English 中文(简体)
Can anyone guess what protocol these packets belong to?
原标题:

We see these packets being injected in an FTP-DTP channel during a downlink file transfer on Telstra s NEXTG mobile network. We are not sure if these are network level packets, a problem with our 3G modem (HC25 based) or something like our firewall injecting in the stream.

Using a tool we noticed that the PPP framing fails with protocol length errors, so they are mostly likely mobile network packets.

I am hoping someone here can identify the signature of the packets so that I can chase this up with the appropriate vendor.

There is definitely a format to these packets: -

Packet1: 00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 01 10 f4 4e 00 00 40 06 2f 13 cb 7a 9d e9 7b d0 71 52 7a ed 04 06 8c 61 5d a9 01 f7 0c eb 50 10 ff ff 58 b9 00 00

Packet2: 00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 00 ff 6b 50 00 00 40 06 b8 22 cb 7a 9d e9 7b d0 71 52 7a ed 04 06 8c 61 7b 82 01 f7 0c eb 50 10 ff ff a3 79 00 00

Packet3: 00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 02 20 5b 50 00 00 40 06 c7 01 cb 7a 9d e9 7b d0 71 52 7a ed 04 06 8c 61 7c 59 01 f7 0c eb 50 10 ff ff e2 5d 00 00

Packet4: 00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 01 38 d8 52 00 00 40 06 4a e7 cb 7a 9d e9 7b d0 71 52 7a ed 04 06 8c 62 42 f9 01 f7 0c eb 50 10 ff ff 20 91 00 00

Packet5: 00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 00 d0 4d 58 00 00 40 06 d6 49 cb 7a 9d e9 7b d0 71 52 7a ee 04 08 4b fb 0b 8f 03 5d 51 1a 50 10 ff ff e9 88 00 00

最佳回答

These look like ordinary TCP packets but with two extra 00 bytes tagged on at the front. Not sure why that would happen, but they appear to be from 00-90-7f-43-0f-a1 (Watchguard) to 00-24-c4-b8-7b-1a (Cisco).

IP header is 45 00 01 10 f4 4e 00 00 40 06 2f 13 cb 7a 9d e9 7b d0 71 52

TCP header is 7a ed 04 06 8c 61 5d a9 01 f7 0c eb 50 10 ff ff 58 b9 00 00

So you can get the rest of the details from there.

时间:2009-12-01 00:52:12
问题回答

I converted your packet trace snippet into a format understood by text2pcap so I could convert them into the pcap format for viewing in Wireshark (a very handy packet capture and analysis tool):

Looks like some sort of IPv4 multicast traffic at a very rough guess. Here s what I got from the first packet (rest came up as malformed):

No.     Time        Source                Destination           Protocol Info
      1 0.000000    7b:1a:00:90:7f:43     00:00:00_24:c4:b8     0x0fa1   Ethernet II

Frame 1 (31 bytes on wire, 31 bytes captured)
    Arrival Time: Dec  1, 2009 00:33:05.000000000
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 31 bytes
    Capture Length: 31 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:data]
Ethernet II, Src: 7b:1a:00:90:7f:43 (7b:1a:00:90:7f:43), Dst: 00:00:00_24:c4:b8 (00:00:00:24:c4:b8)
    Destination: 00:00:00_24:c4:b8 (00:00:00:24:c4:b8)
        Address: 00:00:00_24:c4:b8 (00:00:00:24:c4:b8)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 7b:1a:00:90:7f:43 (7b:1a:00:90:7f:43)
        Address: 7b:1a:00:90:7f:43 (7b:1a:00:90:7f:43)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Type: Unknown (0x0fa1)
Data (17 bytes)

0000  08 00 45 00 01 10 f4 4e 00 00 40 06 2f 13 cb 7a   ..E....N..@./..z
0010  9d                                                .
    Data: 080045000110F44E000040062F13CB7A9D
时间:2009-12-01 00:39:05

00:24:c4 is a NIC from Cisco and 00:90:7F is a NIC from WatchGuard.

From the IEEE OUI Registry.

How much help that might be ... don t know. Might therefore be an attempted VPN connection.

时间:2009-12-01 00:38:34

As already decoded by others:

时间:2009-12-01 01:10:54


上一篇:
下一篇:


相关问题
C# Networking API s [closed]

Lately I ve been looking for a good networking API i could possibly use and/or reference some of the code within, but i have mere luck searching for some on Google/Bing. Hopefully somebody here has ...

时间:2009-11-16 21:40:08 回答:4 展示:1
Listen to a port that is in use [duplicate]

Possible Duplicate: Get connecting IP from specified ports that using by other program. If a port is used by a program, is there any way I can listen that port and get the connected IP on that ...

时间:2009-11-15 22:02:25 回答:3 展示:1
Twisted Spread suitable for multiplayer racing sim?

Do you think that Twisted Spread may be suitable (in terms of performance) for a multiplayer racing simulator? The rest of the application is based on Python-Ogre. Can Perspective Broker run upon (...

时间:2009-11-14 01:49:39 回答:2 展示:1
Optimizing a LAN server for a game

I m the network programmer on a school game project. We want to have up to 16 players at once on a LAN. I am using the Server-Client model and am creating a new thread per client that joins. ...

时间:2009-11-13 19:10:50 回答:1 展示:1
multicast ip address - blocked in call to recvfrom

i am writing a simple multicast application. i intend to run it on localhost. i have done the following: char *maddr; . . . sendfd = socket(...); struct sockaddr_in sasend; sasend.sin_family = ...

时间:2009-11-08 19:01:06 回答:1 展示:1
Java HTTPAUTH

我试图把桌面应用程序连接起来,我是同D.icio.us api @ Delicious Alan书写的,简单地向他们提供我的用户名和密码,并请他把书记上写给我......。

时间:2009-11-07 16:03:37 回答:5 展示:1
热门标签

友情链接

Allggapp Alljchome-教程家园 mvfinale.com-影视剧情大结局大全