Aerospace Village - Deep Space Networking
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Subtitle |
| |
| Title of Series | ||
| Number of Parts | 374 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/49224 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
DEF CON Safe Mode5 / 374
11
35
63
70
74
86
90
98
102
103
104
105
106
107
109
110
113
114
117
119
121
122
123
124
126
127
128
130
136
137
138
142
146
151
152
153
154
159
160
161
163
165
166
167
168
169
171
177
189
214
226
231
232
239
240
246
247
250
255
256
265
267
268
269
270
271
272
274
279
280
283
289
290
336
337
344
360
362
363
364
365
367
00:00
Process (computing)Mathematical analysisVideoconferencingSpacetimeComputer fileTracing (software)Fiber bundleCommunications protocol
00:33
UDP <Protokoll>Frame problemIPRevision controlPC CardLevel (video gaming)Source codeStreaming mediaPrice indexTimestampCommunications protocolSet (mathematics)Data typeSimulationNumberInformationUDP <Protokoll>TelecommunicationProcess (computing)Frame problemFiber bundleRight angleComputer fileData transmissionWindowMultiplication signDelay-tolerant networkingSpacetimeBitData conversionComputer animation
03:08
Graph coloringComputer file
03:52
Communications protocolSet (mathematics)Control flowFrame problemRevision controlIPData typeUDP <Protokoll>Cloud computingRouter (computing)Fiber bundleWindowInterior (topology)SimulationAugmented realityMultiplication signFrame problemLengthNumberGreatest elementProfil (magazine)Right angleProcess (computing)Default (computer science)SpacetimeDelay-tolerant networkingComputer animation
04:51
SimulationIn-System-ProgrammierungUDP <Protokoll>Frame problemRevision controlIPComputer fontData conversionDefault (computer science)Set (mathematics)NumberProfil (magazine)Computer animation
05:19
UDP <Protokoll>Communications protocolControl flowFrame problemIPRevision controlInternetworkingBitSource codePrice indexStreaming mediaLengthMereologySimulationMach's principleEmailFiber bundleData typeDelay-tolerant networkingSign (mathematics)Subject indexingRight angleIP addressUDP <Protokoll>EmailLine (geometry)Computer fileContent (media)Data conversionStatisticsTracing (software)CountingField (computer science)NumberWindowStreaming mediaMultiplication signDirection (geometry)Default (computer science)2 (number)Delay-tolerant networkingAddress spaceComputer animation
08:53
Data typeFrame problemCommunications protocolEmailRevision controlData transmissionDelay-tolerant networkingEmailMotion captureField (computer science)Electronic mailing listWindowDelay-tolerant networkingGraph coloringRule of inferenceSchmelze <Betrieb>Right angleOSI modelGreatest elementQuicksortComputer animation
10:04
SimulationFrame problemBitIPRevision controlSigma-algebraDemosceneFiber bundleData typeCommunications protocolSpacetimeOscillationEmailFrame problemNumberGraph coloringCommunications protocolFiber bundleFunctional (mathematics)View (database)Assembly languageInformationEmailExecution unitComputer animation
11:19
Fiber bundleFiber bundleMereologyCartesian coordinate systemCommunications protocolRight angleSet (mathematics)Type theoryFile Transfer ProtocolData storage deviceInformationSurfaceSoftwarePhysical systemComputer fileEmailXML
14:06
Duality (mathematics)Fiber bundleMereologyFrame problemRevision controlIPSigma-algebraData typeCommunications protocolMetropolitan area networkFiber bundleBitInformationFrame problemTotal S.A.NumberEmailPrice indexField (computer science)Type theoryLine (geometry)Entire functionLengthComputer animation
15:31
Control flowIPEmailSet (mathematics)Fiber bundleCommunications protocolData typeFrame problemRevision controlBeta functionWindowSimulationComputer iconFlagDelay-tolerant networkingUser interfaceData transmissionInternetworkingRight angleType theoryField (computer science)Different (Kate Ryan album)Fiber bundleRule of inferenceGraph coloringSet (mathematics)QuicksortNumberLine (geometry)Frame problemComputer animation
17:31
