Wireshark-dev: Re: [Wireshark-dev] decoding thru unencrypted VPN tunnel

From: Bill Fassler <bill.fassler@xxxxxxxxx>
Date: Tue, 13 Mar 2007 13:03:26 -0700 (PDT)
Sure, here is one typical packet. In this particular case the VPN protocol (PPP?) is 5 bytes and sits at the beginning of this payload: the final byte (value of 18 here) is apparently a sequence number, as it increases by one in each packet. The middle 3 bytes aren't overly informative, and I assume this is because the encryption key is set to NULL for debug purposes. I would have thought that the first byte (0x30) would identify the VPN overhead protocol, but I'm not sure. The rest past those 5 bytes is encapsulated IP traffic, which should resolve down to RTP audio. Let me know if there is anything else that could be helpful.

0000  30 00 00 00 18 45 00 00 c8 00 00 40 00 3f 11 26   0....E.....@.?.&
0010  e2 0a 0a 00 16 0a 0a 00 1a 05 98 04 d8 00 b4 3b   ...............;
0020  63 80 00 00 07 08 5e 8f db a1 f8 0f 55 7d 7b 7b   c.....^.....U}{{
0030  7d 7d 7e ff 7f 7e fe fc fd fc fe ff fd fe 7e 7b   }}~..~........~{
0040  7a 7d fe fd fc fe 7e 7f fd fb fa fd fe fe fe 7e   z}....~........~
0050  7c 7b 7b 7d 7e 7f fe fd ff fe fc fe 7b 7c ff 7e   |{{}~.......{|.~
0060  7e fe fe fe fe fd fe fe fe 7e 7c 7c 7e ff 7f fe   ~........~||~...
0070  7f 7e fd fc fe ff fc fd fe fe ff 7f 7e 7b 7b 7b   .~..........~{{{
0080  7e fe fc fc fe 7d 7c 7f fe ff 7d 7c fd fa fc fd   ~....}|...}|....
0090  7f 7e fe ff 7f 7d 7f fe fe fe 7e 7d 7b 7c fe fc   .~...}....~}{|..
00a0  fc fe 7e 7d 7e 7f fe 7e 7e fc fc fb fd 7e 7f fb   ..~}~..~~....~..
00b0  fc 7f 7e 7d 7b 7c 7d 7d 7d 7e 7d 7e fe fd fe 7e   ..~}{|}}}~}~...~
00c0  fe fd fe 7e 7c 7b 7f fc fa fc fd fb fa            ...~|{.......


Stephen Fisher <stephentfisher@xxxxxxxxx> wrote:
On Tue, Mar 13, 2007 at 10:47:44AM -0700, Bill Fassler wrote:

> My traffic is encapsulated in a VPN tunnel, when it is unencrypted I
> can see the start of the IP protocol 5 bytes into the payload. The
> first 5 bytes are overhead protocols for the tunnel itself (some form
> of PPP I believe). In any event I could care less at this time about
> those 5 bytes and I don't even understand that protocol enough at the
> moment to dissect and decode it (nor am I interested).

It would be best to build a dissector that understands these top 5 bytes
and figures out that the payload is IP. Could you send a packet trace
with a few packets in it, so maybe we could help figure out what the
protocol is?


Steve
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev



Attachment: example_vpn_traffic.pcap
Description: 3574317221-example_vpn_traffic.pcap
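As an added example (not code from this thread, from Bill, or from Wireshark), the following Python script does by hand what the thread is asking for: it reads the hex dump posted above, locates the inner IPv4 header by checking the version/IHL byte, the header checksum and the total-length field, strips the 5 bytes of tunnel overhead, and decodes the IPv4, UDP and RTP headers that follow. The checksum and length checks are the quick test of whether the "5 bytes in" assumption is right for every frame, not just this one. It also builds a classic pcap file with link type 228 (LINKTYPE_IPV4) from the stripped packets, which lets Wireshark dissect them as IP/UDP/RTP without a custom dissector. The function names and the output file name are my own; the hex dump is the one from the message above.

```python
import re
import struct

# Hex dump copied from the message above (offset and ASCII columns included).
FRAME_DUMP = """
0000  30 00 00 00 18 45 00 00 c8 00 00 40 00 3f 11 26   0....E.....@.?.&
0010  e2 0a 0a 00 16 0a 0a 00 1a 05 98 04 d8 00 b4 3b   ...............;
0020  63 80 00 00 07 08 5e 8f db a1 f8 0f 55 7d 7b 7b   c.....^.....U}{{
0030  7d 7d 7e ff 7f 7e fe fc fd fc fe ff fd fe 7e 7b   }}~..~........~{
0040  7a 7d fe fd fc fe 7e 7f fd fb fa fd fe fe fe 7e   z}....~........~
0050  7c 7b 7b 7d 7e 7f fe fd ff fe fc fe 7b 7c ff 7e   |{{}~.......{|.~
0060  7e fe fe fe fe fd fe fe fe 7e 7c 7c 7e ff 7f fe   ~........~||~...
0070  7f 7e fd fc fe ff fc fd fe fe ff 7f 7e 7b 7b 7b   .~..........~{{{
0080  7e fe fc fc fe 7d 7c 7f fe ff 7d 7c fd fa fc fd   ~....}|...}|....
0090  7f 7e fe ff 7f 7d 7f fe fe fe 7e 7d 7b 7c fe fc   .~...}....~}{|..
00a0  fc fe 7e 7d 7e 7f fe 7e 7e fc fc fb fd 7e 7f fb   ..~}~..~~....~..
00b0  fc 7f 7e 7d 7b 7c 7d 7d 7d 7e 7d 7e fe fd fe 7e   ..~}{|}}}~}~...~
00c0  fe fd fe 7e 7c 7b 7f fc fa fc fd fb fa            ...~|{.......
"""

LINKTYPE_IPV4 = 228   # pcap link type: each record starts at the IPv4 header


def parse_hexdump(dump):
    """Convert a Wireshark-style hex dump into bytes.
    Columns (offset, hex bytes, ASCII) are separated by two or more spaces."""
    data = bytearray()
    for line in dump.strip().splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        data.extend(int(tok, 16) for tok in cols[1].split())
    return bytes(data)


def ipv4_checksum(header):
    """RFC 1071 ones-complement sum of 16-bit words; returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def looks_like_ipv4(data):
    """Plausible IPv4 header: version 4, IHL 5, valid checksum, and a total
    length that fits in the bytes that follow (trailing padding is tolerated)."""
    if len(data) < 20 or data[0] != 0x45:
        return False
    total_len = struct.unpack("!H", data[2:4])[0]
    return ipv4_checksum(data[:20]) == 0 and 20 <= total_len <= len(data)


def find_ipv4_offset(frame, max_offset=16):
    """Offset of the first plausible IPv4 header in the frame, or None."""
    for off in range(max_offset + 1):
        if looks_like_ipv4(frame[off:]):
            return off
    return None


def decode_frame(frame):
    """Split one tunnel frame into tunnel header, IPv4, UDP and RTP fields."""
    off = find_ipv4_offset(frame)
    if off is None:
        raise ValueError("no IPv4 header found in the first 16 bytes")
    tunnel, ip = frame[:off], frame[off:]
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    info = {
        "tunnel_header": tunnel.hex(),
        "tunnel_last_byte": tunnel[-1] if tunnel else None,  # Bill's sequence counter
        "ip_total_length": total_len,
        "ip_ttl": ttl,
        "ip_proto": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }
    if proto != 17:                       # only UDP is expected to carry RTP here
        return info
    l4 = ip[(ver_ihl & 0x0F) * 4:total_len]
    sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", l4[:8])
    info.update(udp_sport=sport, udp_dport=dport, udp_length=udp_len)
    rtp = l4[8:udp_len]
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", rtp[:12])   # RFC 3550 fixed header
    info.update(
        rtp_version=b0 >> 6, rtp_padding=(b0 >> 5) & 1, rtp_extension=(b0 >> 4) & 1,
        rtp_csrc_count=b0 & 0x0F, rtp_marker=b1 >> 7, rtp_payload_type=b1 & 0x7F,
        rtp_seq=seq, rtp_timestamp=ts, rtp_ssrc=ssrc,
        rtp_payload_len=len(rtp) - 12 - 4 * (b0 & 0x0F),
    )
    return info


def build_raw_ip_pcap(ip_packets, snaplen=65535):
    """Classic pcap (magic 0xa1b2c3d4, link type LINKTYPE_IPV4) holding IP packets
    with the tunnel header already removed; timestamps are synthetic (1 s apart)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_IPV4)
    for i, pkt in enumerate(ip_packets):
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out


if __name__ == "__main__":
    frame = parse_hexdump(FRAME_DUMP)
    for key, value in decode_frame(frame).items():
        print(f"{key:18} {value}")
    # Re-wrap the inner IP packet so Wireshark can open it with its stock dissectors.
    with open("inner_ip.pcap", "wb") as fh:
        fh.write(build_raw_ip_pcap([frame[find_ipv4_offset(frame):]]))
```

On this frame the search lands at offset 5, the header checksum 0x26e2 verifies, and IP total length 200 plus 5 bytes of tunnel overhead equals the 205 bytes in the dump, so the offset is confirmed rather than assumed. The inner packet is UDP 10.10.0.22:1432 to 10.10.0.26:1240 carrying RTP version 2, payload type 0 (PCMU in the RFC 3551 static table), sequence 7, with a 160-byte payload, which is 20 ms of 8 kHz audio; the repeated 0x7e/0xff/0xfe values are mu-law codes of very small amplitude, consistent with near-silence. Opening the generated inner_ip.pcap in Wireshark gives the IP/UDP/RTP tree directly, which is a useful stopgap while a proper dissector for the 5-byte header is written.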