Appearance
RAN Signaling (NGAP / F1AP / E2AP)
The telecom sensor monitors RAN control-plane signaling - NGAP, F1AP, E1AP, XnAP, E2AP, and SCTP - at the process level, recording procedure outcomes, KPIs, and anomalies for each monitored interface.
Requires: Telecom sensor flavor.
NGAP (NG Application Protocol)
Standard: 3GPP TS 38.413
Interface: N2 between gNB and AMF
Transport: SCTP port 38412, PPID 60
NGAP is the primary control-plane protocol between the radio access network and the 5G Core. The sensor monitors NGAP at both the gNB and AMF, decoding APER PDU headers and extracting IEs for procedures relevant to security and operations.
Procedures monitored
| Procedure | Code | What the sensor captures |
|---|---|---|
| InitialUEMessage | 15 | UE context, NAS PDU, RAN-UE NGAP ID |
| DownlinkNASTransport | 11 | NAS PDU delivery to UE |
| UplinkNASTransport | 46 | NAS PDU from UE to AMF |
| InitialContextSetup | 14 | Bearer setup success and failure |
| UEContextRelease | 41 | Context teardown event and latency |
| HandoverPreparation | 12 | Inter-AMF handover initiation and failure |
| NGSetup | 21 | N2 interface setup and failure |
NGAP KPIs
| KPI | Target | Alert |
|---|---|---|
| InitialContextSetupFailure rate per gNB | < 0.1% | Exceeded |
| UEContextRelease teardown latency | Tracked | Spike |
| Handover success rate per AMF | Tracked | Drop below baseline |
| NGSetup failure count per gNB | 0 | Any failure |
KPI history is stored in the ngap_kpi_history ClickHouse table. The AI assistant get_ngap_kpis tool queries procedure success rates and durations from this table.
NGAP heartbeat fields
Each heartbeat from a node with an NGAP interface includes:
ranap_report: decoded NGAP eventsngap_kpi_report: aggregated KPI values for the interval
NGAP anomaly interpretation
High InitialContextSetupFailure rates from a specific gNB may indicate bearer setup failure, UE authentication issues, or a signaling flood. NGSetup failures indicate the gNB cannot register with the AMF; this may reflect network policy changes, IP routing changes, or active security filtering. Unexpected UEContextRelease without a preceding UEContextReleaseRequest from the network side indicates premature teardown.
F1AP (F1 Application Protocol)
Standard: 3GPP TS 38.473
Interface: F1 between gNB-CU-CP and gNB-DU
Transport: SCTP port 38472, PPID 60
F1AP is used in disaggregated gNB deployments where the CU-CP and DU run as separate components.
Procedures monitored
| Procedure | What the sensor captures |
|---|---|
| F1SetupRequest / F1SetupResponse | DU registration with CU-CP; setup success and failure count |
| InitialULRRCMessageTransfer | UE RRC context establishment from DU |
| DLRRCMessageTransfer | CU-CP to DU RRC message containing NAS or mobility information |
F1AP anomalies
| Anomaly | Meaning |
|---|---|
| Repeated F1SetupFailure | DU cannot register with CU-CP; radio coverage loss or configuration mismatch |
| RRC context lost unexpectedly | Bearer failure or DU process crash during active UE session |
E1AP (E1 Application Protocol)
Standard: 3GPP TS 38.463
Interface: E1 between gNB-CU-CP and gNB-CU-UP
Transport: SCTP port 38462, PPID 60
E1AP manages bearer contexts between the control-plane and user-plane CU components.
Procedures monitored
| Procedure | What the sensor captures |
|---|---|
| E1SetupRequest / E1SetupResponse | CU-UP registration with CU-CP |
| BearerContextSetupRequest / Response | Data bearer creation; outcome and latency |
| BearerContextModification | QoS or routing change on an existing bearer |
E1AP metrics
- Bearer setup latency per CU-UP
- Bearer setup failure count
- Bearer modification rate
XnAP (Xn Application Protocol)
Standard: 3GPP TS 38.423
Interface: Xn between neighboring gNBs
Transport: SCTP port 38422, PPID 60
XnAP coordinates inter-gNB handovers and neighbor registration.