Fiber bundleData typeFlagFrame problemIPRevision controlCommunications protocolControl flowStructural equation modelingMereologyEmailElectronic visual displayAreaFiber bundleRight angleComputer fileField (computer science)Computer animation
18:15
Communications protocolFlagData typeFiber bundleUser interfaceBeta functionFrame problemRevision controlIPEmailStructural equation modelingAnalog-to-digital converterBitFiber bundleGraph coloringRight angleRule of inferenceElectronic visual displayComputer animation
18:59
In-System-ProgrammierungData transmissionFrame problemInternetworkingEmailRevision controlIPFlagData typeCommunications protocolFiber bundleGraph coloringFiber bundleRule of inferenceNumberComputer animation
19:41
Fiber bundleLengthFlagFrame problemIPRevision controlData typeCommunications protocolEmailSimulationWindowIntrusion detection systemFiber bundleRight angleFrame problemComputer animation
20:08
Frame problemIPEmailFlagFiber bundleData typeCommunications protocolRevision controlSimulationPulse (signal processing)Control flowHill differential equationComputer musicFrame problemFiber bundleBitRight angleComputer animation
21:19
Frame problemIPRevision controlEmailFiber bundleCommunications protocolFlagData typeControl flowMetropolitan area networkSimulationInstallable File SystemQuicksortBitFiber bundleTraffic reportingComputer animation
22:03
Frame problemRevision controlIPEmailFiber bundleCommunications protocolFlagData typeSource codeStandard deviationNumberControl flowExplosionDelay-tolerant networkingTimestampBlock (periodic table)Numbering schemeProcess (computing)LengthComputer wormRow (database)Traffic reportingAsynchronous Transfer ModeFiber bundleFrame problemNumberEmailBitComputer wormLine (geometry)Traffic reportingRow (database)System administratorRight angleType theoryGraph coloringRule of inferenceComputer animationSource codeXML
23:02
Block (periodic table)Fiber bundleTraffic reportingRow (database)Computer wormSource codeSingle sign-onExplosionAsynchronous Transfer ModeEmailData typeControl flowDelay-tolerant networkingRevision controlFlagProcess (computing)Numbering schemeTimestampNumberACIDSoftware configuration managementSystem administratorLine (geometry)Row (database)Rule of inferenceGraph coloringType theoryTraffic reportingFiber bundleComputer animationSource codeXML
23:39
Fiber bundleBeta functionRevision controlControl flowEmailFrame problemIPFlagData typeCommunications protocolFiber bundleFrame problemNumberRight angleMereology2 (number)BitCommunications protocolComputer animation
24:56
Fiber bundleFrame problemCommunications protocolFlagData typeFrame problemNumberFiber bundleComputer animation
25:50
Fiber bundleFlagCommunications protocolFrame problemRevision controlIPEmailData typeTorusHausdorff spaceCovering spaceModel checkingWindowMusical ensembleHecke operatorFiber bundle2 (number)Frame problemNumberLengthComputer animation
27:20
Frame problemIPEmailFiber bundleData typeCommunications protocolMusical ensembleRevision controlMenu (computing)Fiber bundleEmailFrame problem2 (number)Moment (mathematics)SpreadsheetQuicksortOverhead (computing)Computer animation
28:57
SummierbarkeitData typeDelay-tolerant networkingCommunications protocolWindowFrame problemEmailACIDFlagControl flowIPRevision controlMassPulse (signal processing)SimulationMaxima and minimaFiber bundleLengthInduktive logische ProgrammierungoutputSpacetimeHecke operatorFiber bundleComputer animation
29:32
Frame problemRevision controlIPEmailFiber bundleData typeCommunications protocolWindowWireless Markup LanguageMach's principlePulse (signal processing)Menu (computing)Analog-to-digital converterAssembly languageStreaming mediaElectronic mailing listFrame problemSoftwareRight angleFiber bundleEmailSign (mathematics)Computer wormComputer animationSource codeXML
30:38
Fiber bundleEmailComputer wormEmailComputer wormData structureFiber bundleCommunications protocolMoment (mathematics)Interface (computing)Slide ruleComputer animation
