Hi

My name is Damir and I am a founder of a Croatian based company called
Socket d.o.o.

We are currently working on an ETSI compliant Lawful Interception solution;
it is a work in progress but we already have a couple of clients in need of
this solution.
The problem with LI is that governments impose the law on the ISPs and other
Communication Providers (CSPs), making them obliged to purchase the LI
software or implement it themselves. These systems are standardized to some
degree by the European Telecommunications Standards Institute (ETSI), but
that is just the first part of the story.
LI systems are quite complex, but from the perspective of LEAs (Law
Enforcement Agencies) they consist of 2 parts: Backend and Frontend. Backend
is actually what is normally called a GUI or a Web Interface, so the reversal
of terminology can be a bit confusing at times.
ELEE software is a data interception (Frontend) system that passively tracks
IP traffic and delivers the data of interest to LEAs. The format of that
delivery is defined by ETSI; they describe everything in great detail using
ASN.1 notation, which is then encoded using BER when sent over the wire.
Why do we need a new DLT? We would like to offer the ELEE solution to our
customers (ISPs and/or CSPs), but LEAs are also a vital part of this 2-part
business. LEAs are quite prone to having lots of issues with data analysis
(Backend part) software, which is quite odd since they also follow ETSI
governed standards. Some even demand a regular PCAP format for data delivery
due to a complete lack of Backend software. LI data delivery comprises both
packet data and intercept metadata, which is completely unrelated to the
network stack. This is also one of the reasons to ask for a new DLT.
The ELEE solution supports PCAP, BER and ELEE/PCAP. We created our own
protocol which is transferred using SCTP and is registered with IANA as SCTP
PPID 65. We would like to offer a way to analyze the ELEE/PCAP format with
Wireshark and bring LI capabilities to well established network analysis
software. That would also be very interesting to LEAs; they would be able to
use Wireshark as their official Backend data analysis tool. They use
different terminology and fields to inspect data, and that is what ELEE/PCAP
is all about: bridging the gap between LI and PCAP.
I have already created a dissector for Wireshark to be able to debug and
analyze our internal SCTP traffic and inspect aggregated network data, for
which I use Wireshark's WTAP_ENCAP_USER0 Link Layer Type. Unfortunately, I
don't have the documentation/specification for ELEE/PCAP ready just yet, but
that would come later on. I would like to get an official DLT for our product
(LINKTYPE_ELEE), just like we got an SCTP PPID from IANA. The protocol and
the dissector would be used mainly by LEAs and I don't think it would cause
any harm to the tcpdump and/or Wireshark community to get closer to being
able to provide Lawful Interception features. The plan is to include the
dissector in the official Wireshark version when it's finished.
Sorry for the long summary, I just wanted to give you a little intro and not
cause any headaches or tech rage. I have also attached a PDF slideshow of our
product which you may or may not find interesting. The interesting part is:
we will be the first to offer LI systems on ARM based SBCs (Single Board
Computers).
Company info:
https://sudreg.pravosudje.hr/registar/f?p=150:28:0::NO:28:P28_SBT_MBS:080973259

Website (temp until the project is finished): http://socket.hr

IANA SCTP PPID 65:
https://www.iana.org/assignments/sctp-parameters/sctp-parameters.xhtml#sctp-parameters-25
P.S.
You can find some tshark output for the ELEE/PCAP protocol dissector below
(both IRI and CC, the only two main PDU types).

Example tshark output for IRI:
Frame 1: 161 bytes on wire (1288 bits), 161 bytes captured (1288 bits)
    Encapsulation type: USER 0 (45)
    Arrival Time: May 10, 2019 20:21:59.2065333272 CEST
        [Expert Info (Note/Sequence): Arrival Time: Fractional second 2065333272 is invalid, the valid range is 0-1000000000]
            [Arrival Time: Fractional second 2065333272 is invalid, the valid range is 0-1000000000]
            [Severity level: Note]
            [Group: Sequence]
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1557512519.2065333272 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 161 bytes (1288 bits)
    Capture Length: 161 bytes (1288 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: elee]
ELEE Protocol
    Protocol version: 1
    PDU type: Target PDU (1)
    Source node: elee.ppd.node_1
    Destination node: .
    Target PDU
        Lawful interception identifier: dhcp_li_id
        Target PDU data type: Intercept Related Information (IRI) (1)
        Sequence number: 0
        Timestamp: May 10, 2019 18:21:59.723619839 UTC
        IRI configuration
            Active: True
            Delivery format: ELEE (3)
            Handover connection:
            Handover directory:
            Aggregation factor: 2
            Delivery timeout: 0
        Communication identifier
            Operator identifier:
            Network element identifier:
            Communication identifier number (CIN): 0
        Data part size: 95
    IP IRI
        IRI type: IRI-REPORT (4)
        Access event type: accessAttempt (0)
        Target username: 001cbf0dbfd7
        Internet access type: Unknown (0)
        IP version: IPv4 protocol (1)
        Target IPv4: 0.0.0.0
        Target network id: 00:1c:bf:0d:bf:d7
        POP port number: 0
        Target call-back number: <MISSING>
        POP IP address: 00000000
        Authentication type: AAA provided by DHCP (3)

Example tshark output for CC:

Frame 2: 161 bytes on wire (1288 bits), 161 bytes captured (1288 bits)
    Encapsulation type: USER 0 (45)
    Arrival Time: May 10, 2019 20:21:59.2087542272 CEST
        [Expert Info (Note/Sequence): Arrival Time: Fractional second 2087542272 is invalid, the valid range is 0-1000000000]
            [Arrival Time: Fractional second 2087542272 is invalid, the valid range is 0-1000000000]
            [Severity level: Note]
            [Group: Sequence]
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1557512519.2087542272 seconds
    [Time delta from previous captured frame: 0.022209000 seconds]
    [Time delta from previous displayed frame: 0.022209000 seconds]
    [Time since reference or first frame: 0.022209000 seconds]
    Frame Number: 2
    Frame Length: 161 bytes (1288 bits)
    Capture Length: 161 bytes (1288 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: elee]
ELEE Protocol
    Protocol version: 1
    PDU type: Target PDU (1)
    Source node: elee.ppd.node_1
    Destination node: .
    Target PDU
        Lawful interception identifier: test_li_id
        Target PDU data type: Content of Communication (CC) (2)
        Sequence number: 0
        Timestamp: May 10, 2019 18:27:56.677651565 UTC
        CC configuration
            Active: True
            Delivery format: ELEE (3)
            Handover connection:
            Handover directory:
            Aggregation factor: 10
            Delivery timeout: 0
        Communication identifier
            Operator identifier:
            Network element identifier:
            Communication identifier number (CIN): 0
        Data part size: 60
Ethernet II, Src: Cisco_ff:0e:7d (00:1b:53:ff:0e:7d), Dst: Dell_1a:45:8a (00:1a:a0:1a:45:8a)
    Destination: Dell_1a:45:8a (00:1a:a0:1a:45:8a)
        Address: Dell_1a:45:8a (00:1a:a0:1a:45:8a)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_ff:0e:7d (00:1b:53:ff:0e:7d)
        Address: Cisco_ff:0e:7d (00:1b:53:ff:0e:7d)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 93.138.2.16, Dst: 213.149.32.10
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 46
    Identification: 0x1f62 (8034)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 121
    Protocol: TCP (6)
    Header checksum: 0x8d2e [correct]
    [Header checksum status: Good]
    [Calculated Checksum: 0x8d2e]
    Source: 93.138.2.16
    Destination: 213.149.32.10
Transmission Control Protocol, Src Port: 1414, Dst Port: 110, Seq: 30, Ack: 39, Len: 6
    Source Port: 1414
    Destination Port: 110
    [Stream index: 0]
    [TCP Segment Len: 6]
    Sequence number: 30 (relative sequence number)
    [Next sequence number: 36 (relative sequence number)]
    Acknowledgment number: 39 (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window size value: 65497
    [Calculated window size: 65497]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0x62e2 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 9]
        [The RTT to ACK the segment was: 0.002911000 seconds]
        [iRTT: 0.009309000 seconds]
        [Bytes in flight: 6]
        [Bytes sent since last PSH flag: 6]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.030199000 seconds]
        [Time since previous frame in this TCP stream: 0.002911000 seconds]
    TCP payload (6 bytes)
Post Office Protocol
    STAT\r\n
        Request command: STAT

--
Damir Franusic
email: damir.franu...@gmail.com
http://ele2.io/
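An added example for the DLT request discussed above (my own code, not the mail's or the ELEE project's): how a pcap file records its link-layer type in the global header, and why a capture tagged with the private USER0..USER15 range (pcap values 147..162; USER0 is what tshark shows as "USER 0 (45)", wiretap's internal number) can only be decoded by a reader that already knows what the writer meant. LINKTYPE_ELEE is not allocated, so it does not appear as a value here; the sample payload is constructed.

```python
"""Added example: write and parse the pcap global header to show where the
link-layer type lives and how a private USER0..USER15 value is indistinguishable
from any other vendor's use of the same value. Not ELEE project code."""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond-resolution timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-resolution timestamps
LINKTYPE_ETHERNET = 1
LINKTYPE_USER0, LINKTYPE_USER15 = 147, 162   # private/vendor range, no registry meaning

def describe_linktype(linktype):
    """Classify a link-layer type value the way a reader without out-of-band
    knowledge can: registered, private (writer-defined), or unknown."""
    if linktype == LINKTYPE_ETHERNET:
        return "ETHERNET"
    if LINKTYPE_USER0 <= linktype <= LINKTYPE_USER15:
        return "USER%d (private: contents defined by the writer)" % (linktype - LINKTYPE_USER0)
    return "unknown"

def write_pcap(linktype, records, nsec=False, big_endian=False, snaplen=65535):
    """Build a pcap file in memory: 24-byte global header, then a 16-byte
    record header plus payload per packet. records = [(ts_sec, ts_frac, bytes)]."""
    end = ">" if big_endian else "<"
    magic = PCAP_MAGIC_NSEC if nsec else PCAP_MAGIC_USEC
    out = struct.pack(end + "IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_frac, payload in records:
        out += struct.pack(end + "IIII", ts_sec, ts_frac, len(payload), len(payload))
        out += payload
    return out

def read_pcap(data):
    """Parse the global header, detecting byte order and timestamp resolution
    from the magic, and return (linktype, resolution, records)."""
    for end in ("<", ">"):
        magic = struct.unpack(end + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file")
    _m, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack(end + "IHHiIII", data[:24])
    resolution = "ns" if magic == PCAP_MAGIC_NSEC else "us"
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        records.append((ts_sec, ts_frac, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return linktype, resolution, records

# Constructed sample: a made-up 8-byte payload tagged USER0 (147), the way a
# dissector prototyped on WTAP_ENCAP_USER0 would see its captures.
SAMPLE = write_pcap(LINKTYPE_USER0, [(1557512519, 206533, b"ELEE-PDU")])
```

Any other tool that also chose USER0 for its own format would produce a file with the identical header, which is what a registered LINKTYPE value resolves.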
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers