This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Public IP addressed datagram within private IP addressed datagram?

0

We are running an OpenSim server on our network to mess around with - default port is UDP 9000. We are seeing packets that don't make a lot of sense to us....even after hours of research.

I found that PCLI will automatically show up on anything transmitting from port 9000 (UDPcast). Within that, there is an IPv4 header that shows two seemingly random public IP addresses well outside of our public range (src & dst). It contains a typical data segment.

Above that though, where I would expect to find it, is the typical IP datagram, with the correct private IP addresses and ports (192.168.x.x src & dst).

The inside (public) IPv4 datagram includes the protocol "Wideband Expak" -- I can't find any literature on what this is....every search just leads me to lists of IP protocols that includes this in the list, nothing more.

Also - what gives with the public IP addresses? A lot of the traffic surrounding these particular packets is multicast....and I read some on UDPcast, but this doesn't seem to fit the protocol.

Thanks in advance!

asked 29 Oct '14, 12:33


dm123

It's hard to follow your explanations without a sample capture file. Can you please upload a sample capture file (google drive, dropbox, cloudshark.org) and post the link here?

(30 Oct '14, 04:55) Kurt Knochner ♦

https://www.cloudshark.org/captures/221f46219695

Never knew about this site before...thanks!

(30 Oct '14, 07:28) dm123

Wireshark dissects UDP and TCP based protocols on the basis of the ports used. In your case the packet is interpreted as PCLI but it's not PCLI, so the dissection is completely bogus. Try configuring the PCLI port (to zero) or do "decode as" and specify the protocol that is actually carried in the UDP message, or dissect as data.

(30 Oct '14, 07:55) Anders ♦

@Anders -- I wasn't so concerned with the PCLI as I was the public IP addresses that seemed to be wrapped in the private IPs.... for now I am thinking that is part of the UDPcast protocol....but I can't confirm since I can't find info about it

(30 Oct '14, 08:00) dm123

2 Answers:

1

We are running an OpenSim server on our network to mess around with - default port is UDP 9000.

There is a LUA dissector for the OpenSim UDP protocol.

http://opensimulator.org/wiki/LLUDP_Dissector

Please try that to decode your packets.

Regards
Kurt

answered 31 Oct '14, 01:25


Kurt Knochner ♦

@Kurt -- that seems to have worked quite well.

The dissector completely reframed the packets and there are no longer the dual IP addresses. I assume then, that the LLUDP protocol has a larger header than the norm, and Wireshark read it that the extra binary made it appear that there was another IP datagram encapsulated in each packet.

Thanks for the help!

(31 Oct '14, 05:16) dm123

and Wireshark read it that the extra binary made it appear that there was another IP datagram encapsulated in each packet.

Actually the problem is that Wireshark dissected the frames as PCLI, based on the UDP port 9000, which will give random results, because the data is not structured according to PCLI.

(02 Nov '14, 04:19) Kurt Knochner ♦
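To make Anders' and Kurt's point concrete, here is an added example written for this archive page; it is not code from the thread, from Wireshark, or from OpenSim. It models a port-chosen decode the way the thread saw it (a 4-byte intercept identifier followed by whatever bytes come next, read as an IPv4 header without validation, which is an assumed, simplified picture of a PCLI-style decode) and then runs the sanity checks an analyst uses to decide whether an "inner" IPv4 datagram is real or just payload bytes. The sample bytes are constructed, the addresses come from the documentation ranges, and the function names (`parse_as_pcli`, `ipv4_sanity_failures`, `build_ipv4_header`) are this example's own.

```python
"""Why port-based dissection can "find" an IPv4 header in an OpenSim LLUDP
payload, and the checks that tell a real encapsulated datagram from noise.
Added example for this page; not Wireshark's or OpenSim's code."""
import socket
import struct

# IANA protocol numbers relevant here; 79 is the "Wideband EXPAK" the thread saw.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 79: "WB-EXPAK"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header.
    Over a correct header (checksum field included) the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_naively(data: bytes) -> dict:
    """Read the first 20 bytes as an IPv4 header with no validation at all,
    which is effectively what a dissector chosen by port does with foreign data."""
    if len(data) < 20:
        raise ValueError("need at least 20 bytes")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": ver_ihl & 0x0F,
        "total_length": total_len,
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTO_NAMES.get(proto, "unassigned/other"),
        "checksum": csum,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


def ipv4_sanity_failures(data: bytes) -> list:
    """Checks a genuinely encapsulated IPv4 header passes but random payload
    bytes almost never do. An empty list means the header is plausible."""
    failures = []
    hdr = parse_ipv4_naively(data)
    if hdr["version"] != 4:
        failures.append("version nibble is not 4")
    ihl_bytes = hdr["ihl"] * 4
    if hdr["ihl"] < 5:
        failures.append("IHL below minimum of 5 words")
    elif ihl_bytes > len(data):
        failures.append("IHL points past end of data")
    elif ipv4_checksum(data[:ihl_bytes]) != 0:
        failures.append("header checksum does not verify")
    if hdr["total_length"] < ihl_bytes or hdr["total_length"] > len(data):
        failures.append("total length inconsistent with bytes on the wire")
    if hdr["ttl"] == 0:
        failures.append("TTL is zero")
    return failures


def parse_as_pcli(udp_payload: bytes) -> dict:
    """Assumed model of a PCLI-style decode: 4-byte intercept id, then IPv4.
    This reproduces the bogus layering seen on UDP/9000 in the thread."""
    cccid = struct.unpack("!I", udp_payload[:4])[0]
    inner = udp_payload[4:]
    return {"cccid": cccid,
            "inner_ipv4": parse_ipv4_naively(inner),
            "failures": ipv4_sanity_failures(inner)}


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Construct a correct IPv4 header, used to show the checks accept real ones."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


# Constructed LLUDP-like payload (not bytes from the thread's capture).
LLUDP_LIKE_PAYLOAD = bytes.fromhex(
    "4000000d"          # constructed: LLUDP-style flags + sequence number
    "45000c1e"          # happens to read as version 4 / IHL 5, total length 3102
    "0a1b4000"          # reads as identification / flags
    "3a4f1234"          # reads as TTL 58, protocol 79 (WB-EXPAK), bogus checksum
    "cb007107"          # reads as src 203.0.113.7 (documentation range)
    "c6336409"          # reads as dst 198.51.100.9 (documentation range)
    "deadbeef00112233"  # remaining message bytes
)

# A genuinely encapsulated IPv4 datagram, for contrast (private addresses, UDP).
REAL_INNER = build_ipv4_header("192.168.1.10", "192.168.1.20", 17, 8) + b"\x00" * 8
REAL_PCLI_PAYLOAD = b"\x00\x00\x00\x01" + REAL_INNER

if __name__ == "__main__":
    bogus = parse_as_pcli(LLUDP_LIKE_PAYLOAD)
    ip = bogus["inner_ipv4"]
    print("naive decode:", ip["src"], "->", ip["dst"], ip["protocol_name"])
    print("checks failed:", bogus["failures"])
    print("real header failed:", parse_as_pcli(REAL_PCLI_PAYLOAD)["failures"])
```

The naive decode of the constructed payload reports two public-looking addresses and protocol 79, exactly the kind of output the question describes, while the checksum and total-length checks reject it; the real encapsulated header passes every check. In tshark the equivalent of Anders' "decode as" advice is `-d udp.port==9000,data` (or the LLUDP dissector Kurt points to), which stops the port heuristic from applying PCLI to the stream.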

0

There's not much ready-made information available, but a little searching revealed this:

A textual description of the protocol

The protocol spec (as in source code)

A (very) quick glance shows no IP addresses in there other than multicast (obviously). Note that scoping rules for multicast addresses are different than unicast addresses.

It would be a nice project to create a Wireshark dissector for it. An enhancement request (with a reference to this post) would be in order.

answered 30 Oct '14, 10:23


Jaap ♦