Layer 3 LTE/5G: real-time RRC and NAS decoding - technical guide
Understand and decode Layer 3 messages in LTE and 5G NR: RRC (Radio Resource Control) and NAS (Non-Access Stratum). Message roles, field diagnostics, and capture tools.
Decoding Layer 3 (L3) messages is the most differentiating technical skill for a mobile network engineer. While radio KPIs (RSRP, SINR, throughput) describe the state of the link, L3 messages explain why the network behaved a certain way. This guide covers the fundamentals of Layer 3 in LTE and 5G NR and how to analyze it effectively in the field.
Layer 3 architecture in LTE and 5G NR
The two Layer 3 sub-layers
Layer 3 in mobile networks is divided into two protocol families, depending on the interface:
RRC (Radio Resource Control): radio interface (Uu)
- Manages the connection between the terminal (UE) and the base station (eNB/gNB)
- Controls radio measurements, handovers, and radio configuration
- Messages carried on the radio control channel (DCCH/BCCH/PCCH)
NAS (Non-Access Stratum): core interface (S1/N1)
- Manages terminal registration in the core network (MME/AMF)
- Controls data sessions (bearers), authentication, and core mobility
- Messages carried transparently through the RAN
In LTE: the NAS is divided into EMM (EPS Mobility Management) and ESM (EPS Session Management).
In 5G NR SA: the NAS is divided into 5G MM (5G Mobility Management) and 5G SM (5G Session Management).
Why Layer 3 is essential for diagnostics
A concrete example: a subscriber complains about repeated call drops inside a building.
The radio KPIs say: average RSRP -95 dBm, SINR 8 dB (acceptable). So why the drops?
The L3 messages reveal: RRC Connection Release with cause loadBalancingTAUrequired, meaning the network is actively offloading terminals to balance the load. This is not a coverage problem; it is a capacity and load-balancing configuration issue.
Without L3 messages, this diagnosis is impossible from radio KPIs alone.
Fundamental RRC messages in LTE
Connection establishment sequence
UE                                               eNB (base station)
 |                                                |
 |--- RRCConnectionRequest ---------------------->|  (UE requests a connection)
 |<-- RRCConnectionSetup -------------------------|  (eNB configures the channel)
 |--- RRCConnectionSetupComplete ---------------->|  (UE confirms)
 |<-- RRCConnectionReconfiguration ---------------|  (eNB configures bearers)
 |--- RRCConnectionReconfigurationComplete ------>|
RRCConnectionRequest: contains the UE identifier and the establishment cause (mobile originating, emergency, mobile terminating...). Analyzing the cause reveals the service type.
RRCConnectionSetup: contains the initial radio configuration (channel, power, HARQ). Verify consistency with the operator's configuration.
RRCConnectionReconfiguration: the most informative message. It contains:
- Bearer configuration (QCI, ARP, TEID)
- Measurement configuration (A3, A5, events, periods)
- Serving cell configuration (EARFCN, PCI, band)
- Optionally, the handover command (mobilityControlInfo)
Handover messages
The handover command is contained within an RRCConnectionReconfiguration with the mobilityControlInfo field present. This message includes:
- The target cell (PCI + EARFCN)
- The target radio configuration
- Security key re-derivation parameters (post-handover)
Handover success is confirmed by RRCConnectionReconfigurationComplete on the target cell.
In case of failure: the UE sends RRCConnectionReestablishmentRequest to the nearest available cell, with the cause (handoverFailure, otherFailure, reconfigurationFailure). The failure cause directly guides the corrective action.
Measurement messages
MeasurementReport: sent from the UE to the eNB when a measurement event is triggered (A1, A2, A3, A4, A5, B1, B2). It contains:
- The triggered event identifier
- RSRP/RSRQ of the serving cell
- RSRP/RSRQ of candidate neighbor cells
Analyzing MeasurementReport messages in sequence provides insight into the network's handover decisions and helps identify neighbor list issues.
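The handover and measurement sequence described above, as an added example that is not code from the original article: it pairs each handover command with the last MeasurementReport before it and with the message that ends it. The L3Event record, the `event` and `neighbours` keys and the trace are assumptions constructed for illustration; `targetPhysCellId` and `reestablishmentCause` are the RRC field names.

```python
# Added example (not from the article). The record layout is hypothetical:
# each event is one already-decoded RRC message with the fields of interest.
from dataclasses import dataclass, field

@dataclass
class L3Event:
    t_ms: int
    msg: str
    fields: dict = field(default_factory=dict)

def handover_outcomes(events):
    """Pair each handover command with the preceding MeasurementReport and its result."""
    results, report, pending = [], {}, None
    for ev in sorted(events, key=lambda e: e.t_ms):
        if ev.msg == "MeasurementReport":
            report = ev.fields
        elif ev.msg == "RRCConnectionReconfiguration":
            mci = ev.fields.get("mobilityControlInfo")
            if mci:  # only a reconfiguration carrying mobilityControlInfo is a handover
                pci = mci["targetPhysCellId"]
                pending = {"t_cmd": ev.t_ms, "target_pci": pci,
                           "trigger": report.get("event"),
                           "target_was_reported": pci in report.get("neighbours", {})}
        elif pending and ev.msg in ("RRCConnectionReconfigurationComplete",
                                    "RRCConnectionReestablishmentRequest"):
            failed = ev.msg == "RRCConnectionReestablishmentRequest"
            pending["outcome"] = (ev.fields.get("reestablishmentCause", "unknown")
                                  if failed else "success")
            pending["delay_ms"] = ev.t_ms - pending.pop("t_cmd")
            results.append(pending)
            pending = None
    return results

# Constructed trace: one clean handover, one plain reconfiguration, one failed handover.
TRACE = [
    L3Event(1000, "MeasurementReport",
            {"event": "A3", "serving_rsrp": -104, "neighbours": {212: -97}}),
    L3Event(1040, "RRCConnectionReconfiguration",
            {"mobilityControlInfo": {"targetPhysCellId": 212}}),
    L3Event(1085, "RRCConnectionReconfigurationComplete"),
    L3Event(9000, "RRCConnectionReconfiguration", {"measConfig": {"event": "A5"}}),
    L3Event(9010, "RRCConnectionReconfigurationComplete"),
    L3Event(15000, "MeasurementReport",
            {"event": "A3", "serving_rsrp": -110, "neighbours": {301: -101}}),
    L3Event(15020, "RRCConnectionReconfiguration",
            {"mobilityControlInfo": {"targetPhysCellId": 87}}),
    L3Event(15440, "RRCConnectionReestablishmentRequest",
            {"reestablishmentCause": "handoverFailure"}),
]
```

In the constructed trace the failed handover targets a PCI that the UE never reported, which is the kind of mismatch that points at the neighbor list rather than at coverage.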
Fundamental NAS messages in LTE (EPS)
Attach sequence
UE                                    MME (core network)
 |                                     |
 |--- Attach Request ----------------->|  (NAS)
 |<-- Authentication Request ----------|
 |--- Authentication Response -------->|
 |<-- Security Mode Command -----------|
 |--- Security Mode Complete --------->|
 |<-- Attach Accept -------------------|  (bearers configured)
 |--- Attach Complete ---------------->|
Attach Request: contains the IMSI or GUTI (temporary identifier), UE capabilities, and network preferences (LTE/NR). Analyze this message to verify that the UE is registering on the correct PLMN.
Attach Accept: contains the default bearer allocation (QCI, APN, IP address). Confirms successful registration.
Attach Reject: indicates an access denial with an explicit cause:
- Cause 3: IMSI unknown (SIM not provisioned)
- Cause 7: EPS services not allowed (subscriber not authorized)
- Cause 11: PLMN not allowed (roaming issue)
- Cause 22: Congestion (core network overload)
ESM messages (data session management)
PDN Connectivity Request / Accept: establishes a data session (default bearer). Verify the allocated APN and quality parameters (QCI 6 for data, QCI 1 for VoLTE voice).
Bearer Modification: dynamic bearer modification (QCI change, guaranteed bitrate). Appears notably during VoLTE transitions (QCI 1 bearer setup before the call).
Deactivate EPS Bearer: bearer deactivation (session end, expiration, congestion). An unexpected deactivation of the voice bearer during a VoLTE call reveals a network-side cause to be identified.
NAS specifics in 5G NR SA
In 5G SA, the NAS evolves significantly:
Registration Request (replaces Attach Request): contains the 5G-MM capabilities and 5G security parameters.
PDU Session Establishment Request (replaces PDN Connectivity): session management is more flexible, with a QoS model based on QoS Flows (5QI) rather than fixed bearers.
Key differences to know:
- The "bearer" concept is replaced by "QoS Flows" (more flexible)
- 5G authentication uses EAP-AKA' or 5G-AKA (more secure)
- Registration Reject messages replace Attach Reject; cause codes remain similar
How to capture and decode Layer 3 messages in practice
Method 1: Qualcomm DIAG interface (recommended)
The Qualcomm modem DIAG interface exposes complete L3 messages, encoded in ASN.1. Capture via this interface requires:
- Rooted Android on a Qualcomm device
- DIAG client (diagclient_cli) running as root
- ASN.1 decoder compiled for LTE + NR (libasn1c_lte_rrc.so, libasn1c_nr_rrc.so)
Advantage: access to all L3 messages, with millisecond-accurate timestamps and automatic correlation with radio KPIs from the same instant.
Method 2: QMDL export + offline QCAT
Capture the session in .qmdl format (raw Qualcomm DIAG format) and analyze offline in QCAT/QXDM. This approach is ideal for vendor tickets that require the complete raw trace.
Method 3: Tcpdump on IP interface (NAS only)
For unencrypted NAS messages (initial attach before security key establishment), a tcpdump on the radio interface can capture some messages. Limited in practice to the first steps of attachment.
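How the first octets of a captured LTE NAS PDU show whether it is plain or security protected, and where a reject cause sits, as an added example that is not code from the original article. The octet layout and message-type values follow 3GPP TS 24.301; the function name and the sample PDUs are constructed for illustration.

```python
# Added example (not from the article): read the header of an LTE NAS PDU.
# Octet layout and message-type values follow 3GPP TS 24.301.
SECURITY = {1: "integrity protected", 2: "integrity protected and ciphered",
            3: "integrity protected, new EPS security context",
            4: "integrity protected and ciphered, new EPS security context"}
PD_ESM, PD_EMM = 0x2, 0x7
EMM = {0x41: "Attach Request", 0x42: "Attach Accept", 0x43: "Attach Complete",
       0x44: "Attach Reject", 0x4B: "Tracking Area Update Reject",
       0x52: "Authentication Request", 0x53: "Authentication Response",
       0x5D: "Security Mode Command", 0x5E: "Security Mode Complete"}
ESM = {0xD0: "PDN Connectivity Request", 0xD1: "PDN Connectivity Reject"}
# In these messages a one-octet cause directly follows the message type.
CAUSE_FIRST = {"Attach Reject", "Tracking Area Update Reject", "PDN Connectivity Reject"}

def decode_nas(pdu: bytes) -> dict:
    if len(pdu) < 2:
        raise ValueError("NAS PDU too short")
    out = {"security": "plain", "readable": True}
    high, pd = pdu[0] >> 4, pdu[0] & 0x0F
    if pd == PD_EMM and high in SECURITY:
        # Protected envelope: header octet, 4-octet MAC, 1-octet sequence number.
        if len(pdu) < 8:
            raise ValueError("truncated security-protected PDU")
        out.update(security=SECURITY[high], mac=pdu[1:5].hex(), seq=pdu[5])
        if high in (2, 4):
            # Payload is ciphered (readable only if null ciphering EEA0 was selected).
            out["readable"] = False
            return out
        pdu = pdu[6:]
        high, pd = pdu[0] >> 4, pdu[0] & 0x0F
    if pd == PD_EMM and high == 0:
        mtype, body, table = pdu[1], pdu[2:], EMM
    elif pd == PD_ESM and len(pdu) >= 3:
        # ESM header: bearer identity | PD, then PTI, then message type.
        out.update(bearer_id=high, pti=pdu[1])
        mtype, body, table = pdu[2], pdu[3:], ESM
    else:
        raise ValueError(f"unsupported NAS header 0x{pdu[0]:02x}")
    out["message"] = table.get(mtype, f"unknown 0x{mtype:02x}")
    if out["message"] in CAUSE_FIRST and body:
        out["cause"] = body[0]
    return out

# Constructed sample PDUs (hex), not taken from a real capture.
SAMPLES = {"attach_reject": "074407", "pdn_reject": "0201d11b",
           "smc": "37aabbccdd00075d020002e0e0", "ciphered": "2711223344019f3c5a"}
```

Once the Security Mode procedure has completed, most PDUs in a trace arrive with header type 2 and decode no further than the MAC and sequence number unless the capture point sits below the NAS ciphering, as a modem DIAG log does.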
Practical diagnostics: 5 problems solved with Layer 3
Problem 1: "The phone connects but no internet"
Symptom: successful LTE attachment, but no data.
L3 diagnosis: look for ESM messages. If PDN Connectivity Request is sent but PDN Connectivity Reject is received with cause Unknown APN (cause 27), the APN configured on the phone is incorrect.
Problem 2: "VoLTE calls drop systematically"
Symptom: calls cut after 20-30 seconds.
L3 diagnosis: look for Deactivate EPS Bearer Context Request messages with cause Insufficient bearer resources or Reactivation required. Correlate with GPS location to identify whether the drop always occurs at the same location (coverage problem) or randomly (core problem).
Problem 3: "5G disappears in certain areas"
Symptom: terminal falls back from 5G NR to LTE for no apparent reason.
L3 diagnosis: look for RRC Release with Redirect to LTE or RRC Reconfiguration that removes the NR configuration (in NSA). Analyze the trigger: A2 threshold reached (serving LTE RSRP too low to maintain the NR link), or network load cause.
Problem 4: "The phone cannot connect after moving"
Symptom: after an inter-TAC handover, the terminal takes 30-60 seconds to regain service.
L3 diagnosis: look for a Tracking Area Update Request followed by a TAU Reject (cause 9 - UE identity cannot be derived, an MME context issue) or an abnormal delay on the TAU Accept. This often reveals an inter-MME configuration problem or a context synchronization issue.
Problem 5: "Voice quality is degraded despite good signal"
Symptom: voice MOS < 3.5 despite RSRP -80 dBm and SINR 15 dB.
L3 diagnosis: check SIP/IMS messages (VoLTE layer). Look for unexpected SIP BYE, frequent SIP Re-INVITE (codec renegotiation during the call), or a QCI 1 bearer modification during communication. These messages reveal issues at the IMS core level, not the radio layer.
Conclusion
Layer 3 is the "black box" of the mobile network. Where radio KPIs describe symptoms, L3 messages reveal the causes. For optimization teams, real-time L3 decoding is the skill that makes the difference between a 2-week diagnosis and a 2-hour diagnosis.
Accessing L3 messages in the field no longer requires dedicated equipment costing tens of thousands: a rooted Qualcomm smartphone with an embedded ASN.1 decoder delivers the same raw data as QCAT, directly in the field.
Founder of HiCellTek. 15+ years in telecom, operator side, vendor side, field side. Building the field tool RF engineers deserve.