Telovix Docs

Appearance

Telecom and O-RAN Overview

The telecom sensor flavor adds network function role detection, 5G and O-RAN protocol parsing, per-NF SLO monitoring, and WG11 compliance evidence to the standard Telovix sensor.

Requires: Telecom sensor flavor and telecom Console vertical. See Standard vs Telecom Flavor to confirm your setup.

Where to start

If you are...Start here
Deploying the telecom sensor for the first timeStandard vs Telecom Flavor to choose the correct binary, then Sensor: VM / Bare Metal or Sensor: Kubernetes (Helm)
Monitoring AMF, SMF, or UPF (5G Core)5G Core (AMF / SMF / UPF)
Monitoring O-DU, gNB-CU, or Near-RT RIC (O-RAN)O-RAN Architecture (DU / CU / RIC)
Monitoring GTP-U tunnels and PFCP sessions (user plane)User Plane (GTP-U / PFCP)
Monitoring NGAP, F1AP, or E2AP (RAN signaling)RAN Signaling (NGAP / F1AP / E2AP)
Checking NF availability and SLO breach statusSLO and Resource Monitoring
Evaluating O-RAN WG11 compliance postureO-RAN WG11 Compliance
Verifying that specific detections fire on O-RAN nodesThreat Exercises
Diagnosing opaque TLS coverage on SBI interfacesTLS Visibility
Monitoring Diameter, RADIUS, or SIP in a mixed 4G/5G environmentLegacy Protocols (Diameter / RADIUS / SIP)

What the telecom flavor adds

When you deploy the telecom sensor and enable the telecom Console vertical, the following capabilities become active:

On the sensor:

  • NF role detection from port binding patterns, process names, binary paths, and gRPC service detection
  • Protocol parsing for NGAP, PFCP, GTP-U, F1AP, E1AP, XnAP, E2AP, SCTP, Diameter, RADIUS, SIP, SBI/HTTP2, NAS5G, M3UA, IKEv2
  • Per-NF SLO monitoring with breach detection and MTTR tracking
  • TLS uprobe coverage for NF-to-NF encrypted traffic (OpenSSL, Go TLS, BoringSSL)
  • O-RAN WG11 security checks (E2 peer verification, O1 management interface monitoring, xApp baseline)
  • NF-specific process integrity monitoring and privilege escalation detection
  • Telecom anomaly scoring combining protocol violations, SLO breaches, and behavioral signals

In the Console:

  • The Telco navigation section (hidden on standard vertical)
  • Fleet filtering and grouping by NF role
  • Protocol KPI dashboards (NGAP procedure success rates, PFCP session metrics)
  • NF resource history (hourly CPU, memory, power per role)
  • O-RAN WG11 compliance framework
  • AI assistant telecom tools (NGAP KPIs, SLO status, telco snapshot, NF inventory)

NF role detection

The sensor detects the network function role of running processes automatically using four signal types:

1. Port binding analysis

PortProtocolRole indicated
8805 UDPPFCPSMF (no GTP-U) or UPF (with GTP-U)
2152 UDPGTP-UUPF (combined with PFCP)
38412 SCTPNGAPAMF (listens) or gNB (connects)
38472 SCTPF1APgNB-CU-CP
38462 SCTPE1APgNB-CU-CP or gNB-CU-UP
38422 SCTPXnAPgNB (Xn interface)
36412 SCTPS1APeNB or MME
36421 SCTPE2APNear-RT RIC (listens) or E2 Node
36422 SCTPE42xApp (connects to Near-RT RIC)
3868 / 5658 TCP/SCTPDiameterDiameter Node
5060 / 5061 TCP/UDPSIPIMS Node
2905 SCTPM3UASIGTRAN Gateway
319/320 UDPPTPPTP Node
830 TCPNETCONFOAM Endpoint
7777, 29500–29599 TCPSBIAny 5G Core NF

2. Process name heuristics: binary names such as smf, upf, amf, nrf are matched case-insensitively.

3. Binary path patterns: paths like /opt/open5gs/, /usr/local/open5gc/, /opt/ericsson/, /opt/nokia/, /opt/srsenb/ indicate vendor-specific NF implementations.

4. gRPC service detection: listening on port 7777 (Open5GS/Free5GC SBI default) or observing h2c HTTP/2 frames on SBI ports confirms a 5G Core NF.