32:00
Fiber bundleWindowFrame problemCommunications protocolRevision controlSpacetimeAutomorphismSimulationEmailFlagPulse (signal processing)Data typeMereologyIPComputer iconMetropolitan area networkEmailMoment (mathematics)Frame problemNumberFiber bundleComputer animation
32:27
WindowFiber bundleEmailFrame problemCommunications protocolData typeIn-System-ProgrammierungPulse (signal processing)AerodynamicsSpacetimeControl flowRevision controlIPACIDSummierbarkeitDelay-tolerant networkingSimulationMessage passingProcess (computing)Source codeNumbering schemeExplosionTimestampStandard deviationNumberInformationFrame problemFiber bundleEmailComputer animation
32:57
Fiber bundleFrame problemIPRevision controlEmailCommunications protocolMessage passingData typeControl flowNumbering schemeSource codeExplosionStandard deviationNumberFlagBlock (periodic table)Process (computing)Computer wormPulse (signal processing)Computer fileRight angleFiber bundleLengthEmailComputer wormField (computer science)Entire functionWindowComputer animation
34:25
EmailData typeComputer wormFiber bundleBlock (periodic table)Communications protocolSource codeControl flowFlagStandard deviationNumberExplosionProcess (computing)Structural loadComputer iconSimulationSoftwareComputer wormFiber bundleEmailDifferent (Kate Ryan album)Rule of inferenceNumberComputer animation
35:02
Fiber bundleFiber bundleRule of inferenceOSI modelCommunications protocolBitComputer animation
Transcript: English(auto-generated)
00:06
Hi, this is Laura Chappell, and welcome to this video on Deep Space Networking Traffic Analysis. In this video, I'm going to show you how I open up a trace file inside of Wireshark and begin the process of customizing Wireshark for Deep Space Networking Traffic Analysis.
00:24
And we'll go through and learn about the bundle protocol, and we'll learn about the TCP convergence layer. So let's go over to Wireshark and get started. In Wireshark, I've opened up the trace file depicting the Deep Space Networking Traffic.
00:42
Now, we're talking about delay and disruption tolerant networking here, or DTN we simply refer to it as. And in this scenario, we have a host that is sending a bundle of data in bundle segments to another host to be relayed to a third host.
01:04
So let's see what we have in this trace file. First of all, we have some traffic that doesn't have anything to do with our DTN communications. It's this OSPF traffic. So I'm going to get that out of the way. Now, what we're left with are some interesting packets here.
01:22
First of all, these top packets that you see, they're UDP packets. They're kind of sprinkled throughout the trace file. If you were to select one of those packets and look down in the packet bytes window, what you would see is in the data portion, it appears that we have a host
01:41
that is announcing its DTN endpoint ID. So 10.0.0.1 is announcing that its endpoint ID is N1, kind of like its name. On the second packet there, we have 10.0.0.2 announcing its endpoint ID as N2,
02:03
and the next packet 10.0.0.3 announcing its endpoint ID as N3. All right, that information right there is very interesting, but it's not a data transfer process. That is just an announcement. What we're interested in are the TCP CL packets.
02:25
So frame number seven there is the first time we see a TCP conversion slayer packet, and this is just a keep-alive. By looking at these keep-alives, we can get a general idea of which hosts can see which hosts.
02:44
So in frame number seven, we have 10.0.0.3 sending a keep-alive to .4. In the next packet, we have .1 sending a keep-alive to three. In packet nine, we have three sending a keep-alive to one, and then in a little bit further on, we see in packet 19,
03:03
we have .2 sending a keep-alive to four. All right, we can build a picture from this. This is what we know so far. It appears that we have four hosts, and based on the keep-alives, we can see which hosts are talking to which hosts.