Procedures monitored
| Procedure | What the sensor captures |
|---|---|
| XnSetupRequest / XnSetupResponse | Neighbor gNB registration |
| HandoverRequest / HandoverResponse | Inter-gNB handover; success and failure |
| UEContextRelease | Tunnel cutover after handover completion |
XnAP anomalies
| Anomaly | Meaning |
|---|---|
| Handover success rate drop | Degraded radio conditions or inter-gNB signaling fault |
| Unexpected UEContextRelease from peer gNB | Premature teardown; possible protocol violation or peer crash |
E2AP (E2 Application Protocol)
Standard: O-RAN Alliance WG3
Interface: E2 between E2 agent (gNB) and Near-RT RIC
Transport: SCTP port 36421
E2AP carries RAN telemetry and control between E2 agents and the Near-RT RIC. xApps connect to the Near-RT RIC via SCTP port 36422 (E42 interface).
Procedures monitored
| Procedure | What the sensor captures |
|---|---|
| E2 Setup | E2 agent registration with RIC; RANfunctions advertised (CellID, UEID, PRB) |
| RIC Subscription | RIC subscription request; subscription ID, action type (report, insert, policy) |
| RIC Indication | E2 node metric sample sent to RIC triggered by subscription |
| RIC Control | RIC control action sent to E2 node (e.g., handover trigger) |
E2AP metrics
| Metric | SLA |
|---|---|
| Cell-level PRB utilization | Tracked |
| Beam state and interference | Tracked |
| UE-level SINR and CQI | Tracked |
| RIC response time | < 100ms |
E2AP events appear in the e2ap_report heartbeat field. The oran_report field provides the aggregated O-RAN overview.
NAS 5G (Non-Access Stratum)
Standard: 3GPP TS 24.501
Transport: Encapsulated inside RRC, delivered to gNB, relayed to AMF via NGAP
NAS messages carry UE registration, authentication, and session management between the UE and the AMF. The sensor decodes NAS content where it is visible in NGAP payloads.
Message types observed
| Message type | Context |
|---|---|
| Registration | UE registers with network (Home or Roaming) |
| Service Request | Existing UE requesting a new service |
| Authentication Challenge | AMF challenge to UE |
| PDU Session Establishment | UE requests a data session |
NAS anomalies
| Anomaly | Meaning |
|---|---|
| Registration rejection with CAUSE_IMEI_NOT_ACCEPTED | Device hit a blacklist; may indicate stolen device or policy enforcement |
| Repeated authentication failures | Credential attack or authentication sync failure |
| Session setup failures | Policy or QoS misconfiguration downstream |
SCTP (Stream Control Transmission Protocol)
Standard: RFC 9260
Role: Transport layer for NGAP, F1AP, E1AP, XnAP, E2AP, Diameter, and M3UA
All RAN control-plane protocols run over SCTP. The sensor monitors SCTP associations independently of the upper-layer protocol, providing transport-level visibility that complements protocol-level decoding.
What the sensor decodes
- SCTP common header: source and destination port, verification tag, checksum
- Chunk types: DATA (0x00), I-DATA (0x40 for interleaved), INIT, INIT-ACK, SACK, ABORT, SHUTDOWN
- Fragment reassembly using stream ID, sequence number (SSN or MID), and B/E flags
Association tracking
Each SCTP association is tracked as a 4-tuple (src_ip:port to dst_ip:port) with state (ESTABLISHED, SHUTDOWN, CLOSED) and per-stream counters:
- Message count per stream
- Loss count per stream
- RTT samples per association
SCTP metrics
| Metric | Anomaly trigger |
|---|---|
| Association churn rate | Rapid INIT/SHUTDOWN cycling |
| Chunk loss rate | SACK gaps indicating packet loss |
| RTT samples | Latency increase or spike |
| Abort reason codes | Non-zero count |
SCTP anomalies
| Anomaly | Meaning |
|---|---|
| Spurious INIT during active session | Association restart; indicates attack or crash loop |
| Multiple ABORT chunks | Protocol violations; may indicate signaling attack |
| Unexpected stream reset | Bearer failure or peer-initiated teardown |
SCTP state is available in the sctp_inventory and sctp_health_report heartbeat fields.
