Ethereal-dev: RE: [Ethereal-dev] implementing a dissector for PPP sent over a CDMA1x data netw

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: "Michael Lum" <mlum@xxxxxxxxxxxxx>
Date: Fri, 5 Dec 2003 08:21:23 -0800
With respect to the standards you can probably get those free

at www.3gpp2.org

(NOTE the "2").

The numbering will be different but the title should be the same
and there may be a cross-reference to the TIA/EIA title.

> -----Original Message-----
> From: ethereal-dev-bounces@xxxxxxxxxxxx
> [mailto:ethereal-dev-bounces@xxxxxxxxxxxx]On Behalf Of Guy Harris
> Sent: Friday, December 05, 2003 12:35 AM
> To: Chris Greening
> Cc: ethereal-dev@xxxxxxxxxxxx
> Subject: Re: [Ethereal-dev] implementing a dissector for PPP sent over a
> CDMA1x data network
>
>
> On Thu, Dec 04, 2003 at 11:14:15AM -0000, Chris Greening wrote:
> > We are trying to add support to ethereal for data captured off a CDMA
> > 1x data network.
> >
> > Most of the packets we capture contain PPP encapsulated in HDLC
> > framing.  Instead of the usual 0x880b identifier for PPP we get 0x8881.
> > So far, we've modified ethereal to accept this value and strip off the
> > HDLC framing and almost all of our packets are decoded correctly.
> >
> > However, every so often we receive three packets in a row that look
> > like the one below.  The strange thing about this packet is that there
> > is no HDLC framing, and the encapsulated IP packet seems to be
> > truncated.
> >
> > This is happening to about 20% of the packets that we are sniffing.
> > We've tried it with several different sniffers (Network Associates
> > Sniffer and Agilent Advisor) on a highly loaded network and on a test
> > network with minimal load and get the same results.
> >
> > Does anyone have any ideas on how (or if) we can decode the data?
> > We're not sure if the data is some symptom of a problem on the network
> > or just a symptom of how limited our knowledge of the protocol is.
> >
> > Frame 765 (66 bytes on wire, 66 bytes captured)
> > Ethernet II, Src: 08:00:3e:03:02:01, Dst: 00:07:4f:87:90:1c
> > Internet Protocol, Src Addr: 10.160.31.69 (10.160.31.69), Dst
> Addr: 10.160.31.107 (10.160.31.107)
> > Generic Routing Encapsulation
> > Point-to-Point Protocol
> >    Protocol: IP (0x0021)
>
> OK, so this is PPP encapsulated inside GRE.
>
> > Internet Protocol
> >    Version: 0
> >    Header length: 8 bytes (bogus, must be at least 20)
> >
> > 00 07 4f 87 90 1c
>
> Destination MAC address for the Ethernet packet.
>
> > 08 00 3e 03 02 01
>
> Source MAC address.
>
> > 08 00
>
> Ethernet type IP.
>
> > 45
>
> IP version/header length; 4 means IPv4, 5 means 5 words or 20 bytes of
> header.
>
> > 00
>
> IP type-of-service.
>
> > 00 30
>
> IP total length, 48 bytes - minus 20 bytes for header, that's 28 bytes.
>
> > 1d 68
>
> IP ID.
>
> > 00 00
>
> IP flags and fragment offset - no fragmentation.
>
> > 40
>
> IP Time-to-live.
>
> > 2f
>
> IP protocol - GRE.
>
> > 09 48
>
> IP header checksum.
>
> > 0a a0 1f 45
>
> Source IP address.
>
> > 0a a0 1f 6b
>
> Destination IP address.
>
> > 20 00
>
> GRE flags and version.  "Key Present" is set, other flags aren't, and
> version number is 0.
>
> > 88 81
>
> GRE protocol type - an Ethernet type; 8881 is, according to
>
> 	http://standards.ieee.org/regauth/ethertype/type-pub.html
>
> registered to "TIA", in Arlington, Virginia, USA.  I assume that's the
> Telecommunications Industry Association:
>
> 	http://www.tiaonline.org/
>
> but I have no idea what they're using it for.  (The various Google
> searches I tried found nothing
>
> > 00 00 00 91
>
> GRE Key field.
>
> > Encapsulated IP packet:
> >
> >                               21 02 01 00 10 02
> > 06 00 2d 0f 00 03 06 0a a0 1f 63 64 08 7e fe 11
> > d3 01
>
> Whatever it is, it's not IP - there's no 45, or even any 4x for x >= 5,
> in there.
>
> If that's what follows the GRE Key field, that's a PPP packet:
>
> > 21
>
> PPP protocol type - IP.
>
> > 02 01 00 10 02
> > 06 00 2d 0f 00 03 06 0a a0 1f 63 64 08 7e fe 11
> > d3 01
>
> That's the encapsulated packet, whatever the heck it is.
>
> Searching through the TIA's list of standards:
>
> 	http://www.tiaonline.org/standards/tia_catalog.pdf
>
> for "cdma" found standard TSB115:
>
>
http://www.tiaonline.org/standards/search_results2.cfm?document_no=TSB115

	Document #: TSB115

	Title: cdma2000(R) Wireless IP Architecture Based on IETF
	    Protocols (2000)

	Committee: TR-45.6

	Published: December 1, 2000

	Category: Telecommunications

	Description: This document describes the packet data system
	    architecture for a third generation wireless system based on
	    IMT-2000

I've no idea whether that standard describes what's going on with
Ethernet type 8881 or not.  You might want to look through the TIA
catalog of standards, but note that

	1) the standards cost money

and

	2) they appear to send you to Global Engineering Resources for
	   the standard, and the Global Engineering Resources site lists
	   the CD-ROM price as $76.00 and the download price as "N/A",
	   which I fear means "you can only get this on a CD-ROM, you
	   can't get it downloaded".

_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev