Capturing 3G wireless modem traffic.

asked 2017-11-11 14:25:46 +0000

How to capture outgoing IP traffic on a 3G USB modem? I'm getting incoming IP traffic, but outgoing is limited to traffic from 'host' to '1.2.3', which is the USB device. All outgoing traffic is made on protocol USB/AT or 0x007d.


Comments

That sounds as if the USB dissector could not handle the outgoing data properly, and thus the highest dissected layer remains USB - the addresses shown in packet list are normally those of the highest transport layer found. Try to start capturing before inserting the modem so that the enumeration phase is captured as well. If that doesn't help, please publish that capture (i.e. the one which includes modem enumeration) so that we could have a look at what's going on. Capture files cannot be directly uploaded here - use Cloudshark or any plain file sharing service, and edit your Question with a login-free link to it.

sindy ( 2017-11-11 20:27:29 +0000 )
Tom4950 ( 2017-11-12 04:19:52 +0000 )

Now I am a bit confused. In the original Question, you wrote

I'm getting incoming IP traffic,

but in this capture even incoming IP traffic is not available, only a bunch of "ppp malformed" packets, not all of which are even candidates for IP traffic as they are still part of the ppp negotiation phase (e.g. packets 619-622). What most, if not all, of them have in common is that the last octet (which should be part of a 16-bit FCS like it is for those non-malformed PPP packets in the capture) is 0x7e, and the length decoded from their contents differs by orders of magnitude from the actually captured length.

So the first question is - if you open this capture file yourself, can you see the "incoming IP traffic" as you stated in the Question? If so, what Wireshark version do you use?

What I forgot to ...

sindy ( 2017-11-12 09:07:34 +0000 )
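The two symptoms sindy describes above (a last octet of 0x7e where an FCS byte should be, and a length decoded from the frame contents that does not match the captured length) can be checked mechanically before deciding whether a capture tool mis-delimited the frames or the data itself is corrupt. The following Python is an added example written for this page, not code from the asker, the answerer, Wireshark or USBPcap. It implements the RFC 1662 FCS-16 and HDLC byte-stuffing, then runs the checks over frames it constructs itself; the IPv4 headers (10.0.0.1 to 10.0.0.2, ICMP) and the frame layouts are constructed assumptions, not taken from the capture discussed in the thread.

```python
"""Sanity-check PPP-in-HDLC frames the way a dissector would (added example)."""
import struct

PPP_FLAG = 0x7E
PPP_ESCAPE = 0x7D
PPP_IPV4 = 0x0021
FCS_INIT = 0xFFFF
FCS_GOOD = 0xF0B8   # residue of FCS-16 over (data || FCS) when the FCS is correct


def _make_fcs_table():
    """FCS-16 lookup table from RFC 1662 (reflected polynomial 0x8408)."""
    table = []
    for b in range(256):
        v = b
        for _ in range(8):
            v = (v >> 1) ^ 0x8408 if v & 1 else v >> 1
        table.append(v)
    return table


_FCS_TABLE = _make_fcs_table()


def pppfcs16(data, fcs=FCS_INIT):
    """RFC 1662 FCS-16 over data; returns the running register value."""
    for b in data:
        fcs = (fcs >> 8) ^ _FCS_TABLE[(fcs ^ b) & 0xFF]
    return fcs


def hdlc_escape(data):
    """Byte-stuff as with the default async control character map (all < 0x20)."""
    out = bytearray()
    for b in data:
        if b < 0x20 or b in (PPP_ESCAPE, PPP_FLAG):
            out += bytes((PPP_ESCAPE, b ^ 0x20))
        else:
            out.append(b)
    return bytes(out)


def hdlc_unescape(data):
    """Reverse hdlc_escape; a dangling 0x7d at the end is kept as-is."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == PPP_ESCAPE and i + 1 < len(data):
            out.append(data[i + 1] ^ 0x20)
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def build_frame(protocol, payload):
    """Well-formed frame: flag, FF 03, protocol, payload, FCS (LSB first), flag."""
    body = bytes((0xFF, 0x03)) + struct.pack(">H", protocol) + payload
    body += struct.pack("<H", pppfcs16(body) ^ 0xFFFF)
    return bytes((PPP_FLAG,)) + hdlc_escape(body) + bytes((PPP_FLAG,))


def split_frames(stream):
    """Correct delimiting: cut a byte stream on 0x7e flags, drop empty gaps."""
    return [f for f in stream.split(bytes((PPP_FLAG,))) if f]


def ipv4_header(total_length):
    """Constructed 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2, ICMP, no options)."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64, 1, 0,
                       bytes((10, 0, 0, 1)), bytes((10, 0, 0, 2)))


def analyze_frame(frame):
    """Inspect one frame exactly as the capture layer delimited it (no flags expected).

    Any 0x7e still inside the frame means the delimiting went wrong; the FCS is
    checked both as captured and with a trailing flag removed, so the caller can
    tell a mis-delimited but intact frame from genuinely corrupt data.
    """
    issues = []
    trailing_flag = frame.endswith(bytes((PPP_FLAG,)))
    if trailing_flag:
        issues.append("last octet is the 0x7e closing flag, not an FCS byte")
    as_captured = hdlc_unescape(frame)
    fcs_ok = len(as_captured) >= 2 and pppfcs16(as_captured) == FCS_GOOD
    fcs_ok_without_flag = trailing_flag and pppfcs16(hdlc_unescape(frame[:-1])) == FCS_GOOD
    if not fcs_ok and not fcs_ok_without_flag:
        issues.append("bad FCS")
    # Strip the FCS, then the optional address/control field (ACFC) and the
    # 1- or 2-byte protocol field (PFC), leaving the information field.
    body = (as_captured[:-1] if trailing_flag else as_captured)[:-2]
    if body[:2] == b"\xff\x03":
        body = body[2:]
    if body and body[0] & 1:
        protocol, info = body[0], body[1:]
    elif len(body) >= 2:
        protocol, info = struct.unpack(">H", body[:2])[0], body[2:]
    else:
        protocol, info = None, b""
    ip_total_length = None
    if protocol == PPP_IPV4 and len(info) >= 4:
        ip_total_length = struct.unpack(">H", info[2:4])[0]
        if ip_total_length != len(info):
            issues.append("IP total length %d vs %d captured payload bytes"
                          % (ip_total_length, len(info)))
    return {"protocol": protocol, "fcs_ok": fcs_ok, "trailing_flag": trailing_flag,
            "fcs_ok_without_flag": fcs_ok_without_flag,
            "ip_total_length": ip_total_length, "payload_length": len(info),
            "issues": issues}
```

Feeding `analyze_frame` the bytes between the flags of a frame built by `build_frame` reports no issues; feeding it the same bytes with the closing 0x7e still attached reproduces the "last octet is 0x7e" symptom while showing the FCS still verifies once the flag is removed, which points at the delimiting layer rather than the modem data. A frame whose IPv4 total length says 1500 but carries 20 bytes reproduces the length mismatch, and a single flipped byte fails the FCS outright.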

I posted the capture that occurred before any incoming IP traffic happened. Some USB or USB/AT packets contain info about the Microsoft domain that 'host' is trying to reach. This capture formerly included a lot of sensitive data including IMSI, and filtering it all away took me a lot of time. What is the main issue that causes the outgoing IP traffic not to show up? PS: USBPcapCMD capture didn't show any outgoing IP traffic.

Tom4950 ( 2017-11-12 11:38:48 +0000 )

What is the main issue that causes the outgoing IP traffic not to show up?

How do you expect anyone to answer that question if they haven't seen a packet like that?

One possibility is that USBPcap has not saved the captured URB properly. Another possibility is that the Wireshark dissector was unable to dissect it for some other reason (maybe an unexpected value of some bit somewhere in the preceding packets).

If the information you don't want to publish is available in plaintext in those packets, you can filter them out using !(frame contains "first-string-you-don't-want-to-publish") and !(frame contains "another-string-you-don't-want-to-publish") and then go File->Export Specified Packets->Displayed to save the "harmless" packets into a new capture file and post that new capture, but if the Microsoft domain name is available somewhere in the undissected outgoing PPP, there is no other way than configure the machine before capturing ...

sindy ( 2017-11-12 16:40:33 +0000 )