Looking at some of my recent logs to which this post refers:
05838.0 ABC7: Unid 0734 USB MIL 188-141 2G-ALE ABS5 handshake, voice auth-id then STANAG-5066 HMTP over STANAG-4285 1200bps/S (06Sep16)
05838.0 ABC7: Unid 0738 USB MIL 188-141 2G-ALE ABD1 handshake, voice auth-IDs exchange then STANAG-5066 HMTP over STANAG-4285 1200bps/S (06Sep16)
05838.0 ABC7: Unid 0747 USB MIL 188-141 2G-ALE ABG6 handshake, voice auth-IDs exchange then STANAG-5066 data over STANAG-4285 1200bps/S (06Sep16)
05838.0 ABC7: Unid 0804 USB MIL 188-141 2G-ALE ABF2 handshake, voice radio-check, auth-IDs exchange then STANAG-5066 data over STANAG-4285 1200bps/S (08Sep16)
05838.0 ABC7: Unid 0818 USB MIL 188-141 2G-ALE ABK4 handshake, voice auth-IDs exchange then STANAG-5066 data over STANAG-4285 1200bps/S (06Sep16)
"ABC7", likely the main station, establishes a link with each outstation ("ABK4", "ABG6", ...) using MIL 188-141 2G-ALE and then forwards e-mails over STANAG-5066, with HMTP as the mail transfer protocol and STANAG-4285 as the HF waveform (fig. 1).
fig. 1 |
I already posted about sending e-mail over HF (browse the Data Link tag), but this example is worth publishing for three good reasons:
1) the HF waveform used is STANAG-4285 rather than MIL-STD 188-110A/B or STANAG-4539;
2) the "messaging" software is an HMTP system (although the e-mail is sent as a GZIPped file);
3) the e-mail client (and likely the STANAG-5066 controller/gateway too) runs on Linux rather than MS Outlook/Windows.
The operational configuration of a 2G HF system based on 188-141A, STANAG-5066 and STANAG-4285 may sound a bit strange, since in BRASS scenarios we are used to seeing ship/shore links set up on a pool of known frequencies or MRL circuits, and in land scenarios 188-141A is almost always followed by 188-110A/B or STANAG-4539 waveforms.
I mean that, although many fleets make use of 188-141 technology (Venezuelan Navy, Chilean Navy, Iraqi Navy, Maltese Navy, ... the Italian GdF Corps too), its use in conjunction with STANAG-4285 is a bit unusual, at least in Europe.
fig. 2 - S4285 frame obtained from the analysis of the received signals |
The bitstream after S4285 decoding exhibits a period of 1776 bits, i.e. 222 bytes (fig. 4), which matches the length of the data-only D_PDUs (see later).
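The period search behind fig. 4 can be reproduced offline. The script below is an added example written for this page, not the analyzer the post uses: it assumes a byte-aligned, descrambled stream in which every D_PDU starts with the 16-bit STANAG-5066 sync sequence 0x90EB, measures bit agreement at every candidate lag on one big integer, and cross-checks the result against the spacing of the sync words. The constant bytes that follow the sync word in the constructed stream are a model of "a few header fields repeat, the payload does not", not the real D_PDU header layout; the frame counter and payload are random filler.

```python
"""Added example: find the 1776-bit / 222-byte D_PDU period of a STANAG-5066
bitstream by bit-agreement (autocorrelation) and by sync-word spacing.
The stream is constructed here; only the sync sequence is real."""
import random
from collections import Counter

SYNC = bytes([0x90, 0xEB])      # 16-bit STANAG-5066 D_PDU sync sequence
FRAME_BYTES = 222               # data-only D_PDU length observed in the post
FRAME_BITS = FRAME_BYTES * 8    # 1776

# Modelled, constant bytes after the sync word. NOT the real D_PDU header
# layout (assumption for the example): it only reproduces the property the
# period search relies on, i.e. some header fields repeat frame after frame
# while the segmented C_PDU payload does not.
CONST_HEADER = bytes.fromhex("0f1a3c5e7b9d")


def build_stream(n_frames: int, seed: int = 1) -> bytes:
    """Constructed test stream: n_frames consecutive frames, each made of
    sync + constant header + 1-byte frame counter + random payload (222 bytes)."""
    rng = random.Random(seed)
    out = bytearray()
    for k in range(n_frames):
        frame = bytearray(SYNC + CONST_HEADER + bytes([k & 0xFF]))
        frame += bytes(rng.getrandbits(8) for _ in range(FRAME_BYTES - len(frame)))
        out += frame
    return bytes(out)


def bit_agreement(stream: int, n_bits: int, lag: int) -> float:
    """Fraction of positions i with bit[i] == bit[i+lag]. Random data gives
    ~0.5; at the frame period the sync and constant header bits line up and
    the value peaks. XOR/popcount on one integer keeps thousands of lags cheap."""
    compared = n_bits - lag
    diff = (stream ^ (stream >> lag)) & ((1 << compared) - 1)
    return 1.0 - bin(diff).count("1") / compared


def find_period(data: bytes, max_lag: int, min_lag: int = 8):
    """Return (period_bits, score). The fundamental period is the smallest lag
    whose agreement is close to the best one seen, so that lags equal to two
    or three periods (which agree just as well) are not picked instead."""
    stream, n_bits = int.from_bytes(data, "big"), len(data) * 8
    scores = {lag: bit_agreement(stream, n_bits, lag)
              for lag in range(min_lag, max_lag + 1)}
    best = max(scores.values())
    threshold = 0.5 + 0.75 * (best - 0.5)
    period = min(lag for lag, s in scores.items() if s >= threshold)
    return period, scores[period]


def frame_length_from_syncs(data: bytes) -> int:
    """Cross-check: most common distance in bytes between consecutive sync
    words. A payload byte pair that happens to equal 0x90EB only adds a rare
    outlier, which the mode ignores."""
    offsets = [i for i in range(len(data) - 1) if data[i:i + 2] == SYNC]
    gaps = Counter(b - a for a, b in zip(offsets, offsets[1:]))
    return gaps.most_common(1)[0][0]


if __name__ == "__main__":
    data = build_stream(30)
    period, score = find_period(data, max_lag=2500)
    print(f"period: {period} bits = {period // 8} bytes (agreement {score:.3f})")
    print(f"sync-word spacing: {frame_length_from_syncs(data)} bytes")
```

Lags are searched only up to 2500 bits here; at two and three times the period the agreement peaks again, which is why find_period returns the smallest lag near the best score rather than the plain argmax. On a real capture the same search also reveals a wrong descrambler or an off-by-a-few-bits alignment, because the peak then lands at a lag that is not a multiple of 8.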
fig. 3 - receiving data from modem on COM3 (note the synchronous settings for port COM3) |
fig. 4 - S5066 1776-bit period (222 bytes) |
Data-only D_PDUs may transport plain text or GZIPped files such as .eml, .txt and others: in this case I extracted an e-mail whose study offers interesting insights (fig. 5):
fig. 5 |
1. the e-mail domains are not routable ones ("asdf.123" and "jklp.123");
2. generic user names are used (user1@asdf.123, user1@jklp.123), maybe tests? As for the operators, voice comms are in a "formal" English, sometimes with a wrong pronunciation (e.g. "five" pronounced "faìv", with the stress on the "i");
3. the e-mail headers say that a SUSE Linux system is used: "Received: from linux.site ([127.0.0.1]) by linux.site with ESMTP (CROZ ESMTP/HMTP Gateway) Gecko/20111101 SUSE/3.1.16 Thunderbird/3.1.16", i.e. a Thunderbird 3.1.16 client behind an ESMTP/HMTP gateway. Note the use of the HMTP protocol;
4. the attachment name is in a South Slavic language: "image/jpeg name="PRILOG 5 - PRILOG ZA SLANJE E-MAILA.jpg"" ("prilog za slanje e-maila" is Croatian/Serbian for "attachment for sending e-mail").
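The checks behind the four observations above, as an added Python example that is not part of the post or of the analyzer it describes: it carves a gzip member out of a buffer standing in for the reassembled C_PDU bytes, parses the .eml and reports the indicators (non-routable domains, generic user names, the gateway string from the Received header, the User-Agent and the attachment names). The sample message is constructed from the header fragments quoted above; the Received date, the body text, the filler bytes around the gzip member and the base64 stub are placeholders, not the intercepted content.

```python
"""Added example: carve a GZIPped .eml from a payload buffer and extract the
indicators discussed in the post. The message and buffer are constructed."""
import gzip
import re
import zlib
from email import message_from_bytes, policy

GZIP_MAGIC = b"\x1f\x8b\x08"

# Constructed sample .eml: header fragments taken from the post, everything
# else (date, body, base64 stub) is filler for the example.
SAMPLE_EML = b"\n".join([
    b"Received: from linux.site ([127.0.0.1]) by linux.site with ESMTP "
    b"(CROZ ESMTP/HMTP Gateway); Tue, 06 Sep 2016 07:38:10 +0000",
    b"From: user1@asdf.123",
    b"To: user1@jklp.123",
    b"Subject: test",
    b"User-Agent: Gecko/20111101 SUSE/3.1.16 Thunderbird/3.1.16",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/plain; charset=utf-8",
    b"",
    b"radio check",
    b"--b1",
    b'Content-Type: image/jpeg; name="PRILOG 5 - PRILOG ZA SLANJE E-MAILA.jpg"',
    b'Content-Disposition: attachment; filename="PRILOG 5 - PRILOG ZA SLANJE E-MAILA.jpg"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"/9j/4AAQSkZJRgABAQAAAQABAAD/2wBD",
    b"--b1--",
    b"",
])


def constructed_payload() -> bytes:
    """Stand-in for the reassembled C_PDU bytes: filler before and after a
    gzip member carrying the sample message (constructed, not a capture)."""
    return b"\x00\x11\x22\x33" + gzip.compress(SAMPLE_EML, mtime=0) + b"\xaa\xbb"


def carve_gzip_members(buf: bytes):
    """Return [(offset, decompressed_bytes)] for every complete gzip member.
    zlib is driven member by member (wbits=31) so stray bytes before, between
    or after members do not abort the scan; a truncated member (lost D_PDUs)
    ends it, a false magic hit is skipped."""
    found, pos = [], 0
    while (i := buf.find(GZIP_MAGIC, pos)) >= 0:
        d = zlib.decompressobj(wbits=31)
        try:
            out = d.decompress(buf[i:])
        except zlib.error:
            pos = i + 1
            continue
        if not d.eof:
            break
        found.append((i, out))
        pos = len(buf) - len(d.unused_data)
    return found


def split_address(addr) -> tuple:
    """Split 'local@domain' into (local part, lower-cased domain)."""
    local, _, domain = str(addr).rpartition("@")
    return local, domain.lower()


def looks_routable(domain: str) -> bool:
    """A public top-level label is alphabetic (no all-numeric TLD exists), so
    'asdf.123' can never resolve on the Internet: it is a local/test name."""
    tld = domain.rsplit(".", 1)[-1]
    return len(tld) >= 2 and tld.isalpha()


def analyze_eml(raw: bytes) -> dict:
    """Parse an .eml and return the indicators the post looks at."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender_local, sender_domain = split_address(msg["From"])
    rcpt_local, rcpt_domain = split_address(msg["To"])
    gateways = []
    for received in msg.get_all("Received") or []:
        gateways += re.findall(r"with ESMTP \(([^)]+)\)", str(received))
    return {
        "from_domain": sender_domain,
        "to_domain": rcpt_domain,
        "domains_routable": all(looks_routable(d) for d in (sender_domain, rcpt_domain)),
        "generic_users": [u for u in (sender_local, rcpt_local) if re.fullmatch(r"user\d+", u)],
        "gateways": gateways,
        "user_agent": str(msg["User-Agent"] or ""),
        "attachments": [part.get_filename() for part in msg.iter_attachments()],
    }


def extract_and_analyze(buf: bytes) -> list:
    """Carve every .eml in the buffer and analyze it."""
    return [analyze_eml(data) for _, data in carve_gzip_members(buf)]


if __name__ == "__main__":
    for report in extract_and_analyze(constructed_payload()):
        for key, value in report.items():
            print(f"{key}: {value}")
```

Carving with zlib.decompressobj rather than gzip.decompress matters on HF captures: a transfer interrupted by a lost D_PDU leaves a truncated member, and gzip.decompress would raise on it instead of reporting the members that did complete.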
As said, HMTP (HF Mail Transfer Protocol) is used as the messaging protocol rather than the FTP-oriented protocols such as CFTP and (H)BFTP. Briefly, HMTP is an SMTP-derived mail transfer protocol for STANAG-5066 links: it prescribes a mode of operation very similar to SMTP pipelining that minimises the number of link turnarounds (two for a small message), and it fixes the options in order to maximise interoperability without the need for service negotiation. HMTP is defined in Annex F of STANAG-5066.
As a final note, protocol analyzers (as opposed to protocol 'classifiers') are very powerful tools that allow the structure in which the data bits are arranged to be recovered. Indeed, in addition to extracting and uncompressing the .eml file, the analyzer also splits the data blocks into files and returns a text file (OutInfo.txt) containing a complete and detailed report of the STANAG-5066 D_PDUs involved in the transfer:
This way SIGINT enthusiasts have the chance to study protocols by looking at examples from practice and not only from books, as shown in the following figure for the signal in question:
STANAG-5066 D_PDUs belonging to frames 19 and 20 (out000.dat file) |
(to be continued in a next post)