03:22
So we can see based on the keep-alive that .1 can see .02, .2 can see four, four can see three, three can see one, but we don't see any keep-alives going between .1 and .4, we don't see any keep-alives between .2 and .3. So perhaps we have something in the way between those two hosts.
03:41
It could be something like a planet. So here I have a picture, one of the various pictures of Venus with a color filter on it. Now let's go back to the trace file. So let's take a look at when data actually begins to be sent here. We see an awful lot of those endpoint ID announcements, and we see a bunch of keep-alives,
04:04
and we see some acknowledgements for those keep-alives. When we get down to frame number 57, that's the first time we see a larger length frame that probably has some data in it. So let's create a profile in Wireshark, and we'll begin the customization process
04:25
to help us analyze deep space networking traffic. So in the bottom right-hand corner on the status bar in Wireshark, it says profile default. I'm going to right mouse click on that column there on the bottom and say new,
04:42
and I'm going to name this profile DTN example, and I'll say okay. Now Wireshark takes me back to the default settings for profiles, and this font is way too small. There's no way I'll be able to see that. So I'm going to zoom in here using the enlarge button on the main toolbar
05:04
until I get to a font size that I like. Now with all of my profiles, I always add one special column. I like to have it up with all the work that I do analyzing traffic, and that column is one that will tell me the conversation numbers in the trace file.
05:24
Wireshark numbers all the UDP conversations, and it numbers all the TCP conversations. It starts numbering each of them at zero, and they are exclusive of each other. I'm going to go into the very first packet in here, and inside the UDP header,
05:40
there is a field called the stream index field, and I want to add this as a column. To add a field as a column, you simply right mouse click on that field and say apply as column. I'm going to right mouse click on that column heading and choose to align center for the contents of that column.
06:01
Now we've started creating this great column, but we're not quite finished yet because our TCP traffic is not showing up with a stream index number. We've only told Wireshark to add a stream index column for UDP. So I'm going to right mouse click on that column header, and I'm going to choose to edit the column.
06:21
And I can see right here that the field that it's based on is UDP.stream, and I'm going to add on to this to say or TCP.stream. It doesn't matter if you do TCP.stream or UDP.stream or this direction, doesn't matter, either way that will work, and I'm going to say okay.
06:42
There we go. Now as conversations are intertwined, it's easier for me to see which conversation I'm currently working in, because I have the conversation number on the left-hand side. So the next thing I want to do is I want to pull out the most active conversations in this trace file.
07:04
I'm going to go up to statistics and conversations, and I'm interested in the most active conversations based on the TCP layer. I'm going to sort based on the byte count from high to low, and there I can see I have two conversations of interest here.
07:22
These top two are what I want to look at. That's data flowing. So I'm going to right mouse click on the very first line here, which is traffic between .3 and .1. I'm going to right mouse click and prepare a filter based on the selected value going in both ways, and then I'm going to go to the second line,
07:44
and I'm going to right mouse click, prepare a filter, and this time I'm going to say or selected, going in both directions. Wireshark builds the filter for me in the background, and I can see exactly what this filter is based on, the IP addresses that it's based on,
08:04
and I'll go ahead and I'll just apply that filter now. So I have two conversations, the top two conversations showing in this trace file. I'm going to go to file, and I'm going to save this as a separate trace file now,
08:21
just these two conversations. I'll go to file, export specified packets, and I'm going to call this DTN example. Now I'm going to open up that trace file called DTN example, because by default, Wireshark only saves the filtered packets.
08:43
So here we go. Now we have some keep alive segments. Let's take a look down in the packet details window. Here we can see we have an Ethernet header, an IP header, a TCP header, and then after the TCP header we have the DTN, TCP convergence layer protocol, or TCP CL.
