tcpdump mailing list archives

New official link-layer type request


From: Damir Franusic <damir.franusic () gmail com>
Date: Sat, 11 May 2019 16:26:34 +0200

Hi

My name is Damir and I am the founder of a Croatian-based company called Socket d.o.o. We are currently working on an ETSI-compliant Lawful Interception solution; it is a work in progress, but we already have a couple of clients in need of this solution.

The problem with LI is that governments impose the law on the ISPs and other Communication Service Providers (CSPs), making them obliged to purchase the LI software or implement it themselves. These systems are standardized to some degree by the European Telecommunications Standards Institute (ETSI), but that is just the first part of the story.

LI systems are quite complex, but from the perspective of LEAs (Law Enforcement Agencies) they consist of 2 parts: Backend and Frontend. Backend is actually what is normally called a GUI or a Web Interface, so the reversal of terminology can be a bit confusing at times.

ELEE software is a data interception (Frontend) system that passively tracks IP traffic and delivers the data of interest to LEAs. The format of that delivery is defined by ETSI; they describe everything in great detail using ASN.1 notation, which is then encoded using BER when sent over the wire.


Why do we need a new DLT? We would like to offer the ELEE solution to our customers (ISPs and/or CSPs), but LEAs are also a vital part of this 2-part business. LEAs are quite prone to having lots of issues with data analysis (Backend part) software, which is quite odd since they also follow ETSI-governed standards. Some even demand a regular PCAP format for data delivery due to a complete lack of Backend software. LI data delivery comprises both packet data and intercept metadata, which is completely unrelated to the network stack. This is also one of the reasons to ask for a new DLT.


The ELEE solution supports PCAP, BER and ELEE/PCAP. We created our own protocol which is transferred using SCTP and is registered with IANA with SCTP PPID 65. We would like to offer a way to analyze the ELEE/PCAP format with Wireshark and bring LI capabilities to a well-established network analysis software. That would also be very interesting to LEAs; they would be able to use Wireshark as their official Backend data analysis tool. They use different terminology and fields to inspect data, and that is what ELEE/PCAP is all about: bridging the gap between LI and PCAP.

I have already created a dissector for Wireshark to be able to debug and analyze our internal SCTP traffic and inspect aggregated network data, for which I use Wireshark's WTAP_ENCAP_USER0 Link Layer Type. Unfortunately, I don't have the documentation/specification for ELEE/PCAP ready just yet, but that would come later on. I would like to get an official DLT for our product (LINKTYPE_ELEE), just like we got the SCTP PPID from IANA. The protocol and the dissector would be used mainly by LEAs, and I don't think it would cause any harm to the tcpdump and/or Wireshark community to get closer to being able to provide Lawful Interception features. The plan is to include the dissector in the official Wireshark version when it's finished.


Sorry for the long summary; I just wanted to give you a little intro and not cause any headaches or tech rage. I have also attached a PDF slideshow of our product which you may or may not find interesting. The interesting part is: we will be the first to offer LI systems on ARM-based SBCs (Single Board Computers).


Company info: https://sudreg.pravosudje.hr/registar/f?p=150:28:0::NO:28:P28_SBT_MBS:080973259
Website (temp until the project is finished): http://socket.hr
IANA SCTP PPID 65: https://www.iana.org/assignments/sctp-parameters/sctp-parameters.xhtml#sctp-parameters-25

P.S.
You can find some tshark output for the ELEE/PCAP protocol dissector below (both IRI and CC, the only two main PDU types).

Example tshark output for IRI:

Frame 1: 161 bytes on wire (1288 bits), 161 bytes captured (1288 bits)
    Encapsulation type: USER 0 (45)
    Arrival Time: May 10, 2019 20:21:59.2065333272 CEST
    [Expert Info (Note/Sequence): Arrival Time: Fractional second 2065333272 is invalid, the valid range is 0-1000000000]
        [Arrival Time: Fractional second 2065333272 is invalid, the valid range is 0-1000000000]
        [Severity level: Note]
        [Group: Sequence]
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1557512519.2065333272 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 161 bytes (1288 bits)
    Capture Length: 161 bytes (1288 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: elee]

ELEE Protocol
    Protocol version: 1
    PDU type: Target PDU (1)
    Source node: elee.ppd.node_1
    Destination node: .
    Target PDU
        Lawful interception identifier: dhcp_li_id
        Target PDU data type: Intercept Related Information (IRI) (1)
        Sequence number: 0
        Timestamp: May 10, 2019 18:21:59.723619839 UTC
        IRI configuration
            Active: True
            Delivery format: ELEE (3)
            Handover connection:
            Handover directory:
            Aggregation factor: 2
            Delivery timeout: 0
        Communication identifier
            Operator identifier:
            Network element identifier:
            Communication identifier number (CIN): 0
        Data part size: 95
        IP IRI
            IRI type: IRI-REPORT (4)
            Access event type: accessAttempt (0)
            Target username: 001cbf0dbfd7
            Internet access type: Unknown (0)
            IP version: IPv4 protocol (1)
            Target IPv4: 0.0.0.0
            Target network id: 00:1c:bf:0d:bf:d7
            POP port number: 0
            Target call-back number: <MISSING>
            POP IP address: 00000000
            Authentication type: AAA provided by DHCP (3)

Example tshark output for CC:

Frame 2: 161 bytes on wire (1288 bits), 161 bytes captured (1288 bits)
    Encapsulation type: USER 0 (45)
    Arrival Time: May 10, 2019 20:21:59.2087542272 CEST
    [Expert Info (Note/Sequence): Arrival Time: Fractional second 2087542272 is invalid, the valid range is 0-1000000000]
        [Arrival Time: Fractional second 2087542272 is invalid, the valid range is 0-1000000000]
        [Severity level: Note]
        [Group: Sequence]
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1557512519.2087542272 seconds
    [Time delta from previous captured frame: 0.022209000 seconds]
    [Time delta from previous displayed frame: 0.022209000 seconds]
    [Time since reference or first frame: 0.022209000 seconds]
    Frame Number: 2
    Frame Length: 161 bytes (1288 bits)
    Capture Length: 161 bytes (1288 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: elee]

ELEE Protocol
    Protocol version: 1
    PDU type: Target PDU (1)
    Source node: elee.ppd.node_1
    Destination node: .
    Target PDU
        Lawful interception identifier: test_li_id
        Target PDU data type: Content of Communication (CC) (2)
        Sequence number: 0
        Timestamp: May 10, 2019 18:27:56.677651565 UTC
        CC configuration
            Active: True
            Delivery format: ELEE (3)
            Handover connection:
            Handover directory:
            Aggregation factor: 10
            Delivery timeout: 0
        Communication identifier
            Operator identifier:
            Network element identifier:
            Communication identifier number (CIN): 0
        Data part size: 60
Ethernet II, Src: Cisco_ff:0e:7d (00:1b:53:ff:0e:7d), Dst: Dell_1a:45:8a (00:1a:a0:1a:45:8a)
    Destination: Dell_1a:45:8a (00:1a:a0:1a:45:8a)
        Address: Dell_1a:45:8a (00:1a:a0:1a:45:8a)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_ff:0e:7d (00:1b:53:ff:0e:7d)
        Address: Cisco_ff:0e:7d (00:1b:53:ff:0e:7d)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 93.138.2.16, Dst: 213.149.32.10
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 46
    Identification: 0x1f62 (8034)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 121
    Protocol: TCP (6)
    Header checksum: 0x8d2e [correct]
    [Header checksum status: Good]
    [Calculated Checksum: 0x8d2e]
    Source: 93.138.2.16
    Destination: 213.149.32.10
Transmission Control Protocol, Src Port: 1414, Dst Port: 110, Seq: 30, Ack: 39, Len: 6
    Source Port: 1414
    Destination Port: 110
    [Stream index: 0]
    [TCP Segment Len: 6]
    Sequence number: 30    (relative sequence number)
    [Next sequence number: 36    (relative sequence number)]
    Acknowledgment number: 39    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window size value: 65497
    [Calculated window size: 65497]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0x62e2 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 9]
        [The RTT to ACK the segment was: 0.002911000 seconds]
        [iRTT: 0.009309000 seconds]
        [Bytes in flight: 6]
        [Bytes sent since last PSH flag: 6]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.030199000 seconds]
        [Time since previous frame in this TCP stream: 0.002911000 seconds]
    TCP payload (6 bytes)
Post Office Protocol
    STAT\r\n
        Request command: STAT

--
Damir Franusic

email: damir.franusic () gmail com
http://ele2.io/

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
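Added example, not code from the post or from the ELEE software: a small Python pcap checker that performs the check behind the "Fractional second ... is invalid" notes in the tshark output above, so a receiver of a PCAP-format LI delivery can reject malformed record headers before analysis. The pcap bytes, the frame payloads and the second record's timestamp are constructed here; DLT_USER0 (147) is the link type the post uses until an ELEE one is assigned, and 2065333272 is the offending fraction shown in the post.

```python
import struct

MICRO_MAGIC = 0xA1B2C3D4  # classic pcap: fraction in microseconds
NANO_MAGIC = 0xA1B23C4D   # nanosecond pcap: fraction in nanoseconds
DLT_USER0 = 147           # LINKTYPE_USER0, what the post uses until LINKTYPE_ELEE exists
FRAC_LIMIT = {MICRO_MAGIC: 1_000_000, NANO_MAGIC: 1_000_000_000}

def build_pcap(magic, linktype, records):
    """Constructed little-endian pcap; records is a list of (sec, frac, payload)."""
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, linktype)
    for sec, frac, payload in records:
        out += struct.pack("<IIII", sec, frac, len(payload), len(payload)) + payload
    return out

def check_timestamps(data):
    """Walk a little-endian pcap and return (linktype, [(frame, sec, frac, ok), ...]).

    ok is False when the sub-second field exceeds what the magic number allows
    (the condition tshark reports above as an invalid fractional second).
    Truncated or unknown files raise ValueError instead of being half-parsed."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in FRAC_LIMIT:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    linktype, = struct.unpack_from("<I", data, 20)
    limit, off, frame, rows = FRAC_LIMIT[magic], 24, 1, []
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at frame %d" % frame)
        sec, frac, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        if off + 16 + incl_len > len(data):
            raise ValueError("truncated packet data at frame %d" % frame)
        rows.append((frame, sec, frac, frac < limit))
        off += 16 + incl_len
        frame += 1
    return linktype, rows

# Constructed sample: frame 1 carries the out-of-range fraction 2065333272 seen in
# the post's tshark output, frame 2 a well-formed nanosecond value.
SAMPLE = build_pcap(NANO_MAGIC, DLT_USER0,
                    [(1557512519, 2065333272, b"\x00" * 161),
                     (1557512519, 208754227, b"\x00" * 161)])

if __name__ == "__main__":
    linktype, rows = check_timestamps(SAMPLE)
    print("linktype %d" % linktype)
    for frame, sec, frac, ok in rows:
        print("frame %d: %d.%09d %s" % (frame, sec, frac, "ok" if ok else "INVALID fraction"))
```

Run against a real delivery by replacing SAMPLE with the file's bytes; a writer that emits a fraction of 1e9 or more has mixed up its time units, and the frame will be misdated by any tool that trusts the header.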