
mobile - Can anyone guess what protocol these packets belong to?


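We are seeing these packets injected into the FTP-DTP channel during a downlink file transfer on Telstra's NEXTG mobile network. We are not sure whether these are network-level packets, a problem with our 3G modem (HC25-based), or something like our firewall injecting into the stream.

Using a tool, we noticed that the PPP framing fails with protocol length errors, so they are most likely mobile network packets.

I am hoping someone here can identify the signature of the packets so that I can chase this up with the appropriate vendor.

There is definitely a format to these packets:

Packet 1: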
00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 01 10 f4 4e 00 00 40 06 2f 13 cb 7a 9d e9 7b d0 71 52 7a ed 04 06 8c 61 5d a9 0 1c ff ff 58 b9 00 00

Packet 2:
00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 00 ff 6b 50 00 00 40 06 b8 22 cb 7a 9d e9 7b d0 71 52 7a ed 04 06 8c 70 7b 850 1c 04 06 8c 70 7b 850 1c ff ff a3 79 00 00

Packet 3:
00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 02 20 5b 50 00 00 40 06 c7 01 cb 7a 9d e9 7b d0 71 52 7a ed 04 06 8c 61 7c 50c 1 f 61 7c 50c ff ff e2 5d 00 00

Packet 4:
00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 01 38 d8 52 00 00 40 06 4a e7 cb 7a 9d e9 7b d0 71 52 7a ed 04 06 8c 62 42 f9 0 1 0 ff ff 20 91 00 00

Packet 5:
00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 00 d0 4d 58 00 00 40 06 d6 49 cb 7a 9d e9 7b d0 71 52 7a ee 04 08 4b 155 0b 1 8f 05 ff ff e9 88 00 00

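Best answer

I converted your packet trace snippets into a format that text2pcap understands, so that I could convert them to pcap format for viewing in Wireshark (a very handy packet capture and analysis tool):

At a rough guess it looks like some sort of IPv4 multicast traffic. Here is what I got from the first packet (the rest came up as malformed):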

No.     Time        Source                Destination           Protocol Info
1 0.000000 7b:1a:00:90:7f:43 00:00:00_24:c4:b8 0x0fa1 Ethernet II

Frame 1 (31 bytes on wire, 31 bytes captured)
Arrival Time: Dec 1, 2009 00:33:05.000000000
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 31 bytes
Capture Length: 31 bytes
[Frame is marked: False]
[Protocols in frame: eth:data]
Ethernet II, Src: 7b:1a:00:90:7f:43 (7b:1a:00:90:7f:43), Dst: 00:00:00_24:c4:b8 (00:00:00:24:c4:b8)
Destination: 00:00:00_24:c4:b8 (00:00:00:24:c4:b8)
Address: 00:00:00_24:c4:b8 (00:00:00:24:c4:b8)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 7b:1a:00:90:7f:43 (7b:1a:00:90:7f:43)
Address: 7b:1a:00:90:7f:43 (7b:1a:00:90:7f:43)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
Type: Unknown (0x0fa1)
Data (17 bytes)

0000 08 00 45 00 01 10 f4 4e 00 00 40 06 2f 13 cb 7a ..E....N..@./..z
0010 9d .
Data: 080045000110F44E000040062F13CB7A9D
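
An added example, not part of the original question or answer: it tests an alternative reading of the posted bytes, namely that an Ethernet II header sits behind a short prefix, by scanning for EtherType 0x0800 followed by an IPv4 header whose checksum verifies. The function names and the scanning approach are assumptions of this example; the input is the first 40 bytes of packet 1 as posted.

```python
import ipaddress
import struct

# First 40 bytes of "packet 1" exactly as posted in the question; the bytes
# after these are garbled in the post and are left out.
PACKET1_HEX = (
    "00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 "
    "45 00 01 10 f4 4e 00 00 40 06 2f 13 cb 7a 9d e9 "
    "7b d0 71 52 7a ed 04 06"
)

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum; 0xFFFF over a header means a valid checksum."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def find_ipv4(frame: bytes):
    """Scan for EtherType 0x0800 followed by a checksum-valid IPv4 header."""
    for i in range(12, len(frame) - 21):  # need 12 MAC bytes before the type
        if frame[i:i + 2] != b"\x08\x00" or frame[i + 2] >> 4 != 4:
            continue
        ihl = (frame[i + 2] & 0x0F) * 4
        hdr = frame[i + 2:i + 2 + ihl]
        if ihl < 20 or len(hdr) < ihl or ones_complement_sum(hdr) != 0xFFFF:
            continue  # coincidental 08 00 4x bytes, not a real header
        l4 = frame[i + 2 + ihl:]
        has_ports = hdr[9] in (6, 17) and len(l4) >= 4  # TCP or UDP
        return {
            "prefix_len": i - 12,  # bytes in front of the Ethernet header
            "dst_mac": frame[i - 12:i - 6].hex(":"),
            "src_mac": frame[i - 6:i].hex(":"),
            "total_len": struct.unpack("!H", hdr[2:4])[0],
            "ttl": hdr[8],
            "proto": hdr[9],
            "src": str(ipaddress.IPv4Address(hdr[12:16])),
            "dst": str(ipaddress.IPv4Address(hdr[16:20])),
            "ports": struct.unpack("!HH", l4[:4]) if has_ports else None,
        }
    return None

if __name__ == "__main__":
    print(find_ipv4(bytes.fromhex(PACKET1_HEX)))
```

For packet 1 the header checksum verifies with a 2-byte prefix in front of the Ethernet header, which is consistent with a dissection from byte 0 showing the unknown EtherType 0x0fa1 seen in the Wireshark output above.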

Regarding "mobile - Can anyone guess what protocol these packets belong to?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/1823271/