Confidence scoring

Each role classification includes a confidence score from 0.0 to 1.0:

ConfidenceMeaning
0.9 or higherHigh confidence: used for alerts, SLO calculations, and compliance checks
0.5 to 0.9Medium: informational, further evidence being gathered
Below 0.5Low: not yet classified; additional heartbeats expected

Console auto-promotion

When a generic_linux or unclassified sensor sends heartbeat data containing a telecom NF inventory, the Console automatically promotes the sensor’s declared role:

  • Detected 5G Core NFs (AMF, SMF, UPF, PCF, AUSF, UDM, UDR, NRF, SCP, BSF, NSSF) promote to telecom_core
  • Detected RAN nodes (gNB variants, CU-CP, CU-UP, DU) promote to telecom_ran

Auto-promotion only upgrades from generic_linux, generic, or unknown. It never downgrades a sensor that already has a specific telecom role assigned.

Supported network functions

5G Core (3GPP SA Release 15+)

RoleFull nameSLO targetEnrollment value
AMFAccess and Mobility Management Function99.999%amf
SMFSession Management Function99.999%smf
UPFUser Plane Function99.999%upf
NRFNetwork Repository Function99.99%nrf
UDMUnified Data Management99.99%(auto-detected)
UDRUnified Data Repository99.99%(auto-detected)
PCFPolicy Control Function99.9%pcf
AUSFAuthentication Server Function99.99%ausf
NEFNetwork Exposure Function99.9%(auto-detected)
CHFCharging Function99.9%(auto-detected)
BSFBinding Support Function99.9%(auto-detected)
NSSFNetwork Slice Selection Function99.9%(auto-detected)
NWDAFNetwork Data Analytics Function99.0%(auto-detected)
SMSFShort Message Service Function99.0%(auto-detected)
SEPPSecurity Edge Protection Proxy99.0%(auto-detected)
LMFLocation Management Function99.0%(auto-detected)
GMLCGateway Mobile Location Centre99.0%(auto-detected)
AFApplication Function99.0%(auto-detected)

4G / EPC

RoleFull nameSLO target
MMEMobility Management Entity99.999%
SGWServing Gateway99.999%
PGWPacket Data Network Gateway99.999%
HSSHome Subscriber Server99.99%
PCRFPolicy and Charging Rules Function99.0%

O-RAN and RAN

RoleFull nameSLO targetEnrollment value
gNB-CU-CPgNB Central Unit Control Plane99.9%cucp
gNB-CU-UPgNB Central Unit User Plane99.9%cuup
gNB-DUgNB Distributed Unit99.9%o_du
gNBgNB N2 endpoint99.9%(auto-detected)
eNBeNodeB (4G)99.9%(auto-detected)
Near-RT RICNear-Real-Time RAN Intelligent Controller99.9%near_rt_ric
xAppO-RAN xApp (E42 client)99.0%(auto-detected from port 36422)
E2 NodeE2 interface endpoint99.9%(auto-detected)
O-RUO-RAN Radio Unit99.0%o_ru

Infrastructure and support

RoleFull nameDetection signal
IMS NodeIP Multimedia SubsystemSIP port 5060/5061
SIGTRAN GatewaySS7/SIGTRAN transportM3UA port 2905
Diameter NodeDiameter peerPort 3868/5658
RADIUS ServerRADIUS authenticationPort 1812/1813
OAM EndpointOperations and MaintenanceNETCONF port 830
PTP NodePrecision Time ProtocolPort 319/320 UDP
TelecomProcessGeneric telecom binaryName/path heuristic

Fallback

ValueUse when
generic_linuxNode needs telecom flavor but explicit classification is deferred

Do not leave production NF workloads at generic_linux permanently. Accurate role assignment unlocks role-specific policy packs, dashboards, protocol monitoring, and compliance controls from the first heartbeat.

SLO monitoring

The sensor monitors NF availability against these 3GPP TS 22.261 targets:

Availability targetRoles
99.999% (5-nines)AMF, SMF, UPF, MME, SGW, PGW
99.99% (4-nines)NRF, AUSF, UDM, UDR, HSS
99.9% (3-nines)PCF, CHF, BSF, NSSF, NEF, gNB variants, Near-RT RIC
99.0% (2-nines)All others

A breach alert fires after the NF has been observed for at least 300 seconds and the availability falls below its target. The sensor tracks Mean Time To Repair using a sliding window of the last 10 recovery samples. Breach alerts are suppressed for 3,600 seconds after firing to prevent alert storms.

Operational workflow

  1. Install the telecom flavor and declare the node role during sensor enrollment using the Console enrollment wizard.
  2. Validate in the Fleet view that the sensor shows the correct NF role classification.
  3. Assign a policy pack aligned to the role (O-DU, O-CU, O-Cloud baselines).
  4. Use the Telecom views to compare protocol behavior, topology, and resource trends before enabling containment on critical functions.

::: note Declare the node role explicitly during enrollment instead of relying on auto-detection. Accurate roles improve dashboards, pack suggestions, and the relevance of telecom-specific detections from the first heartbeat. :::

Further reading

Released under the Telovix Commercial License.

Copyright © 2024–present Telovix