This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to dissect T1 Circuit Emulation CEM Traffic?

0

Can wireshark interpret the CEM traffic, I have the below topology

R1 -- T1 ---- R2 ---- CEM xConnect over ethernet ---- R3 --- T1 R4

I am capturing the packets between R2 - R3 and I want to see the T1 alarms, CEM header etc But all I see is raw data after the xconnect label Is there a way or any extension to make wireshark interpret this

asked 24 Aug '16, 20:29

vaibhav's gravatar image

vaibhav
6112
accept rate: 0%

edited 25 Aug '16, 05:00

sindy's gravatar image

sindy
6.0k4851


One Answer:

0

Dissector of almost any protocol can be added to Wireshark using C or Lua, but you need to know the protocol specification or, if not available, gather sufficient data to reverse engineer it. For Circuit over Packet, several standards exist, and Cisco may be using one of them as well as their proprietary one. Enough capture data and knowledge of the original payload which was coming from the TDM side (i.e. which timeslots were idle and which had a call on them during the capture) should reveal the truth. But this only applies if compression is switched off, otherwise you have to decompress the data before analysing the Circuit over Packet frame structure, which may require some reverse engineering as well.

The next question, however, is what you want to do with the extracted payload? The logical view of T1 is a bundle of point-to-point byte streams. The contents of most of them is not further structured (voice call), or carries some kind of direct serial data (common channel signalling, G4 fax or other digital services), or carries some kind of serial data modulated onto an analogue carrier (modem, G3 fax). To process any of these, you would need to place a tap at the output of the basic dissector, collecting the bytes belonging to your stream from the individual CoP frames and rendering them in some form (an .au file, for example) for further processing.

As for the T1 alarms - depending on the CoP standard used, the alarms may be either detected at the router performing the encapsulation and sent as logical signals over the packet network instead of the normal payload-carrying packets (to save bandwidth), or the encapsulating router may just transparently forward the contents of the T1. In the latter case, you'd e.g. have to process several (tens of) frames to conclude that there is AIS in the T1.

All in all, while Wireshark is a great tool to help you in the reverse engineering, I doubt whether it makes sense to implement all the analysis layers as given above into it. In fact, my doubt was so deep that I've decided to receive and parse the CoP packets using a task-specific application, so I can e.g. interpret the CCS to identify start and end of a call on a given timeslot, save each call into a separate .au file, and save the CCS into a pcap file so that I could use Wireshark to read it. But your application may be completely different (CAS for example, or digital services on the timeslots) so writing your own tailor-made application is probably your best way forward.

answered 25 Aug '16, 05:00

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%