jonas-koeritz / hfa-dissector

Wireshark Lua dissector for the Siemens/Unify CorNet-IP (HFA) protocol
GNU General Public License v2.0
2 stars, 5 forks

X-Link Container #1

Open arianmares opened 8 years ago

arianmares commented 8 years ago

Do you have any information about the data structure of this?

jonas-koeritz commented 8 years ago

I don't have information on this so far. I will rewrite this in the near future, as some assumptions have been proven wrong in specific cases. This is useful for general debugging work, but not usable as a full protocol spec. Especially the authentication (hash algorithm) is not known so far.

arianmares commented 8 years ago

Your information regarding HFA was the only one I've found. I am using it to decode caller/called IDs in recording software which I develop. Until the last IP phone generation, the information in screen messages was enough, but the last sets with graphic display don't use the set display commands but send this info packed in an X-Link container. I've managed to find the caller ID in such a container, but some more info would be useful. Thank you.

jonas-koeritz commented 8 years ago

The X-Link Containers might contain CSTA (ASN.1) encoded data.

arianmares notifications@github.com wrote on Tue, 21 June 2016, 07:33:

Closed #1 https://github.com/jonas-koeritz/hfa-dissector/issues/1.


arianmares commented 8 years ago

I've studied some captured data. All I can say is that the data is definitely not valid BER, CER, or DER, nor is it one of the XML rules (XER, EXER, CXER). It could be PER, but needs a schema. No idea if this is a path to follow (looking for a schema). Any thoughts?
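The validity check described in the comment above, as an added example that is not part of the original thread or of the hfa-dissector code: a structural BER walker in Python. CER and DER are restricted forms of BER, so a payload that fails it is none of the three; the function names and the sample byte strings are constructed for illustration.

```python
# Added example, not hfa-dissector code: structural BER check for a payload.
def parse_tlv(buf, pos, limit, depth=0):
    """Parse one TLV inside buf[pos:limit]; return the offset just past it."""
    if depth > 32 or pos >= limit:
        raise ValueError("nesting too deep or truncated tag")
    first = buf[pos]
    pos += 1
    if first == 0x00:
        raise ValueError("end-of-contents tag outside indefinite form")
    if first & 0x1F == 0x1F:                  # high-tag-number form
        while pos < limit and buf[pos] & 0x80:
            pos += 1
        pos += 1                              # final tag byte has bit 8 clear
    if pos >= limit:
        raise ValueError("truncated length")
    length = buf[pos]
    pos += 1
    if length == 0x80:                        # indefinite form (BER/CER only)
        if not first & 0x20:
            raise ValueError("indefinite length on a primitive type")
        while buf[pos:min(pos + 2, limit)] != b"\x00\x00":
            pos = parse_tlv(buf, pos, limit, depth + 1)
        return pos + 2
    if length & 0x80:                         # long form: n length bytes follow
        n = length & 0x7F
        if n == 0x7F or pos + n > limit:
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > limit:
        raise ValueError("length overruns enclosing data")
    while first & 0x20 and pos < end:         # children must fill the parent
        pos = parse_tlv(buf, pos, end, depth + 1)
    return end


def looks_like_ber(payload):
    """True only if payload is one or more well-formed TLVs, nothing left over."""
    buf, pos = bytes(payload), 0
    try:
        while pos < len(buf):
            pos = parse_tlv(buf, pos, len(buf))
    except ValueError:
        return False
    return len(buf) > 0


# Constructed samples, not taken from a real HFA capture.
DER_SAMPLE = bytes.fromhex("3009020105160431323334")  # SEQUENCE {INTEGER 5, IA5String "1234"}
OPAQUE_SAMPLE = bytes.fromhex("051031323334")         # length byte claims 16, only 4 follow
```

A pass is only a hint, since short opaque data can parse as a TLV by accident; a failure rules out BER, CER and DER together. PER carries no tags and omits lengths the schema already fixes, so it cannot be recognised structurally like this.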

jonas-koeritz commented 8 years ago

I will try to set up a phone on debug log level and make assumptions based on timing. The basic packet structure is a bit off in the current code too, I noticed this when reviewing log files of a phone. This must be addressed in the future too. My code is messy and needs a rewrite too ;)

arianmares notifications@github.com wrote on Thu, 14 July 2016, 18:13:

I've studied some captured data. All I can say is that the data is definitely not valid BER, CER, or DER, nor is it one of the XML rules (XER, EXER, CXER). It could be PER, but needs a schema. No idea if this is a path to follow (looking for a schema). Any thoughts?


arianmares commented 8 years ago

I can send you some pcap files; in some X-Link containers some caller ID data can be identified, but nothing else. Also, I am not a C++ wizard, but I can do decent coding. If you need some help, just let me know.

On 07/14/2016 08:08 PM, Jonas Köritz wrote:

I will try to set up a phone on debug log level and make assumptions based on timing. The basic packet structure is a bit off in the current code too, I noticed this when reviewing log files of a phone. This must be addressed in the future too. My code is messy and needs a rewrite too ;)


jonas-koeritz commented 8 years ago

The current code is written in Lua only and I would like to keep it this way until the protocol is fully reverse engineered. Would you attach the pcap files and some information on what happened during the capture?

arianmares notifications@github.com wrote on Thu, 14 July 2016, 19:44:

I can send you some pcap files; in some X-Link containers some caller ID data can be identified, but nothing else. Also, I am not a C++ wizard, but I can do decent coding. If you need some help, just let me know.


arianmares commented 8 years ago

Yes, will try to do it this evening or tomorrow morning.

On 07/14/2016 09:05 PM, Jonas Köritz wrote:

The current code is written in Lua only and I would like to keep it this way until the protocol is fully reverse engineered. Would you attach the pcap files and some information on what happened during the capture?


jonas-koeritz commented 8 years ago

I got a first idea, the contents could be HDLC with SS7 signalling inside. I will try to verify this tomorrow.

jonas-koeritz commented 8 years ago

Another possibility is H.225.0 User to User information elements. This appears to be much more probable!

arianmares commented 8 years ago

Could you please give me an email address so I can send the pcap file? The size exceeds the GitHub mailbox.

On 07/15/2016 02:02 AM, Jonas Köritz wrote:

Another possibility is H.225.0 User to User information elements. This appears to be much more probable!


arianmares commented 8 years ago

Yes, as I said, looks like ASN.1 PER encoding, but still need a schema...

On 07/15/2016 02:02 AM, Jonas Köritz wrote:

Another possibility is H.225.0 User to User information elements. This appears to be much more probable!


jonas-koeritz commented 8 years ago

jonas.koeritz@gmail.com

arianmares notifications@github.com wrote on Fri, 15 July 2016, 07:22:

Yes, as I said, looks like ASN.1 PER encoding, but still need a schema...