09:05
It has its own header, and for keep alives all we have is this single little field here saying that it is a keep alive. I want my keep alives to kind of melt into the background here, so I'm going to set up a coloring rule to change the way these show
09:21
up in the packet list pane. So they kind of melt away. I also don't need my capture filter anymore. So in the detail window I'm going to right mouse click on this keep alive packet, and I'm going to colorize this with a filter and create a new coloring rule.
09:40
There's the syntax put in there for this coloring rule, and I'm just going to call it TCP CL keep alive. On the bottom of this coloring rules window I'm going to click the background button, and I'm going to change the background color to sort of a kind of a washed out grayish color, let's say.
10:03
I'll click okay and okay. Now those keep alives have their own background color of this gray showing up. The next thing I want to do is I want to look for anywhere where it says bundle protocol, and I should expand the protocol column
10:24
so you can see what's marked as TCP CL. Frame number 14 shows up, and in the info column it says bundle TCP CL segment, TCP segment of a reassembled protocol data unit. Wireshark's TCP reassembly function is on, and we'll talk about how
10:44
that affects the view in just a little bit. But if we look inside of frame 14, and I'm going to move this up, what we can see is we can see that we have the TCP header, and then right after that,
11:00
Wireshark is telling us that three different segments have been reassembled to create this bundle segment. Let's stop for a moment and let me show you how bundles relate to bundle segments, which relates to TCP segments. So the bundle protocol is essentially an application, and you would have some other
11:28
application that uses it, so let's say you wanted to do FTP across the galaxy. You could do that. You would type in your FTP commands, but that command would go through the bundle protocol to transfer data.
11:42
So we would have a bundle here of data, and bundles need to be transferred around. It could be scientific information. It could be video. It could be pictures of the surface of a planet or something like that. Doesn't matter. You have this big bundle of data, and the bundle protocol is a store and forward protocol.
12:03
Again, it's covered in RFC 5050 if you want to go look up some information about this. But when a bundle of data is going to a target system, it can be split up into bundle segments, and that is what we see in this trace file. In this trace file, the bundle that is being transferred from the first host
12:22
to the relay has split the bundle up into four different segments. When we look at it on the cabling system, it's really strange because we're so used to an application sending down a certain amount of data, and then the TCP segments go all the way to the end of the data and stop.
12:42
That's not the way it's done with the bundle protocol. A TCP segment may have some data from bundle segment A, and it may have some data from bundle segment B inside of it. So you can see that if this first bundle segment is going across the network,
13:02
it's got a TCP segment, another TCP segment, and then part of the third TCP segment is part of segment A. And then, bundle segment B goes out, but part of bundle segment B is sitting in the third TCP segment here. And then we have a TCP segment devoted to bundle segment B, another one,
13:23
and then we only needed part of another TCP segment. But why stop the TCP segment and create a new one? Nope. We will have bundle segment C, and it starts in the middle of a TCP segment. Literally, you will see a header inside of this segment right here.
13:41
Indicating that this new bundle is coming up. Same thing with the final bundle segment. There will be a header right at the beginning of this bundle segment saying that this is the start of a new set. So let's go take a look at these bundle segments as they show up delivered by TCP segments.
14:07
So in the info column, we see on frame number 14, it says, bundle TCP CL segment. And when we click on it, we have an indication here of which packets were required to put together this first bundle segment.
14:23
Frame number 11, frame 13, and frame 14. And the numbers in parentheses are how much data fits into this bundle segment. Now, we can also see below this. This is the TCP convergence header. And unlike the TCP or the TCP CL keep alive, there are more fields.
14:45
There are a total of four fields in this TCP convergence header. So we have the packet type field. So this is data. Then we have, this is indented. So don't get stuck on this. These are not new fields. This is the summary line for these two below.
15:03
There is one bit that would indicate if this is the start of the entire bundle. And there's another bit that indicates if this would be the last packet of the entire bundle. And then we have a line that tells us what that, how, I should say, how large that TCP bundle segment is.
