Tuesday, 15 May 2012

mobile - Can anyone guess what protocol these packets belong to? -


We see that these packets should be injected into FTP-DTP channels during a downlink file transfer over Telstra's NXTG mobile network. Used to be. We are not sure whether these are network-level packets, like injecting our 3G modem (HC25 based) or something like a firewall stream.

Using a tool we saw that the preparation of PPP fails with protocol length errors, so they most likely have the possibility of mobile network packets.

I hope someone will have to identify the signature of the packet so that I can pursue it with the appropriate vendor.

There is definitely one format for these packets: -

Packet 1: 00 00 00 24C4B8 7B1A0907F 43 0f a1 08 00 45 00 01 10 F 4 4 00 00 40 06 2 F13 CB 7 A 9 DE 9 7 BD DD 71 7 7 A ADE 04 06 8 C 61 5 A A 9 01 F 7 0 CEB 50 10 FF FF 58 B900 00

Packet 2: 00 00 00 24C4B8 7B1A00907F 43 0 FA1 08 00 45 00 00 FF 6B 50 00 00 40 06 B 8 22 CB 7 A 9 DE 9 7 BD DD 71 7 7A Aad 04 06 8 C 61 7 B 82 01 F 7 C EB 50 10 FF FF A3 79 00 00

Packet 3: 00 00 00 24c4b8 7b1a01 90 7f 43ff 0f 080045 00 02 205b 50 00 00 40 06 C7 01 CB7A 9DE 9 7BDD 71 527A Ed 04 068C61 7C 59 01F7CEB 50 10FF FF E250D 00 00

< P> Packet 4: 00 00 00 24c4b8 7b1a00 90f 43ff0a1 08 00 45 00 01 38d8 52 00 00 40 06 4a7 cb 7a 9d E 9 7BD 71 527A AAD 04 068C 62 42F 9 01F7 0 CEB 50 10FF FF 20 91 00 00 Packet 5: 00 00 00 24C4B8 7 B1A 00 90 7F 43 FE 08 08 45 45 00 00 D08 00 00 40 06 D6 49 CB 7 A 9 DE 9 7 BD DD 71 7 7 7 EE 04 08 4b FB 0 B8F350D51 1A 50 10FF FF E988 00 00

< P> These are common Eepi look like packets but the front was tagged with two additional 00 bytes. It is not certain why this will happen, but they appear from 00-90-7f-43-0f-a1 (watchguard) to 00-24-C4-B8-7B-1A (Cisco).

IP header 45 00 01 10F 4 4 00 00 40 06 2F13 CB7A9DE 9 7BD052 52

TCP header 7A Ed 04 06 8C 61 5D A 9 01 F7 is 0c EB 50 10FF FF 58B 9 00 00

so you can get the remaining details from there.


No comments:

Post a Comment