4G S1AP (S1 Application Protocol)
Standard: 3GPP TS 36.413
Interface: S1 between eNB and MME
Transport: SCTP port 36412
S1AP is the 4G equivalent of NGAP. The sensor detects S1AP bindings on port 36412 and assigns the eNB or MME role based on whether the process listens or connects. Protocol-level decoding follows the same APER approach as NGAP. S1AP-specific procedure KPIs (InitialContextSetup, UEContextRelease, HandoverPreparation) are tracked with the same logic as their NGAP counterparts.
Console views for RAN signaling
RAN view
In the Console, go to Telco > RAN. The page shows RAN node inventory with detected interfaces, current KPI status, SLO state, and anomaly risk level per node.
Protocol analytics
In the Console, go to Telco > Protocol Analytics. The page shows a cross-protocol view: SCTP association health, NGAP procedure success rates, F1AP and E1AP setup metrics, and E2AP subscription state.
NGAP KPIs via AI assistant
Ask the AI assistant: "Show NGAP KPIs for the last 24 hours."
The get_ngap_kpis tool queries the ngap_kpi_history table and returns procedure success rates, failure counts, and duration distributions.
Filtering runtime events by signaling role
In the Console, go to Activity > Runtime Events. Use the NF Role filter and the Event Kind filter to scope results. For example, select role gnb and event kind network_connect to see NGAP-related connection events on gNB nodes, or select role near_rt_ric to see all runtime events on Near-RT RIC nodes.
Port reference
All RAN and adjacent signaling ports detected by the telecom sensor:
| Port | Protocol | Standard | Role indicated |
|---|---|---|---|
| 38412 SCTP | NGAP | 3GPP TS 38.413 | AMF (listener) or gNB (connector) |
| 38472 SCTP | F1AP | 3GPP TS 38.473 | gNB-CU-CP or gNB-DU |
| 38462 SCTP | E1AP | 3GPP TS 38.463 | gNB-CU-CP or gNB-CU-UP |
| 38422 SCTP | XnAP | 3GPP TS 38.423 | gNB (Xn interface) |
| 36421 SCTP | E2AP | O-RAN WG3 | Near-RT RIC (listener) or E2 Node |
| 36422 SCTP | E42 | O-RAN WG3 | xApp (connector to Near-RT RIC) |
| 36412 SCTP | S1AP | 3GPP TS 36.413 | eNB or MME (4G) |
| 3868 / 5658 TCP/SCTP | Diameter | RFC 6733 | Diameter Node, CHF, HSS, PCRF |
| 2905 SCTP | M3UA | RFC 4666 | SIGTRAN Gateway |
| 5060 / 5061 TCP/UDP | SIP | RFC 3261 | IMS Node |
| 1812 / 1813 UDP | RADIUS | RFC 2865/2866 | RADIUS Server, AUSF, UDM |
Operational guidance
SCTP multi-homing: SCTP supports multi-homed associations where a single association spans multiple IP addresses. The sensor tracks the primary address tuple. If a failover occurs to a secondary address, the sensor will observe a new 4-tuple and may treat it as a new association. This is expected behavior and does not indicate an anomaly.
NGAP KPI baseline: InitialContextSetupFailure rates vary by deployment. The 0.1% SLA target is a starting point. On dense urban deployments with high UE density, this rate may legitimately be higher. Review the baseline before enabling alert thresholds.
E2AP timing sensitivity: E2AP carries real-time RAN control actions. The RIC response time SLA is < 100ms. Any enforcement action on a Near-RT RIC process that introduces latency above this threshold could affect scheduling decisions. Use audit mode on Near-RT RIC nodes before enabling enforcement.
SCTP abort monitoring: SCTP ABORT chunks carry reason codes that can distinguish protocol violations from operational shutdowns. Monitor abort reason codes in the sctp_health_report field. A spike in ABORT chunks with non-standard reason codes on NGAP associations warrants immediate investigation.
Further reading
- O-RAN Architecture (DU / CU / RIC)
- 5G Core (AMF / SMF / UPF)
- Telecom Overview
- O-RAN WG11 Compliance
- Network View
- 3GPP TS 38.413 - NG Application Protocol (NGAP)
- 3GPP TS 38.473 - F1 Application Protocol (F1AP)
- 3GPP TS 38.463 - E1 Application Protocol (E1AP)
- O-RAN WG3 - E2 Application Protocol (E2AP)
- RFC 9260 - Stream Control Transmission Protocol (SCTP)