15:23
That is a bundle segment length. So let's do some customization of Wireshark based on these fields. Number one, I want to take the packet type field, and I'm going to right mouse click
15:41
on this and apply this as a column. There we go. It's easy now to see the difference between keep lives there and where data packets are. And then I also want to do the same thing for segment contains start of bundle. I'm going to right mouse click here, and this is the start of bundle packet. So I'm going to apply this as a column, and we can see that it's true.
16:04
I'm going to center align that. And then this next field, segment contains end of bundle, I'm going to add that as a column as well. And I'll center align that. Now it's pretty easy to look through the trace file and see which packets are the start of the bundle.
16:25
And then farther on, we'll be able to see which packets are the end of the bundle. That's the end of the entire bundle, not the bundle set or bundle segment, but the bundle itself. To make it even easier to detect these, I'm going to set up two coloring rules.
16:45
I'm going to set up one coloring rule that turns all packets that are the start of the bundle a green color and then the end of the bundle red. So in frame number 14, I'm going to right mouse click on this line that says segment contains start of bundle.
17:02
And I'm going to choose colorize with filter, new coloring rule. And I, it's already set to a one because this is the start. So I'm going to just name this start of bundle. And then for the background, I'm going to choose sort of a lime greenish.
17:28
Now, by setting that coloring up, it's very easy for me to detect where the start of the bundles are in the trace file. Three of the packets should have matched that. Here's another thing we can do.
17:41
We can right mouse click on that field and just simply prepare a filter based on the selected value. That just puts that filter to detect the start of bundle packets up in my display filter area. And on the far right hand side of the display filter area there's a little plus there.
18:01
I'm going to click that plus and I'm going to turn this into a button. I'm going to give the button a label which is going to be S dash bundle. That to me means start of bundle. I'll say okay. Now I have a button. When I click on it, any packets that have the start of bundle bit set to a one will show up.
18:24
Let me clear out the filter that the button just applied. I want to do the same thing with the end of bundle. I want to give it a color. I'm going to give it a vibrant red and then I'll make a button so I can easily detect the end of bundle and just show those packets.
18:41
Now this packet has the end of bundle bit set to a zero. I'm going to change that to a one when I do my coloring rule. I'm going to change that to a one when I do my display filter button. So I'm going to right mouse click on this packet, prepare, colorize with filter, new coloring rule, name it end of bundle and I'm going
19:06
to give it a background color of this vibrant red. I'll say okay, okay. So now it's very easy. Oh, I forgot to change the number. Oh, well it's good for you to see how to edit coloring rules.
19:23
To edit a coloring rule, we go to view, coloring rules. And I wanted to change this to a one at the end. There we go. All right, so now we can see there's the start of a bundle, there's the end of a bundle.
19:41
There's a start of a bundle and there's the end of a bundle right here. The first start of bundle we see going from 10.0.0.1 to 10.0.0.3. So the first thing we see in here is we see a bundle being transferred
20:01
from .1 to .3 in bundle segments. After that bundle is done, right there, then down on frame 37, we see another bundle starting. And this bundle is from .3 to .4. This is the first bundle being forwarded on by .3.
20:22
So it's being relayed on. And then we see the end of that bundle after it's been relayed. And the very last packet that we see here from 3 going back to 1, it's a little strange.
20:41
It's its own bundle. We can see that the start of bundle is set at true and the end of bundle is set at true. First of all, I want to pop up a button up here for end of, end of bundle. Well, this, I'll use this packet since it has the end of bundle bit set on. I'm going to go inside the TCP convergence layer here, right mouse click.
21:05
I'm just going to prepare it as a filter based on the selected value. There it is. That's what I want to build the button on. So I'm going to click plus and give it a name, eBundle. That means end of bundle to me. So now if I want to see the end of bundle packets only, I can click on the second button.
