Wireshark-dev: [Wireshark-dev] wireshark handles SCTP association indexing wrong under some cir

From: Ariel Burbaickij <ariel.burbaickij@xxxxxxxxx>
Date: Wed, 6 Dec 2023 12:08:33 +0100
Hello all,

We have a special setup here: SS7 E1 is converted to SCTP traffic with the following basic schema (I cannot share the capture itself, just in case):
-- there are no INITs, HEARTBEATs/ACK, SACKs, just DATA chunks sent in both directions as containers for the traffic on higher layers.
-- each linkset, of which there are many, is represented like this:
  1.1.1.1 <-> 2.2.2.2
  3.3.3.3 <-> 4.4.4.4
  5.5.5.5 <-> 6.6.6.6
  etc.
so that one and the same IP address is never re-used for several associations, and <-> means bidirectional traffic. All associations use the same port 2904 on both sides.


The vtags used per direction are the last two bytes of the source IP in the least significant bytes of the vtag field, so for the second association it is:

0x00000303 from 3.3.3.3 to 4.4.4.4
and
0x00000404 from 4.4.4.4 to 3.3.3.3
etc.

and TSNs are verified to be accurate too.

Now, upon selecting the packet from, say, 3.3.3.3 to 4.4.4.4 and "Analyse this Association", we get a multi-homed association reported, with always the larger vtag reported as part of the association, so as a matter of example:

Endpoint 1 is 1.1.1.1 and 3.3.3.3 (vtag 0x00000303)
Endpoint 2 is 2.2.2.2 and 4.4.4.4 (vtag 0x00000404)

So, why does the analysis fail here, where it should not?

Kind Regards
Ariel Burbaickij