Thank you Neels!
The "logfile /tmp/foo" gave an error message saying "unrecognized option".
I'm going to look at DNS packets going through a GGSN to try and find ways to detect DNS tunnels, do you have any recommendations for how to do this? I do not have the time or resources to use real UEs so I hope to simulate it on a computer using VMs or something like that.
I have looked at this: http://openbsc.osmocom.org/trac/wiki/OpenBSC_GPRS as an idea of how to set up the testbed, but I do not know which of the nodes I really need. Do you have any idea?
Regards, Terje Kristoffer Skow
2016-02-29 18:50 GMT+01:00 Neels Hofmeyr nhofmeyr@sysmocom.de:
Hey Terje,
On Mon, Feb 29, 2016 at 12:46:30PM +0100, Terje Kristoffer Hybbestad Skow wrote:
Does this mailinglist also regard openGGSN?
Yes, the Osmocom community has adopted maintenance of OpenGGSN, even though it wasn't written "here".
If so, I have some questions. I have problems setting it up correctly.
To test the basic openggsn I used to do something like this:
sudo -s
LD_LIBRARY_PATH=/usr/local/lib ./git/openggsn/ggsn/ggsn -f -c ./localggsn.conf &
./git/openggsn/sgsnemu/sgsnemu --createif -l 127.0.0.1 -r 127.0.0.2
With localggsn.conf as
listen 127.0.0.2
net 127.0.0.0/24
pcodns1 8.8.8.8
logfile /tmp/foo
The above works on linux because it allows implicitly creating the 127.*.*.* interfaces. On other OSes, you'd have to create those first on one of your network interfaces.
See http://git.osmocom.org/openggsn/tree/examples/ggsn.conf for more config options.
I'd recommend using wireshark to see what packets are transmitted back and forth, if you're not already doing that.
I've "recently" implemented GTPhub, which relays GTP, e.g. through a NAT. If that's of interest too, call again, and I can give you an example config for testing sgsnemu -> gtphub -> openggsn, too.
To actually relay data through the tunnel interface that is created, AFAIK you first need to send a Create PDP Context message to the GGSN. Maybe read http://git.osmocom.org/openbsc/tree/openbsc/tests/gtphub/gtphub_test.c. For testing real data, I used an actual sysmoBTS with a "special" SIM card instead of sgsnemu, because here in the lab that was easier... :P
Hope to have helped :)
~Neels
--
- Neels Hofmeyr nhofmeyr@sysmocom.de http://www.sysmocom.de/
=======================================================================
- sysmocom - systems for mobile communications GmbH
- Alt-Moabit 93
- 10559 Berlin, Germany
- Sitz / Registered office: Berlin, HRB 134158 B
- Geschäftsführer / Managing Directors: Holger Freyther, Harald Welte
On Tue, Mar 01, 2016 at 11:12:01AM +0100, Terje Kristoffer Hybbestad Skow wrote:
The "logfile /tmp/foo" gave an error message saying "unrecognized option".
It seems the logfile option was added on 2014-03-23 with commit 9c0ff4fafe4276396125a52c89d36967566fe08c. It may make sense if you build your osmocom stack from the git sources to benefit from the latest fixes.
See http://git.osmocom.org, specifically you'd probably want to clone and build
git://git.osmocom.org/libosmocore
git://git.osmocom.org/openggsn
The build steps being for example
autoreconf -fi
./configure
make
sudo make install
I'm going to look at DNS packets going through a GGSN to try and find ways to detect DNS tunnels, do you have any recommendations for how to do this? I do not have the time or resources to use real UEs so I hope to simulate it on a computer using VMs or something like that.
I have looked at this: http://openbsc.osmocom.org/trac/wiki/OpenBSC_GPRS as
The BTS is for communicating with a phone over the air interface. Abis and osmo-nitb are used for voice calls only. The SGSN is needed for real networks, you should be fine with the sgsnemu. So all you need is sgsnemu and openggsn.
You want to figure out how to use the sgsnemu, starting with a route into the tunnel device that sgsnemu opens up. So you need to look at the 'ip route' commands (if you're on linux). I guess you won't need VMs; granted, it might make it easier to avoid circular routes (to IP addresses that should only be seen on the GGSN side), but certainly not a necessary prerequisite.
I tried to ping through the sgsnemu tunnel once but saw, as I mentioned, that the GGSN thwarts GTP messages without a proper context being created first. It shouldn't be too hard, but I haven't investigated further. So you'd want to understand the GTP Ctrl & User messages to set up a PDP context (TEIs and stuff), and figure out how sgsnemu might make your life easier in that regard. You probably want to read ETSI 29.060 to figure out GTP: http://www.etsi.org/deliver/etsi_ts/129000_129099/129060/03.19.00_60/ts_1290...

You may find the attached pcap file interesting (open it in wireshark and note that the DNS queries are transmitted over GTP between SGSN and GGSN, even though wireshark tends to show only the DNS and src/dest enclosed in the GTP). And again, you may look at http://git.osmocom.org/openbsc/tree/openbsc/tests/gtphub/gtphub_test.c for simplistic code examples of composing a PDP context conversation.
If you'd like any more answers to questions you didn't ask ;) just give us a shout...
~Neels
osmocom-net-gprs@lists.osmocom.org
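The kind of inspection Terje asks about (DNS queries carried over GTP between SGSN and GGSN), as an added example that is not part of this thread or of the OpenGGSN project: a small Python parser that unwraps a GTPv1-U G-PDU, the IPv4/UDP packet inside it and the DNS question, then applies a few defender-side DNS-tunnel heuristics (query length, label length, Shannon entropy of the subdomain part, bulk-capable record types). Header layouts follow GTPv1-U as specified in 3GPP TS 29.060, IPv4, UDP and DNS; the sample frames, addresses, TEIDs, function names and thresholds are constructed for this example and are not tuned on real traffic. GTP extension headers and compressed query names are rejected rather than parsed.

```python
import math
import struct
from collections import Counter

GTP_G_PDU, DNS_PORT = 0xFF, 53          # GTPv1 G-PDU message type; DNS port
QTYPE_TXT, QTYPE_NULL = 16, 10          # record types that carry arbitrary bulk data

def parse_gtpv1u(pkt):
    """Return (teid, inner IP packet) for a GTPv1-U G-PDU, else None."""
    if len(pkt) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if (flags >> 5) != 1 or not (flags & 0x10) or msg_type != GTP_G_PDU:
        return None                      # not version 1, not GTP', or not a G-PDU
    hdr_len = 12 if flags & 0x07 else 8  # E, S or PN flag set: 4 optional bytes follow
    if hdr_len == 12 and (len(pkt) < 12 or pkt[11] != 0):
        return None                      # extension headers are not handled in this example
    return teid, pkt[hdr_len:8 + length]  # 'length' counts bytes after the 8-byte header

def parse_ipv4_udp(ip):
    """Return (src, dst, sport, dport, udp payload) for an IPv4/UDP packet, else None."""
    if len(ip) < 20 or (ip[0] >> 4) != 4 or ip[9] != 17:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 8:
        return None
    src, dst = (".".join(str(b) for b in ip[i:i + 4]) for i in (12, 16))
    sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
    return src, dst, sport, dport, ip[ihl + 8:ihl + ulen]

def parse_dns_question(dns):
    """Return (txid, labels, qtype) of the first question entry, else None."""
    if len(dns) < 12:
        return None
    txid, _flags, qdcount = struct.unpack("!HHH", dns[:6])
    if qdcount < 1:
        return None
    off, labels = 12, []
    while off < len(dns) and dns[off] != 0:
        n = dns[off]
        if n & 0xC0:                     # compression pointer: not expected in a query name
            return None
        labels.append(dns[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    off += 1                             # skip the terminating zero-length label
    if off + 4 > len(dns):
        return None
    qtype, _qclass = struct.unpack("!HH", dns[off:off + 4])
    return txid, labels, qtype

def shannon_entropy(s):
    """Bits per character; base32/base64-encoded tunnel payloads score high."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def score_query(labels, qtype):
    """Heuristic flags; thresholds are illustrative assumptions, not tuned on real traffic."""
    sub = "".join(labels[:-2])           # assumes a two-label registrable domain
    reasons = []
    if len(".".join(labels)) > 100:
        reasons.append("long qname")
    if labels and max(len(l) for l in labels) > 40:
        reasons.append("long label")
    if shannon_entropy(sub) > 3.8:
        reasons.append("high entropy")
    if qtype in (QTYPE_TXT, QTYPE_NULL):
        reasons.append("bulk-capable qtype")
    return reasons

def inspect_gtpu_frame(pkt):
    """GTP-U -> IPv4 -> UDP/53 -> DNS question -> heuristic score, or None if not DNS-over-GTP."""
    g = parse_gtpv1u(pkt)
    ipinfo = parse_ipv4_udp(g[1]) if g else None
    if not ipinfo or ipinfo[3] != DNS_PORT:
        return None
    q = parse_dns_question(ipinfo[4])
    if q is None:
        return None
    txid, labels, qtype = q
    return {"teid": g[0], "src": ipinfo[0], "dst": ipinfo[1], "txid": txid,
            "qname": ".".join(labels), "qtype": qtype, "reasons": score_query(labels, qtype)}

# Constructed sample frames (no real capture): DNS inside UDP inside IPv4 inside GTPv1-U.
def build_dns_query(txid, qname, qtype):
    body = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + body + struct.pack("!HH", qtype, 1)
def build_ipv4_udp(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                     bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return ip + udp                      # IP header checksum left zero; the parser does not verify it
def build_gtpu(teid, inner):
    return struct.pack("!BBHI", 0x30, GTP_G_PDU, len(inner), teid) + inner
BENIGN_FRAME = build_gtpu(1, build_ipv4_udp("10.45.0.2", "8.8.8.8", 40000, DNS_PORT,
                          build_dns_query(0x1A2B, "www.example.com", 1)))
TUNNEL_FRAME = build_gtpu(2, build_ipv4_udp("10.45.0.2", "8.8.8.8", 40001, DNS_PORT,
                          build_dns_query(0x1A2C, "kq2z7ftcbj3w5ry6g4xahn.dvupmseoli.tunnel.example", QTYPE_TXT)))
```

To run it against a capture from the sgsnemu/openggsn testbed, feed each UDP payload seen on the GTP-U port (2152) to inspect_gtpu_frame(); that path carries exactly the G-PDU framing the parser expects. Entropy is a coarse signal on its own: aggregate the flagged queries per source address and over time before alerting, since one base32-looking label is not evidence of tunnelling by itself.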