as GTP-U tunnel endpoint identifier (TEID), IP address, port, and user identifiers.
To make analysis easier, results should include KPIs such as delay, jitter, packet loss, packet reorder, packet retransmission and throughput.
Showing this information in both the UI and API helps users quickly find and understand traffic patterns.
Protocol Coverage
The User Plane service in AGILITY currently supports diagnostics for the following key protocols. These are commonly observed in user traffic and play critical roles in establishing connections, resolving services, delivering content, and application performance.
Supported Protocol(s) | Definition |
|---|---|
DNS (Domain Name System) | DNS translates domain names into IP addresses. AGILITY identifies DNS queries and their corresponding responses, helping users diagnose resolution failures, high latency, or unexpected domain behaviors within user traffic. |
ICMP (Internet Control Message Protocol) | Used primarily for network diagnostics (e.g., ping), ICMP messages help identify connectivity issues and round-trip delays. AGILITY tracks and visualizes ICMP request/response pairs, highlighting any timeouts or anomalies in the flow. |
ICMPv6 (Internet Control Message Protocol for IPv6) | The IPv6 equivalent of ICMP, used for similar purposes—diagnostics and neighbor discovery in IPv6 environments. AGILITY supports ICMPv6 message tracing, which is critical for validating dual-stack and IPv6-only network segments. |
TCP (Transmission Control Protocol) | TCP is the foundation for most internet communication, including HTTPS, email, and file transfers. AGILITY captures TCP handshakes, data transfer, and teardown sequences to diagnose: |
TLS (Transport Layer Security) | TLS provides encryption and authentication for secure communications over TCP connections. AGILITY analyzes TLS messages looking for errors and indications of problems to diagnose. |
UDP (User Datagram Protocol) | UDP is a connectionless transport protocol that, for mobile network users, primarily carries DNS traffic. Other UDP application protocols seen for such users are QUIC (HTTP/3) and SIP and, less frequently, NTP, SNMP, TFTP, and IPSec in the case of machine-to-machine applications. |
Data Model & Capabilities
The User Plane service in AGILITY uses a structured data model to group, analyze, and report on high-volume traffic efficiently. This model is built around flow-level identifiers and enriched with detailed statistics and diagnostics.
5-Tuple Identification
AGILITY uses the 5-tuple to uniquely identify a TCP/UDP session. A 5-tuple includes:
Source IP address
Destination IP address
Source port
Destination port
Transport protocol (e.g., TCP, UDP)
Why it matters:
This set of values uniquely identifies a traffic flow between two endpoints. It allows AGILITY to organize sessions meaningfully, especially in high-volume environments, and associate related packets across time.
5-Tuple Statistics
AGILITY reports session-level statistics for each 5-tuple group, including:
Total number of packets
Total number of bytes transferred
Session duration
Start and end timestamps
Packet direction breakdown (uplink vs downlink)
Round trip time
Jitter
Packet retransmission percentage
Out of order packet percentage
Packet loss percentage
These statistics give a clear summary of each flow's behavior with respect to the end user application.
5-Tuple Anomalies
AGILITY detects and flags common user plane anomalies at the 5-tuple level, such as:
TCP | Handshake never completed (missing SYN-ACK or ACK) | Half-open attempts, scans, dropped ACKs, or capture missed the third handshake packet |
TCP | Established but no teardown (no FIN/RST) | Connection seen without any close; common when capture ends mid-flow or FINs are lost. |
TCP | Reset before/at start | Immediate RSTs (policy/probe refusal), SYNs answered with RST, or SYN-ACK then RST |
TCP | Reset after established (no data) | Handshake finished then peer aborted with RST before data |
TCP | Reset after established (with data) | Complete (RST) with data – abrupt teardown |
TCP | Teardown by FIN (no data) | Short/empty sessions such as health checks or capture missed payloads |
TCP | FIN seen without handshake | Capture started post-handshake |
TCP | RST seen without handshake | Capture started post-handshake |
TCP | Data seen without handshake | Capture started post-handshake |
TCP | Likely port scan | Scans with odd combinations of messages |
TLS | ClientHello only (server never replied) | Handshake didn’t start on server side (drop, block, timeout) |
TLS | ServerHello without ClientHello | Capture started post-ClientHello |
TLS | Handshake started but never completed | No mutually acceptable cipher/parameters (or policy blocked), or TCP RST |
TLS | Data seen without handshake | Capture started post-handshake |
DNS | | DNS Retry |
DNS | | Duplicate DNS Response |
DNS | | Out-of-Order DNS Response |
DNS | | DNS Query Flooding |
General | | no_answer |
These insights help identify potential performance issues, device misbehavior, or network disruptions.
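The TCP rows of the table can be expressed as a small state check over the flags seen in a flow. This is an added example, not AGILITY's detection logic; the `(flags, payload_len)` input format and the priority among the "without handshake" labels are assumptions, and the "Likely port scan" row is left out because the page does not define it precisely.

```python
def classify_tcp_flow(segments):
    """Classify one TCP flow from its ordered (flags, payload_len) segments.

    flags is a string of flag letters, e.g. "S", "SA", "A", "PA", "FA", "RA".
    Returns one of the anomaly labels from the table above, or None.
    """
    syn = synack = established = data = fin = rst = False
    for flags, payload_len in segments:
        f = set(flags)
        if "S" in f:
            if "A" in f:
                synack = True
            else:
                syn = True
        elif "R" in f:
            rst = True
        else:
            # An ACK after SYN and SYN-ACK completes the three-way handshake.
            if syn and synack and "A" in f:
                established = True
            if "F" in f:
                fin = True
        if payload_len > 0:
            data = True

    if not (syn or synack):
        # Capture most likely started after the handshake. Priority among
        # the three labels is an assumption of this sketch.
        if rst:
            return "RST seen without handshake"
        if fin:
            return "FIN seen without handshake"
        return "Data seen without handshake" if data else None
    if not established:
        if rst:
            return "Reset before/at start"
        return "Handshake never completed (missing SYN-ACK or ACK)"
    if rst:
        suffix = "with data" if data else "no data"
        return f"Reset after established ({suffix})"
    if fin:
        return None if data else "Teardown by FIN (no data)"
    return "Established but no teardown (no FIN/RST)"
```

A flow with a full handshake, payload and a FIN close returns `None`, meaning none of the listed anomalies applies.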
5-Tuple & Subscriber’s Information
To enhance diagnostics, AGILITY correlates user plane data with control plane data when available.
Associating user plane flows with subscriber information enriches the 5-tuples with details such as IMSI, MSISDN, IMEI and APN.
Enables assessment of impact on specific subscribers.
Combine AGILITY capabilities to enhance understanding of user traffic in relation to control procedures such as session setup and mobility.
Linking GTP-U tunnels to control-plane signaling for more complete analysis
Control Plane Supported Protocols
AGILITY analyzes messages from the following protocols to identify subscriber information.
DIAMETER
S1AP/NAS-EPS
NGAP/NAS-5GS
GTPv2
PFCP
HTTP2
This integration provides end-to-end visibility for troubleshooting user experience issues at both the control and user plane layers.
Capture Session Metrics
At the overall trace level, AGILITY aggregates metrics across all flows in the PCAP file, currently supporting only Round Trip Time. This provides a high-level view of user plane traffic quality within a capture file.
RTT (Round-Trip Time)
AGILITY calculates Round-Trip Time (RTT) for applicable protocols, such as ICMP or DNS.
RTT measures the time between a request and its corresponding response, helping assess network responsiveness.
Protocol | RTT Calculation Method |
|---|---|
ICMP | Duration between icmp.type == 8 (Echo Request) and icmp.type == 0 (Echo Reply) |
ICMPv6 | Duration between icmpv6.type == 128 (Echo Request) and icmpv6.type == 129 (Echo Reply) |
DNS | Duration between dns.flags.response == 0 (Query) and dns.flags.response == 1 (Response) |
TCP | Uses |
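The request/response pairing behind the ICMP, ICMPv6 and DNS rows can be sketched as follows. This is an added example, not AGILITY's code; the event records are constructed, and matching on ICMP identifier plus sequence number and on DNS transaction ID alone is a simplifying assumption (a production matcher would also key on the flow's 5-tuple).

```python
# Constructed events: (timestamp_s, protocol, decoded fields)
EVENTS = [
    (1.000, "icmp", {"type": 8, "ident": 7, "seq": 1}),
    (1.042, "icmp", {"type": 0, "ident": 7, "seq": 1}),
    (1.500, "dns", {"response": 0, "id": 0x1A2B}),
    (1.530, "dns", {"response": 1, "id": 0x1A2B}),
    (2.000, "icmp", {"type": 8, "ident": 7, "seq": 2}),  # never answered
    (2.100, "icmpv6", {"type": 128, "ident": 9, "seq": 1}),
    (2.118, "icmpv6", {"type": 129, "ident": 9, "seq": 1}),
]

ECHO_REQUEST = {"icmp": 8, "icmpv6": 128}
ECHO_REPLY = {"icmp": 0, "icmpv6": 129}


def match_key(proto, fields):
    """Key that ties a response back to its request."""
    if proto == "dns":
        return (proto, fields["id"])
    return (proto, fields["ident"], fields["seq"])


def is_request(proto, fields):
    if proto == "dns":
        return fields["response"] == 0
    return fields["type"] == ECHO_REQUEST[proto]


def is_response(proto, fields):
    if proto == "dns":
        return fields["response"] == 1
    return fields["type"] == ECHO_REPLY[proto]


def compute_rtts(events):
    """Return ([(proto, rtt_ms), ...], [keys of unanswered requests])."""
    pending, rtts = {}, []
    for ts, proto, fields in sorted(events, key=lambda e: e[0]):
        key = match_key(proto, fields)
        if is_request(proto, fields):
            # Keep the first request time so a retry does not shrink the RTT.
            pending.setdefault(key, ts)
        elif is_response(proto, fields) and key in pending:
            rtts.append((proto, round((ts - pending.pop(key)) * 1000, 3)))
    return rtts, list(pending)
```

Requests left in `pending` at the end of the capture are the ones that received no reply within the trace.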
Accessing the User Plane Service
Running a User Plane Analysis
Start a new Analysis by uploading a trace file or selecting one via the UI or API.
In the Service dropdown, select User Plane along with any other combination of services to focus the analysis on user data traffic.
Click Run Analysis. You’ll be redirected to the Analysis Hub once processing is complete.
Select your analysis from the dropdown to check your insights.
In the Analysis Hub:
If the analysis includes multiple services, use the service dropdown to switch to the User Plane view.
If the analysis is specific to the User Plane, the User Plane view will open by default.
Page Structure
The User Plane service page is thoughtfully organized into the following sections to help you navigate and analyze data efficiently:
Dashboard
Presents key insights through summary cards and visual charts for a quick overview. Below is a detailed breakdown of the key elements you’ll find within this section:
Element Name | Description |
|---|---|
Total Packets | The total number of packets captured or processed within the analysis timeframe. |
Time Range | The span between the earliest and latest captured packet timestamps in the dataset. |
Total Duration (secs) | The total length of the capture or session, measured in seconds. |
5-Tuple Flows | The count of unique flows identified by the combination of source IP, destination IP, source port, destination port, and protocol. |
Subscribers Detected | The number of unique subscribers identified in the traffic, based on identifiers like IMSI, MSISDN, or IP address. |
Tunnels Detected | The total number of user plane tunnels (e.g., GTP tunnels) found within the data. |
Top Issues | A bar chart highlighting the most significant problems or anomalies detected during analysis. |
Protocol Distribution | A pie chart showing the proportion of traffic by different protocols detected. |
KPIs | A list of the Key Performance Indicators detected. |
Packet Size Distribution | A pie chart showing the range and frequency of packet sizes within the capture. |
Round-Trip Time (RTT) | A line chart illustrating the average time taken for messages to travel from source to destination and back, assessing network responsiveness. |
Table View
Displays the same insights in a structured table, organized by individual flows. Below is a detailed breakdown of the key elements you’ll find within this section:
Element Name | Description |
|---|---|
Flows | A unique identifier for individual data flows between network endpoints, including Source and Destination IPs, UE IP, Protocol, and any available anomaly details. |
UDP Stream | The specific UDP session associated with the flow, identified by stream number. |
GTP TEID | Tunnel Endpoint Identifier used to track GTP-U user plane tunnels. |
Application | The transport or application protocol used in the flow. |
Total Traffic A → B (KB) | The total amount of data transferred from source (A) to destination (B), measured in kilobytes. |
Start Time | Timestamp marking when the flow began. |
Duration (ms) | Total length of time the flow was active, measured in milliseconds. |
Flows
Displays detailed information, including diagnostics and KPIs, about a flow selected from the list or dropdown. Below is a comprehensive breakdown of the key elements you’ll find in this section:
Element Name | Description |
|---|---|
Frame | The unique number identifying the message within the capture file. |
Timestamp | The exact time when the message was captured. |
Source IP | The IP address of the sender of the message. |
Destination IP | The IP address of the receiver of the message. |
Message | The content or type of the message, detailing the communication or protocol data. |
The Flow Summary provides a concise overview of the selected flow from the Table View. In other words, the Table View lists all flows, and the Flow Summary displays detailed information for the flow you choose.
What’s Coming Next
Enhance user experience, navigation, and data insights.