Re: gsmtap design/extensions?

From: Guy Harris <guy-FrUbXkNCsVf2fBVCVOL8/A@public.gmane.org>
To: Johannes Berg <johannes-cdvu00un1VgdHxzADdlk8Q@public.gmane.org>
Cc: "Harald Welte" <laforge-TgoAw6mPHtdg9hUCZPvPmw@public.gmane.org>,
	openbsc-qjLDD68F18N4m7O/Vxda39i2O/JbrIOy@public.gmane.org,
	radiotap-S783fYmB3Ccdnm+yROfE0A@public.gmane.org,
	linux-wireless-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	"Subash Abhinov Kasiviswanathan"
	<subashab-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>,
	"Dan Williams" <dcbw-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
	"Bjørn Mork" <bjorn-yOkvZcmFvRU@public.gmane.org>,
	netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	"Sean Tranchetti"
	<stranche-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>,
	"Aleksander Morgado"
	<aleksander-Dvg4H30XQSRVIjRurl1/8g@public.gmane.org>
Subject: Re: gsmtap design/extensions?
Date: Fri, 12 Apr 2019 12:48:54 -0700	[thread overview]
Message-ID: <1089142F-2966-4C41-921B-465FBA721E79__45392.3745475308$1555103635$gmane$org@alum.mit.edu> (raw)
In-Reply-To: <1462659018bc40830efbe2348791b8df45b54cff.camel-cdvu00un1VgdHxzADdlk8Q@public.gmane.org>

On Apr 12, 2019, at 5:24 AM, Johannes Berg <johannes-cdvu00un1VgdHxzADdlk8Q@public.gmane.org> wrote:

> On Thu, 2019-04-11 at 01:32 +0200, Harald Welte wrote:
> 
>> GSMTAP was designed as a format to encapsulate protocols normally not spoken over IP
>> (such as classic GSM radio protocols, e.g. the Layer 2 LAPDm over GSM Um)
>> inside an IP transport.
> 
> Sure, but wifi is also not spoken over IP, yet we don't encapsulate our
> 802.11 frames into IP to show them in wireshark :-)

That's just because the rpcap protocol hasn't been revved yet to handle the new create/set options/activate mechanism in libpcap to allow monitor-mode capturing, so you only get to see fake Ethernet frames. :-)

I.e., there's a split there between "capture" and "getting the packets from a capture delivered to you over an IP network".

Perhaps there should be a GSMTAP link-layer header type, so you can have a GSMTAP pcap file or GSMTAP interface in a pcapng file, combined with a more general "remote capture" mechanism in libpcap so that you could capture on gsmtap://host:port and capture from a host using the GSMTAP-over-UDP encapsulation - or capture using rpcap.

>> No userspace source would ever be able to generate such data and stream
>> it real-time into wireshark, would it?  Sure, I can write pcap file with
>> such ARPHDR_* values, but I could never do this in real-time.  For many
>> but not all use cases, that's really what it is: A vehicle to stream
>> real-time non-IP protocol traces into wireshark so it can visualize
>> the protocol traces.
> 
> I think you can pipe a stream into wireshark?

1) You could pipe into libpcap or otherwise have a way for a libpcap module to connect to a user space source and get packets from it.

2) You could pipe a pcap file into tcpdump/Wireshark/etc..

3) You could have an extcap program:

	https://www.wireshark.org/docs/wsdg_html_chunked/ChCaptureExtcap.html

provide packets to Wireshark.

> To me it feels like the wrong thing to actually make wireshark listen on
> "lo" or "eth0" or something to get data from the cellular that's
> (locally) generated by another application, but I guess that's only
> about how you think about it - and if it's not generated locally then
> that's an easy transport. I'm not sure it makes *sense* because then you
> need permissions to capture on the wired network etc.

Depending on how your system is set up:

	$ ls -l /dev/bpf*
	crw-rw----  1 root  access_bpf   23,   0 Apr 10 22:57 /dev/bpf0
	crw-rw----  1 root  access_bpf   23,   1 Apr 10 22:56 /dev/bpf1

		...

and it could just be rw-rw-rw-.  Perhaps other systems make it harder to grant capture privileges.

> where you don't *really* need that for this stream

If there's a need for that, whatever provides the packets could impose that (by finding out the UID/GID of the other process if this is going over a UNIX-domain socket, at least on some UN*Xes, or by requiring a login if this is going over a network).