This e-mail was sent previously to the development mailing list, but it has been pending approval for more than a week, so I guess it is OK to (cross-)post it here:
We have a special setup here:
SS7 E1 is converted to SCTP traffic with the following basic schema (I
cannot share capture itself, just in case):
-- there are no INITs, HEARTBEATs/ACK, SACKs, just DATA chunks sent in
both directions as containers then for the traffic on higher layers.
-- each linkset, of which there are many, is represented like this:
1.1.1.1 <-> 2.2.2.2
3.3.3.3 <-> 4.4.4.4
5.5.5.5 <-> 6.6.6.6
etc.
so that one and the same IP address is never re-used for several
associations and <-> means bidirectional traffic. All associations
use the same port 2904 on both sides.
vtags used per direction are the last two bytes of the source IP in the
least significant bytes of the vtag field, so for the second association it is:
0x00000303 from 3.3.3.3 to 4.4.4.4
and
0x00000404 from 4.4.4.4 to 3.3.3.3
etc.
and TSNs are verified to be accurate too.
Now, upon selecting the packet from, say, 3.3.3.3 to 4.4.4.4 and "Analyse
this Association", we get a multi-homed association reported with always
larger vtag reported as part of association, so as a matter of example:
Endpoint 1 is 1.1.1.1 and 3.3.3.3 (vtag 0x00000303)
Endpoint 2 is 2.2.2.2 and 4.4.4.4 (vtag 0x00000404)
So, why does the analysis fail here, where it should not?
Kind Regards
Ariel Burbaickij
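
Added example, not part of the original message and not Wireshark's own logic: a small Python check that groups DATA-only packets by address pair and verifies the vtag rule described above, so the expected one-association-per-address-pair result can be compared with what the analysis dialog reports. The function names and the packet tuples are assumptions; the vtags for 1.1.1.1/2.2.2.2 and 5.5.5.5/6.6.6.6 are constructed by applying the stated rule.

```python
import ipaddress

PORT = 2904  # same port on both sides of every association, per the post

def expected_vtag(src_ip):
    """Low 16 bits of the vtag = last two bytes of the source IP."""
    return int(ipaddress.IPv4Address(src_ip)) & 0xFFFF

def group_associations(packets):
    """Group DATA-only packets by unordered (address, port) pair.

    Returns (associations, mismatches). associations maps
    (ip_a, ip_b, port_a, port_b) -> {src_ip: set of vtags seen from it};
    mismatches lists packets whose vtag breaks the rule above.
    """
    associations, mismatches = {}, []
    for src, dst, sport, dport, vtag in packets:
        # Order the two endpoints numerically so both directions share a key.
        ends = sorted([(src, sport), (dst, dport)],
                      key=lambda e: (int(ipaddress.IPv4Address(e[0])), e[1]))
        key = (ends[0][0], ends[1][0], ends[0][1], ends[1][1])
        associations.setdefault(key, {}).setdefault(src, set()).add(vtag)
        if vtag != expected_vtag(src):
            mismatches.append((src, dst, vtag))
    return associations, mismatches

# Constructed sample: (src, dst, sport, dport, vtag), no INIT/SACK/HEARTBEAT.
SAMPLE = [
    ("1.1.1.1", "2.2.2.2", PORT, PORT, 0x00000101),
    ("2.2.2.2", "1.1.1.1", PORT, PORT, 0x00000202),
    ("3.3.3.3", "4.4.4.4", PORT, PORT, 0x00000303),
    ("4.4.4.4", "3.3.3.3", PORT, PORT, 0x00000404),
    ("5.5.5.5", "6.6.6.6", PORT, PORT, 0x00000505),
    ("6.6.6.6", "5.5.5.5", PORT, PORT, 0x00000606),
]

if __name__ == "__main__":
    associations, mismatches = group_associations(SAMPLE)
    for (ip_a, ip_b, pa, pb), tags in sorted(associations.items()):
        shown = {ip: sorted(hex(v) for v in vs) for ip, vs in tags.items()}
        print(f"{ip_a}:{pa} <-> {ip_b}:{pb}  vtags by source: {shown}")
    print("vtag rule violations:", mismatches)
```

With the sample above this yields three single-homed associations; a real capture would need to be exported to the same tuple form first.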