21:24
I want to see the start. I can click on the first button. I'm going to go ahead and clear this out. Now you'll notice that after this bundle has been relayed from 3 to 4, there's this packet, this strange packet here, where it has the start and end of bundle bits set on.
21:43
That means it's its own little bundle. And this is actually a reporting packet. So let's go inside of it and take a look. Let me bring up this, let's see, I'm going to bring this sort of up so we see it up on top.
22:06
And it is frame 49 we're interested in. And when we look inside of frame number 49, we see the TCP convergence layer indicating that it's the start of a bundle and the end of a bundle also. So we're obviously not transferring a bunch of data here.
22:20
And then we'll see the primary bundle header. And if we look a little bit further in here, we will see a payload header. And beyond this, we have the administrative record. So this is indicating right here that this is a bundle status report.
22:40
That's the purpose of this packet. I don't want this packet to be colored red just because it hit the end of bundle coloring. I want this packet to have its own coloring. So I'm going to right mouse click on the line that says administrative record type, bundle status report. And I'm going to choose to colorize this with a filter, make a new coloring rule.
23:05
There's that line, admin record type one. And I'm just going to say that this is the admin report. I'm going to turn the background yellow for this one. Say okay.
23:22
And now there we go. This is the admin report. And that admin report is being sent from .3 to .1 to say that I successfully delivered the bundle on for you. So now let's go up and just take a look at some of the packets in here and how this works.
23:46
In frame number 14, Wireshark says this is a bundle segment. And sure enough, if we look inside, we can see the data packets that were required to make up this bundle segment, packet 11, packet 13, and packet 14.
24:04
And we can see the amount of data in each of those segments to make up, in each of those TCB segments to make up this bundle segment. And then when we look down at frame number 18, again on the right-hand side, it says bundle TCPCL segment.
24:20
And if we look inside of that frame, we can see which TCP segments were required to make up this bundle segment. And there's the weird one right there. So some of the data that's in packet number 14 is part of bundle segment A,
24:42
whereas some of the data in packet 14 is part of bundle segment B, the second bundle segment. It's very interesting. It's a bit of a different protocol. And if we keep looking down here, and frame number 26,
25:00
frame number 26 is listed here as bundle TCPCL segment. And if we look inside of there, we can see, oh let's see, 14. I think I did that one before. Let's clear that out, and let's go beyond that to the next bundle segment. Oh maybe I didn't.
25:21
I don't remember. So I'm clicking on frame number 26, and in frame 26, oh it just hadn't clicked, I didn't click on frame 26 before. It was still selecting frame number 18. So now I'm on frame number 26 that says some of its data is in frame number 18,
25:43
some of it is in 23, 24, and 26. And then the last bundle segment is actually the one that finishes up the whole bundle. So frame number 32, we can see its data, and if we look down here we can see exactly
26:07
which frames were required, which TCPCL segments were required to get this bundle segment across. Whew, it is pretty, it can be pretty confusing to look at this because we have bundle segments
26:21
and then we have TCPCL segments, and they don't necessarily align. Along the way here we had some acts showing up. So here we have the first bundle segment up here, and then we have an act down here on frame number 20. This frame number 20 act that we see, it is acknowledging receipt of this bundle segment.
26:49
This act down here on frame 27 is going to be acknowledging this bundle segment. The act counts up, so if I look at frame 20 I see an acknowledgement saying act length 4096.
27:05
That was how much data was in the first bundle segment. I go to the next act and it says now I'm acting up to 8192 bytes because it's now acknowledging the second bundle segment.
27:21
We'll see the next act coming up right here. This act is acknowledging the third bundle segment. So this guy is acknowledging this bundle segment, which of course includes those packets. And we can see that it's counted up to 12,288, and then we have the last act here,
27:46
which is counting up also the very last bundle segment. It can be sort of confusing to see what's happening when, especially when we have Wireshark's reassembly feature built into it.
28:03
But what I did was I made a little TCP spreadsheet that goes through what's happening here. We have bundle segment one, or A, bundle segment B, bundle segment C, bundle segment D there. And these are the frames required and the amount of data in each of those frames.
