Ethereal-dev: Re: [Ethereal-dev] implementing a dissector for PPP sent over a CDMA 1x data net
On Thu, Dec 04, 2003 at 11:14:15AM -0000, Chris Greening wrote:
> We are trying to add support to ethereal for data captured off a CDMA
> 1x data network.
>
> Most of the packets we capture contain PPP encapsulated in HDLC
> framing. Instead of the usual 0x880b identifier for PPP we get 0x8881.
> So far, we've modified ethereal to accept this value and strip off the
> HDLC framing and almost all of our packets are decoded correctly.
>
> However, every so often we receive three packets in a row that look
> like the one below. The strange thing about this packet is that there
> is no HDLC framing, and the encapsulated IP packet seems to be
> truncated.
>
> This is happening to about 20% of the packets that we are sniffing.
> We've tried it with several different sniffers (Network Associates
> Sniffer and Agilent Advisor) on a highly loaded network and on a test
> network with minimal load and get the same results.
>
> Does anyone have any ideas on how (or if) we can decode the data?
> We're not sure if the data is some symptom of a problem on the network
> or just a symptom of how limited our knowledge of the protocol is.
>
> Frame 765 (66 bytes on wire, 66 bytes captured)
> Ethernet II, Src: 08:00:3e:03:02:01, Dst: 00:07:4f:87:90:1c
> Internet Protocol, Src Addr: 10.160.31.69 (10.160.31.69), Dst Addr: 10.160.31.107 (10.160.31.107)
> Generic Routing Encapsulation
> Point-to-Point Protocol
> Protocol: IP (0x0021)
OK, so this is PPP encapsulated inside GRE.
> Internet Protocol
> Version: 0
> Header length: 8 bytes (bogus, must be at least 20)
>
> 00 07 4f 87 90 1c
Destination MAC address for the Ethernet packet.
> 08 00 3e 03 02 01
Source MAC address.
> 08 00
Ethernet type IP.
> 45
IP version/header length; 4 means IPv4, 5 means 5 words or 20 bytes of
header.
> 00
IP type-of-service.
> 00 30
IP total length, 48 bytes - minus 20 bytes for header, that's 28 bytes.
> 1d 68
IP ID.
> 00 00
IP flags and fragment offset - no fragmentation.
> 40
IP Time-to-live.
> 2f
IP protocol - GRE.
> 09 48
IP header checksum.
> 0a a0 1f 45
Source IP address.
> 0a a0 1f 6b
Destination IP address.
> 20 00
GRE flags and version. "Key Present" is set, other flags aren't, and
version number is 0.
> 88 81
GRE protocol type - an Ethernet type; 8881 is, according to
http://standards.ieee.org/regauth/ethertype/type-pub.html
registered to "TIA", in Arlington, Virginia, USA. I assume that's the
Telecommunications Industry Association:
http://www.tiaonline.org/
but I have no idea what they're using it for. (The various Google
searches I tried found nothing.)
> 00 00 00 91
GRE Key field.
> Encapsulated IP packet:
>
> 21 02 01 00 10 02
> 06 00 2d 0f 00 03 06 0a a0 1f 63 64 08 7e fe 11
> d3 01
Whatever it is, it's not IP - there's no 45, or even any 4x for x >= 5,
in there.
If that's what follows the GRE Key field, that's a PPP packet:
> 21
PPP protocol type - IP.
> 02 01 00 10 02
> 06 00 2d 0f 00 03 06 0a a0 1f 63 64 08 7e fe 11
> d3 01
That's the encapsulated packet, whatever the heck it is.
Searching through the TIA's list of standards:
http://www.tiaonline.org/standards/tia_catalog.pdf
for "cdma" found standard TSB115:
http://www.tiaonline.org/standards/search_results2.cfm?document_no=TSB115
Document #: TSB115
Title: cdma2000(R) Wireless IP Architecture Based on IETF
Protocols (2000)
Committee: TR-45.6
Published: December 1, 2000
Category: Telecommunications
Description: This document describes the packet data system
architecture for a third generation wireless system based on
IMT-2000
I've no idea whether that standard describes what's going on with
Ethernet type 8881 or not. You might want to look through the TIA
catalog of standards, but note that
1) the standards cost money
and
2) they appear to send you to Global Engineering Resources for
the standard, and the Global Engineering Resources site lists
the CD-ROM price as $76.00 and the download price as "N/A",
which I fear means "you can only get this on a CD-ROM, you
can't get it downloaded".
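The byte-by-byte walk in the reply above, as an added Python example (not code from either message or from Ethereal). `decode_gre_frame` and its result keys are names chosen here, the frame is re-typed from the quoted hex dump, and the GRE flag bits (RFC 1701) and the one-byte PPP protocol form (RFC 1661) are assumptions brought in from those RFCs.

```python
import struct

# The 66-byte frame from the message above, re-typed from its hex dump.
FRAME = bytes.fromhex(
    "00074f87901c08003e0302010800"               # Ethernet II
    "450000301d680000402f09480aa01f450aa01f6b"   # IPv4
    "2000888100000091"                           # GRE
    "21020100100206002d0f0003060aa01f6364087efe11d301")

def decode_gre_frame(frame):
    """Walk Ethernet II -> IPv4 -> GRE -> PPP protocol byte(s)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-over-Ethernet frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length, bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or not ihl + 4 <= total_len <= len(ip):
        raise ValueError("bad IPv4 header")
    if ip[9] != 47:
        raise ValueError("IP protocol is not GRE")
    # One's-complement sum over the header, checksum included, folds to 0xffff.
    s = sum(struct.unpack("!%dH" % (ihl // 2), ip[:ihl]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    gre = ip[ihl:total_len]                       # honour IP length, not capture length
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & 0x4007:                            # routing bit or version != 0
        raise ValueError("GRE routing/version not handled here")
    off, key = 4, None
    if flags & 0x8000:                            # checksum + offset words
        off += 4
    if flags & 0x2000:                            # Key Present
        key = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & 0x1000:                            # sequence number, skipped
        off += 4
    payload = gre[off:]
    # PPP protocol field: an odd first byte is the compressed one-byte form.
    n = 1 if payload and (payload[0] & 1) else 2
    inner = payload[n:]
    return {
        "ip_checksum_ok": s == 0xFFFF, "gre_proto": proto, "gre_key": key,
        "ppp_proto": int.from_bytes(payload[:n], "big"), "inner": inner,
        # IPv4 starts 0x4X with X >= 5; anything else is not an IPv4 header.
        "inner_is_ipv4": bool(inner) and inner[0] >> 4 == 4 and inner[0] & 15 >= 5,
        "trailer": ip[total_len:],                # bytes past the IP total length
    }

if __name__ == "__main__":
    print(decode_gre_frame(FRAME))
```

On this frame the IP total length (48) ends four bytes before the captured data does, so `trailer` holds the last four bytes of the dump instead of counting them as GRE payload.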