Menu
▾
▴
#13 fix for direct input from avm fritzbox
Hello,
i'm not a professional programmer, but i've written a fix for direct capture from avm fritzbox with fritzdump.sh.
I've inserted this before the 802.1Q VLAN filters.
// PPPoE if ((offset_to_ip == 14) && ntohs(*((uint16_t*)((char*)pkt_data + offset_to_ip - 2))) == 0x8864) { header_ip = (iphdr *)((char*)pkt_data + offset_to_ip + 8); } // PPPoE with VLAN if ((offset_to_ip == 14) && ntohs(*((uint16_t*)((char*)pkt_data + offset_to_ip - 2))) == 0x8100 && ntohs(*((uint16_t*)((char*)pkt_data + offset_to_ip + 2))) == 0x8864) { header_ip = (iphdr *)((char*)pkt_data + offset_to_ip + 12); }
This works very nice, but corrently only for IPv4 traffic.
On IPv6 traffic i get this:
Can't get ip/port from SDP: v=0 o=user 1932150 1932150 IN IP6 2001:16b8:4102:d1fe:9a9b:cbff:fe56:fc96 s=call c=IN IP6 2001:16b8:4102:d1fe:9a9b:cbff:fe56:fc96 t=0 0 m=audio 7078 RTP/AVP 8 0 2 102 100 99 97 101 a=sendrecv a=rtpmap:2 G726-32/8000 a=rtpmap:102 G726-32/8000 a=rtpmap:100 G726-40/8000 a=rtpmap:99 G726-24/8000 a=rtpmap:97 iLBC/8000 a=fmtp:97 mode=30 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-15 a=rtcp:7079 a=ptime:20 Skipping udp packet 2001:8d8:104:0:212:227:124:68:46344->2001:16b8:4102:d1fe:9a9b:cbff:fe56:fc96:7078 Can't get ip/port from SDP: v=0 o=tsbc-frnk-de56 0 1 IN IP6 2001:8d8:104:0:212:227:124:68 s=sip call c=IN IP6 2001:8d8:104:0:212:227:124:68 t=0 0 a=rtpengine:c92eac1594bd m=audio 46344 RTP/AVP 8 101 a=rtpmap:8 PCMA/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-15 a=sendrecv a=rtcp:46345 a=ptime:20 Skipping udp packet 2001:8d8:104:0:212:227:124:68:46344->2001:16b8:4102:d1fe:9a9b:cbff:fe56:fc96:7078 Skipping udp packet 2001:8d8:104:0:212:227:124:68:46344->2001:16b8:4102:d1fe:9a9b:cbff:fe56:fc96:7078 Skipping udp packet 2001:16b8:4102:d1fe:9a9b:cbff:fe56:fc96:7078->2001:8d8:104:0:212:227:124:68:46344 Skipping udp packet 2001:8d8:104:0:212:227:124:68:46344->2001:16b8:4102:d1fe:9a9b:cbff:fe56:fc96:7078 Skipping udp packet 2001:16b8:4102:d1fe:9a9b:cbff:fe56:fc96:7078->2001:8d8:104:0:212:227:124:68:46344
Maybe someone who has more knowledge than i and can make it better ;)
Thanks!
Hi Oliver, thanks for reporing this. Would you be able to attach a .pcap file with pppoe ipv4/ipv6 sip packets? Just one packet for each(ipv4/ipv6) would be enough.
When the provider is forcing a dual stack lite tunnel, its nearly impossible for pcapsipdump to find some packets.
Unknown SIP method:''!
Skipping udp packet 2001:16b8:4102:c71e:3a10:d5ff:fe0c:93fc:7078->2001:8d8:104:0:212:227:124:6:23252
Skipping udp packet 2001:16b8:4102:c71e:3a10:d5ff:fe0c:93fc:7078->2001:8d8:104:0:212:227:124:6:23252
Skipping udp packet 2001:16b8:4102:c71e:3a10:d5ff:fe0c:93fc:7078->2001:8d8:104:0:212:227:124:6:23252
Skipping udp packet 2001:16b8:4102:c71e:3a10:d5ff:fe0c:93fc:7078->2001:8d8:104:0:212:227:124:6:23252
Skipping udp packet 2001:16b8:4102:c71e:3a10:d5ff:fe0c:93fc:7078->2001:8d8:104:0:212:227:124:6:23252
Skipping udp packet 2001:8d8:104:0:212:227:124:6:23252->2001:16b8:4102:c71e:3a10:d5ff:fe0c:93fc:7078
Skipping udp packet 2001:16b8:4102:c71e:3a10:d5ff:fe0c:93fc:7078->2001:8d8:104:0:212:227:124:6:23252
Skipping udp packet 2001:8d8:104:0:212:227:124:6:23252->2001:16b8:4102:c71e:3a10:d5ff:fe0c:93fc:7078
So bad :(
Edit:
Added a capture of ds lite tunnel.
Last edit: Oliver Stange 2020-01-17
[r154] should deal with DS-lite and some IPv6 fragmented packets, but latter is quite limited similarly to the IPv4 fragmenation handler - RTP will only be picked up if enough of SDP (m= and c=) are included in first fragment.
Related
Commit: [r154]
Did you test it against the cap file?
Still does not work or do i need to add my fix after fresh svn checkout?
To verify that i have no old stuff i did
rm -fr pcapsipdump-code
rm /usr/sbin/pcapsipdump
Yes, of course. thank you for attaching.
I've integrated your fix as [r152]
With a fresh svn checkout, you should see SIP working on both native IPv6 and IPv4-tunneled-in-IPv6 (as is customary to do in DS-lite). However, RTP will likely still be missing (if SDP is not in the first fragment, like it is in the attached pcap). To make that work, we need teach pcapsipdump to do full segment reassembly. I'll add this on to-do list.
Related
Commit: [r152]
Capture with ds lite still does not work, but with real dual stack it works now, but only on the pppoe interface without vlan (7).
The pppoe interface with vlan gives me masses of this here:
And when i capture the lan interface it works, but now shows me this:
First one (8100 0007 8864 1100 27c3 05d6) appears to be PPPoE inside an 802.1Q VLAN. I've added this in [r155] (untested, I don't have any pcaps with such traffic)
On the LAN:
- Ethernet tag 86dd is IPv6 - added in [r156]
- Ethernet tag 88e1 homeplug (ethernet over powerline) protocol: https://en.avm.de/service/fritzbox/fritzbox-7360/knowledge-base/publication/show/249_Firewall-reports-attacks-on-TCP-port-80-or-14013-or-unsolicited-packets-of-type-0x88e1/
- Ethernet tag 8912 - can't figure this one out. Do you see Wireshark saying anything sensible about those?
Related
Commit: [r155]
Commit: [r156]
Ok some more is working.
Seems IPv4 works without ds lite.
But IPv6 is not working yet neither with or without ds lite.
Here some captures:
Last edit: Oliver Stange 2020-01-17
On IPv6 without ds lite i'm getting this:
Would be very nice if someone can fix this, i really need it for my work.
I tried some tricks with tshark to filter sip/rtp/rtcp only traffic, because it cant filter (-f) from pipe stream.
But the rtp packets are not visible as those. Maybe the same problem as with pcapsipdump.
I found a solution to get working files. Tshark has a option to export PDUs.
This works for me.
Maybe you can add support for this "57 Unknown interface type (252)." so we can pipe from tshark into pcapsipdump :D