
Wireshark-dev: Re: [Wireshark-dev] Redback Lawful Intercept Dissector

From: Florian Lohoff <flo@xxxxxxxxxx>
Date: Thu, 10 Apr 2008 17:21:23 +0200
On Thu, Apr 10, 2008 at 10:21:28AM -0400, Jeff Morriss wrote:
> Andrew Feren wrote:
> >I've recently started getting a number of false positive hits from the new
> >Redback Lawful Intercept heuristic.  I was going to try and tighten up the
> >heuristic a bit, but I can't find any sort of protocol specification.
> >
> >Basically I use some protocols that start with a 32 bit version number. 
> >However since the version numbers are all well below 65,535 the first two
> >bytes are always 0.  The Redback heuristic sees this as an end of header
> >marker and returns true.
> >
> >My thought was to return false if the first avptype is an end of header
> >marker, but without a protocol spec I can't be sure that this is actually
> >an invalid redback packet.
> >
> >Anyone have any more details?
> 
> The dissector came in via 
> http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2320
> 
> I'm not sure if Florian is a member of this list or not.  Florian, can 
> you provide some pointers?  (What about the Wiki page I asked for after 
> checking in the dissector?)

I thought about packets being all zero after the patch got added 
and that might end up being taken by the redbackli dissector
accidentally.

I'll try to cook up a patch tonight which checks for the existence of some 
"essential" avps ...

Basically the protocol is unpublished and I reverse engineered it
from traces. It's a packet header for forwarding lawful intercept traffic
from a RedBack Smartedge Router to some device which passes the traffic
on to some government bodies. To differentiate the different lawful
intercept sessions one can either use a "label" and/or a "lawful intercept
id". At least one of those two and a sequence number should be present
before an "eoh" avp ...

Attached is a simple trace - the traffic is artificial, which is the cause
for the encapsulated udp packet being broken ...

Flo
-- 
Florian Lohoff                  flo@xxxxxxxxxx             +49-171-2280134
Those who would give up a little freedom to get a little
security shall soon have neither - Benjamin Franklin

Attachment: redbackli-example.pcap
Description: application/cap

Attachment: signature.asc
Description: Digital signature
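As an added illustration that is not part of the original thread or of the Wireshark dissector itself, the following stand-alone Python model contrasts the heuristic as Andrew describes it (accept as soon as an eoh avp is seen) with the tightening Florian proposes (reject a leading eoh and require a sequence number plus a label and/or LI id before eoh). The AVP layout (one-byte type, one-byte length, value) and the type codes are assumptions made for the example, since the protocol is unpublished.

```python
# Stand-alone model of the redbackli heuristic discussed in the thread.
# Assumed AVP layout: 1-byte type, 1-byte length, value; type 0 / length 0 is EOH.
# The type codes below are assumed for illustration only (protocol is unpublished).
AVP_EOH = 0x00
AVP_SEQNO = 0x01   # sequence number (assumed code)
AVP_LIID = 0x02    # lawful intercept id (assumed code)
AVP_LABEL = 0x14   # label (assumed code)


def parse_avps(data: bytes):
    """Walk the AVP chain up to EOH; return (types seen, payload offset),
    or None if the chain is truncated or never reaches EOH."""
    types, offset = set(), 0
    while offset + 2 <= len(data):
        avptype, avplen = data[offset], data[offset + 1]
        if avptype == AVP_EOH:
            return types, offset + 2
        if offset + 2 + avplen > len(data):
            return None          # AVP value runs past the end of the packet
        types.add(avptype)
        offset += 2 + avplen
    return None                  # ran out of bytes without seeing EOH


def naive_heuristic(data: bytes) -> bool:
    """Behaviour described in the thread: accept once an EOH AVP is reached."""
    return parse_avps(data) is not None


def tightened_heuristic(data: bytes) -> bool:
    """Proposed fix: no leading EOH, and the essential AVPs (sequence number
    plus label and/or LI id) must appear before EOH."""
    if len(data) < 2 or data[0] == AVP_EOH:
        return False             # a 32-bit version number < 65536 lands here
    parsed = parse_avps(data)
    if parsed is None:
        return False
    types, _ = parsed
    return AVP_SEQNO in types and (AVP_LIID in types or AVP_LABEL in types)


# Constructed samples (not from the attached trace).
VERSION_PKT = bytes([0, 0, 0, 1]) + b"payload"   # header starting with version 1
LI_PKT = (bytes([AVP_SEQNO, 4, 0, 0, 0, 7]) + bytes([AVP_LIID, 4]) + b"LI01"
          + bytes([AVP_EOH, 0]) + b"payload")   # seqno 7, LI id "LI01", EOH
NO_SEQ_PKT = bytes([AVP_LABEL, 2, 0x12, 0x34]) + bytes([AVP_EOH, 0]) + b"payload"
TRUNC_PKT = bytes([AVP_SEQNO, 10, 1])            # length field exceeds the packet
```

Running the two functions over the samples shows the version-number packet is the only one the naive check accepts that the tightened check rejects for the reason discussed; the truncated packet fails both.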