tcpdump mailing list archives
New official link-layer type request
From: Damir Franusic <damir.franusic () gmail com>
Date: Sat, 11 May 2019 16:26:34 +0200
Hi,

My name is Damir and I am a founder of a Croatian based company called Socket d.o.o. We are currently working on an ETSI compliant Lawful Interception solution; it is a work in progress but we already have a couple of clients in need of this solution.

The problem with LI is that governments impose the law on the ISPs and other Communication Providers (CSPs), making them obliged to purchase the LI software or implement it themselves. These systems are standardized to some degree by the European Telecommunications Standards Institute (ETSI), but that is just the first part of the story. LI systems are quite complex but from the perspective of LEAs (Law Enforcement Agencies), they consist of 2 parts: Backend and Frontend. Backend is actually what is normally called a GUI or a Web Interface, so the reversal of terminology can be a bit confusing at times.

ELEE software is a data interception (Frontend) system that passively tracks IP traffic and delivers the data of interest to LEAs. The format of that delivery is defined by ETSI; they describe everything in great detail by using ASN.1 notation which is then encoded using BER when sent by wire.

Why do we need a new DLT?

We would like to offer the ELEE solution to our customers (ISPs and/or CSPs), but LEAs are also a vital part of this 2-part business. LEAs are quite prone to having lots of issues with data analysis (Backend part) software, which is quite odd since they also follow ETSI governed standards. Some even demand a regular PCAP format for data delivery due to complete lack of Backend software. LI data delivery comprises both packet data and intercept metadata which is completely unrelated to the network stack. This is also one of the reasons to ask for a new DLT.

The ELEE solution supports PCAP, BER and ELEE/PCAP. We created our own protocol which is transferred using SCTP and is registered with IANA with SCTP PPID 65. We would like to offer a way to analyze the ELEE/PCAP format with Wireshark and bring LI capabilities to a well established network analysis software. That would also be very interesting to LEAs; they would be able to use Wireshark as their official Backend data analysis tool. They use different terminology and fields to inspect data, and that is what ELEE/PCAP is all about: bridging the gap between LI and PCAP.

I have already created a dissector for Wireshark to be able to debug and analyze our internal SCTP traffic and inspect aggregated network data, for which I use Wireshark's WTAP_ENCAP_USER0 Link Layer Type. Unfortunately, I don't have the documentation/specification for ELEE/PCAP ready just yet, but that would come later on. I would like to get an official DLT for our product (LINKTYPE_ELEE), just like we got the SCTP PPID from IANA. The protocol and the dissector would be used mainly by LEAs and I don't think it would cause any harm to the tcpdump and/or Wireshark community to get closer to being able to provide Lawful Interception features. The plan is to include the dissector in the official Wireshark version when it's finished.

Sorry for the long summary, I just wanted to give you a little intro and not cause any headaches or tech rage. I have also attached a PDF slideshow of our product which you may or may not find interesting. The interesting part is: we will be the first to offer LI systems on ARM based SBCs (Single Board Computers).
Company info: https://sudreg.pravosudje.hr/registar/f?p=150:28:0::NO:28:P28_SBT_MBS:080973259
Website (temp until the project is finished): http://socket.hr
IANA SCTP PPID 65: https://www.iana.org/assignments/sctp-parameters/sctp-parameters.xhtml#sctp-parameters-25

P.S. You can find some tshark output for the ELEE/PCAP protocol dissector (both IRI and CC, the only two main PDU types).
Example tshark output for IRI:

Frame 1: 161 bytes on wire (1288 bits), 161 bytes captured (1288 bits)
    Encapsulation type: USER 0 (45)
    Arrival Time: May 10, 2019 20:21:59.2065333272 CEST
        [Expert Info (Note/Sequence): Arrival Time: Fractional second 2065333272 is invalid, the valid range is 0-1000000000]
            [Arrival Time: Fractional second 2065333272 is invalid, the valid range is 0-1000000000]
            [Severity level: Note]
            [Group: Sequence]
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1557512519.2065333272 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 161 bytes (1288 bits)
    Capture Length: 161 bytes (1288 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: elee]
ELEE Protocol
    Protocol version: 1
    PDU type: Target PDU (1)
    Source node: elee.ppd.node_1
    Destination node: .
    Target PDU
        Lawful interception identifier: dhcp_li_id
        Target PDU data type: Intercept Related Information (IRI) (1)
        Sequence number: 0
        Timestamp: May 10, 2019 18:21:59.723619839 UTC
        IRI configuration
            Active: True
            Delivery format: ELEE (3)
            Handover connection:
            Handover directory:
            Aggregation factor: 2
            Delivery timeout: 0
        Communication identifier
            Operator identifier:
            Network element identifier:
            Communication identifier number (CIN): 0
        Data part size: 95
        IP IRI
            IRI type: IRI-REPORT (4)
            Access event type: accessAttempt (0)
            Target username: 001cbf0dbfd7
            Internet access type: Unknown (0)
            IP version: IPv4 protocol (1)
            Target IPv4: 0.0.0.0
            Target network id: 00:1c:bf:0d:bf:d7
            POP port number: 0
            Target call-back number: <MISSING>
            POP IP address: 00000000
            Authentication type: AAA provided by DHCP (3)

Example tshark output for CC:

Frame 2: 161 bytes on wire (1288 bits), 161 bytes captured (1288 bits)
    Encapsulation type: USER 0 (45)
    Arrival Time: May 10, 2019 20:21:59.2087542272 CEST
        [Expert Info (Note/Sequence): Arrival Time: Fractional second 2087542272 is invalid, the valid range is 0-1000000000]
            [Arrival Time: Fractional second 2087542272 is invalid, the valid range is 0-1000000000]
            [Severity level: Note]
            [Group: Sequence]
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1557512519.2087542272 seconds
    [Time delta from previous captured frame: 0.022209000 seconds]
    [Time delta from previous displayed frame: 0.022209000 seconds]
    [Time since reference or first frame: 0.022209000 seconds]
    Frame Number: 2
    Frame Length: 161 bytes (1288 bits)
    Capture Length: 161 bytes (1288 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: elee]
ELEE Protocol
    Protocol version: 1
    PDU type: Target PDU (1)
    Source node: elee.ppd.node_1
    Destination node: .
    Target PDU
        Lawful interception identifier: test_li_id
        Target PDU data type: Content of Communication (CC) (2)
        Sequence number: 0
        Timestamp: May 10, 2019 18:27:56.677651565 UTC
        CC configuration
            Active: True
            Delivery format: ELEE (3)
            Handover connection:
            Handover directory:
            Aggregation factor: 10
            Delivery timeout: 0
        Communication identifier
            Operator identifier:
            Network element identifier:
            Communication identifier number (CIN): 0
        Data part size: 60
Ethernet II, Src: Cisco_ff:0e:7d (00:1b:53:ff:0e:7d), Dst: Dell_1a:45:8a (00:1a:a0:1a:45:8a)
    Destination: Dell_1a:45:8a (00:1a:a0:1a:45:8a)
        Address: Dell_1a:45:8a (00:1a:a0:1a:45:8a)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_ff:0e:7d (00:1b:53:ff:0e:7d)
        Address: Cisco_ff:0e:7d (00:1b:53:ff:0e:7d)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 93.138.2.16, Dst: 213.149.32.10
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 46
    Identification: 0x1f62 (8034)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 121
    Protocol: TCP (6)
    Header checksum: 0x8d2e [correct]
    [Header checksum status: Good]
    [Calculated Checksum: 0x8d2e]
    Source: 93.138.2.16
    Destination: 213.149.32.10
Transmission Control Protocol, Src Port: 1414, Dst Port: 110, Seq: 30, Ack: 39, Len: 6
    Source Port: 1414
    Destination Port: 110
    [Stream index: 0]
    [TCP Segment Len: 6]
    Sequence number: 30    (relative sequence number)
    [Next sequence number: 36    (relative sequence number)]
    Acknowledgment number: 39    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window size value: 65497
    [Calculated window size: 65497]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0x62e2 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 9]
        [The RTT to ACK the segment was: 0.002911000 seconds]
        [iRTT: 0.009309000 seconds]
        [Bytes in flight: 6]
        [Bytes sent since last PSH flag: 6]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.030199000 seconds]
        [Time since previous frame in this TCP stream: 0.002911000 seconds]
    TCP payload (6 bytes)
Post Office Protocol
    STAT\r\n
        Request command: STAT

--
Damir Franusic
email: damir.franusic () gmail com
http://ele2.io/
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
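An added example, not code from the message above or from the ELEE project, showing in Python how a pcap writer and reader deal with the two things the message turns on: the link-layer type in the pcap file header (here LINKTYPE_USER0 = 147, the private-use value that Wireshark displays as "USER 0" / WTAP_ENCAP_USER0 (45) until an official number is assigned) and the timestamp defect tshark flags in the output above, where a nanosecond-resolution pcap carries fractional values such as 2065333272 that exceed the 0-999999999 range. The ELEE wire format is not published on the page, so the record payload is a constructed placeholder; the function names, the note wording and the constructed malformed capture are assumptions of this example.

```python
"""Pcap writer/reader for a private (USER) link-layer type.

Added example, not the ELEE project's code.  Constants come from the pcap
file format and the tcpdump.org link-layer type registry; the record
payload is a constructed placeholder because the ELEE wire format is not
published in the message above.
"""
import io
import struct

PCAP_MAGIC_NS = 0xA1B23C4D   # pcap with nanosecond timestamps
PCAP_MAGIC_US = 0xA1B2C3D4   # pcap with microsecond timestamps
LINKTYPE_USER0 = 147         # LINKTYPE_USER0..USER15 = 147..162, private use
LINKTYPE_ETHERNET = 1
SNAPLEN = 262144


def _fraction_limit(magic):
    """Largest valid fractional-second value + 1 for the given magic."""
    if magic == PCAP_MAGIC_NS:
        return 1_000_000_000
    if magic == PCAP_MAGIC_US:
        return 1_000_000
    raise ValueError("unsupported or big-endian pcap magic 0x%08x" % magic)


def write_pcap(linktype, records, nanosecond=True):
    """Serialise (seconds, fraction, payload) records into a pcap byte string.

    Refuses to emit a timestamp whose fractional part is outside the range
    the chosen magic allows, which is the defect tshark reports above as
    'Fractional second ... is invalid'.
    """
    magic = PCAP_MAGIC_NS if nanosecond else PCAP_MAGIC_US
    limit = _fraction_limit(magic)
    out = io.BytesIO()
    # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out.write(struct.pack("<IHHiIII", magic, 2, 4, 0, 0, SNAPLEN, linktype))
    for sec, frac, payload in records:
        if not 0 <= frac < limit:
            raise ValueError("fractional second %d outside 0-%d" % (frac, limit - 1))
        # record header: ts_sec, ts_frac, incl_len, orig_len
        out.write(struct.pack("<IIII", sec, frac, len(payload), len(payload)))
        out.write(payload)
    return out.getvalue()


def read_pcap(data):
    """Parse pcap bytes; return (linktype, records, notes).

    notes collects per-frame timestamp problems, in the spirit of Wireshark's
    expert info, instead of rejecting the whole file.
    """
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    limit = _fraction_limit(magic)
    records, notes, off, frame = [], [], 24, 0
    while off + 16 <= len(data):
        sec, frac, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        frame += 1
        payload = data[off:off + incl]
        off += incl
        if frac >= limit:
            notes.append("frame %d: fractional second %d is invalid, the valid range is 0-%d"
                         % (frame, frac, limit - 1))
        records.append((sec, frac, payload))
    return linktype, records, notes


def is_private_linktype(linktype):
    """True for the USER0..USER15 range, which is never assigned officially."""
    return 147 <= linktype <= 162


def malformed_capture():
    """Constructed pcap reproducing the bad fraction seen in the message:
    2065333272 hand-packed into a nanosecond pcap, bypassing write_pcap's check."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_NS, 2, 4, 0, 0, SNAPLEN, LINKTYPE_USER0)
    payload = b"ELEE PDU placeholder"   # constructed; real format not on the page
    rec = struct.pack("<IIII", 1557512519, 2065333272, len(payload), len(payload)) + payload
    return hdr + rec


if __name__ == "__main__":
    good = write_pcap(LINKTYPE_USER0, [(1557512519, 206533327, b"ELEE PDU placeholder")])
    print(read_pcap(good)[0], read_pcap(good)[2])   # 147 []
    print(read_pcap(malformed_capture())[2])        # one invalid-fraction note
```

Writing the fraction into the correct unit for the magic you choose (or switching to the microsecond magic if the source clock only has that resolution) makes the expert-info notes disappear; a reader that records the problem per frame rather than aborting keeps the rest of a delivery analyzable.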
Current thread:
- New official link-layer type request Damir Franusic (May 11)
- Re: New official link-layer type request Damir Franusic (May 11)
- Re: New official link-layer type request Guy Harris (May 11)
- Re: New official link-layer type request Damir Franusic (May 12)
- Re: New official link-layer type request Guy Harris (May 12)
- Re: New official link-layer type request Damir Franusic (May 12)
- Re: New official link-layer type request Guy Harris (May 12)
- Re: New official link-layer type request Damir Franusic (May 12)
- Re: New official link-layer type request Guy Harris (May 17)
- Re: New official link-layer type request Damir Franusic (May 15)
- Re: New official link-layer type request Damir Franusic (May 17)
- Re: New official link-layer type request Damir Franusic (May 11)