28:22
And we add the data up in the bundle segment. We subtract three for the TCP convergence layer overhead, and that leaves us with the actual segment of data, the amount of data in there. Same thing here on the second one. We, it required four packets to get this across. Subtract the TCP CL overhead, and we're at 4096 here.
28:45
Another 4096 bundle segment, and then the last one isn't quite as long. So I'll bring that back in in a moment when we talk about the bundle header itself. So all of that was the bundle being transferred from 10.0.0.1 to 10.0.0.3.
29:06
And then all of a sudden we see 10.0.0.3 transferring this data over to 10.0.0.4. And the same thing. We have data, data, data, data.
29:21
Interestingly enough, we have some acts that show up later, but for something else. So when we look at this, let's reassemble what is being transferred across this network as this bundle is being relayed.
29:40
We can go into any one of the stream one packets and just right mouse click on the frame in the packet list pane and select follow TCP stream. This is the data that is being transferred by this bundle. At the top of this bundle, you have these at signs, and those are keepalives.
30:09
So when you click on those, you can see, you can click, and that Wireshark will take you to the keepalive packets in the background. What is following that immediately, the next three bytes, is actually the TCP convergence layer for the very first bundle.
30:26
After that, we have a bundle header, and after that, this is all the bundle header, and then after that, we have the payload header. So when we look at our segments going across, we have a bundle header
30:45
that is applied only on the first bundle segment. Every single one of these bundle segments, though, starts with a TCP convergence layer header. That's how we know it's the beginning of a bundle segment.
31:04
The very first bundle will be followed by a bundle header, and then it will be followed by a payload header. So these are the header structures that you would see in something like this. We need to have that TCP CL header in there, because that provides us with the interface
31:24
between TCP and the bundle protocol. It's kind of the shim between the two of them. In this slide, I'm showing you the amount of data that is carried in each one of these TCP segments, and when we add those up, these are the payload values.
31:45
And when you look at the X, we just count up from 4096, then we count up from there until we get to our final value. Let me just finish up by taking you into the bundle header for a moment.
32:04
We're going to go all the way down here to, let's pull frame number 32. This is the last frame of the bundle after it has been forwarded to, oh, wait, nope.
32:22
Nope, that's not the one I want. I want to go up to the first, hang on, I've got a filter on there, no wonder. So let's go, let's go to, it doesn't matter which one of the red packets we go to. They'll basically have this very similar information in them.
32:42
I'm going to go to this frame 46, let's say. That is the final packet of the bundle after it's been forwarded to 10.0.0.4. And let's go into the bundle header, and let me bring the bundle header
33:00
up in that top window, there we go. There are some strange things about the bundle header here. Like, for example, one of the big things that catches people is that this bundle header length field does not include the whole entire bundle header. It includes only the fields that follow the bundle header length field. So the bundle header is actually 49 bytes.
33:28
And then the payload header is another four bytes. So this packet is telling me the last packet of each of the bundle segments.
33:44
And then I can see down here, this is the amount of payload. Now this is different than the final ACK. So if I come up here, and let me just show you what I'm talking about here. This ACK right here that we saw, this ACK says that the amount of payload is 15,272 bytes.
34:12
Sure enough, that's what it is if we add up all of the payload from each of the bundle segments. But when we look inside of a bundle header to see how much payload it thinks has crossed the
34:28
network, it's giving us a different value. It's giving us 15,219. And the way it gets there is we have to subtract out the 49 bytes from the bundle of the bundle header plus the four bytes of the payload header.
34:42
We've got to get rid of 53 bytes from the extra payload headers and bundle header at the front. So that's how we get to that particular number. So I've shown you how we can add columns. I've shown you how we can add buttons into Wireshark.
35:02
And I've shown you how we can add coloring rules into Wireshark to make analyzing the bundle protocol and the TCP convergence layer protocol a little bit easier.