For a few days I have been following the 3G traffic that takes place on 6682.0 KHz/USB and I have noticed that many of the transfers are exactly the same length (139 bytes) and follow the same sending formality, ie the protocol used is LDL (3G-HF STANAG-4538) and are retransmitted twice within the same link session.
 |
| Fig. 1 |
The caller node issues a 2-way FLSU_Request Protocol Data Unit (PDU) which conveys the caller node address, priority, and the desired traffic service (packet or circuit mode). The called node responds with a FLSU_Confirm PDU, indicating the ability to continue with the requested traffic service. As it's known, FLSU protocol use the BW5 waveform.
Both the caller and called alternate sending LDL PDUs, with the caller sending data using the LDL Data Send PDU (BW3), and the called responding with the LDL ACK/NAK PDU (BW4). This process continues until all data has been transferred error-free, as indicated by the caller sending redundant LDL End Of Message (EOM) PDU’s. Immediately after the LDL transfer is complete, both stations iunitiate the Fast Traffic Management (FTM) protocol to negotiate further traffic. This gives the called node an opportunity to send data in the reverse direction. After a the Link Timeout has occurred, the last station to receive an LDL transfer terminates the link by sending an FLSU_Term PDU. It's worth noting that after the EOM PDUs, both nodes remain linked (!) and given that the caller has already completed its data transfer, it is up to the called node to deliver any packet traffic it has, or to terminate the link if it doesn't have traffic to send. Note that:
- the EOM PDU indicates to the receiving station that the data transfer will be terminated;
- the Term PDU indicates to the receiving station the sender’s departure from the current link.
in EMCON scenarios the link termination is up to the caller node
 |
| Fig. 2 |
In these recordings, packet-mode service and LDL160 protocol are used. Before analyzing the bitstreams let's see how an LDL packet is built.
The "original" datagram to be sent is split into fixed-length segments which will be processed into packets by the chosen LDL protocol. An LDL data packet is defined as a fixed-length sequence of n-byte data segment (n = 32,64,96,...,512) followed by a 17-bit Sequence Number plus an 8-bit Control Field (presently unused). During the construction of the LDL BW3, a 32-bit Cyclic Redundancy Check (CRC) value is computed across the data bits of each data packet and then appended. Then, 7 flush bits having the value 0 are added to ensure that the encoder is in the all-zero state upon encoding the last flush bit. Sumarizing, the on-air length of a LDLn burst is computed in bit as 8n + 64 (n = 32,64,96,...,512 bit), in this case (LDL160, n = 160) 1334 bit or 168 bytes.
That said, lt's go back to two decoded LDL packets (belonging to the same link session) by inspecting their last 64 bits (17-bit Sequence Number + 8-bit Control Field + 32-bit CRC + 7 flush bits):
 |
| Fig. 3 |
Let's try to analyze the 139 bytes messages. As indicated by the value of the bits 5-0 (all 0s, Packet Number #0) and SOM/EOM bits (all 1s) the original datagram consists of only one packet, the Packet Byte Count field (bits 14-6) indicates that the user bytes are 139 thus the remaining 21 bytes are filled with 0s.
0000000000000000000000000000000010000000100000001011010001111000
0110101001111000011010100111100001101010011110000000000001011000
1011101001011000101110100101100010111010010110001011101011010010
1010001111010011100111110000100101010011101000110011010010101101
0110100100111000000101000100011001100010011001010001100010111100
0110010010100001001101111111111100011001101100011001010001010011
1001010110000111011010110010100100001001110101111101000100100111
1010110000001010010010100101011000010100000001000100011001110110
1100110001101100001101110001011100011010110101101010010101010101
0001011010001100000011010111111111110110111000110001111001111110
1101100010101100011000010000111011001100111001101101011110011010
0111111010011110001001000010011100100000000010101011100111010110
0110111110101011111110110100010001110011100001001010100001100101
0011000110100011000111111011111101011000111001001010010101011100
0111010011110011000010100011010001111110100101101001100101001010
1010001000110100111100000101011110100010010110111101001101000101
0001110110100001011010010111100001101010011110000110101001111000
0110101001111000010000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000101000101110110111001010011111111001011110000000000000000
The analysis of the bitstreams shows that each datagram is always sent twice (Figs 4,5): I don't know if it's due to a negative ACK sent back by the reiceiver or rather a usual way of doing to give redundancy and reliability to the system.
 |
| Fig. 4 |
 |
| Fig. 5 |
After the removal of the 31-byte encapsulation added by the Harris "Citadel" cripyographic engine
00 00 00 00 01 01 2D 1E 56 1E 56 1E 56 1E 00 1A 5D 1A 5D 1A 5D 1A 5D (header)
1E 56 1E 56 1E 56 1E 02 (tail)
the resulting datagrams consist of 108 bytes. Such messages are very frequent(!), also sent using the circuit-mode service and MS-110A as traffic waveform. Sometimes it's occured to see that the 139-byte encrypted message is split into five packets and then sent using LDL32 [1] or even 9 times repeated using LDL160 [2], as shown in the Sequence Number fields in Figure 6
 |
| Fig. 6 |
https://disk.yandex.com/d/Ug94lJ40coIUDg
[1] https://yadi.sk/d/PvOS5FbM3H96Wz
[2] https://yadi.sk/d/_SCU3U073GzPf9
No comments:
Post a Comment