Can anyone guess which protocol these packets belong to?

We see these packets being introduced into the FTP data channel (DTP) during a file download on the Telstra NEXTG mobile network. We are not sure whether these are network packets, a problem with our 3G modem (HC25), or something like our firewall injecting into the stream.

Using the tool, we noticed that PPP framing fails with protocol length errors, so they are most likely mobile network packets.

I hope someone here can identify the signature of these packets so that I can pursue this with the appropriate provider.

Here is the format of these packets:

Packet1: 00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 01 10 f4 4e 00 00 40 06 2f 13 cb 7a 9d e9 7b d0 71 52 7a ed 04 06 8c 61 5d a9 01 f7 0c eb 50 10 ff ff 58 b9 00 00

Packet2: 00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 00 ff 6b 50 00 00 40 06 b8 22 cb 7a 9d e9 7b d0 71 52 7a ed 04 06 8c 61 7b 82 01 f7 0c eb 50 10 ff ff a3 79 00 00

Packet3: 00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 02 20 5b 50 00 00 40 06 c7 01 cb 7a 9d e9 7b d0 71 52 7a ed 04 06 8c 61 7c 59 01 f7 0c eb 50 10 ff ff e2 5d 00 00

Packet4: 00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 01 38 d8 52 00 00 40 06 4a e7 cb 7a 9d e9 7b d0 71 52 7a ed 04 06 8c 62 42 f9 01 f7 0c eb 50 10 ff ff 20 91 00 00

Packet5: 00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 00 d0 4d 58 00 00 40 06 d6 49 cb 7a 9d e9 7b d0 71 52 7a ee 04 08 4b fb 0b 8f 03 5d 51 1a 50 10 ff ff e9 88 00 00

+4
4 answers

They look like regular TCP packets, but with two extra 00 bytes tacked on in front. I don't know why that would happen, but they appear to be from 00-90-7f-43-0f-a1 (WatchGuard) to 00-24-c4-b8-7b-1a (Cisco).

IP header: 45 00 01 10 f4 4e 00 00 40 06 2f 13 cb 7a 9d e9 7b d0 71 52

TCP Header: 7a ed 04 06 8c 61 5d a9 01 f7 0c eb 50 10 ff ff 58 b9 00 00

So, you can get the rest of the information from there.

+2

I converted the packet trace fragment into a format that text2pcap understands, so I could convert them to pcap format for viewing in Wireshark (a very convenient tool for capturing and analyzing packets).

It looks like some kind of IPv4 multicast traffic, under a very crude assumption. Here is what I got from the first packet (the rest are of the same character):

No. Time Source Destination Protocol Info
1 0.000000 7b:1a:00:90:7f:43 00:00:00_24:c4:b8 0x0fa1 Ethernet II

Frame 1 (31 bytes on wire, 31 bytes captured)
    Arrival Time: Dec 1, 2009 00:33:05.000000000
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 31 bytes
    Capture Length: 31 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:data]
Ethernet II, Src: 7b:1a:00:90:7f:43 (7b:1a:00:90:7f:43), Dst: 00:00:00_24:c4:b8 (00:00:00:24:c4:b8)
    Destination: 00:00:00_24:c4:b8 (00:00:00:24:c4:b8)
        Address: 00:00:00_24:c4:b8 (00:00:00:24:c4:b8)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 7b:1a:00:90:7f:43 (7b:1a:00:90:7f:43)
        Address: 7b:1a:00:90:7f:43 (7b:1a:00:90:7f:43)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Type: Unknown (0x0fa1)
Data (17 bytes)
    0000  08 00 45 00 01 10 f4 4e 00 00 40 06 2f 13 cb 7a   ..E....N..@./..z
    0010  9d                                                .
    Data: 080045000110F44E000040062F13CB7A9D
+6

00:24:c4 is a Cisco network adapter and 00:90:7F is a WatchGuard network adapter.

From the IEEE OUI Registry.

How that helps... I don't know. Perhaps this is an attempt at a VPN connection.

+2

As already decoded by others:

  • the first 6 + 6 + 2 bytes identify the NICs and the Ethernet II frame.
  • the EtherType bytes 0x0800 say this is IP. http://en.wikipedia.org/wiki/EtherType
  • the next octet, starting with nibble "4", is IPv4
  • and so on.
0
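As an added example (not code from any of the posters), a Python decoder for Packet1 from the question: it drops the two leading 00 bytes as the first answer does, walks the Ethernet II, IPv4 and TCP headers the last answer lists, verifies the IPv4 header checksum, and flags that the dump is shorter than the IP total-length field. The OUI table and the packet bytes are constructed from the thread only; running `decode(PACKET1, strip=0)` reproduces the bogus 0x0fa1 EtherType that the Wireshark output above shows.

```python
import struct

# Packet1 from the question, embedded as constructed input (the split "f 4" is rejoined).
PACKET1 = bytes.fromhex(
    "00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00"
    " 45 00 01 10 f4 4e 00 00 40 06 2f 13 cb 7a 9d e9 7b d0 71 52"
    " 7a ed 04 06 8c 61 5d a9 01 f7 0c eb 50 10 ff ff 58 b9 00 00"
)
# Assumed OUI table: only the two prefixes identified in the thread.
OUI = {"00:24:c4": "Cisco", "00:90:7f": "WatchGuard"}
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_checksum(hdr):
    """RFC 1071 one's-complement sum; returns 0 for an intact IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def decode(frame, strip=2):
    """Parse Ethernet II / IPv4 / TCP after discarding `strip` leading bytes."""
    f = frame[strip:]
    etype = struct.unpack("!H", f[12:14])[0]
    out = {"dst_mac": mac(f[:6]), "src_mac": mac(f[6:12]), "ethertype": etype}
    out["dst_vendor"] = OUI.get(out["dst_mac"][:8])
    out["src_vendor"] = OUI.get(out["src_mac"][:8])
    if etype != 0x0800 or (f[14] >> 4) != 4:
        return out  # not IPv4: stop at the Ethernet layer
    ip = f[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident = struct.unpack("!HH", ip[2:6])
    out.update(ip_src=".".join(map(str, ip[12:16])), ip_dst=".".join(map(str, ip[16:20])),
               ip_total_len=total_len, ip_id=ident, ttl=ip[8], proto=ip[9],
               ip_checksum_ok=ip_checksum(ip[:ihl]) == 0,
               truncated=len(ip) < total_len)  # dump shorter than the IP length field claims
    if ip[9] != 6:
        return out  # not TCP
    t = ip[ihl:]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", t[:16])
    out.update(sport=sport, dport=dport, seq=seq, ack=ack, window=win,
               flags=[n for i, n in enumerate(TCP_FLAGS) if (off_flags & 0x3F) >> i & 1])
    return out
```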
